home » Auto-Moto » Ensuring information security of the organization. Basics of information security. Information security hardware and software

Ensuring information security of the organization. Basics of information security. Information security hardware and software

The creator of cybernetics, Norbert Wiener, believed that information has unique characteristics and cannot be attributed to either energy or matter. The special status of information as a phenomenon has given rise to many definitions.

In the dictionary of the ISO / IEC 2382: 2015 "Information technology" standard, the following interpretation is given:

Information (in the field of information processing) - any data presented in electronic form, written on paper, expressed at a meeting or in any other medium, used by a financial institution for making decisions, moving funds, setting rates, granting loans, processing transactions, etc., including components processing system software.

To develop the concept of information security (IS), information is understood as information that is available for collection, storage, processing (editing, transformation), use and transmission in various ways, including in computer networks and other information systems.

Such information is of high value and can become objects of encroachment by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, Russia adopted the Information Security Doctrine. In the document, IB is defined as the state of protection of national interests in the information sphere. In this case, national interests are understood as the totality of interests of society, the individual and the state, each group of interests is necessary for the stable functioning of society.

Doctrine is a concept paper. Legal relationships related to information security are governed by federal laws "On state secrets", "On information", "On the protection of personal data" and others. On the basis of the fundamental normative acts, government decrees and departmental normative acts are developed, devoted to particular issues of information protection.

Definition of information security

Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself, which will allow the use of a certain set of methods and methods of protection.

Industry practitioners suggest that information security be understood as a stable state of security of information, its carriers and infrastructure, which ensures the integrity and resilience of information-related processes to intentional or unintentional impacts of a natural and artificial nature. Impacts are classified as IS threats that can harm the subjects of information relations.

Thus, the protection of information will be understood as a complex of legal, administrative, organizational and technical measures aimed at preventing real or perceived information security threats, as well as eliminating the consequences of incidents. The continuity of the information protection process should guarantee the fight against threats at all stages of the information cycle: in the process of collecting, storing, processing, using and transmitting information.

Information Security in this understanding, it becomes one of the characteristics of the system performance. At every moment in time, the system must have a measurable level of security, and ensuring the security of the system must be a continuous process that is carried out at all time intervals during the life of the system.

The infographic uses data from our own SearchInform.

In the theory of information security, information security subjects are understood as owners and users of information, and not only users on an ongoing basis (employees), but also users who access databases in isolated cases, for example, government agencies requesting information. In a number of cases, for example, in banking information security standards, shareholders are classified as information owners - legal entities who own certain data.

The supporting infrastructure, from the point of view of information security basics, includes computers, networks, telecommunications equipment, premises, life support systems, and personnel. When analyzing security, it is necessary to study all elements of the systems, paying special attention to personnel as the carrier of most internal threats.

For information security management and damage assessment, the characteristic of acceptability is used, so damage is determined as acceptable or unacceptable. It is useful for each company to establish its own criteria for the admissibility of damage in monetary form or, for example, in the form of acceptable harm to reputation. In public institutions, other characteristics can be adopted, for example, the influence on the management process or the reflection of the degree of damage to the life and health of citizens. The criteria for the materiality, importance and value of information may change during life cycle information array, therefore, should be reviewed in a timely manner.

An information threat in the narrow sense is an objective possibility to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include directed informational impacts, the purpose of which is to harm the state, organization, and individual. Such threats include, for example, defamation, deliberate misrepresentation, and inappropriate advertising.

Three main questions of information security concept for any organization

    What to protect?

    What types of threats prevail: external or internal?

    How to protect, by what methods and means?

IS system

The information security system for a company - a legal entity includes three groups of basic concepts: integrity, availability and confidentiality. Underneath each are concepts with many characteristics.

Under integrity means the stability of databases, other information arrays to accidental or deliberate destruction, unauthorized changes. Integrity can be viewed as:

  • static, expressed in the immutability, authenticity of information objects to those objects that were created according to a specific technical task and contain the amount of information required by users for their main activities, in the required configuration and sequence;
  • dynamic, implying the correct execution of complex actions or transactions, without harming the safety of information.

To control the dynamic integrity, special technical means are used that analyze the flow of information, for example, financial ones, and identify cases of theft, duplication, redirection, and reordering of messages. Integrity as a key characteristic is required when decisions are made to take actions based on incoming or available information. Violation of the order of the commands or the sequence of actions can cause great damage in the case of describing technological processes, program codes and in other similar situations.

Availability is a property that allows authorized subjects to access or exchange data of interest to them. The key requirement of legitimation or authorization of subjects makes it possible to create different levels of access. The failure of the system to provide information becomes a problem for any organization or user group. An example is the inaccessibility of public service sites in the event of a system failure, which deprives many users of the opportunity to receive the necessary services or information.

Confidentiality means the property of information to be available to those users: subjects and processes that are initially allowed access. Most companies and organizations perceive confidentiality as a key element of information security, but in practice it is difficult to fully implement it. Not all data on the existing channels of information leakage are available to the authors of information security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely, in some cases the turnover is limited.

Equal properties of information security have different values \u200b\u200bfor users, hence the two extreme categories when developing data protection concepts. For companies or organizations associated with state secrets, confidentiality will become a key parameter, for public services or educational institutions, the most important parameter is accessibility.

Information Security Digest

Protected objects in information security concepts

The difference in subjects gives rise to differences in the objects of protection. The main groups of protected objects:

  • informational resources of all types (a resource means a material object: hDD, another medium, a document with data and details that help to identify it and assign it to a certain group of subjects);
  • the rights of citizens, organizations and the state to access information, the ability to obtain it within the framework of the law; access can be limited only by regulatory legal acts, the organization of any barriers that violate human rights is inadmissible;
  • system of creation, use and distribution of data (systems and technologies, archives, libraries, regulatory documents);
  • the system of formation of public consciousness (media, Internet resources, social institutions, educational institutions).

Each object assumes a special system of measures to protect against threats to information security and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the facility.

Categories and storage media

The Russian legal system, law enforcement practice and established social relations classify information according to the criteria of accessibility. This allows you to clarify the essential parameters required to ensure information security:

  • information, access to which is limited on the basis of legal requirements (state secrets, commercial secrets, personal data);
  • information in the public domain;
  • publicly available information that is provided under certain conditions: paid information or data for which you need to issue an admission, for example, a library card;
  • dangerous, harmful, false and other types of information, the circulation and distribution of which is limited either by the requirements of laws or corporate standards.

Information from the first group has two arming modes. State secret, according to the law, this information is protected by the state, the free distribution of which can harm the security of the country. These are data in the field of military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. The bodies authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service, and the Federal Service for Technical and Export Control (FSTEC).

Confidential information - a more versatile subject of regulation. The list of information that may constitute confidential information is contained in Presidential Decree No. 188 "On Approving the List of Confidential Information". This is personal data; secrecy of investigation and legal proceedings; official secret; professional secret (medical, notarial, lawyer's); trade secret; information about inventions and utility models; information contained in the personal files of convicts, as well as information on the compulsory execution of judicial acts.

Personal data exists in an open and confidential mode. Part of personal data open and accessible to all users includes name, surname, patronymic. According to FZ-152 "On Personal Data", personal data subjects have the right to:

  • informational self-determination;
  • to access personal personal data and make changes to them;
  • to block personal data and access to them;
  • to appeal against illegal actions of third parties committed in relation to personal data;
  • for compensation for damage caused.

The right to this is enshrined in the regulations on state bodies, federal laws, licenses for working with personal data issued by Roskomnadzor or FSTEC. Companies that professionally work with personal data of a wide range of people, for example, telecom operators, must enter the register, which is maintained by Roskomnadzor.

A separate object in the theory and practice of information security are information carriers, access to which is open and closed. When developing an information security concept, protection methods are selected depending on the type of media. Main storage media:

  • print and electronic media, social networks, other resources on the Internet;
  • employees of the organization who have access to information on the basis of their friendships, family, professional ties;
  • communication facilities that transmit or store information: telephones, automatic telephone exchanges, other telecommunication equipment;
  • documents of all types: personal, official, government;
  • software as an independent information object, especially if its version has been modified specifically for a specific company;
  • electronic storage media that process data in an automatic manner.

For the purpose of developing concepts of information security, information security means are usually divided into normative (informal) and technical (formal).

Informal means of protection are documents, rules, events, formal means are special technical means and software. Delineation helps to distribute areas of responsibility when creating information security systems: with general management of protection, administrative staff implements regulatory methods, and IT specialists, respectively, technical ones.

The basics of information security imply the delineation of powers not only in terms of using information, but also in terms of working with its protection. This delineation of powers also requires several levels of control.


Formal remedies

A wide range of technical means of information security includes:

Physical protective equipment. These are mechanical, electrical, electronic mechanisms that function independently of information systems and create barriers to access to them. Locks, including electronic ones, screens, blinds are designed to create obstacles for the contact of destabilizing factors with systems. The group is supplemented by security systems, for example, video cameras, video recorders, sensors that detect movement or excess of the degree of electromagnetic radiation in the area of \u200b\u200blocation of technical means of information retrieval, embedded devices.

Hardware protection. These are electrical, electronic, optical, laser and other devices that are embedded in information and telecommunication systems. Before introducing hardware into information systems, it is necessary to ensure compatibility.

Software are simple and systemic, complex programs designed to solve specific and complex problems related to information security. Examples of integrated solutions are: the former serve to prevent leakage, reformat information and redirect information flows, the latter provide protection against incidents in the field of information security. Software is demanding on the power of hardware devices, and additional reserves must be provided during installation.

can be tested for free for 30 days. Before installing the system, SearchInform engineers will conduct a technical audit at the customer's company.

TO specific means information security includes various cryptographic algorithms that encrypt information on the disk and redirected through external communication channels. Information transformation can be performed using software and hardware methods operating in corporate information systems.

All means that guarantee the security of information should be used in combination, after a preliminary assessment of the value of the information and comparing it with the cost of resources spent on security. Therefore, proposals for the use of funds should be formulated already at the stage of developing systems, and approval should be made at the level of management responsible for approving budgets.

In order to ensure security, it is necessary to monitor all modern developments, software and hardware protection tools, threats, and promptly make changes to our own protection systems against unauthorized access. Only adequate and prompt response to threats will help to achieve a high level of confidentiality in the company's work.

The first release was released in 2018. This unique program creates psychological profiles of employees and assigns them to risk groups. This approach to ensuring information security allows you to anticipate possible incidents and take action in advance.

Informal remedies

Informal remedies are grouped into normative, administrative, and moral-ethical. At the first level of protection are the regulatory means that regulate information security as a process in the organization's activities.

  • Regulatory means

In world practice, when developing regulatory tools, they are guided by IS protection standards, the main one is ISO / IEC 27000. The standard was created by two organizations:

  • ISO - International Commission for Standardization, which develops and approves most of the internationally recognized methodologies for certification of the quality of production and management processes;
  • IEC - International Energy Commission, which introduced into the standard its understanding of information security systems, means and methods of ensuring it

The current version of ISO / IEC 27000-2016 offers ready-made standards and proven methods necessary for the implementation of information security. According to the authors of the methods, the basis of information security lies in the consistency and consistent implementation of all stages from development to post-control.

To obtain a certificate that confirms compliance with information security standards, it is necessary to implement all recommended techniques in full. If there is no need to obtain a certificate, any of the more early versions standard, starting with ISO / IEC 27000-2002, or Russian GOSTs, which are advisory in nature.

Based on the results of studying the standard, two documents are being developed that relate to information security. The main, but less formal, is the concept of an enterprise's information security, which defines the measures and methods of introducing an information security system for information systems of an organization. The second document that all employees of the company must comply with is the information security regulation approved at the level of the board of directors or the executive body.

In addition to the position at the company level, lists of information constituting a trade secret, annexes to employment contracts, securing responsibility for the disclosure of confidential data, other standards and methods should be developed. Internal rules and regulations should contain implementation mechanisms and measures of responsibility. Most often, the measures are disciplinary in nature, and the violator must be prepared for the fact that the violation of the trade secret regime will be followed by significant sanctions, up to and including dismissal.

  • Organizational and administrative measures

As part of the administrative activities for the protection of information security, there is scope for creativity for security personnel. These are architectural and planning solutions that allow to protect meeting rooms and management offices from eavesdropping, and the establishment of various levels of access to information. Important organizational measures will be certification of the company's activities in accordance with ISO / IEC 27000 standards, certification of individual hardware and software systems, certification of subjects and objects for compliance with the necessary security requirements, and obtaining licenses necessary to work with protected arrays of information.

From the point of view of regulating the activities of personnel, it will be important to formulate a system of requests for access to the Internet, external e-mail, and other resources. A separate element will be obtaining an electronic digital signature to enhance the security of financial and other information that is transmitted to government agencies via e-mail channels.

  • Moral and ethical measures

Moral and ethical measures determine a person's personal attitude to confidential information or information limited in circulation. Increasing the level of knowledge of employees regarding the impact of threats on the company's activities affects the degree of consciousness and responsibility of employees. To combat violations of the information regime, including, for example, the transfer of passwords, careless handling of media, the dissemination of confidential data in private conversations, it is required to focus on the personal conscientiousness of the employee. It will be useful to establish performance indicators of personnel, which will depend on the attitude towards the corporate information security system.

The definition of information as information of various kinds, presented in any form and being objects of various processes, corresponds to the following interpretation of the concept of "information protection" in the law "On information, information technology and information protection".

Information protection is the adoption of legal, organizational and technical measures aimed at:

  • 1) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
  • 2) observance of confidentiality of information of limited access,
  • 3) the exercise of the right to access information.

In accordance with the guidelines of the FSTEC of Russia information security - this is the state of protection of information processed by computer technology or an automated system from internal and external threats.

In accordance with GOST R 50922-96 protection of information - activities to prevent leakage of protected information, unauthorized and unintended impacts on protected information.

It reflects the countering of two types of threats - unauthorized receipt (leakage) of protected information and impact on protected information.

Thus, the protection of information is understood as a set of measures and actions aimed at ensuring its security in the process of collection, transmission, processing and storage.

In a narrow sense, the above definition of the concept of "information security" is primarily identical to the concept of "information security" (Fig. 1.5). Note that information security is the state of its protection from the destabilizing effects of the external environment (man and nature) and internal threats to the system or network in which it is located or may be located, i.e. confidentiality, integrity and availability of information.

We emphasize once again that confidentiality of information - it is a status (requirement) determined by its owner and determining the required degree of its protection. Essentially, confidentiality of information is a requirement for information to be known only by admitted and verified (authorized)

Figure: 1.5.

system subjects (users, processes, programs). For the rest of the subjects of the system, this information should be unknown.

Integrity of information - it is the ability of information (requirement for information) to keep the semantic content unchanged (in relation to the original data), i.e. its resistance to accidental or deliberate distortion or destruction.

Availability of information - it is the ability (requirement) of an object - an information system (network) - to ensure timely unimpeded access of authorized subjects (users, subscribers) to information of interest to them or to carry out timely information exchange between them.

Subject - it is an active component of the system that can cause the formation of a flow of information from an object to a subject or a change in the state of the system. An object - a passive component of the system that processes, stores, receives or transmits information. Access to an object means access to the information it contains.

We emphasize that access to the information - the ability to obtain and use information, i.e. the possibility of its reception, familiarization with information, processing, in particular, copying, modification or destruction of information.

Distinguish between authorized and unauthorized access to information. Authorized access to information - it is access to information that does not violate the established rules of access control. Access control rules are used to regulate the access rights of access subjects to access objects.

Unauthorized access to information characterized by a violation of the established rules of access control.

A user, a program or a process carrying out unauthorized access to information is violating the access control rules (one of the elements of the security policy). Unauthorized access is the most common type of computer and network breach.

Note that in the interpretation of the concept of "information security" given here (as ensuring the security of information - confidentiality, integrity and availability of information), the concept of "information security" corresponds. In accordance with GOST R ISO / IEC 17799-2005 information Security - a protection mechanism that ensures confidentiality (access to information of only authorized users), integrity (reliability and completeness of information and methods of its processing) and availability (access to information and related assets of authorized users as needed). In the standard of JSC Russian Railways (STO RZD 1.18.002-2009) "Information Security Management. General Provisions "Information security is also defined as the state of information security, which ensures its characteristics such as confidentiality, integrity and availability.

Implementation of activities to ensure information security Russian Federation entrusted to the state, which in accordance with the law is the main subject of security. Note that the state is an organization of political power, covering a certain territory and serving simultaneously as a means of ensuring the interests of the whole society and as a special mechanism of control and suppression.

In the Doctrine of Information Security of the Russian Federation (2000), the information security of the Russian Federation is understood as the state of protection of its national interests in the information sphere, which are determined by a set of balanced interests of the individual, society and the state.

There are four main components of the national interests of the Russian Federation in the information sphere:

  • 1) observance of constitutional human and civil rights and freedoms in the field of obtaining information and using it, ensuring the spiritual renewal of Russia, preserving and strengthening the moral values \u200b\u200bof society, the traditions of patriotism and humanism, the cultural and scientific potential of the country;
  • 2) information support of the state policy of the Russian Federation, associated, inter alia, with ensuring citizens' access to open state information resources;
  • 3) development of modern information technologies, the domestic information industry, meeting the needs of the domestic market with its products and the entry of these products into the world market; ensuring the accumulation, preservation and effective use domestic information resources;
  • 4) protection of national information resources from unauthorized access, ensuring the security of information and telecommunication systems.

Thus, the purpose of ensuring the information security of the Russian Federation is, first of all, to protect the vital balanced interests of subjects of information relations in the information sphere - citizens, communities of people, enterprises, organizations, corporations, the state.

With all the variety of types of organizations, directions and scale of their activities, the number of participants, their essential assets are information, supporting its processes, information systems and network infrastructure, i.e. information assets. The confidentiality, integrity and availability of information can significantly contribute to the competitiveness, liquidity, profitability, legal compliance and business reputation of an organization.

The content of their information security lies in the security of targeted activities related to information and information infrastructure, information services provided, and other information assets of the organization. These include information systems and resources, intellectual property objects, property rights to these objects, personal non-property rights of members of an organization, the right to maintain the established regime of access to information constituting a secret protected by law, for example, commercial secrets and personal data. These components of the organization as an object of information security are protected from external and internal threats.

Under information security of an organization, corporation, enterprise we will understand the state of protection of information assets (resources) - information and information infrastructure, other information assets, which provides an acceptable risk of damage in the face of external and internal, random and deliberate threats.

The main goal of ensuring information security of organizations is to minimize or achieve an acceptable risk or economic damage in case of violation of information security - compromise of its confidentiality, violation of integrity and availability.

When developing requirements for the security of the organization as a whole and the security of its "information dimension" - information security, analysis and assessment of security, management of information security of the organization, as a rule, the methodology of acceptable (or unacceptable) risk of the organization's activities is used (Fig. 1.6). The magnitude of the risk is determined by the expected danger of the occurrence of unfavorable


Figure: 1.6.

safety of the consequences caused by the manifestation of threats to the organization's activities (the likelihood of the threat being realized and the value of the resource).

The main tasks of ensuring information security of an organization, corporation, enterprise include:

  • - identification of the most important, as well as weak and informationally vulnerable objects;
  • - assessment and forecasting of sources of threats to information security and methods of their implementation;
  • - development of a corporate information security policy, a set of measures and mechanisms for its implementation;
  • - development of a regulatory framework for ensuring information security of the corporation, coordinating the activities of management bodies to ensure information security;
  • - development of measures to ensure information security in the event of a threat or emergencies;
  • - development of a hierarchical system for ensuring information security, improving its organization, forms, methods and means of preventing, countering and neutralizing threats to information security;
  • - ensuring the safe integration of a corporate system or network into global information networks and systems.

The broad interpretation of the concept of "information protection" provides for a set of measures to ensure the security of information presented in any material form, the security of the functioning of information systems and telecommunication networks and the use of information technologies. And in this sense, it coincides with the emerging concept of “information security” of information or telecommunication systems (currently not defined by legislative acts).

The given modern interpretation of information security (in a broad sense - as ensuring the security of information and information infrastructure - information systems and technologies) does not have a sufficiently clear border with the process of ensuring information security.

At the same time, the content of the processes of ensuring information security and information protection (and, accordingly, the concepts of information security and information security) differ in the level of hierarchy and complexity of the organization of protected objects, and the nature of the threats. Provision of information security of objects implies "information protection" and "information protection", ensuring the security (security) of information and information infrastructure from the manifestation of threats. Both concepts imply the use of a set of measures and means of protection - legal, organizational and technological (technical) with an emphasis on one or another group of them.

Let's accept the following interpretation of the concepts of "information security" and "information security".

First, note that the concept safety is defined as "a condition in which there is no danger, there is protection from danger", and in the general case as the impossibility of causing harm to someone or something due to the manifestation of threats, i.e. them security (state of security) from threats. Concept security we will consider it in two ways - as an activity and a means of activity - and also include the subjects of support.

In accordance with the work in the structure of the concept of "information security" we will single out the object of information security, threats to this object and ensuring its information security from the manifestation of threats (Fig. 1.7).

In the context of the global problem of safe development, individuals, society (communities of people, organizations, including corporations, enterprises, etc.) and the state are considered as the main objects of information security.

In the most general form for these objects, information security can be defined as the impossibility of harming the properties of a security object or the properties of its structural components, conditioned by information and information infrastructure, i.e. as security (state of security) of their "information dimension".

On the basis of the above, it is possible to determine the content of information security of a person, society and the state as the security of their "information dimension".

Information security of a person consists in the impossibility of harming him as a person, whose social activity is largely based on the understanding of the information received.


Figure: 1.7.

communication, information interactions with other individuals and which often uses information as a subject of activity.

Information security of a society lies in the impossibility of harming its spiritual sphere, cultural values, social regulators of human behavior, information infrastructure and messages transmitted with its help.

Information security of the state lies in the impossibility of causing harm to its activities in performing the functions of managing public affairs related to the use of information and information infrastructure of society. Sometimes, accepting the importance of the information security component associated with the impact on the psyche and consciousness of a person and public consciousness, information and psychological security is singled out in it.

Information security characterized by activities to prevent harm to the properties of the security object caused by information and information infrastructure, as well as the means and subjects of this activity.

Thus, ensuring information security is seen primarily as a solution to the global problem of safe development of world civilization, states, communities of people, an individual, the existence of nature. At the same time, the concept of "information security" characterizes the state of protection of a person, society, state, nature under conditions of the possible action of two types of generalized threats: compromise (disclosure) of secrets belonging to them, as well as the negative (accidental or deliberate) impact of information on their information subsystems (consciousness and the psyche of an individual, mass consciousness, the information sphere (environment), society and the state, information-sensitive elements of natural objects).

Under information security a person, society, state we will understand the state of protection of their "information dimension" (vital interests of a person, society, state in the information sphere; information assets of an organization, corporation, enterprise; information and information infrastructure itself) from the manifestation of external and internal, accidental and deliberate threats.

Specific wording will be given in the next paragraph.

In recent years, the concept of "information security" has spread (but is not enshrined in legislation) to such information security objects as information and automated systems, corporate and telecommunications networks. Let's take for them the following interpretation of the concept of "information security".

Information security of a corporate information system or network represents a state of security of information located or circulating in it and its information infrastructure, which ensures the stable functioning of a system or network under conditions of destabilizing factors (threats).

Confidential information is of great interest to competing firms. It is she who becomes the cause of encroachments by intruders.

Many problems are associated with underestimating the importance of the threat, as a result of which it can turn into collapse and bankruptcy for the enterprise. Even a single case of employee negligence can cause a company multi-million dollar losses and loss of customer confidence.

Data on the composition, status and activities of the company are exposed to threats. The sources of such threats are its competitors, corrupt officials and criminals. Of particular value to them is familiarization with the protected information, as well as its modification in order to cause financial damage.

Information leakage can lead to such an outcome even by 20%. Sometimes the loss of company secrets can happen by accident, due to inexperience of staff or due to lack of security systems.

For information that is the property of the enterprise, there may be threats of the following types.

Threats to the confidentiality of information and programs. May occur after illegal access to data, communication channels or programs. Data containing or sent from a computer can be intercepted through leakage channels.

For this, special equipment is used that analyzes the electromagnetic radiation received while working on a computer.

Risk of damage. Unlawful actions of hackers can result in distorted routing or loss of transmitted information.

Accessibility threat. Such situations prevent the legitimate user from using the services and resources. This happens after they are captured, received data on them, or the lines are blocked by intruders. Such an incident may distort the accuracy and timeliness of the information transmitted.

There are three important conditions that will allow a Russian citizen: an ideal business plan, a well-thought-out accounting and personnel policy, and the availability of free funds.

Preparation of documents for opening an LLC requires a certain amount of time. It takes about 1-2 days to open a bank account. Read about what documents you need to open an LLC here.

The risk of refusal to execute transactions. Refusal of the user from the information transmitted by him in order to avoid liability.

Internal threats. Such threats pose a great danger to the enterprise. They come from inexperienced managers, incompetent or unskilled personnel.

Sometimes employees of an enterprise can provoke a deliberately internal leak of information, thereby showing their dissatisfaction with their salary, work or colleagues. They can easily present all the valuable information of the enterprise to its competitors, try to destroy it, or deliberately introduce a virus into computers.

Ensuring information security of the enterprise

The most important accounting processes are automated by the corresponding class of systems, the security of which is achieved by a whole range of technical and organizational measures.

They include an antivirus system, firewall and electromagnetic radiation protection. The systems protect information on electronic media, data transmitted through communication channels, delimit access to diverse documents, create backup copies and restore confidential information after damage.

Full information security at the enterprise must be and be under full control all year round, in real time around the clock. At the same time, the system takes into account the entire life cycle of information, starting from the moment it appears and until its complete destruction or loss of significance for the enterprise.

For the safety and prevention of data loss in the information security industry, security systems are being developed. Their work is based on sophisticated software packages with a wide range of options to prevent any data loss.

The specificity of programs is that for their correct functioning, a legible and debugged model of the internal circulation of data and documents is required. Security analysis of all steps when using information is based on working with databases.

Information security can be ensured through online tools, as well as products and solutions offered on all kinds of Internet resources.

The developers of some of these services managed to competently create an information security system that protects against external and internal threats, while ensuring the perfect balance of price and functionality. The offered flexible modular complexes combine the work of hardware and software.

Kinds

The logic of the functioning of information security systems involves the following actions.

Predicting and quickly recognizing data security threats, motives and conditions that contributed to damage to the enterprise and caused disruptions in its work and development.

Creation of such working conditions in which the level of danger and the likelihood of damage to the enterprise are minimized.

Compensation for damage and minimization of the impact of identified damage attempts.

Information protection means can be:

  • technical;
  • software;
  • cryptographic;
  • organizational;
  • legislative.

Organization of information security at the enterprise

All entrepreneurs always strive to ensure accessibility and confidentiality of information. To develop a suitable information protection, the nature of possible threats, as well as the forms and methods of their occurrence, are taken into account.

Organization of information security in an enterprise is carried out in such a way that a hacker can face multiple levels of protection. As a result, the attacker is unable to penetrate the protected area.

Most effective way information protection includes a cryptographically strong encryption algorithm for data transmission. The system encrypts the information itself, and not just access to it, which is also relevant for.

The structure of access to information should be multilevel, and therefore only select employees are allowed to access it. Right full access only trustworthy persons should have access to the entire volume of information.

The list of information concerning confidential information is approved by the head of the enterprise. Any violations in this area should be punished with certain sanctions.

Protection models are provided for by the relevant GOSTs and are standardized by a number of complex measures. Currently developed special utilitiesmonitoring the network status and any information security alerts around the clock.

It should be borne in mind that inexpensive wireless networks cannot provide the required level of protection.

To avoid accidental loss of data due to inexperience of employees, administrators should conduct training sessions. This allows the enterprise to monitor the readiness of employees to work and gives managers confidence that all employees are able to comply with information security measures.

The atmosphere of a market economy and a high level of competition make company leaders always be on the alert and quickly respond to any difficulties. Over the past 20 years, information technology has been able to enter all areas of development, management and business.

From the real world, business has long turned into a virtual one, it is enough to remember how it became popular, which has its own laws. Currently, virtual threats to the information security of an enterprise can inflict enormous real harm on it. By underestimating the problem, executives risk their business, reputation, and authority.

Most businesses regularly suffer losses due to data breaches. The protection of enterprise information should be a priority in the course of business formation and conduct. Ensuring information security is the key to success, profit and achievement of enterprise goals.

Firmware for protection against unauthorized access includes measures for identification, authentication and control of access to the information system.

Identification is the assignment of unique identifiers to access subjects.

This includes RFID tags, biometric technologies, magnetic cards, universal magnetic keys, login logins, etc.

Authentication - checking that the access subject belongs to the presented identifier and confirming its authenticity.

Authentication procedures include passwords, pin codes, smart cards, usb keys, digital signatures, session keys, etc. The procedural part of the identification and authentication means is interconnected and, in fact, represents basic framework of all software and hardware means of ensuring information security, since all other services are designed to serve specific subjects, correctly recognized by the information system. In general, identification allows the subject to identify himself for the information system, and with the help of authentication information system confirms that the subject is indeed who he claims to be. Based on the passage of this operation, an operation is performed to provide access to the information system. Access control procedures allow authorized entities to perform actions permitted by the regulations, and the information system to control these actions for the correctness and correctness of the result. Access control allows the system to hide from users data to which they do not have access.

The next means of software and hardware protection is information logging and auditing.

Logging includes the collection, accumulation and storage of information about events, actions, results that took place during the operation of the information system, individual users, processes and all software and hardware that are part of the enterprise information system.

Since each component of the information system has a predetermined set of possible events in accordance with the programmed classifiers, events, actions and results are divided into:

  • external, caused by the actions of other components,
  • internal, caused by the actions of the component itself,
  • client-side caused by the actions of users and administrators.
Information audit consists in carrying out operational analysis in real time or in a given period.

Based on the analysis results, either a report on the events that have taken place is generated, or an automatic response to an emergency situation is initiated.

The implementation of logging and auditing solves the following tasks:

  • keeping users and administrators accountable;
  • providing the ability to reconstruct the sequence of events;
  • detection of attempts to breach information security;
  • providing information to identify and analyze problems.

Information protection is often impossible without the use of cryptographic means. They are used to ensure the operation of encryption, integrity control and authentication services, when the means of authentication are stored by the user in encrypted form. There are two main encryption methods: symmetric and asymmetric.

Integrity control allows you to establish the authenticity and identity of an object, which is an array of data, individual pieces of data, a data source, as well as to ensure that it is impossible to mark an action performed in the system with an array of information. Integrity control implementation is based on data transformation technologies using encryption and digital certificates.

Another important aspect is the use of shielding, a technology that allows, by delimiting the access of subjects to information resources, to control all information flows between the information system of the enterprise and external objects, data arrays, subjects and counter-subjects. Stream control consists in filtering them and, if necessary, converting the transmitted information.

The task of shielding is to protect internal information from potentially hostile external factors and subjects. The main form of implementation of shielding are firewalls or firewalls of various types and architectures.

Since one of the signs of information security is the availability of information resources, ensuring a high level of availability is an important direction in the implementation of software and hardware measures. In particular, two areas are divided: ensuring fault tolerance, i.e. neutralizing system failures, the ability to operate when errors occur, and ensuring safe and fast recovery from failures, i.e. system maintainability.

The main requirement for information systems is that they always work with a given efficiency, minimum time of unavailability and speed of response.

In accordance with this, the availability of information resources is ensured by:

  • the use of a structural architecture, which means that individual modules can be disabled or quickly replaced, if necessary, without affecting other elements of the information system;
  • ensuring fault tolerance due to: the use of autonomous elements of the supporting infrastructure, the introduction of excess capacity in the configuration of software and hardware, hardware redundancy, replication of information resources within the system, data backup, etc.
  • ensuring serviceability by reducing the timing of diagnosing and eliminating failures and their consequences.

Another type of information security means are secure communication channels.

The functioning of information systems is inevitably associated with the transfer of data, therefore, enterprises must also ensure the protection of the transferred information resources using secure communication channels. The possibility of unauthorized access to data when transmitting traffic through open communication channels is due to their public availability. Since "communications along their entire length cannot be physically protected, it is therefore better to initially proceed from the assumption of their vulnerability and, accordingly, provide protection." For this, tunneling technologies are used, the essence of which is to encapsulate data, i.e. pack or wrap the transmitted data packets, including all service attributes, in their own envelopes. Accordingly, a tunnel is a secure connection through open communication channels over which cryptographically protected data packets are transmitted. Tunneling is used to ensure the confidentiality of traffic by hiding service information and ensuring the confidentiality and integrity of the transmitted data when used in conjunction with cryptographic elements of the information system. The combination of tunneling and encryption allows for a virtual private network. At the same time, the endpoints of tunnels that implement virtual private networks are firewalls that serve the connection of organizations to external networks.

Firewalls as Points of Implementation of a VPN Service

Thus, tunneling and encryption are additional transformations performed in the process of filtering network traffic along with address translation. Tunnel ends, in addition to corporate firewalls, can be personal and mobile computers employees, more precisely, their personal firewalls and firewalls. This approach ensures the functioning of secure communication channels.

Information security procedures

Information security procedures are usually differentiated at the administrative and organizational levels.

  • Administrative procedures include general actions taken by the organization's management to regulate all work, actions, operations in the field of ensuring and maintaining information security, implemented by allocating the necessary resources and monitoring the effectiveness of measures taken.
  • The organizational level represents procedures for ensuring information security, including personnel management, physical protection, maintaining the operability of the hardware and software infrastructure, promptly eliminating security breaches and planning recovery work.

On the other hand, the distinction between administrative and organizational procedures is meaningless, since the procedures of one level cannot exist separately from another, thereby violating the relationship of protection physical layer, personal and organizational protection in the concept of information security. In practice, while ensuring information security of an organization, administrative or organizational procedures are not neglected, therefore it is more logical to consider them as an integrated approach, since both levels affect the physical, organizational and personal levels of information protection.

The basis for complex procedures for ensuring information security is the security policy.

Information security policy

Information security policy in an organization, it is a set of documented decisions made by the organization's management and aimed at protecting information and associated resources.

In organizational and managerial terms, the information security policy can be a single document or drawn up in the form of several independent documents or orders, but in any case, it should cover the following aspects of protecting the organization's information system:

  • protection of information system objects, information resources and direct operations with them;
  • protection of all operations related to information processing in the system, including processing software;
  • protection of communication channels, including wired, radio, infrared, hardware, etc .;
  • protection of the hardware complex from collateral electromagnetic radiation;
  • security management, including maintenance, upgrades, and administrative actions.

Each of the aspects should be described in detail and documented in the internal documents of the organization. Internal documents cover three levels of the security process: upper, middle and lower.

The high-level information security policy documents reflect the organization's main approach to protecting its own information and compliance with national and / or international standards. In practice, the organization has only one top-level document entitled "Information Security Concept", "Information Security Regulations", etc. Formally, these documents are not of confidential value, their distribution is not limited, but they can be released in the editorial office for internal use and open publication.

Middle-level documents are strictly confidential and relate to specific aspects of the organization's information security: information security tools used, database security, communications, cryptographic tools and other information and economic processes of the organization. Documentation is implemented in the form of internal technical and organizational standards.

The lower-level documents are divided into two types: work regulations and operating instructions. The work regulations are strictly confidential and are intended only for persons on duty, carrying out work on the administration of individual information security services. Operating instructions can be either confidential or public; they are intended for the organization's personnel and describe the procedure for working with individual elements of the organization's information system.

World experience shows that information security policy is always documented only in large companies that have a developed information system that impose increased requirements for information security, medium-sized enterprises most often have only a partially documented information security policy, small organizations in the overwhelming majority do not care about documenting security policy. Regardless of whether the documenting format is holistic or distributed, security is the basic aspect.

There are two different approaches that form the basis information security policy:

  1. "Anything that is not prohibited is permitted."
  2. "Anything that is not permitted is prohibited."

The fundamental defect of the first approach is that in practice it is impossible to foresee all dangerous cases and to prohibit them. There is no doubt that only the second approach should be used.

Organizational level of information security

From the point of view of information protection, organizational procedures for ensuring information security are presented as "the regulation of production activities and the relationship of performers on a legal basis that excludes or significantly complicates the illegal acquisition of confidential information and the manifestation of internal and external threats."

Personnel management measures aimed at organizing work with personnel in order to ensure information security include segregation of duties and minimization of privileges. Segregation of duties prescribes a distribution of competencies and areas of responsibility in which one person is not able to disrupt a critical process for the organization. This reduces the likelihood of error and abuse. Privilege minimization prescribes granting users only the level of access that corresponds to the need to perform their official duties. This reduces damage from accidental or deliberate misconduct.

Physical protection means the development and adoption of measures for the direct protection of buildings in which information resources of an organization are located, adjacent territories, infrastructure elements, computers, data carriers and hardware communication channels. This includes physical access control, fire prevention, supporting infrastructure protection, data eavesdropping protection, and mobile systems protection.

Maintaining the operability of the software and hardware infrastructure consists in preventing stochastic errors that threaten to damage the hardware complex, malfunction of programs and loss of data. The main directions in this aspect are to provide user and software support, configuration management, backup, media management, documentation and preventive work.

Prompt elimination of security violations has three main goals:

  1. Localization of the incident and reduction of the damage caused;
  2. Identification of the offender;
  3. Prevention of repeated violations.

Finally, planning for recovery works allows you to prepare for accidents, reduce damage from them and maintain the ability to function at least to a minimum.

The use of software and hardware and secure communication channels should be implemented in the organization on the basis of an integrated approach to the development and approval of all administrative and organizational regulatory procedures for ensuring information security. Otherwise, the adoption of individual measures does not guarantee the protection of information, and often, on the contrary, provokes leaks of confidential information, loss of critical data, damage to the hardware infrastructure and disruption of the software components of the organization's information system.

Information security methods

Modern enterprises are characterized by a distributed information system, which allows taking into account the company's distributed offices and warehouses, financial accounting and management control, information from the client base, taking into account a sample by indicators, and so on. Thus, the data set is very significant, and in the overwhelming majority it is information that is of priority importance for the company in commercial and economic terms. In fact, ensuring the confidentiality of data of commercial value is one of the main tasks of ensuring information security in a company.

Ensuring information security at the enterprise should be regulated by the following documents:

  1. Information security regulations. It includes the formulation of goals and objectives for ensuring information security, a list of internal regulations on information protection means and a regulation on the administration of the company's distributed information system. Access to the regulations is limited to the management of the organization and the head of the automation department.
  2. Regulations for technical support of information protection. The documents are confidential, access is limited to employees of the automation department and senior management.
  3. Regulations for the administration of a distributed information security system. Access to the regulations is limited to the employees of the automation department responsible for the administration of the information system, and to higher management.

At the same time, these documents should not be limited, but also the lower levels should be worked out. Otherwise, if the enterprise does not have other documents related to information security, then this will indicate an insufficient degree of administrative support for the protection of information, since there are no lower-level documents, in particular operating instructions individual elements information system.

Mandatory organizational procedures include:

  • basic measures to differentiate personnel by the level of access to information resources,
  • physical protection of company offices from direct penetration and threats of destruction, loss or interception of data,
  • maintaining the operability of the software and hardware infrastructure is organized in the form of automated backup, remote verification of storage media, user and software support is provided upon request.

This should also include regulated measures to respond to and eliminate cases of information security breaches.

In practice, it is often observed that enterprises do not pay enough attention to this issue. All actions in this direction are carried out exclusively in a working order, which increases the time to eliminate cases of violations and does not guarantee the prevention of repeated violations of information security. In addition, the practice of planning actions to eliminate the consequences of accidents, information leaks, data loss and critical situations is completely absent. All this significantly worsens the information security of the enterprise.

At the level of software and hardware, a three-level information security system should be implemented.

Minimum information security criteria:

1. Access control module:

  • a closed entrance to the information system is implemented, it is impossible to enter the system outside the verified workplaces;
  • access with limited functionality from mobile personal computers is implemented for employees;
  • authorization is carried out using logins and passwords generated by administrators.

2. Module for encryption and integrity control:

  • an asymmetric encryption method for transmitted data is used;
  • arrays of critical data are stored in databases in an encrypted form, which does not allow access to them even if the company's information system is hacked;
  • integrity control is ensured by simple digitally signed all information resources stored, processed or transmitted within the information system.

3. Shielding module:

  • implemented a filter system in firewallsallowing to control all information flows through communication channels;
  • external connections with global information resources and public communication channels can be carried out only through a limited set of verified workstations that have a limited connection to the corporate information system;
  • secure access from workplaces of employees to perform their official duties is implemented through a two-tier system of proxy servers.

Finally, with tunneling technologies, the enterprise must implement a virtual private network in accordance with the typical design model to provide secure communication channels between various departments of the company, partners and customers of the company.

Despite the fact that communications are directly carried out over networks with a potentially low level of trust, tunneling technologies, using cryptographic tools, can ensure reliable protection of all transmitted data.

conclusions

The main goal of all measures taken in the field of information security is to protect the interests of the enterprise, one way or another related to the information resources that it has. While businesses' interests are not limited to a specific area, they all center around the availability, integrity and confidentiality of information.

The problem of ensuring information security is explained by two main reasons.

  1. The information resources accumulated by the enterprise are valuable.
  2. Critical dependence on information technologies determines their widespread use.

Given the wide variety of existing threats to information security, such as destruction important information, unauthorized use of confidential data, interruptions in the work of the enterprise due to violations of the information system, it can be concluded that all this objectively leads to large material losses.

In ensuring information security, a significant role is played by software and hardware tools aimed at controlling computer entities, i.e. equipment, software elements, data, forming the last and highest priority line of information security. Data transmission must also be secure in the context of maintaining its confidentiality, integrity and availability. Therefore, in modern conditions, tunneling technologies are used in combination with cryptographic means to provide secure communication channels.

Literature

  1. Galatenko V.A. Information security standards. - M .: Internet University of Information Technologies, 2006.
  2. Partyka T.L., Popov I.I. Information Security. - M .: Forum, 2012.

Ensuring information security is a complex socio-social, legal, economic and scientific problem. Only complex solution its goals and objectives simultaneously in several planes will be able to exert its regulatory influence on ensuring the country's information security. The work carried out in this area should have not only a practical focus, but also a scientific basis.

The main goals of ensuring information security are determined on the basis of sustainable priorities of national and economic security that meet the long-term interests of social development, which include:

Preservation and strengthening of Russian statehood and political stability in society;

Preservation and development of democratic institutions of society, ensuring the rights and freedoms of citizens, strengthening the rule of law and law and order;

Ensuring a worthy place and role of the country in the world community;

Ensuring the territorial integrity of the country;

Ensuring progressive socio-economic development;

Preservation of national cultural values \u200b\u200band traditions.

In accordance with the indicated priorities, the main tasks of ensuring information security are:

Identification, assessment and forecasting of sources of threats to information security;

Development of a state policy for ensuring information security, a set of measures and mechanisms for its implementation;

Development of a regulatory framework for ensuring information security, coordinating the activities of state authorities and enterprises to ensure information security;

Development of an information security system, improving its organization, forms, methods and means of preventing, countering and neutralizing threats to information security and eliminating the consequences of its violation;

Ensuring active participation of the country in the processes of creating the use of global information networks and systems.

The most important principles of information security are:

1) the legality of measures to identify and prevent violations in the information sphere;

2) continuity of implementation and improvement of means and methods of control and protection of the information system;

3) economic feasibility, i.e. comparability of possible damage and costs of ensuring information security

4) the complexity of using the entire arsenal of available means of protection in all divisions of the company and at all stages of the information process.

The implementation of the information protection process includes several stages:

Determination of the object of protection: the right to protect the information resource, the cost estimate of the information resource and its main elements, the duration of the life cycle of the information resource, the trajectory of the information process by the functional divisions of the company;

Identification of sources of threats (competitors, criminals, employees, etc.), goals of threats (familiarization, modification, destruction, etc.), possible channels for the implementation of threats (disclosure, leakage, etc.);

Determination of the necessary protection measures;

Assessment of their effectiveness and economic feasibility;

Implementation of the measures taken, taking into account the selected criteria;

Bringing the measures taken to the personnel, monitoring their effectiveness and eliminating (preventing) the consequences of threats.

The implementation of the described stages, in fact, is a process of managing the information security of an object and is provided by a control system that includes, in addition to the controlled (protected) object itself, means of monitoring its state, a mechanism for comparing the current state with the required one, as well as a mechanism for controlling actions for localization and preventing damage from threats. In this case, it is advisable to consider the achievement of a minimum of information damage as the management criterion, and the purpose of management is to ensure the required state of the object in the sense of its information security.

Information security methods are divided into legal, organizational, technical and economic.

TO legal methods ensuring information security includes the development of regulatory legal acts regulating relations in the information sphere, and regulatory methodological documents on information security. The most important areas of this activity are:

Amendments and additions to the legislation governing relations in the field of information security, in order to create and improve the information security system, eliminate internal contradictions in federal legislation, contradictions related to international agreements, and also in order to concretize legal norms establishing responsibility for offenses in the field of information security;

Legislative delineation of powers in the field of ensuring the definition of goals, objectives and mechanisms for participation in this activity of public associations, organizations and citizens;

Development and adoption of regulatory legal acts establishing liability of legal entities and individuals for unauthorized access to information, its illegal copying, distortion and illegal use, deliberate dissemination of inaccurate information, illegal disclosure of confidential information, use of official information or information containing information for criminal and selfish purposes. commercial secrets;

Clarification of the status of foreign news agencies, mass media and journalists, as well as investors when attracting foreign investment for the development of domestic information infrastructure;

Legislative consolidation of the priority of the development of national communication networks and domestic production of space communication satellites;

Determination of the status of organizations providing services to global information and communication networks and legal regulation the activities of these organizations;

Creation of a legal basis for the formation of regional structures for ensuring information security.

Organizational and technical information security methods are:

Creation and improvement of the state information security system;

Strengthening the law enforcement activity of the authorities, including the prevention and suppression of offenses in the information sphere, as well as the identification, exposure and prosecution of persons who have committed crimes and other offenses in this area;

Development, use and improvement of information security tools and methods for monitoring the effectiveness of these tools, development of secure telecommunication systems, increasing the reliability of special software;

Creation of systems and means to prevent unauthorized access to processed information and special effects that cause destruction, destruction, distortion of information, as well as changing the normal modes of operation of systems and means of informatization and communication;

Identification of technical devices and programs that pose a threat to the normal functioning of information and communication systems, prevention of interception of information through technical channels, the use of cryptographic means of protecting information during its storage, processing and transmission through communication channels, control over the implementation of special requirements for information protection;

Certification of information security means, licensing of activities in the field of state secret protection, standardization of methods and means of information security;

Improvement of the certification system for telecommunications equipment and software automated systems information processing according to information security requirements;

Control over the actions of personnel in protected information systems, training in the field of ensuring information security of the state;

Formation of a system for monitoring indicators and characteristics of information security in the most important spheres of life and activities of society and the state.

Economic methods information security assurance include:

Development of programs for ensuring information security of the state and determination of the procedure for their financing;

Improvement of the system of financing of work related to the implementation of legal and organizational and technical methods of information protection, creation of a system for insurance of information risks of individuals and legal entities.

Along with the widespread use of standard methods and tools for the economy, the priority areas of information security are:

Development and adoption of legal provisions establishing liability of legal entities and individuals for unauthorized access and theft of information, deliberate dissemination of inaccurate information, disclosure of commercial secrets, leakage of confidential information;

Building a system of state statistical reporting that ensures the reliability, completeness, comparability and security of information by introducing strict legal responsibility for primary sources of information, organizing effective control over their activities and the activities of statistical information processing and analysis services, limiting its commercialization, using special organizational and software and hardware information protection means;

Creation and improvement special means protection of financial and commercial information;

Development of a set of organizational and technical measures to improve technology information activities and information protection in economic, financial, industrial and other economic structures, taking into account the information security requirements specific to the economy;

Improvement of the system of professional selection and training of personnel, systems of selection, processing, analysis and dissemination of economic information.

Public policy ensuring information security forms the directions of activities of public authorities and administration in the field of information security, including guarantees of the rights of all subjects to information, securing the duties and responsibilities of the state and its bodies for the information security of the country, and is based on maintaining a balance of interests of the individual, society and the state in information sphere.

The state policy for information security is based on the following basic provisions:

Restriction of access to information is an exception to general principle openness of information, and is carried out only on the basis of legislation;

Responsibility for the safety of information, its classification and declassification is personified;

Access to any information, as well as the imposed restrictions on access, are carried out taking into account the property rights to this information determined by law;

Formation by the state of a regulatory and legal framework governing the rights, obligations and responsibilities of all entities operating in the information sphere;

Legal and individualscollecting, accumulating and processing personal data and confidential information are liable before the law for their safety and use;

Providing the state with legal means to protect society from false, distorted and inaccurate information coming through the media;

Implementation of state control over the creation and use of information security means through their mandatory certification and licensing of activities in the field of information security;

Carrying out a protectionist policy of the state that supports the activities of domestic manufacturers of information technology and information protection and takes measures to protect the internal market from the penetration of low-quality information media and information products;

State support in providing citizens with access to world information resources, global information networks,

Formation by the state of a federal information security program, uniting the efforts of state organizations and commercial structures in creating a single information security system for the country;

The state makes efforts to counteract the information expansion of other countries, supports the internationalization of global information networks and systems.

On the basis of the stated principles and provisions, the general directions of the formation and implementation of information security policy in the political, economic and other spheres of state activity are determined.

State policy as a mechanism for harmonizing the interests of subjects of information relations and finding compromise solutions provides for the formation and organization of effective work various councils, committees and commissions with a wide representation of specialists and all interested structures. The mechanisms for the implementation of state policy should be flexible and timely reflect the changes taking place in the economic and political life of the country.

Legal support of information security of the state is a priority in the formation of mechanisms for the implementation of information security policy and includes:

1) rule-making activities to create legislation regulating relations in society related to ensuring information security;

2) executive and law enforcement activities for the implementation of legislation in the field of information, informatization and information protection by public authorities and management, organizations, citizens.

Normative activity in the field of information security provides:

Assessment of the state of the current legislation and development of a program for its improvement;

Creation of organizational and legal mechanisms for ensuring information security;

Formation of the legal status of all subjects in the information security system, users of information and telecommunication systems and determination of their responsibility for ensuring information security;

Development of an organizational and legal mechanism for collecting and analyzing statistical data on the impact of information security threats and their consequences, taking into account all types of information;

Development of legislative and other regulations governing the procedure for eliminating the consequences of the impact of threats, restoring violated rights and resources, and implementing compensatory measures.

Executive and enforcement activities provides for the development of procedures for the application of legislation and regulations to entities who have committed crimes and misconduct when working with confidential information and violated the rules of information interactions. All activities on the legal support of information security are based on three fundamental provisions of law: compliance with the rule of law, ensuring a balance of interests of individual subjects and the state, the inevitability of punishment.

Compliance with the law presupposes the existence of laws and other regulatory provisions, their application and execution by subjects of law in the field of information security.

12.3. STATE OF INFORMATION SECURITY IN RUSSIA

Assessment of the state of information security of the state involves the assessment of existing threats. Clause 2 of the "Doctrine of information security of the Russian Federation" 1 identifies the following threats to the information security of the Russian Federation:

Threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activities, individual, group and public consciousness, the spiritual revival of Russia;

Threats to information support of the state policy of the Russian Federation;

Threats to the development of the domestic information industry, including the industry of informatization, telecommunications and communications, meeting the needs of the domestic market for its products and the entry of these products to the world market, as well as ensuring the accumulation, safety and effective use of domestic information resources;

__________________________________________________________________

Threats to the security of information and telecommunication systems, both already deployed and created on the territory of Russia.

External sources of threats to Russia's information security include:

1) the activities of foreign political, economic, military, intelligence and information structuresdirected against the Russian Federation in the information sphere;

2) the desire of a number of countries to dominate and infringe on Russia's interests in the world information space, to oust it from the external and internal information markets;

3) aggravation of international competition for the possession of information technologies and resources;

4) the activities of international terrorist organizations;

5) increasing the technological gap between the world's leading powers and building up their capabilities to counter the creation of competitive Russian information technologies;

6) activities of space, air, sea and ground technical and other means (types) of intelligence of foreign states;

7) the development by a number of states of concepts of information wars, providing for the creation of means of dangerous impact on the information spheres of other countries of the world, disruption of the normal functioning of information and telecommunication systems, the safety of information resources, and obtaining unauthorized access to them.

Internal sources of threats to Russia's information security include:

1) the critical state of domestic industries;

2) an unfavorable criminal environment, accompanied by tendencies for the merging of state and criminal structures in the information sphere, for criminal structures to gain access to confidential information, increase the influence of organized crime on the life of society, reduce the degree of protection of the legitimate interests of citizens, society and the state in the information sphere;

3) insufficient coordination of the activities of federal bodies of state power, bodies of state power of the constituent entities of the Russian Federation on the formation and implementation of a unified state policy in the field of ensuring information security of the Russian Federation;

4) insufficient elaboration of the regulatory legal framework governing relations in the information sphere, as well as insufficient law enforcement practice;

5) underdevelopment of civil society institutions and insufficient control over the development of the information market in Russia;

6) insufficient economic power of the state;

7) a decrease in the effectiveness of the education and training system, an insufficient number of qualified personnel in the field of information security;

8) Russia's lag behind the leading countries in the world in terms of the level of informatization of federal government bodies, credit and finance, industry, agriculture, education, health care, services and everyday life of citizens.

In recent years, Russia has implemented a set of measures to improve the provision of its information security. Measures have been taken to ensure information security in federal government bodies, government bodies of the constituent entities of the Russian Federation, at enterprises, institutions and organizations, regardless of the form of ownership. Work has been launched to create a secure information and telecommunications system for special purposes in the interests of state authorities.

The state system for protecting information, the system for protecting state secrets and the certification system for information protection means contribute to the successful solution of issues of ensuring information security of the Russian Federation.

The structure of the state information protection system consists of:

State authorities and administrations of the Russian Federation and the constituent entities of the Russian Federation, solving the problems of ensuring information security within their competence;

State and interdepartmental commissions and councils specializing in information security issues;

State Technical Commission under the President of the Russian Federation;

Federal Security Service of the Russian Federation;

Ministry of Internal Affairs of the Russian Federation;

Ministry of Defense of the Russian Federation;

Federal Agency for Government Communications and Information under the President of the Russian Federation;

Russian Foreign Intelligence Service;

Structural and intersectoral divisions for the protection of information of public authorities;

Leading and leading research, scientific and technical, design and engineering organizations for the protection of information;

Educational institutions that train and retrain personnel to work in the information security system.

The State Technical Commission under the President of the Russian Federation, being the body government controlled, carries out a unified technical policy and coordinates work in the field of information protection, heads the state system for protecting information from technical intelligence, is responsible for ensuring the protection of information from its leakage through technical channels in Russia, monitors the effectiveness of the protection measures taken.

A special place in the information security system is occupied by state and public organizations that exercise control over the activities of state and non-state media.

To date, a legislative and regulatory framework has been formed in the field of information security in Russia, which includes:

1. Laws of the Russian Federation:

The Constitution of the Russian Federation;

"On banks and banking activities";

"On security";

"On Foreign Intelligence";

"On state secrets";

"About communication";

"On certification of products and services";

"On the Mass Media";

"On standardization";

"On information, information technology and information protection";

"On the Bodies of the Federal Security Service in the Russian Federation";

"On the obligatory copy of the documents";

“On participation in international information exchange”;

"O6 electronic digital signature", etc.

2. Normative legal acts of the President of the Russian Federation:

"Doctrine of information security of the Russian Federation";

"On the National Security Strategy of the Russian Federation until 2020";

"On some issues of the interdepartmental commission for the protection of state secrets";

"On the list of information classified as state secrets";

"On the foundations of state policy in the field of informatization";

"On approval of the list of confidential information", etc.

H. Regulatory legal acts of the Government of the Russian Federation:

"On certification of information security tools";

"On licensing the activities of enterprises, institutions and organizations to carry out work related to the use of information constituting a state secret, the creation of information security tools, as well as the implementation of measures and (or) the provision of services to protect state secrets";

“On the approval of the rules for classifying information constituting a state secret to various degrees of secrecy”;

"On licensing of certain types of activities", etc.

4. Guiding documents of the State Technical Commission of Russia:

“Concept of protection of computer equipment and automated systems from unauthorized access to information”;

“Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information ";

“Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection ";

"Protection of information. Special protective signs. Classification and general requirements»;

"Protection against unauthorized access to information. Part 1. Software means of information protection. Classification according to the level of control of the absence of non-declared opportunities ”.

5. Civil Code of the Russian Federation (part four).

6. The Criminal Code of the Russian Federation.

International cooperation in the field of ensuring information security is an integral part of the economic, political, military, cultural and other types of interaction between the countries of the world community. Such cooperation should help to improve the information security of all members of the world community, including Russia. The peculiarity of the international cooperation of the Russian Federation in the field of information security lies in the fact that it is carried out in the conditions of heightened international competition for the possession of technological and information resources, for dominance in the sales markets, increasing the technological gap between the leading powers of the world and increasing their capabilities for creating "information weapons" ... This could lead to a new stage in the development of the arms race in the information sphere.

International cooperation in the field of information security is based on the following regulatory framework:

Agreement with the Republic of Kazakhstan of January 13, 1995, with Moscow (Resolution of the Government of the Russian Federation of May 15, 1994 Nch 679);

Agreement with Ukraine of June 14, 1996, Kiev (Decree of the Government of the Russian Federation of June 7, 1996 Ns 655);

Agreement with the Republic of Belarus (Draft);

Issuance of certificates and licenses for international information exchange ( the federal law dated July 4, 1996 X 85-FZ).

The main areas of international cooperation that meet the interests of the Russian Federation are:

Prevention of unauthorized access to confidential information in international banking networks and channels of information support of world trade, to confidential information in international economic and political unions, blocs and organizations, to information in international law enforcement organizations fighting international organized crime and international terrorism;

Prohibition of the development, distribution and use of "information weapons";

Ensuring the security of international information exchange, including the safety of information during its transmission through national telecommunication networks and communication channels;

Coordination of the activities of law enforcement agencies of states participating in international cooperation in the prevention of computer crimes;

Participation in international conferences and exhibitions on the problem of information security.

In the course of cooperation, special attention should be paid to the problems of interaction with the CIS countries, taking into account the prospects for creating a single information space on the territory the former USSR, within which practically unified telecommunication systems and communication lines are used.

At the same time, an analysis of the state of information security in Russia shows that its level does not fully meet the needs of society and the state. The current conditions of the political and socio-economic development of the country exacerbate the contradictions between the needs of society to expand the free exchange of information and the need to preserve certain regulated restrictions on its distribution.

The rights of citizens to inviolability of private life, personal and family secrets, and secrecy of correspondence enshrined in the Constitution of the Russian Federation do not have sufficient legal, organizational and technical support. The protection of personal data collected by federal state authorities is poorly organized.

There is a lack of clarity in the conduct of state policy in the field of the formation of the Russian information space, the development of the mass media system, the organization of international information exchange and the integration of the Russian information space into the global information space, which creates conditions for ousting Russian news agencies and mass media from the domestic information market and deformation structures of international information exchange.

There is insufficient government support for the activities of Russian news agencies to promote their products to the international information market.

The situation with ensuring the safety of information constituting a state secret is deteriorating.

Serious damage has been inflicted on the personnel potential of scientific and production teams operating in the field of creating information technology, telecommunications and communications, as a result of the mass exodus of the most qualified specialists from these teams.

The lag of domestic information technologies forces the state authorities of the Russian Federation, when creating information systems, to follow the path of purchasing imported equipment and attracting foreign firms, which increases the likelihood of unauthorized access to processed information and increases Russia's dependence on foreign manufacturers of computer and telecommunications equipment, as well as software. provision.

In connection with the intensive introduction of foreign information technologies in the spheres of activity of the individual, society and the state, as well as with the widespread use of open information and telecommunication systems, the integration of domestic and international information systems, the threats of using “information weapons” against the information infrastructure of Russia have increased. Efforts to adequately and comprehensively counter these threats are being carried out with insufficient coordination and weak budgetary funding.

Control questions

1. What is the place of information security in the system of economic security of the state? Show by examples the importance of information security in ensuring the economic security of the state?

2. What is the reason for the increased importance of information security in the modern period?

3. Describe the main categories of information security: information, informatization, document, information process, information system, information resources, personal data, confidential information.

4. What are the interests of the individual, society and the state in the information sphere?

5. What are the types of information security threats?

6. Name the ways of impact of threats on information security objects.

7. Explain the concept of "information war".

8. List the external sources of threats to information security in Russia.

9. List the internal sources of threats to information security in Russia.

10. What regulations ensure information security on the territory of the Russian Federation?

11. What international normative acts in the field of information protection do you know?

12. What is the essence of the state policy for information security?

13. List the methods of ensuring information security.

14. Describe the structure of the state information protection system

15. Give an assessment of the state of information security in Russia.

Type

Related entries:

Folders and files. What is a folder? What are files and foldersFolders and files. What is a folder? What are files and folders Editing the context menuEditing the context menu What is an optical drive and floppy driveWhat is an optical drive and floppy drive Customizing the Windows7 ToolbarCustomizing the Windows7 Toolbar Beautiful icon for program folderBeautiful icon for program folder
New or popular