• Legal protection of confidential information. Means for protecting confidential information

    • commercial;
    • official;
    • personal, with the exception of state secrets (Articles 727, 771, 1032 of the Civil Code of the Russian Federation, Article 16 of the Customs Code of the Russian Federation, Decree of the President of the Russian Federation of March 6, 1997 No. 188 “On approval of the list of confidential information”).

    The legal features of confidential information are that it is documented, that access to it is restricted in accordance with the law, and that there is no free access to it on a legal basis.

    “A trade secret is a type of secret that includes information established and protected by its owner in any area of his commercial activity, access to which is limited in the interests of the owner of the information.” A trade secret is one of the main types of secrets, since the success of an enterprise producing products or services is determined by its ability to compete, and therefore by its ability to see how profits can be increased compared to competitors.

    Information constituting a trade secret can include any business information, except for the restrictions imposed by the Decree of the Government of the Russian Federation “On the list of information that cannot constitute a trade secret” dated December 5, 1991 No. 35.

    In Russia, legislation in the field of protecting rights to confidential commercial information is just beginning to take shape. What is new in regulating relations in this area is the adoption of the Federal Law of July 29, 2004 No. 98-FZ “On Trade Secrets.”

    The general impression that remains after reading the text of the Law can be defined as contradictory. On the one hand, a single regulatory act has emerged that defines in detail the regime and procedure for protecting information that constitutes a trade secret. On the other hand, the Law is far from flawless. When it was created, the legislator introduced norms that, in the opinion of researchers, make it difficult to protect trade secrets and restore violated rights.

    The law does not exclude the application of general rules on trade secrets provided for in Art. 139 of the Civil Code of the Russian Federation, and names the Civil Code of the Russian Federation and other federal laws as sources. Thus, the Law complements the existing regulatory framework and only partially replaces it.

    However, even the definition of a trade secret reveals terminological inconsistencies between the Law and the Civil Code of the Russian Federation. The Law defines the concept of a trade secret through a property of information: a trade secret is “confidentiality of information” (Clause 1, Article 3 of the Law) (from the English confidence, i.e. secrecy). The Civil Code of the Russian Federation considers a trade secret primarily as a type of information that has “commercial value due to its unknownness to third parties,” in respect of which measures are applied to protect its confidentiality (Article 139 of the Civil Code of the Russian Federation). Although the discrepancy between the concepts seems insignificant at first glance, the result is two different definitions that compete in their legal force.

    The Law distinguishes between the form in which valuable information exists and the content of the information itself. This includes “scientific, technical, technological, production, financial, economic or other information, including those that constitute trade secrets (know-how)” (Clause 2 of Article 3 of the Law).

    The list of types of information that may have commercial value is open.

    The law still gives the owner (possessor) of information the right to independently determine its value.

    The definition of a trade secret contained in the Law reflects the nature of the Law itself. The main emphasis in it is on procedures for the protection of commercial information. According to the Law, it is these procedures that make it possible to provide the necessary minimum conditions for the protection of a violated right in court, and that distinguish between legal and illegal access as an element of an offense.

    In this regard, it is difficult to understand the definition of the owner of information constituting a trade secret given in the Law. In accordance with paragraph 4 of Art. 3 of the Law, this is a person who possesses such information “legally”. Thus, when proving the fact of violation of the right, it will be necessary to establish the legality of its ownership. It is possible to document the rights to a trade secret if, for example, they are subject to state registration (patents, certificates). In this case, the interests of the owner are protected by patent and copyright law. If a trade secret consists of agreements recorded on audio media, or of unpatented ideas, it will be quite difficult to prove the primacy and legality of possession of such information.

    Obviously, it will be necessary to confirm the objective connection of the information with its owner. For example, information about the owner organization, its transactions, etc. must contain an indication of the owner organization and carry special confidentiality markings on the media, as provided for in clause 5, part 1, art. 10 of the Law.

    The Law refers to the transfer of information only on a tangible medium (clause 6 of Article 3 of the Law) and under the terms of a special agreement. In this respect, the Law narrows the volume of information protected under the secrecy regime compared with the definition given in the Civil Code of the Russian Federation, Art. 139 of which does not mention tangible media but deals with the protection of confidential information.

    Consequently, guided by the Law, cases of, for example, disclosure of information that is not recorded on tangible media are excluded from legal protection. In particular, this may be information about any decisions made by the organization to promote its product, and similar information.

    On the one hand, this approach simplifies the process of proof, on the other hand, it limits the possibilities of protecting the interests of the owner of the information.

    The law introduces for the first time a definition of the concept of “trade secret regime”. When considering the legal basis for protecting trade secrets, the trade secret regime should be given special attention. Failure to comply with it entails the loss of the opportunity to protect the violated right to a trade secret (Part 1 of Article 7 and Part 2 of Article 10 of the Law).

    The system of conditions that make up the trade secret regime is very voluminous and requires significant costs on the part of the owner or recipient of the trade secret.

    In particular, Part 1 of Art. 10 of the Law provides:

    • determination of the list of information constituting a trade secret;
    • restricting access to information constituting a trade secret by establishing a procedure for handling this information and monitoring compliance with such a procedure;
    • accounting of persons who received access to information constituting a trade secret and (or) persons to whom such information was provided or transferred;
    • regulation of relations regarding the use of information constituting a trade secret by employees on the basis of employment contracts and contractors on the basis of civil law contracts;
    • affixing on tangible media (documents) that contain information constituting a trade secret the stamp “Trade Secret” indicating the owner of this information (for legal entities: full name and location; for individual entrepreneurs: last name, first name, patronymic of the citizen who is an individual entrepreneur, and place of residence).

    The owner of a trade secret must establish a certain procedure for the circulation of confidential information, as well as provide additional staff positions to control such circulation. In addition, a large package of internal regulatory documentation must be brought into compliance or developed anew.

    At a minimum, the organization that owns the trade secret must:

    • develop provisions on trade secrets and on the document flow of all information carriers labeled “Trade Secret”;
    • issue an order within the organization regarding access to trade secrets;
    • provide in the employment contract additional conditions regarding the employee’s voluntary obligation to comply with the trade secret regime.

    Thus, on the one hand, the Law expanded the powers of state bodies to control the economic activities of organizations. On the other hand, the process of protecting the rights of information owners has become significantly more complicated.

    Information classed as proprietary information is not usually the subject of independent transactions, but its disclosure may cause property damage to the organization and damage to its business reputation.

    The need for systematic legal regulation of the institution of official secrets is caused by a number of reasons, including: the absence in the legislation of a unified approach to the corresponding category of restricted access information; numerous examples of illegal dissemination (sale) of information accumulated in government bodies and relating either to an individual or to the activities of business entities; restrictions on the provision of information to citizens, public organizations, and the media imposed at their own discretion by heads of government bodies and state (municipal) employees.

    The level of regulation of the procedure for handling official information of limited distribution, the institution of which can now be perceived as an analogue of official secrets of the socialist period, cannot be considered satisfactory for a number of reasons. The only regulatory act governing this group of legal relations is the “Regulation on the procedure for handling official information of limited distribution in federal executive authorities,” approved by Decree of the Government of the Russian Federation of November 3, 1994 No. 1233 (DSP). This Regulation applies only to the activities of federal executive authorities, although similar information is generated and received by any state authorities and local governments. Many important conditions that determine the procedure for classifying information as official information are not established in the Regulation and are left to the heads of federal executive authorities, which cannot be considered correct, since restrictions on access to information should be established only by federal law. Thus, the level of legal regulation is clearly insufficient; moreover, at the level of a decree of the Government of the Russian Federation, it is impossible to build a long-term and stable system for protecting information that has a long storage period, especially when it comes to establishing a number of civil law norms.

    Despite the almost complete absence of regulation in the field of classifying information as official secrets, protecting it and establishing sanctions for its unlawful dissemination, this category is present in a large number of federal laws (about 40), including: Federal Law “On the Fundamentals of the Civil Service of the Russian Federation”, Federal Law “On the Government of the Russian Federation”, Federal Law “On Service in the Customs Authorities of the Russian Federation”, Federal Law “On the Central Bank of the Russian Federation (Bank of Russia)”, Federal Law “On the Fundamentals of the Municipal Service of the Russian Federation”, Federal Law “On the Restructuring of Credit Institutions”, Federal Law “On the Securities Market”, etc. At the same time, the absence of a clearly defined legal institution of official secrets has led to a variety of legal approaches that have been enshrined in legislation. Thus, the Federal Law “On the Restructuring of Credit Institutions” mentions the official secrets of a credit organization (Article 41); under the Federal Law “On measures to protect the economic interests of the Russian Federation in foreign trade in goods”, “confidential information” circulates in executive authorities (Article 18); the Federal Law “On the Fundamentals of the Civil Service of the Russian Federation” and a number of other laws use the term “official information”; under the Federal Law “On the Customs Tariff”, information constituting a trade secret and confidential information circulates in the customs authority (Article 14). Federal Law No. 119-FZ of August 20, 2004 “On State Protection of Victims, Witnesses and Other Participants in Criminal Proceedings” provides, among a number of security measures in relation to the protected person, for ensuring the confidentiality of information about him.

    This information, by its content, constitutes an official secret, and the legislative consolidation of mechanisms for disposing of this information will help the implementation of this Federal Law. These examples indicate that neither the terminology nor the content of the institution of protecting proprietary information is clearly reflected in the legislation.

    The legislation addresses the issue of the structure of confidential information and the relationship between different types of secrets. In this regard, the inclusion of the category “official secret” in the provisions of Article 139 of the Civil Code of the Russian Federation, where the corresponding information is, on systemic grounds, practically merged with a commercial secret, is of particular concern, although, following sound legal logic, these systems of restrictions on access to information should by their nature be different. In the country's electronic markets and through the sending of unsolicited e-mail messages (so-called “spam”), CDs containing databases with information about individuals and organizations are distributed uncontrollably. Examples include the databases “Customs”, State Traffic Safety Inspectorate, BTI (Bureau of Technical Inventory), “Registration”, “Foreign Economic Activity”, Unified State Register of Enterprises, “Apartment Owners”, “Income of Individuals”, “Ministry of Internal Affairs File” (criminal records, etc.), OVIR (registered passports), “Ministry of Justice”, “Sirena” (transportation of private individuals by rail in Russia), a database on non-cash payments of enterprises with suppliers and consumers, and others. Obviously, such information cannot reach the market without the participation of government officials.

    Currently, legislators have prepared a draft law “On Official Secrets”, regulating the protection of such information.

    Personal data includes the last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession and income of an individual. Personal data must also include information related to entry into a job (service), its completion and dismissal; data about the spouse, children and other family members of the owner; data that make it possible to determine the place of residence, postal address, telephone and other individual means of communication of the civil servant, as well as of his or her spouse, children and other family members; data that make it possible to determine the location of real estate owned or used by a civil servant; information about income, property and obligations of a property nature; information about facts, events and circumstances of a citizen’s private life that allow his identity to be established; information that has become known to an employee of the civil status registration authority in connection with the state registration of a civil status act; language proficiency (native language, Russian language, another language or other languages); general education (primary general, basic general, secondary (complete) general) and professional education (primary vocational, secondary vocational, higher professional, postgraduate professional); living conditions (type of living quarters, time of construction of the house, size of the total and living space, number of living rooms, types of improvement of living quarters); and sources of livelihood (income from work or other occupation, pension, including a disability pension, scholarship, allowance, other type of government support, other source of livelihood). By defining personal data as an open list of information, regardless of the form in which it is presented, the legislator thereby retains the possibility of expanding it as the social status of its owner changes at a specific stage of his life path.

    Personal data belongs to the category of confidential information, which implies the absence of free access to it and the presence of an effective system for its protection. The inclusion of personal data in the category of confidential information is aimed at preventing unauthorized actions to destroy, modify, distort, copy, block information, and prevent other forms of illegal interference in the personal life of a citizen.

    The legal basis for building a personal data protection system is the provisions of the Constitution of the Russian Federation. Articles 22 and 23 contain rules proclaiming fundamental individual rights relating to private life. They enshrine the right to privacy, personal and family secrets. The collection, storage, use and dissemination of information about a person’s private life without his consent is prohibited.

    When forming the legislative basis for the processing of personal data, the legislator takes as a basis the norms of international law containing the basic principles of working with personal data in the process of their processing. Initially, these principles were enshrined in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS N 108 (January 28, 1981), which became the unifying principle for the relevant national legislation. The system for the protection of personal data was then developed in Directive 95/46/EC of the European Union and Parliament of October 24, 1995 on the protection of the rights of individuals with regard to the processing of personal data and the free movement of such data, and in Directive 97/66/EC of December 15, 1997 on the processing of personal data and privacy protection in the telecommunications sector. These documents contain a list of basic measures to protect personal data accumulated in automated databases from accidental or unauthorized destruction or accidental loss, as well as from unauthorized access, modification or distribution.

    The main federal law protecting the confidentiality of personal data is the Law “On Personal Data”, adopted on July 27, 2006.

    The Law defines the principles and conditions for the processing of personal data. By establishing a general prohibition on the processing of personal data without the consent of the subject of personal data, the Law provides for cases when such consent is not required.

    Relations regarding the processing of special categories of personal data (information about race, nationality, political views, religious or philosophical beliefs, state of health, intimate life) are separately regulated. Processing of these categories of information is not permitted without the prior consent of the subject of personal data, except in cases where personal data is publicly available and data processing is necessary to ensure the life and health of the person; processing is carried out in connection with the administration of justice, as well as other circumstances.

    The most important guarantee of the rights of the subject of personal data is the obligation of operators and third parties who have access to personal data to ensure their confidentiality (except in cases of depersonalization and publicly available personal data), as well as the right of the subject of personal data to protect their rights and legitimate interests, including for damages and (or) compensation for moral damage in court. Control and supervision over the processing of personal data is entrusted to the federal executive body exercising control and supervision functions in the field of information technology and communications, which is endowed with the corresponding rights and responsibilities. In particular, the authorized body has the right to inspect the information system for processing personal data, make demands for blocking, deleting unreliable or illegally obtained personal data, establish a permanent or temporary ban on the processing of personal data, and conduct investigations through administrative proceedings regarding violations of the law. The principles of cross-border data transfer are established, which must ensure adequate protection of the rights of personal data subjects.

    In addition to the above-mentioned acts, the legislator also includes other laws in the system of legislation in the field of personal data:

    The Labor Code of the Russian Federation, Chapter 14 of which sets out the fundamental requirements for the protection of employee personal data. Hiring an employee based on business qualities involves the use of certain methods of collecting information about the employee, so that they sufficiently fully identify a pre-established range of criteria necessary to occupy a particular position, i.e. the employer actually collects the employee’s personal data;

    Customs Code of the Russian Federation dated May 28, 2003 N 61-FZ, regulating the procedure for processing personal data of persons carrying out activities related to the movement of goods and vehicles across the customs border or carrying out activities in the field of customs affairs, for the purpose of customs control and collection of customs payments;

    Federal Law of July 27, 2006 N 149-FZ “On information, information technology and on the protection of information” gives a general definition of personal data and lays down the basic principles of legal regulation of activities related to personal data. It also introduces liability for violation of their confidentiality, as well as mandatory licensing for non-governmental organizations and individuals of activities related to the processing and provision of personal data;

    Federal Law of November 15, 1997 N 143-FZ “On Civil Status Acts” regulates the procedure for protecting confidential information in the process of registering acts of civil status.

    In addition, issues of legal regulation of work with personal data are raised in Federal Laws of October 22, 2004 N 125-FZ “On Archiving in the Russian Federation”, dated August 12, 1995 N 144-FZ “On Operational Investigative Activities”, dated June 12, 2002 N 67-FZ “On the basic guarantees of electoral rights and the right to participate in a referendum of citizens of the Russian Federation”, Tax Code of the Russian Federation, Fundamentals of the legislation of the Russian Federation on the protection of the health of citizens dated July 22, 1993 N 5487-1, Laws of the Russian Federation of July 21, 1993 N 5485-1 “On State Secrets”, dated March 28, 1998 N 53-FZ “On Military Duty and Military Service”, Federal Laws of April 1, 1996 N 27-FZ “On individual (personalized) accounting in the compulsory pension insurance system”, dated August 8, 2001 N 129-FZ “On state registration of legal entities and individual entrepreneurs” and a number of others. In the Civil Code of the Russian Federation, Article 152 protects the honor, dignity and business reputation of a citizen. In the Criminal Code of the Russian Federation, Art. 137 establishes criminal liability “for the illegal collection or dissemination of information about the private life of a person that constitutes his personal or family secret.”

    Today, threats associated with unauthorized access to confidential data can have a significant impact on an organization's operations. Possible damage from the disclosure of corporate secrets may include both direct financial losses, for example, as a result of the transfer of commercial information to competitors and the costs of eliminating the resulting consequences, and indirect ones - bad reputation and loss of promising projects. The consequences of losing a laptop with details for accessing bank accounts, financial plans and other private documents cannot be underestimated.

    One of the most dangerous threats today is unauthorized access. According to a study by the Computer Security Institute, last year 65% of companies registered incidents related to unauthorized access to data. Moreover, due to unauthorized access, each company lost on average $353 thousand in 2014–2015. Compared to 2012–2013, losses increased sixfold. Thus, the total losses suffered by over 600 surveyed firms for the year exceeded $38 million (see chart).

    Compounding the problem, unauthorized access to sensitive information is often followed by theft. As a result of this combination of two extremely dangerous threats, the company's losses can increase several times (depending on the value of the stolen data). In addition, companies often encounter physical theft of mobile computers, as a result of which both threats, unauthorized access and theft of sensitive information, are realized. Incidentally, the cost of the portable device itself is often incomparable with the cost of the data recorded on it.

    The problems that arise for an enterprise in the event of an information leak are illustrated especially well by the theft of laptops. Suffice it to recall the recent incidents in which, over the course of several months, five laptops containing private information of the company’s clients (Cisco, IBM, Sun Microsystems, BP, Nokia, etc.) were stolen from Ernst & Young. Here a difficult-to-measure indicator of the damage caused, namely a deterioration of the image and a decrease in customer confidence, manifested itself to the highest degree. Meanwhile, many companies are experiencing similar difficulties.

    Thus, in March 2006, Fidelity lost a laptop with private data of 200 thousand HP employees, and in February the auditing company PricewaterhouseCoopers lost a laptop with sensitive information of 4 thousand patients of an American hospital. If we continue the list, it will include such well-known companies as Bank of America, Kodak, Ameritrade, Ameriprise, Verizon, and others.

    Thus, in addition to protecting confidential information from unauthorized access, it is necessary to protect the physical media. It should be taken into account that such a security system must be absolutely transparent and not cause difficulties for the user when accessing sensitive data either in a corporate environment or when working remotely (at home or on a business trip).

    Until now, nothing more effective in the field of protecting information from unauthorized access than data encryption has been invented. As long as the cryptographic keys are kept intact, encryption ensures the security of sensitive data.

    Encryption technologies

    In order to protect information from unauthorized access, encryption technologies are used. However, users who do not have adequate knowledge of encryption methods may be given the false impression that all sensitive data is securely protected. Let's look at the main data encryption technologies.

    • File-by-file encryption. The user himself selects the files that should be encrypted. This approach does not require deep integration of the encryption tool into the system and therefore allows manufacturers of cryptographic tools to implement a multi-platform solution for Windows, Linux, Mac OS X, etc.
    • Directory encryption. The user creates folders in which all data is automatically encrypted. Unlike the previous approach, encryption occurs on the fly, and not at the user's request. In general, directory encryption is quite convenient and transparent, although it is based on the same file-by-file encryption. This approach requires deep interaction with the operating system, and therefore depends on the platform used.
    • Encryption of virtual disks. The concept of virtual disks is implemented in some compression utilities, for example, Stacker or Microsoft DriveSpace. Encrypting virtual disks involves creating a large hidden file on the hard drive. This file is subsequently available to the user as a separate disk (the operating system “sees” it as a new logical disk, for example, drive X:\). All information stored on the virtual disk is encrypted. The main difference from the previous approaches is that the cryptographic software does not need to encrypt each file individually. Here, data is encrypted automatically only when it is written to the virtual disk or read from it. In this case, data is processed at the sector level (usually 512 bytes in size).
    • Encrypting the entire disk. In this case, absolutely everything is encrypted: the Windows boot sector, all system files and any other information on the disk.
    • Protecting the boot process. If the entire disk is encrypted, the operating system will not be able to start until some mechanism decrypts the boot files. Therefore, encrypting the entire disk necessarily means protecting the boot process. Typically, the user is required to enter a password so that the operating system can start. If the user enters the password correctly, the encryption program will have access to the encryption keys, allowing further data to be read from the disk.

    Thus, there are several ways to encrypt data. Some of them are less reliable, some are faster, and some are not suitable for protecting important information at all. To be able to evaluate the suitability of certain methods, consider the problems that a cryptographic application faces when protecting data.
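
    The virtual-disk approach described in the list above, as an added example that is not part of the original article: a container file exposed as a logical disk in which every read and write passes through per-sector encryption. The class and function names are hypothetical, and the keystream is a SHA-256 counter-mode stand-in chosen so the block runs with the standard library only; real products use a block cipher in a disk mode such as AES-XTS.

```python
import hashlib
import io

SECTOR = 512  # sector size given in the text


def sector_keystream(key: bytes, sector_no: int) -> bytes:
    """Toy per-sector keystream (stand-in for a real disk cipher mode).

    Reusing a keystream when a sector is rewritten leaks information,
    so this construction must not be used to protect real data.
    """
    blocks = []
    for counter in range(SECTOR // 32):  # 16 SHA-256 outputs = 512 bytes
        blocks.append(hashlib.sha256(
            key + sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        ).digest())
    return b"".join(blocks)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VirtualDisk:
    """Logical disk backed by one container file; only ciphertext is stored."""

    def __init__(self, container, key: bytes):
        self.container = container  # any seekable binary file object
        self.key = key

    def format(self, sectors: int) -> None:
        # Every sector is written as encrypted zeros, so free space and
        # used space look alike in the container.
        for n in range(sectors):
            self._write_sector(n, bytes(SECTOR))

    def size(self) -> int:
        return self.container.seek(0, io.SEEK_END)

    def _read_sector(self, n: int) -> bytes:
        self.container.seek(n * SECTOR)
        return xor(self.container.read(SECTOR), sector_keystream(self.key, n))

    def _write_sector(self, n: int, plain: bytes) -> None:
        self.container.seek(n * SECTOR)
        self.container.write(xor(plain, sector_keystream(self.key, n)))

    def write(self, offset: int, data: bytes) -> None:
        if offset < 0 or offset + len(data) > self.size():
            raise ValueError("write outside the virtual disk")
        done = 0
        while done < len(data):
            n, start = divmod(offset + done, SECTOR)
            take = min(SECTOR - start, len(data) - done)
            sector = bytearray(self._read_sector(n))      # decrypt whole sector
            sector[start:start + take] = data[done:done + take]
            self._write_sector(n, bytes(sector))          # re-encrypt whole sector
            done += take

    def read(self, offset: int, length: int) -> bytes:
        if offset < 0 or offset + length > self.size():
            raise ValueError("read outside the virtual disk")
        out = bytearray()
        while len(out) < length:
            n, start = divmod(offset + len(out), SECTOR)
            take = min(SECTOR - start, length - len(out))
            out += self._read_sector(n)[start:start + take]
        return bytes(out)


def demo() -> dict:
    # Constructed sample values: passphrase, salt and record are made up.
    salt = b"constructed-salt"
    key = hashlib.pbkdf2_hmac("sha256", b"constructed passphrase", salt, 100_000)
    container = io.BytesIO()  # stands in for the large hidden file on disk
    disk = VirtualDisk(container, key)
    disk.format(sectors=8)

    secret = b"Q3 pricing plan: constructed sample record"
    disk.write(500, secret)  # crosses the boundary between sectors 0 and 1

    raw = container.getvalue()
    wrong_key = hashlib.pbkdf2_hmac("sha256", b"wrong guess", salt, 100_000)
    intruder = VirtualDisk(container, wrong_key)
    return {
        "roundtrip": disk.read(500, len(secret)) == secret,
        "container_size": len(raw),
        "plaintext_in_container": secret in raw,
        "wrong_key_reads_secret": intruder.read(500, len(secret)) == secret,
    }


if __name__ == "__main__":
    print(demo())
```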

    Features of operating systems

    Let us dwell on some features of operating systems, which, despite all their positive functions, sometimes only interfere with the reliable protection of confidential information. The following are the most common system mechanisms that leave a number of “loopholes” for an attacker, and are relevant for both laptops and PDAs.

    • Temporary files. Many programs (including the operating system) use temporary files to store intermediate data while they are running. Often an exact copy of the file opened by the program is written to a temporary file, which makes full data recovery possible in case of unexpected failures. Of course, temporary files are very useful, but, being unencrypted, such files pose a direct threat to corporate secrets.
    • Page files (or swap files). Swap file technology is very popular in modern operating systems, allowing any application to be provided with an almost unlimited amount of RAM. So, if the operating system does not have enough memory resources, it automatically writes data from RAM to the hard drive (to the page file). As soon as there is a need to use the stored information, the operating system retrieves data from the swap file and, if necessary, places other information in this storage. In the same way as in the previous case, secret information in unencrypted form can easily get into the paging file.
    • File alignment. The Windows file system places data in clusters that can occupy up to 64 sectors. Even if the file is a few bytes long, it will still take up an entire cluster. A large file will be split into chunks, each the size of a file system cluster. The remainder of the split (usually the last few bytes) will still occupy an entire cluster. Thus, the last sector of the file contains random information that was in the PC’s RAM at the time the file was written to disk. There may be passwords and encryption keys there. In other words, the last cluster of any file can contain quite sensitive information, ranging from random information from RAM to data from electronic messages and text documents that were previously stored in this place.
    • Recycle Bin. When a user deletes a file, Windows moves it to the Recycle Bin. As long as the Recycle Bin is not emptied, the file can be easily recovered. However, even if you empty the Recycle Bin, the data will still physically remain on the disk. In other words, deleted information can very often be found and restored (if no other data was written over it). There are a huge number of application programs for this, and some of them are free and freely distributed over the Internet.
    • Windows Registry. The Windows system itself, like a large number of applications, stores its specific data in the system registry. For example, a web browser stores in the registry the domain names of the pages visited by the user. Even the Word text editor saves the name of the last opened file in the registry. Moreover, the registry is used by the OS at boot. Accordingly, if any encryption method is launched after Windows has loaded, its results may be compromised.
    • Windows NT File System (NTFS). A file system with built-in access control (like Windows NT) is considered secure. The fact that the user must enter a password to access their personal files leaves a false impression that personal files and data are securely protected. However, even a file system with built-in Access Control Lists (ACLs), such as NTFS, provides absolutely no protection against an attacker who has physical access to the hard drive or administrator rights on the computer. In both cases, the criminal can gain access to sensitive data. To do this, he will need an inexpensive (or even free) disk editor to read the text information on the disk to which he has physical access.
    • Sleep mode. This mode is very popular on laptops, as it allows you to save battery power when the computer is turned on but not in use. When the laptop goes into sleep mode, the operating system copies absolutely all data in RAM to disk. This way, when the computer wakes up, the operating system can easily restore its previous state. Obviously, in this case, sensitive information can easily get onto the hard drive.
    • Hidden hard drive partitions. A hidden partition is a partition that the operating system does not show to the user at all. Some applications (such as those that save power on laptops) use hidden partitions to store data on them instead of files on regular partitions. With this approach, information stored on a hidden partition is not protected at all and can easily be read by anyone using a disk editor.
    • Free space and space between partitions. Sectors at the very end of the disk do not belong to any partition; sometimes they are displayed as free. Another unprotected area is the space between partitions. Unfortunately, some applications, as well as viruses, can store their data there. Even if you format your hard drive, this information will remain intact. It can be easily restored.
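
    The file-alignment and deleted-file items above can be reproduced on a toy cluster-based volume. The following is an added example, not code from the original article: the `ToyVolume` class, the 4096-byte cluster size and the sample secret are constructed for illustration, and it models only the residue of earlier files (not RAM contents) left in slack space, together with the wipe that removes it.

```python
"""Constructed toy volume: deleted data survives in free clusters and in file slack."""

CLUSTER = 4096  # bytes per cluster (assumed value for this demo)


class ToyVolume:
    def __init__(self, clusters=8, cluster_size=CLUSTER):
        self.cluster_size = cluster_size
        self.image = bytearray(clusters * cluster_size)  # the raw "disk"
        self.free = list(range(clusters))                # free cluster numbers, lowest first
        self.files = {}                                  # name -> (size, [cluster numbers])

    def write(self, name, data):
        """Store data in whole clusters; bytes past the end of the data are NOT cleared."""
        need = max(1, -(-len(data) // self.cluster_size))  # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        chain = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(chain):
            chunk = data[i * self.cluster_size:(i + 1) * self.cluster_size]
            start = c * self.cluster_size
            self.image[start:start + len(chunk)] = chunk
        self.files[name] = (len(data), chain)

    def delete(self, name):
        """Like emptying the Recycle Bin: drop the entry, free the clusters, keep the bytes."""
        _, chain = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def _tail(self, size, chain):
        """Offsets (begin, end) of the unused part of the file's last cluster."""
        used_in_last = size - (len(chain) - 1) * self.cluster_size
        start = chain[-1] * self.cluster_size
        return start + used_in_last, start + self.cluster_size

    def slack(self, name):
        """Bytes between the logical end of the file and the end of its last cluster."""
        begin, end = self._tail(*self.files[name])
        return bytes(self.image[begin:end])

    def wipe_free_and_slack(self):
        """Mitigation: overwrite free clusters and the slack of every live file with zeros."""
        for c in self.free:
            start = c * self.cluster_size
            self.image[start:start + self.cluster_size] = bytes(self.cluster_size)
        for size, chain in self.files.values():
            begin, end = self._tail(size, chain)
            self.image[begin:end] = bytes(end - begin)

    def contains(self, marker):
        """True if the marker bytes appear anywhere on the raw volume."""
        return marker in self.image


def demo():
    secret = b"PASSWORD=constructed-sample-secret"   # constructed sample value
    vol = ToyVolume()
    # A two-cluster "confidential" file with the secret near the end of each cluster.
    body = (b"A" * 4000 + secret).ljust(CLUSTER, b"A") + b"B" * 3000 + secret
    vol.write("contract.doc", body)
    vol.delete("contract.doc")
    after_delete = vol.contains(secret)          # deletion only freed the clusters
    vol.write("note.txt", b"hello")              # reuses cluster 0, overwrites 5 bytes
    in_slack = secret in vol.slack("note.txt")   # old bytes sit in the new file's slack
    slack_len = len(vol.slack("note.txt"))
    vol.wipe_free_and_slack()
    after_wipe = vol.contains(secret)
    return after_delete, in_slack, slack_len, after_wipe


if __name__ == "__main__":
    print(demo())
```

    A 5-byte file still owns a whole cluster, so 4091 bytes of the previous file stay readable until the free space and slack are overwritten.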

    Thus, to effectively protect data, it is not enough to simply encrypt it. Care must be taken to ensure that copies of secret information do not leak into temporary and swap files, as well as into other “hidden places” of the operating system, where they are vulnerable to an attacker.
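
    The hidden-partition and unallocated-space items in the list above can be checked from the partition table itself. The following is an added example, not code from the original article: it parses a classic MBR from a constructed 32 KiB image, flags partition types that fdisk lists as hidden or hibernation partitions, and reports sector ranges outside every partition that contain data. GPT disks and extended partitions are outside its scope, and all function names are chosen for this sketch.

```python
import struct

SECTOR = 512
# Partition type IDs that the fdisk type list names as hidden or hibernation partitions.
HIDDEN_TYPES = {0x11, 0x12, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x84, 0xA0}
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector0):
    """Return the non-empty primary partition entries of an MBR, sorted by start sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        _status, ptype, lba_start, count = struct.unpack(ENTRY, raw)
        if ptype == 0 or count == 0:
            continue                      # unused slot
        parts.append({"index": i, "type": ptype, "start": lba_start,
                      "sectors": count, "hidden": ptype in HIDDEN_TYPES})
    return sorted(parts, key=lambda p: p["start"])


def unallocated_gaps(parts, total_sectors, first_usable=1):
    """Sector ranges (start, length) that belong to no partition, including the disk tail."""
    gaps, cursor = [], first_usable       # sector 0 holds the MBR itself
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def nonzero_gaps(image, gaps):
    """Gaps holding any non-zero byte, i.e. data that lives outside every file system."""
    return [(s, n) for s, n in gaps if any(image[s * SECTOR:(s + n) * SECTOR])]


def build_sample_image(total_sectors=64):
    """Constructed image: one NTFS-type partition, one hibernation-type partition, three gaps."""
    img = bytearray(total_sectors * SECTOR)
    table = (struct.pack(ENTRY, 0, 0x07, 8, 24)      # sectors 8..31
             + struct.pack(ENTRY, 0, 0xA0, 40, 16)   # sectors 40..55, hidden type
             + bytes(32))                            # two unused slots
    img[446:510] = table
    img[510:512] = b"\x55\xaa"
    offset = 34 * SECTOR                             # inside the gap between the partitions
    img[offset:offset + 19] = b"constructed residue"
    return img


def audit(image):
    """Summarise hidden partitions and unallocated areas of an MBR disk image."""
    parts = parse_mbr(bytes(image[:SECTOR]))
    gaps = unallocated_gaps(parts, len(image) // SECTOR)
    return {"hidden": [p["index"] for p in parts if p["hidden"]],
            "gaps": gaps,
            "gaps_with_data": nonzero_gaps(image, gaps)}


if __name__ == "__main__":
    print(audit(build_sample_image()))
```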

    Suitability of different data encryption approaches

    Let's look at how different approaches to data encryption cope with the peculiarities of operating systems.

    Per-file encryption

    This method is mainly used to send encrypted files via e-mail or over the Internet. In this case, the user encrypts a specific file that needs to be protected from third parties and sends it to the recipient. This approach suffers from low speed, especially when it comes to large volumes of information (after all, you need to encrypt every file attached to a letter). Another problem is that only the original file is encrypted, while temporary files and the page file are left completely unprotected, so protection is only provided against an attacker trying to intercept a message on the Internet, but not against a criminal who stole a laptop or PDA. Thus, we can conclude: file-by-file encryption does not protect temporary files, and its use to protect important information is unacceptable. However, the concept is suitable for sending small amounts of information over a network from computer to computer.

    Folder encryption

    Unlike file-by-file encryption, this approach allows you to transfer files to a folder where they will be encrypted automatically. This makes working with protected data much more convenient. Since folder encryption is based on file-by-file encryption, neither method provides reliable protection for temporary files or swap files, physically deletes data from the disk, etc. Moreover, directory encryption is very wasteful of memory and processor resources. It takes processor time to constantly encrypt and decrypt files, and additional disk space (sometimes more than 2 KB) is allocated for each protected file on the disk. All this makes directory encryption very resource-intensive and slow. To summarize, although this method is quite transparent, it cannot be recommended for protecting sensitive information, especially if an attacker can gain access to temporary files or swap files.

    Encryption of virtual disks

    This concept involves creating a large hidden file located on the hard drive. The operating system treats it as a separate logical drive. The user can place software on such a disk and compress it to save space. Let's consider the advantages and disadvantages of this method.

    First of all, the use of virtual disks creates an increased load on operating system resources. The fact is that every time you access a virtual disk, the operating system has to redirect the request to another physical object - a file. This certainly has a negative impact on performance. Due to the fact that the system does not identify the virtual disk with the physical one, problems may arise with the protection of temporary files and the paging file. Compared to directory encryption, the concept of virtual disks has both pros and cons. For example, an encrypted virtual disk protects file names located in virtual file tables. However, this virtual disk cannot be expanded as easily as a regular folder, which is very inconvenient. To summarize, we can say that encrypting virtual disks is much more reliable than the two previous methods, but it can leave temporary files and swap files unprotected if developers do not specifically take care of this.

    Whole disk encryption

    This concept is based not on file-by-file but on sector-by-sector encryption. In other words, any file written to the disk will be encrypted. Cryptographic programs encrypt data before the operating system places it on disk. To do this, a cryptographic program intercepts all attempts by the operating system to write data to the physical disk (at the sector level) and performs encryption operations on the fly. Thanks to this approach, temporary files, the swap file, and all deleted files will also be encrypted. The logical consequence of this method should be a significant reduction in the overall level of PC performance. This is precisely the problem that many encryption tool developers are working on, although several successful implementations of such products already exist. To sum it up: encrypting the entire disk allows you to avoid situations where any part of the important data or an exact copy of it remains somewhere on the disk in unencrypted form.

    Protecting the boot process. As already noted, it is advisable to protect the boot process by encrypting the entire disk. In this case, no one will be able to start the operating system without going through the authentication procedure at the beginning of boot. And for this you need to know the password. If an attacker has physical access to a hard drive with sensitive data, then he will not be able to quickly determine where the encrypted system files are located and where - important information. Please note: If cryptographic software encrypts the entire drive but does not protect the boot process, then it is not encrypting system files and boot sectors. That is, the disk is not completely encrypted.
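
    Whether a disk really contains no unencrypted regions can be checked by measuring byte entropy sector by sector. The following is an added example, not code from the original article: the 7.0 bits-per-byte threshold, the function names and the sample image (SHA-256 in counter mode standing in for ciphertext, with unencrypted boot sectors and a plaintext temporary copy) are constructed for illustration. Low entropy indicates plaintext; high entropy alone does not prove encryption, because compressed data looks the same.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512


def sector_entropy(sector):
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not sector:
        return 0.0
    n = len(sector)
    return -sum(c / n * math.log2(c / n) for c in Counter(sector).values())


def plaintext_suspects(image, threshold=7.0):
    """Merge consecutive low-entropy sectors into (first_sector, count) runs."""
    runs = []
    for i in range(len(image) // SECTOR):
        if sector_entropy(image[i * SECTOR:(i + 1) * SECTOR]) < threshold:
            if runs and runs[-1][0] + runs[-1][1] == i:
                runs[-1] = (runs[-1][0], runs[-1][1] + 1)   # extend the current run
            else:
                runs.append((i, 1))
    return runs


def pseudo_ciphertext(n_sectors, seed=b"constructed"):
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode (not real encryption)."""
    out = bytearray()
    counter = 0
    while len(out) < n_sectors * SECTOR:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_sectors * SECTOR])


def build_sample_image():
    """Constructed 16-sector image.

    Sectors 0-1:  unencrypted boot code (boot process not protected).
    Sectors 2-15: high-entropy data, except sectors 9-10, which hold a
                  plaintext temporary copy of a document.
    """
    boot = (b"\xeb\x3c\x90" + b"BOOTLOADER stub " * 20).ljust(2 * SECTOR, b"\x00")
    body = bytearray(pseudo_ciphertext(14))
    leak = (b"Contract draft, confidential. " * 40)[:2 * SECTOR]
    body[7 * SECTOR:9 * SECTOR] = leak
    return boot + bytes(body)


if __name__ == "__main__":
    for first, count in plaintext_suspects(build_sample_image()):
        print(f"sectors {first}..{first + count - 1}: likely unencrypted")
```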

    Thus, today, to reliably protect confidential data on laptops, you should use encryption technology either for virtual disks or for the entire disk. However, in the latter case, you need to make sure that the cryptographic tool does not consume computer resources to such an extent that it interferes with users' work. Note that Russian companies do not yet produce entire disk encryption tools, although several such products already exist in Western markets. In addition, protecting data on a PDA is somewhat simpler, since due to the small volumes of stored information, developers can afford to encrypt all data, for example on a flash card.

    Encryption using strong authentication

    Securely storing data requires not only powerful and well-implemented cryptographic technologies, but also the means to provide personalized access. In this regard, using strong two-factor authentication based on hardware keys or smart cards is the most effective way to store encryption keys, passwords, digital certificates, etc. To successfully pass the strong authentication procedure, the user must present a token (USB key or smart card) to the operating system (for example, insert it into one of the computer’s USB ports or into a smart card reader), and then prove ownership of this electronic key (that is, enter the password). Thus, the task of an attacker trying to gain access to sensitive data is greatly complicated: he needs not only to know the password, but also to have a physical medium that only legal users have.

    The internal structure of the electronic key assumes the presence of an electronic chip and a small amount of non-volatile memory. Using the electronic chip, data is encrypted and decrypted based on the cryptographic algorithms embedded in the device. Passwords, electronic keys, access codes and other secret information are stored in the non-volatile memory. The hardware key itself is protected from theft by a PIN code, and special mechanisms built into the key protect this PIN from brute force.

    Results

    Thus, effective data protection involves the use of reliable encryption tools (based on virtual disk technologies or covering the entire disk) and strong authentication tools (tokens and smart cards). Among the file-by-file encryption tools, ideal for sending files over the Internet, it is worth noting the well-known PGP program, which can satisfy almost all user requests.

    At the present stage of development of society, the greatest value is acquired by a resource that is not new but is always valuable: information. Information is becoming today the main resource for scientific, technical and socio-economic development of the world community. Almost any activity in today's society is closely related to the receipt, accumulation, storage, processing and use of various information flows. The integrity of the modern world as a community is ensured mainly through intensive information exchange.

    Therefore, in the new conditions, a lot of problems arise related to ensuring the safety and confidentiality of commercial information as a type of intellectual property.



    • Introduction
      • 1.2 Value of information
      • 1.4 Threats and confidential information protection system
      • Chapter 2. Organization of work with documents containing confidential information
      • 2.1 Regulatory and methodological basis for confidential records management
      • 2.2 Organization of access and procedures for personnel to work with confidential information, documents and databases
      • 2.3 Technological basis for processing confidential documents
      • Chapter 3. Protection of restricted access information at JSC "ChZPSN - Profnastil"
      • 3.1 Characteristics of JSC "ChZPSN - Profnastil"
      • 3.2 Information security system at JSC "ChZPSN - Profnastil"
      • 3.3 Improving the security system for restricted access information
      • Conclusion
      • List of sources and literature used

    Introduction

    One of the most important components of the national security of any country is now unanimously called its information security. Problems of ensuring information security are becoming increasingly complex and conceptually significant due to the massive transition of information technologies in management to a paperless, automated basis.

    The choice of the topic of this final qualifying work is due to the fact that in the modern Russian market economy, a prerequisite for the success of an entrepreneur in business, making a profit and maintaining the integrity of the organizational structure created by him is ensuring the economic security of his activities. And one of the main components of economic security is information security.

    The object of research in this work is the formation and functioning of information resources in the organization's management system.

    The research base is OJSC "ChZPSN - Profnastil".

    The subject of the study is activities to ensure the security of information resources in the organization's management system.

    The purpose of the study is to analyze modern technologies, methods, techniques and means of protecting confidential information of an enterprise.

    The objectives of the study, in accordance with the goal, include:

    1. Reveal the main components of information security;

    2. Determine the composition of information that should be classified as confidential;

    3. Identify the most common threats and the channels through which confidential information is distributed and leaked;

    4. Consider methods and means of protecting confidential information;

    5. Analyze the regulatory framework for confidential records management;

    6. Study the security policy in organizing access to confidential information and the procedure for personnel working with confidential documents;

    7. Consider technological systems for processing confidential documents;

    8. Assess the information security system of the enterprise JSC ChZPSN - Profnastil and provide recommendations for its improvement.

    The following research methods were used in the work: cognitive methods (description, analysis, observation, survey); general scientific methods (analysis of publications on the topic), as well as such a documentary method as analysis of enterprise documentation.

    The regulatory framework for the final qualifying work is based primarily on the Constitution as the fundamental law of the Russian Federation (1). Article 23 of the Constitution of the Russian Federation guarantees the right to personal and family secrets, privacy of correspondence, telephone conversations, postal, telegraph and other communications. However, restriction of this right is allowed only on the basis of a court decision. The Constitution of the Russian Federation does not allow (Article 24) the collection, storage, use and dissemination of information about the private life of a person without his consent (1).

    The rules for regulating relations arising when handling confidential information are also contained in the Civil Code of the Russian Federation. At the same time, confidential information is classified as intangible benefits in the Civil Code of the Russian Federation (Article 150) (2).

    The criteria by which information is considered an official or commercial secret are contained in Article 139 of the Civil Code of the Russian Federation. It states that information constitutes an official or commercial secret in the case when:

    1. This information has actual or potential value due to its unknownness to third parties;

    2. There is no free access to this information on a legal basis and the owner of the information takes measures to protect its confidentiality (2).

    In addition, the definition of confidentiality of commercial information is contained in Article 727 of the Civil Code of the Russian Federation (2).

    On July 27, 2006, two federal laws that were most important for the protection of confidential information were adopted: No. 149-FZ “On Information, Information Technologies and Information Protection” (8) and No. 152-FZ “On Personal Data” (9). They provide the basic concepts of information and its protection, such as “information”, “information confidentiality”, “personal data”, etc.

    On January 10, 2002, the President of the Russian Federation signed a very important law “On Electronic Digital Signature” (5), developing and specifying the provisions of the above law “On Information...” (8).

    The following laws of the Russian Federation are also fundamental in the field of confidential information security:

    1. “On state secrets” dated July 22, 2004 (4);

    2. “On Trade Secrets” dated July 29, 2004 (it contains information constituting a trade secret, trade secret regime, disclosure of information constituting a trade secret) (6);

    3. “On approval of the List of confidential information” (11);

    4. “On approval of the List of information that cannot constitute a commercial secret” (13).

    The standard establishing the basic terms and definitions in the field of information security is GOST R 50922-96 (29).

    The regulatory and methodological basis for confidential paperwork is presented in detail in the second chapter of this work. In the final qualifying work, the works of leading document specialists were used: I.V. Kudryaeva (83), A.I. Aleksentseva (31; 32), T.V. Kuznetsova (45; 67; 102), A.V. Pshenko (98), L.V. Sankina (92), E.A. Stepanova (81; 96).

    The concept of information security and its main components are set out in the works of V.A. Galatenko (82), V.N. Yarochkina (56), G. Zotova (66).

    K. Ilyin (52) in his works considers issues of information security in electronic document management. Aspects of information security are described in articles by V.Ya. Ishcheinova (76; 77), M.V. Metsatunyan (77), A.A. Malyuka (74), V.K. Senchagova (93), E.A. Stepanova (96).

    The information security system is described in the works of E.A. Stepanova (81), Z. Bogatyrenko (74), T.A. Korolkova (69), G.G. Aralbaeva (100), A.A. Shiverskogo (103), V.N. Martynov and V.M. Martynova (49).

    The works of the following authors are devoted to the legal regulation of restricted access information: A.A. Antopolsky (33), E.A. Stepanova (81), I.L. Bachilo (37, 38), O. Gavrilova (41). The latter, in his article, points out the imperfection of legislation in the area under consideration.

    The works of R.N. Moseev (75), M.I. Petrov (89), V.I. Andreeva (34), V.V. Galakhov (44), A.I. Aleksentseva (32) are devoted to technologies for processing confidential documents.

    In the process of preparing the work, scientific, educational, practical and methodological recommendations on organizing the protection of confidential information were used, prepared by such leading experts in this field as A.I. Aleksentsev (31; 32) and E.A. Stepanov (81; 96).

    Works by I.L. Bachilo (38), K.B. Gelman-Vinogradova (43), N.A. Khramtsovskaya (48), V.M. Kravtsova (51) are devoted to controversial aspects of information security.

    In general, we can say that the problem of information security is well covered by sources; the source base makes it possible to address the assigned tasks. The significance of the literature on this issue is great and corresponds to its relevance.

    But in our country there is no regulatory legal act that would establish a uniform procedure for recording, storing, and using documents containing confidential information. And according to analysts whose articles were used in the work, E.A. Voynikanis (40), T.A. Partyki (57), V.A. Mazurov (71) and others, this is hardly advisable.

    Unpublished sources used in the work include an extract from the Charter of OJSC "ChZPSN - Profnastil" (Appendix 11), documents of the current office work of the enterprise.

    The final qualifying work consists of an introduction, three chapters, a conclusion, a list of used sources and literature, and applications.

    The introduction formulates the relevance and practical significance of the topic, the purpose of the research, objectives, the degree of development of the problem under study, the object, subject, basis of the study, research tools, the structure and content of the final qualifying work.

    The first chapter, “Fundamentals of information security and information protection”, contains the history of the issue and the basic concepts of information security, such as the value of information and confidentiality. Paragraph 1.2 indicates the channels of distribution and information leakage; the next section discusses the threat system and the system for protecting confidential information.

    The second chapter, "Organization of work with confidential documents", consists of the regulatory and methodological foundations of confidential office work, followed by the work procedure for employees and the organization of their access to confidential information. The technology for working with the indicated information is described in the last paragraph of the second chapter.

    In the third chapter, using the example of the enterprise JSC ChZPSN - Profnastil, the system for protecting information of limited access and analysis of work with confidential documents are considered. Recommendations, changes and additions are given to the technology of confidential office work that has been formed at the enterprise.

    The conclusion contains conclusions on the final qualifying work.

    The list of used sources and literature includes 110 titles.

    The work is supplemented by appendices that present: regulations, instructions that regulate the procedure for handling documents containing information with limited access at the enterprise, sample document forms, registration forms, an extract from the Charter of OJSC "ChZPSN - Profnastil".

    Chapter 1. Fundamentals of information security and information protection

    1.1 Evolution of the term “information security” and the concept of confidentiality

    It has long been believed that whoever has the information controls the situation. Therefore, even at the dawn of human society, intelligence activities arise. State and commercial secrets (the composition of porcelain, silk) appear for the same reason, and during wars, military secrets (disposition of troops, weapons). The desire to keep secret from others what gives advantage and power seems to be the main motivation of people in historical perspective. Many owners, in order to protect their interests, classify information and carefully protect it or patent it. Classification of information leads to constant improvement of the means and methods for obtaining protected information, and of the means and methods of information security (89, p.45).

    In world practice, the terms “industrial secret”, “trade secret”, “secret of credit relations” were first used, i.e. the name of the secret was linked to a specific field of activity. The Russian lawyer V. Rosenberg made an attempt to combine these names into one - “trade secret” and even published a book of the same name in 1910. However, this term did not catch on. Both in the Russian Empire and abroad, the term “trade secret” was finally established, uniting the secret of any activity aimed at making a profit (46, p. 20).

    From the second half of the 19th century, various definitions of the concept of trade secret also appear, primarily in the field of criminal and civil legislation. For example, German legislation defined trade secrets as the secret of the technical processes of manufacturing a product and the secret of its sales operations or, as expressed in higher language, the secret of the production of goods and the secret of their distribution.

    In Russia, according to the Criminal Code of 1903, trade secrets were understood as special production methods used or intended to be used, and in another edition - individual characteristics of production and trade processes. The secret of production processes was classified as a property secret, and trade - as a business secret.

    In Russia, in November 1917, trade secrets were abolished. During the NEP, it was unofficially “reborn”, but later it was used only by foreign trade enterprises of the USSR in contacts with other countries, but there was no domestic legislative basis for it. Scientific activity in this area also ceased (31, p.78).

    In the second half of the 80s, entrepreneurial activity required the development of related regulatory documents, including those related to trade secrets. First of all, it was necessary to formulate a definition of a trade secret. This definition was made in the Law “On Enterprises in the USSR”. It says: “A commercial secret of an enterprise is understood as information that is not a state secret, related to production, technological information, management, finance and other activities of the enterprise, the disclosure (transfer, leakage) of which may harm its interests.”

    Trade secret in the modern interpretation is information, data, information, objects, the disclosure, transfer or leakage of which by third parties may harm the interests or safety of the owner (32, p. 13).

    ISO/IEC 17799 defines information security as ensuring the confidentiality, integrity and availability of information (56, p.212).

    Security is not only protection from criminal attacks, but also ensuring the safety of (especially electronic) documents and information, as well as measures to protect critical documents and ensure continuity and/or restoration of activities in the event of disasters (71, p. 5 8).

    Information security should be understood as the protection of subjects of information relations. Its main components are confidentiality, integrity, and availability (82, p. 15).

    In the Information Security Doctrine of the Russian Federation (19), the term “information security” denotes the state of protection of national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.

    Confidentiality is protection from unauthorized access (83, p. 17). The Federal Law “On Information, Information Technologies and Information Protection” (8), Article 2, Clause 7, gives the following definition: confidentiality is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

    The security of information resources (information) is understood as the security of information in time and space from any objective and subjective threats (dangers) that arise under normal operating conditions of a company and in extreme situations: natural disasters, other uncontrollable events, passive and active attempts by an attacker to create a potential or real threat of unauthorized access to documents, files, databases (61, p. 32).

    Confidentiality - rules and conditions for the safety of data and information transfer. There is a distinction between external confidentiality - as a condition of non-disclosure of information to the external environment, and internal confidentiality - among personnel.

    The security of valuable documented information (documents) is determined by the degree of its protection from the consequences of extreme situations, including natural disasters, as well as passive and active attempts by an attacker to create a potential or real threat (danger) of unauthorized access to documents using organizational and technical channels, as a result of which information may be stolen and misused by the attacker for his own purposes, modified, substituted, falsified or destroyed (68, p. 36).

    Secrecy is the rules and conditions of admission and access to information objects (89, p. 50).

    Thus, the phrase “information security” is not limited to protection against unauthorized access to information.

    This is a fundamentally broad concept. An information subject may suffer (suffer losses and/or receive moral damage) not only from unauthorized access, but also from a system breakdown that causes an interruption in work.

    Although confidentiality is synonymous with secrecy, the term is widely used exclusively to refer to restricted information resources that are not classified as state secrets.

    Confidentiality reflects the restriction that the owner of information imposes on access to it by other persons, i.e. the owner establishes the legal regime of this information in accordance with the law (91, p. 208).

    1.2 Value of information

    Protected information includes: secret information (information containing state secrets), confidential (information containing commercial secrets, secrets relating to the personal life and activities of citizens) (100, p. 38).

    There are always management documents, the leakage of the contents of which is undesirable or simply harmful, since it can be used directly or indirectly to the detriment of its authors. Such information and, accordingly, the documents containing it are considered confidential (closed, protected). Documented information of limited access always belongs to one of the types of secrets - state or non-state. In accordance with this, documents are divided into secret and unclassified. A mandatory feature (criterion for belonging) of a secret document is the presence in it of information that constitutes a state secret in accordance with the law. Unclassified documents that include information classified as non-state secrets (official, commercial, banking, professional, industrial, etc.) or containing personal data of citizens are called confidential.

    Information is data about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation (8).

    The legislation of the Russian Federation establishes that documented information (documents) is publicly available, with the exception of those classified by law as restricted access (11).

    In this case, documented information with limited access is divided into information classified as state secrets and confidential information. Both of these types of information are subject to protection from illegal dissemination (disclosure) and are classified as secrets protected by law.

    A mandatory feature of a confidential document is the presence in it of information to be protected. The peculiarity of such a document is that it simultaneously represents not only the information itself - a mandatory object of protection, but also a mass storage medium of information, the main source of accumulation and dissemination of this information, including its leakage. That is, information is confidential, first of all, and only then the documents in which this information is recorded become confidential. The category of confidential information includes all types of restricted information protected by law - commercial, official, personal - with the exception of state secrets (94, p.78).

    Information can be divided into three categories (82, p.33).

    The first is unclassified (or open), which is intended for use both within the company and outside it.

    The second is for official use, which is intended only for use within the company. It is divided, in turn, into two subcategories:

    1. Available to all employees of the company;

    2. Available for certain categories of employees, but can be transferred in full to another employee to perform the necessary work.

    The third is classified information (or restricted information), which is intended for use only by specially authorized employees of the company and is not intended for transfer to other employees in full or in parts.

    Information of the second and third categories is usually called confidential (35, p.9).

    Confidential information may also constitute a certain set of open information, just as a certain set of information for official use may constitute restricted access information. Therefore, it is necessary to clearly define the conditions under which the classification of information can and should be increased (55, p.83).

    For example, at JSC ChZPSN - Profnastil, information about the details of concluded contracts, as well as which of the employees concludes them, is confidential. At the same time, open information includes data on personnel, their distribution among departments, and the official responsibilities of employees. The news section of the company's website regularly reports which enterprises (and of what profile) the company is negotiating with, with whom it intends to conclude a contract, etc. Taken together, these three sources of open information (personnel, job responsibilities, information about concluded contracts) can form confidential information about the employee entering into a specific contract.

    The conditions under which information can be classified as confidential are listed in Article 13, Part 1 of the Civil Code of the Russian Federation (2). These include:

    1. The actual or potential commercial value of the information due to its unknownness to third parties;

    2. Lack of free access to this information on a legal basis;

    3. The owner of the information takes the necessary measures to protect its confidentiality.

    Thus, ensuring the confidentiality of document information contains three aspects:

    1. Determining the composition of information that should be classified as confidential;

    2. Determining the circle of employees who should have access to this or that confidential information and establishing appropriate relationships with them;

    3. Organization of office work with confidential documents (99, pp. 7-9).

    If these conditions are not met, the organization will not have grounds to hold anyone accountable for disclosing confidential information.

    According to the Federal Law “On Information, Information Technologies and Information Protection” (8), the following cannot constitute a trade secret:

    1. Constituent documents (decision to create an enterprise or founders’ agreement) and Charter;

    2. Documents giving the right to engage in entrepreneurial activities (registration certificates, licenses, patents);

    3. Information on established forms of reporting on financial and economic activities and other information necessary to verify the correctness of calculation and payment of taxes and other obligatory payments to the state budget system of the Russian Federation;

    4. Documents on solvency;

    5. Information on the number, composition of employees, their wages and working conditions, as well as the availability of available jobs;

    6. Documents on payment of taxes and obligatory payments;

    7. Information about environmental pollution, violation of antimonopoly legislation, non-compliance with safe working conditions, sales of products harmful to public health, as well as other violations of the legislation of the Russian Federation and the extent of damage caused;

    8. Information on the participation of enterprise officials in cooperatives, small enterprises, partnerships, joint-stock companies, associations and other organizations engaged in business activities.

    Enterprises and persons engaged in entrepreneurial activities, as well as heads of state and municipal enterprises, are required to submit the listed information at the request of authorities, management, supervisory and law enforcement agencies, other legal entities entitled to it in accordance with the legislation of the Russian Federation, as well as the workforce of the enterprise (21).

    Information on issues included by law in the concept of state secrets cannot be classified as confidential (12). As for the issues of working with documents containing such information, in accordance with the Law of the Russian Federation “On State Secrets” (4), it is determined that citizens, officials and organizations should be guided only by legislative acts regulating the protection of state secrets.

    According to the law, confidential information is documented information, access to which is limited in accordance with the legislation of the Russian Federation (11). Confidential information is considered to be such information, the disclosure of which could harm the interests of the company (35, p.6). It can also be said that the assignment of confidentiality to certain information, among other things, contributes to the preservation of trade secrets (8).

    The generalized concept of confidential information is largely specified in the “List of Confidential Information” (11). According to it, confidential information is grouped into several main categories.

    Firstly, this is information about the facts, events and circumstances of a citizen’s private life, allowing identification of an individual (personal data), with the exception of information subject to dissemination in the media in cases established by federal law.

    The second category of specified information is information constituting the secret of investigation and legal proceedings. The list further defines a group of official information, access to which is limited by government authorities in accordance with the Civil Code of the Russian Federation (2, p. 52) and federal law (official secrets).

    Another group in the list covers information related to professional activities, access to which is limited in accordance with the Constitution of the Russian Federation (1, p. 25) and federal law (medical, notary, lawyer (16), confidentiality of correspondence, telephone conversations, postal items (10), telegraphic or other messages (17) and so on).

    The next group of confidential information includes information related to commercial activities, access to which is limited in accordance with the Civil Code of the Russian Federation (2) and federal laws (trade secrets) (6).

    The list of confidential information ends with information about the essence of the invention, utility model or industrial design before official publication about them (53, p. 51; 82, p. 33).

    Documented information used by an entrepreneur in business and management of an enterprise, organization, bank, company or other structure is his own or private information that is of significant value to him, his intellectual property.

    The value of information can be a cost category that characterizes a specific amount of profit when it is used or the amount of losses when it is lost. Information often becomes valuable due to its legal significance for the company or business development, for example, constituent documents, programs and plans, agreements with partners and intermediaries, etc. The value of information may also reflect its future scientific, technical or technological significance (58, p. 224).

    Information that has intellectual value for an entrepreneur is usually divided into two types:

    1. Technical, technological: methods of manufacturing products, software, production indicators, chemical formulas, test results of prototypes, quality control data, etc. (53, p.50);

    2. Business: cost indicators, market research results, customer lists, economic forecasts, market strategy, etc.

    Valuable information is protected by law (patent, copyright, related law), a trademark, or is included in the category of information that constitutes a company secret (58, p. 54).

    Thus, as a rule, all information circulating within an organization can be divided into two parts - open and confidential (65, p.5).

    The commercial value of information, as a rule, is short-lived and is determined by the time required for a competitor to develop the same idea or to steal it and reproduce it, publish it and make the information publicly known. The degree of value of information and the reliability of its protection are directly dependent.

    Identification and regulation of the actual composition of information that is valuable to the entrepreneur and constitutes a company secret are fundamental parts of the information security system. The composition of valuable information is recorded in a special list that determines the period (term) and level (class) of its confidentiality (i.e., inaccessibility to everyone), a list of company employees who are granted the right to use this information in their work. The list, which is based on the typical composition of protected information from companies in this profile, is a permanent working material for the company’s management, security services and confidential documentation. It is a classified list of typical and specific valuable information about the work being carried out, products being manufactured, scientific and business ideas, and technological innovations. The list includes truly valuable information about each work of the company (51, pp. 45-51).

    Additionally, a list of documents in which this information is reflected (documented) can be compiled. The list also includes documents that do not contain protected information, but are valuable to the company and subject to protection. The lists are compiled individually by each company in accordance with the recommendations of a special commission and approved by the first head of the company. The same commission regularly makes current changes to the lists in accordance with the dynamics of the company’s performance of specific work.

    Documents containing valuable information are part of the company’s information resources, which can be: a) open (available to personnel without special permission) and b) limited for personnel access (classified as one of the types of secrets - state or non-state).

    The list of information classified as confidential information, as well as the list of employees admitted to it, is drawn up by order for the company.

    1.3 Channels of distribution and leakage of confidential information

    Source information always spreads to the external environment. Channels for the dissemination of information are objective in nature, characterized by activity and include: business, management, trade, scientific, regulated communications; information networks; natural technical channels.

    The information dissemination channel is a path for moving valuable information from one source to another in an authorized (permitted) mode or due to objective laws (83, p. 48).

    The term “leakage of confidential information” is probably not the most euphonious, but it reflects the essence of the phenomenon more succinctly than other terms. It has long been entrenched in the scientific literature and regulatory documents (99, p. 11). Leakage of confidential information is the unlawful, i.e. unauthorized, release of such information beyond the protected zone of its operation or the established circle of persons who have the right to work with it, if this release led to the receipt of information (familiarization with it) by persons who do not have authorized access to it. Leakage of confidential information means not only its receipt by persons who do not work at the enterprise; unauthorized access to confidential information by persons within the enterprise also leads to leakage (104, p. 75).

    The loss and leakage of confidential documented information is caused by the vulnerability of the information. The vulnerability of information should be understood as the inability of information to independently withstand destabilizing influences, i.e. influences that violate its established status (94, p.89). Violation of the status of any documented information consists of a violation of its physical safety (in general or with a given owner, in full or in part), logical structure and content, and accessibility for authorized users. Violation of the status of confidential documented information additionally includes violation of its confidentiality (closedness to unauthorized persons). The vulnerability of documented information is a collective concept. It does not exist in the abstract, but appears in various forms. These include: theft of a storage medium or of the information displayed on it (theft); loss of storage media (loss); unauthorized destruction of a storage medium or of the information displayed on it (destruction); distortion of information (unauthorized change, unauthorized modification, forgery, falsification); blocking of information; disclosure of information (distribution, disclosure).

    The term "destruction" is used mainly in relation to information on magnetic media. The existing alternative names (modification, forgery, falsification) are not entirely equivalent to the term “distortion”; they have nuances, but their essence is the same - an unauthorized partial or complete change in the composition of the original information (36, p. 59).

    Blocking information here means blocking access to it by authorized users, not by attackers.

    Disclosure of information is a form of manifestation of the vulnerability of confidential information only.

    This or that form of vulnerability of documented information can be realized as a result of intentional or accidental destabilizing influence in various ways on the information carrier or on the information itself from sources of influence. Such sources can be people, technical means of processing and transmitting information, communications, natural disasters, etc. Methods of destabilizing influence on information are its copying (photography), recording, transmission, removal, infection of information processing programs with a virus, violation of processing and storage technology information, withdrawal (or failure) and disruption of the operating mode of technical means of processing and transmitting information, physical impact on information, etc.

    The vulnerability of documented information leads or may lead to loss or leakage of information. (97, p.12).

    The loss of documented information is caused by theft and loss of storage media, unauthorized destruction of storage media or only the information displayed on them, distortion and blocking of information. The loss can be complete or partial, irreversible or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

    Disclosure of confidential documented information leads to its leakage. As some authors note (77, p.94; 94, p.12), in the literature and even in regulatory documents the term “leakage of confidential information” is often replaced by or identified with the terms “disclosure of confidential information” and “dissemination of confidential information”. This approach, from the point of view of specialists, is unjustified. Disclosure or dissemination of confidential information means unauthorized delivery of it to consumers who do not have the right to access it. Moreover, such delivery must be carried out by someone, come from someone. A leak occurs when confidential information is disclosed (unauthorized distribution), but is not limited to it. A leak can also occur as a result of the loss of a medium of confidential documented information, as well as theft of the information medium or of the information displayed on it while the medium is kept safe by its owner (possessor). This does not mean it will happen. A lost carrier may fall into the wrong hands, or it may be “grabbed” by a garbage collection machine and destroyed in the manner established for garbage. In the latter case, no leakage of confidential information occurs. The theft of confidential documented information is also not always associated with its receipt by persons who do not have access to it. There are many examples where the theft of confidential information carriers was carried out from work colleagues by persons who had access to this information, for the purpose of “helping out” or causing harm to a colleague. Such media were usually destroyed by the persons who stole them. But in any case, the loss and theft of confidential information, if they do not lead to its leakage, always create a threat of leakage. Therefore, we can say that the leakage of confidential information is caused by its disclosure and can result from theft and loss.

    The difficulty lies in the fact that it is often impossible to determine, firstly, the very fact of disclosure or theft of confidential information while the information carrier is kept safe by its owner (possessor), and secondly, whether the information got to unauthorized persons as a result of its theft or loss.

    The owner of a trade secret is an individual or legal entity who legally possesses information constituting a trade secret and the corresponding rights in full (91, p. 123).

    Information that constitutes a trade secret does not exist on its own. It is displayed in various media that can save, accumulate, and transmit it. With their help, information is also used (8; 91, p.123).

    An information carrier is an individual or a material object, including a physical field, in which information is reflected in the form of symbols, images, signals, technical solutions and processes (8; 68, p. 37).

    From this definition it follows, firstly, that material objects are not only what can be seen or touched, but also physical fields, as well as the human brain, and secondly, that information in media is displayed not only by symbols, i.e. letters, numbers, signs, but also by images in the form of pictures, drawings, diagrams and other iconic models, signals in physical fields, technical solutions in products, and technical processes in product manufacturing technology (39, p. 65).

    The types of material objects as information carriers are different. They can be magnetic tapes, magnetic and laser disks, photo, film, video and audio tapes, various types of industrial products, technological processes, etc. But the most widespread type is paper-based media (46, p. 11). The information in them is recorded in handwritten, typewritten, electronic, typographical ways in the form of text, drawing, diagram, picture, formula, graph, map, etc. In these media, information is displayed in the form of symbols and images. The Federal Law “On Information...” (8) classifies such information as documented information, and it represents various types of documents.

    Recently, there have been significant adjustments to the forms and means of obtaining confidential information through informal means. Of course, this mainly concerns the impact on a person as a carrier of confidential information.

    A person as an object of influence is more susceptible to informal influences than technical means and other carriers of confidential information, due to a certain legal vulnerability at the current moment, individual human weaknesses and life circumstances (64, p. 82).

    Such informal influence is, as a rule, hidden, illegal in nature and can be carried out either individually or by a group of people.

    The following types of information leakage channels are possible for a person who is a carrier of confidential information: speech channel, physical channel and technical channel.

    Speech channel of leakage - information is transmitted from the owner of confidential information through words personally to the object interested in receiving this information (29).

    Physical channel of leakage - information is transmitted from the owner of confidential information (carrier) through paper, electronic, magnetic (encrypted or open) or other means to an object interested in receiving this information (36, p. 62).

    Technical leakage channel - information is transmitted through technical means (29).

    Forms of influence on a person who is a carrier of protected information can be open and hidden (33).

    Open influence on the owner (carrier) of confidential information for receipt by the interested object implies direct contact (101, p. 256).

    The hidden influence on the owner (carrier) of confidential information for its receipt by the interested object is carried out indirectly (101, p. 256).

    The means of informal influence on the owner (carrier) of confidential information to obtain certain information from him through an open speech channel are a person or a group of people who act through promises of something, requests, and suggestions (107, p. 12).

    As a result, the owner (carrier) of confidential information is forced to change his behavior, his official obligations and transfer the required information (91, p. 239).

    Hidden influence through the speech channel on the owner (carrier) of confidential information is carried out through indirect coercion - blackmail through a third party, unintentional or intentional eavesdropping, etc.

    The mentioned means of influence, in the end, accustom the owner (carrier) of confidential information to tolerating the influences exerted on him (85, p. 220).

    Forms of influence on the owner (carrier) of confidential information through a physical leak channel can also be open and hidden.

    Open influence is carried out through forceful (physical) intimidation (beatings) or force with a fatal outcome, after receiving information (95, p. 78).

    The hidden impact is more subtle and extensive in terms of the means used. It can be represented in the form of the following structure of influence (95, p.79): interested object - interests and needs of the carrier of confidential information.

    Consequently, the interested object acts covertly (indirectly) on the interests and needs of the person who owns the confidential information.

    Such hidden influence can be based on: fear, blackmail, manipulation of facts, bribery, intimacy, corruption, persuasion, provision of services, assurances about the future of a person who is a carrier of confidential information (94, p.87).

    The form of influence on the owner (carrier) of confidential information through technical channels can also be open or hidden.

    Open (direct) means - fax, telephone (including mobile systems), Internet, radio communications, telecommunications, media.

    Hidden means include: listening using technical means, viewing from a display screen and other means of displaying it, unauthorized access to a personal computer and software and hardware.

    All considered means of influence, regardless of their forms, have an informal impact on the person who is the carrier of confidential information, and are associated with illegal and criminal methods of obtaining confidential information (72).

    The possibility of manipulating the individual characteristics of the owner (carrier) of confidential information with his social needs in order to obtain it must be taken into account when placing, selecting personnel and implementing personnel policies when organizing work with confidential information.

    You should always remember that the fact of documenting information (applying it to any tangible medium) increases the risk of information leakage. A material medium is always easier to steal, and there is a high probability that the necessary information is not distorted, as happens when information is disclosed orally.

    Threats to the safety, integrity and secrecy (confidentiality) of restricted-access information are practically realized through the risk of the formation of channels for the unauthorized receipt (extraction) of valuable information and documents by an attacker. These channels are a set of directions of possible information leakage that the organization leaves unprotected or weakly protected and that the attacker uses to obtain the necessary information, that is, for deliberate illegal access to protected information.

    Each specific enterprise has its own set of channels for unauthorized access to information; in this case, ideal companies do not exist.

    This depends on many factors: the volume of protected information; the types of protected information (constituting a state secret, or some other secret - official, commercial, banking, etc.); the professional level of personnel, the location of buildings and premises, etc.

    The functioning of channels for unauthorized access to information necessarily entails information leakage, as well as the disappearance of its carrier.

    If we are talking about information leakage due to the fault of personnel, the term “disclosure of information” is used. A person can disclose information orally, in writing, by obtaining information using technical means (copiers, scanners, etc.), using gestures, facial expressions, and conventional signals, and can transmit it personally, through intermediaries, through communication channels, etc. (56, p.458).

    Leakage (disclosure) of information is characterized by two conditions:

    1. Information goes directly to the person interested in it, the attacker;

    2. Information passes to a random third party.

    In this case, a third party is understood as any outsider who has received the information due to circumstances beyond his control or the irresponsibility of personnel, who has no right to possess the information and, most importantly, is not interested in it (37, p.5). However, information from a third party can easily pass to an attacker. In that case the third party, due to circumstances set up by the attacker, acts as a “blotter” for intercepting the necessary information.

    The transfer of information to a third party seems to be a fairly common occurrence, and it can be called unintentional, spontaneous, although the fact of disclosure of information does occur.

    Unintentional transfer of information to a third party occurs as a result of:

    1. Loss or improper destruction of a document on any medium, a package of documents, a file, confidential records;

    2. Ignoring or deliberate failure by the employee to comply with the requirements for the protection of documented information;

    3. Excessive talkativeness of workers in the absence of an intruder - with work colleagues, relatives, friends, other persons in public places: cafes, transport, etc. (recently this has become noticeable with the spread of mobile communications);

    4. Work with the organization's restricted-access documented information in the presence of unauthorized persons, unauthorized transfer of it to another employee;

    5. Use of information with limited access in open documents, publications, interviews, personal notes, diaries, etc.;

    6. Absence of secrecy (confidentiality) stamps on documents containing such information, or of the corresponding markings on technical media;

    7. The presence in the texts of open documents of unnecessary information with limited access;

    8. Unauthorized copying (scanning) of documents, including electronic ones, by an employee for official or collection purposes.

    Unlike a third party, an attacker or his accomplice purposefully obtains specific information and deliberately, illegally establishes contact with the source of this information or transforms the channels of its objective dissemination into channels of its disclosure or leakage.

    Organizational channels of information leakage are distinguished by a wide variety of types and are based on the establishment of various, including legal, relationships between the attacker and the enterprise or employees of the enterprise for subsequent unauthorized access to the information of interest.

    The main types of organizational channels can be:

    1. An attacker is hired by an enterprise, usually in a technical or support position (computer operator, forwarder, courier, cleaner, janitor, security guard, driver, etc.);

    2. Participation in the work of the enterprise as a partner, intermediary, client, use of various fraudulent methods;

    3. The attacker’s search for an accomplice (initiative assistant) working in the organization, who becomes his accomplice;

    4. The establishment by the attacker of a trusting relationship with an employee of the organization (for common interests, up to joint drinking and love relationships) or a regular visitor, an employee of another organization who has information of interest to the attacker;

    5. Use of the organization’s communication links - participation in negotiations, meetings, exhibitions, presentations, correspondence, including electronic correspondence, with the organization or its specific employees, etc.;

    6. Using erroneous actions of personnel or deliberately provoking these actions by an attacker;

    7. Secret or fictitious entry into enterprise buildings and premises, criminal, forceful access to information, that is, theft of documents, floppy disks, hard drives or computers themselves, blackmail and inducement of individual employees to cooperate, bribery of employees, creation of extreme situations, etc.;

    8. Obtaining the necessary information from a third (random) person.

    Organizational channels are selected or formed by the attacker individually in accordance with his professional skills and specific situation, and it is extremely difficult to predict them. Detection of organizational channels requires serious search and analytical work (75, p. 32).

    Wide possibilities for unauthorized receipt of information with limited access are created by the technical support of the organization’s financial document flow technologies. Any managerial and financial activity is always associated with the discussion of information in offices or via communication lines and channels (conducting video and conference calls), carrying out calculations and analyzing situations on computers, producing and reproducing documents, etc.


    The protection of confidential information is a relevant issue for every modern enterprise. Confidential company data must be protected from leaks, losses, and other fraudulent activities, as these can lead to critical consequences for the business. It is important to understand what data needs protection and to determine the ways and methods of organizing information security.

    Data that needs protection

    Information that is extremely important for business should have limited access within the enterprise, and its use is subject to strict regulation. Data that needs to be carefully protected includes:

    • trade secret;
    • production documentation of a secret nature;
    • company know-how;
    • customer base;
    • personal data of employees;
    • other data that the company considers necessary to protect from leakage.

    Confidentiality of information is often violated as a result of fraudulent actions by employees, the introduction of malware, and fraudulent operations by external attackers. Whichever side the threat comes from, confidential data must be secured through a set of measures consisting of several separate blocks:

    • determining the list of assets to be protected;
    • development of documentation regulating and limiting access to company data;
    • determining the circle of people who will have access to the CI;
    • defining response procedures;
    • risk assessment;
    • introduction of technical means for CI protection.

    Federal laws establish requirements for limiting access to confidential information. These requirements must be met by persons accessing such data. They do not have the right to transfer this data to third parties if their owner does not give his consent (Article 2, paragraph 7 of the Federal Law of the Russian Federation “On Information, Information Technologies and Information Protection”).

    Federal laws require protecting the foundations of the constitutional system, rights, interests, people's health, moral principles, ensuring the security of the state and the defense capability of the country. In this regard, it is imperative to maintain the confidentiality of CI, access to which is limited by federal laws. These regulations define:

    • under what conditions the information is classified as an official, commercial or other secret;
    • mandatory compliance with confidentiality conditions;
    • responsibility for disclosure of CI.

    Information received by employees of companies and organizations engaged in certain types of activities must be protected in accordance with the requirements of the law for the protection of confidential information, if in accordance with the Federal Law they are assigned such responsibilities. Data related to professional secrets can be provided to third parties if this is prescribed by the Federal Law or there is a court decision (when considering cases of disclosure of private information, identifying cases of theft, etc.).

    Protecting confidential information in practice

    During the work process, the employer and employee exchange a large amount of information of various kinds, including confidential correspondence and work with internal documents (for example, personal data of an employee, company developments).

    The degree of reliability of information protection is directly dependent on how valuable it is for the company. The complex of legal, organizational, technical and other measures provided for these purposes consists of various means, methods and activities. They can significantly reduce the vulnerability of protected information and prevent unauthorized access to it, record and prevent its leakage or disclosure.

    Legal methods must be applied by all companies, regardless of the simplicity of the protection system used. If this component is missing or not fully observed, the company will not be able to ensure the protection of the CI and will not be able to legally hold accountable those responsible for its loss or disclosure. Legal protection is mainly the legal preparation of documentation and proper work with the organization’s employees. People are the basis of the system for protecting valuable confidential information. In this case, it is necessary to select effective methods of working with employees. When enterprises develop measures to ensure the safety of CIs, management issues should be a priority.

    Information protection in the enterprise

    If civil law and labor disputes arise regarding disclosure, theft or other harmful actions in relation to trade secrets, the decision about the involvement of certain persons will depend on the correctness of creating a system for protecting this information in the organization.

    Particular attention should be paid to identifying documentation that constitutes a trade secret, marking it with appropriate inscriptions indicating the owner of the information, its name, location and circle of persons who have access to it.

    Employees, when hired and during their work activities as the CI base is formed, must familiarize themselves with local acts regulating the use of trade secrets and strictly comply with the requirements for handling them.

    Employment contracts must stipulate clauses on non-disclosure by the employee of certain information that the employer provides him with for use in his work, and liability for violation of these requirements.

    IT information protection

    An important place in the protection of computer data is occupied by the provision of technical measures, since in the modern high-tech information world, corporate espionage, unauthorized access to enterprise data, and the risks of data loss as a result of viral cyber attacks are quite common. Today, not only large companies are faced with the problem of information leakage, but also medium and small businesses feel the need to protect confidential data.

    Violators can take advantage of any error made in information protection, for example, if the means to ensure it were chosen incorrectly, installed or configured incorrectly.

    Hacking, Internet hacking, and theft of confidential information, which today is becoming more valuable than gold, require company owners to reliably protect it and prevent attempts to steal and damage this data. The success of the business directly depends on this.

    Many companies use modern, highly effective cyber defense systems that perform complex tasks of detecting threats, preventing them and protecting against leaks. It is necessary to use high-quality, modern and reliable nodes that are able to quickly respond to messages from information block protection systems. In large organizations, due to the complexity of interaction schemes, multi-level infrastructure and large volumes of information, it is very difficult to monitor data flows and identify intrusions into the system. This is where a “smart” system can come to the rescue, which can identify, analyze and perform other actions with threats in order to prevent their negative consequences in a timely manner.

    To detect, store, identify sources, recipients, and methods of information leakage, various IT technologies are used, among which it is worth highlighting DLP and SIEM systems that work in an integrated and comprehensive manner.

    DLP systems to prevent data loss

    To prevent the theft of confidential company information, which can cause irreparable harm to the business (data on investments, customer base, know-how, etc.), it is necessary to ensure the reliability of its safety. DLP (Data Loss Prevention) systems are a reliable protector against CI theft. They protect information simultaneously across several channels that may be vulnerable to attacks:

    • USB connectors;
    • locally operating and network-connected printers;
    • external drives;
    • Internet network;
    • postal services;
    • accounts, etc.

    The main purpose of the DLP system is to control the situation, analyze it and create conditions for efficient and safe work. Its task is to analyze the system without informing company employees about the use of this method of tracking worker nodes. Employees are not even aware of the existence of such protection.

    The DLP system controls the data transmitted through a variety of channels. It updates them and identifies information according to its importance in terms of confidentiality. In simple terms, DLP filters data and monitors its safety, evaluates each individual piece of information, and decides whether it may be let through. If a leak is detected, the system will block it.

    Using this program allows you not only to save data, but also to determine who sent it. If, for example, a company employee decides to “sell” information to a third party, the system will identify such an action and send this data to the archive for storage. This will allow you to analyze information, taking it from the archive at any time, detect the sender, and establish where and for what purpose this data was sent.
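    The filter, block and archive cycle described above, as an added example that is not code from the original page or from any DLP product. It models only the e-mail channel; the marking list, the `DlpFilter` class, the `corp.example` domain and the sample messages are assumptions made up for the illustration.

```python
import re
from datetime import datetime, timezone

# Assumed policy for the illustration; a real deployment defines its own.
MARKINGS = ("trade secret", "confidential", "for official use")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card-number runs

def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the reasons (possibly none) for treating the text as confidential."""
    lowered = text.lower()
    reasons = ["marking:" + m for m in MARKINGS if m in lowered]
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            reasons.append("card_number")
            break
    return reasons

class DlpFilter:
    """Outbound e-mail filter: decide, block, and archive who sent what where."""
    def __init__(self, internal_domain):
        self.internal_suffix = "@" + internal_domain.lower()
        self.archive = []            # stand-in for the DLP archive storage

    def inspect(self, sender, recipient, body):
        reasons = classify(body)
        leaving = not recipient.lower().endswith(self.internal_suffix)
        verdict = "block" if reasons and leaving else "allow"
        if reasons:                  # keep evidence for later investigation
            self.archive.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "sender": sender, "recipient": recipient,
                "reasons": reasons, "verdict": verdict,
            })
        return verdict

# Constructed sample messages (addresses and text are made up).
SAMPLES = [
    ("ivanov@corp.example", "partner@mail.example",
     "Invoice for order 1234 5678 9012 3456 is attached."),
    ("petrova@corp.example", "buyer@mail.example",
     "Customer base export. CONFIDENTIAL, do not forward."),
    ("sidorov@corp.example", "accounting@corp.example",
     "Refund to card 4111 1111 1111 1111, please process."),
]

def run_samples():
    dlp = DlpFilter("corp.example")
    verdicts = [dlp.inspect(*msg) for msg in SAMPLES]
    return verdicts, dlp.archive
```

    The first message contains a 16-digit order number that fails the Luhn check, so it is not mistaken for card data; the third is allowed because it stays inside the organization, but it is still archived.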

    Specialized DLP systems are complex and multifunctional programs that provide a high degree of protection of confidential information. It is advisable to use them at a wide variety of enterprises that require special protection of confidential information:

    • private information;
    • intellectual property;
    • financial data;
    • medical information;
    • credit card data, etc.

    SIEM systems

    Experts consider SIEM (Security Information and Event Management) systems an effective way to ensure information security: they summarize and combine the logs of ongoing processes from various resources and other sources (DLP systems, software, network devices, IDS, OS logs, routers, servers, user workstations, etc.).

    If the threat was not identified in a timely manner, and the existing security system worked to repel the attack (which does not always happen), the “history” of such attacks subsequently becomes inaccessible. The SIEM will collect this data across the entire network and store it for a certain period of time. This allows you to return to the event log in the SIEM at any time and use its data for analysis.

    In addition, this system allows you to use convenient built-in tools to analyze and process incidents that have occurred. It converts hard-to-read formats of information about incidents, sorts them, selects the most significant ones, and eliminates the insignificant ones.

    Special SIEM rules specify the conditions under which suspicious events are accumulated. The system reports them when enough of them (three or more) have accumulated to indicate a possible threat. An example is an incorrectly entered password. If a single incorrect password entry is recorded, the SIEM will not report it, since one-time password errors during login occur quite often. But repeated attempts to enter an invalid password when logging into the same account may indicate unauthorized access.
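    The accumulation rule described above, as an added example that is not taken from the original page or from any SIEM product. The threshold of three comes from the text; the five-minute window, the normalized log format and the account names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                      # "three or more", as stated in the text
WINDOW = timedelta(minutes=5)      # assumption: the text gives no time window

# Constructed sample events in a hypothetical normalized format:
# "<ISO timestamp> <log source> <event> user=<account> src=<address>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 vpn-gw LOGIN_FAILED user=ivanov src=10.0.0.15
2024-03-01T09:00:40 dc01 LOGIN_FAILED user=petrova src=10.0.0.22
2024-03-01T09:00:52 dc01 LOGIN_OK user=petrova src=10.0.0.22
2024-03-01T09:01:10 mail LOGIN_FAILED user=ivanov src=203.0.113.7
2024-03-01T09:02:30 dc01 LOGIN_FAILED user=ivanov src=203.0.113.7
2024-03-01T09:03:00 dc01 LOGIN_FAILED user=ivanov src=203.0.113.7
2024-03-01T11:30:00 dc01 LOGIN_FAILED user=sidorov src=10.0.0.31
2024-03-01T14:45:00 dc01 LOGIN_FAILED user=sidorov src=10.0.0.31
2024-03-01T17:10:00 dc01 LOGIN_FAILED user=sidorov src=10.0.0.31
"""

def parse_event(line):
    """Split one normalized log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields:
        return None
    return {"time": ts, "source": parts[1], "event": parts[2], **fields}

def correlate_failed_logins(log_text, threshold=THRESHOLD, window=WINDOW):
    """Alert when one account collects `threshold` failures inside `window`."""
    recent = defaultdict(deque)    # account -> failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event"] != "LOGIN_FAILED":
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()            # drop failures older than the window
        if len(q) >= threshold:
            alerts.append({
                "account": ev["user"],
                "failures": len(q),
                "first": q[0]["time"],
                "last": ev["time"],
                "sources": sorted({e["source"] for e in q}),
                "addresses": sorted({e.get("src", "?") for e in q}),
            })
            q.clear()              # do not re-alert on the same burst
    return alerts
```

    Only `ivanov` triggers an alert: the failures arrive from three different log sources within minutes, which is visible only after the logs are combined. The single mistake by `petrova` and the three failures by `sidorov` spread over a working day stay below the rule.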

    Any company today needs such systems if it is important for it to maintain its information security. SIEM and DLP provide complete and reliable information protection for the company, help avoid leaks and allow you to identify who is trying to harm the employer by stealing, destroying or damaging information.

    Today we will talk about leaks and means of protecting confidential information.

    The term confidential information means confidential, not subject to publicity, secret. Disclosure of it may be classified as a criminal offense. Any person who has access to such information has no right to disclose it to other persons without the consent of the copyright holder.

    Confidential Information and Law

    Decree of the President of the Russian Federation No. 188 of March 6, 1997 defines information that is confidential. These include:

    1. Commerce related information.
    2. Information related to work activities.
    3. Medical, lawyer, personal (correspondence, telephone conversations, etc.) confidentiality.
    4. The secrecy of the investigation, legal proceedings, information about the convicted.
    5. Personal data of citizens, information about their personal life.

    A trade secret is information that allows its owner to gain a competitive advantage or to benefit from the provision of services or the sale of goods. It includes insider information about the company (change of management, etc.) that can affect the share price.

    Official secret - information available in government bodies; documents are marked “For official use” and are not subject to disclosure to third parties.

    Professional secrecy includes investigative, lawyer, judicial, notarial, etc. secrecy.

    Personal data - any personal details (full name, place of work, address, etc.), as well as information about the private life of a citizen.

    Leakage of such information may occur in the following cases:

    1. Ineffective storage of and access to confidential information, poor system protection.
    2. Constant change of personnel, personnel errors, difficult psychological climate in the team.
    3. Poor staff training in effective information security techniques.
    4. Inability of the organization's management to control the work of employees with classified information.
    5. Uncontrolled possibility of unauthorized persons entering the premises where information is stored.

    Information leakage paths

    They can be organizational and technical.

    Organizational channels:

    1. Applying to work for an organization in order to obtain classified information.
    2. Obtaining information of interest from partners and clients using methods of deception, misrepresentation.
    3. Criminal access to obtain information (theft of documents, theft of a hard drive with information).

    Technical channels:

    1. Copying the original document of classified information or its electronic version.
    2. Recording a confidential conversation on electronic media (dictaphone, smartphone and other recording devices).
    3. Oral transmission of the contents of a restricted document to third parties who do not have the right to access it.
    4. Criminal acquisition of information using radio bugs, secretly installed microphones and video cameras.

    Information protection measures

    The system for protecting classified information assumes:

    1. Preventing unauthorized access to it.
    2. Closing leakage channels.
    3. Regulations for working with confidential information.

    The enterprise security service must organize the practical implementation of the information security system, personnel training, and monitoring compliance with regulatory requirements.

    Organizational methods

    1. Development of a system for processing confidential data.
    2. Informing the company's personnel about the responsibility for disclosing confidential documents, copying or falsifying them.
    3. Drawing up a list of restricted access documents, delineating personnel according to access to available information.
    4. Selection of personnel for processing confidential materials, instructing employees.

    Technical methods

    1. Use of cryptographic means for email correspondence, and conducting telephone conversations over secure communication lines.
    2. Checking the room where negotiations are taking place for the absence of radio bugs, microphones, and video cameras.
    3. Personnel access to protected premises using identifying means, code, password.
    4. Use of software and hardware protection methods on computers and other electronic devices.

    The company's information security policy includes:

    1. Appointment of a person responsible for security in the organization.
    2. Monitoring the use of software and hardware protection tools.
    3. Responsibility of heads of departments and services for ensuring information security.
    4. Introduction of access control for employees and visitors.
    5. Drawing up a list of access of persons to confidential information.

    Information security organization

    Computers operating on a local network, servers, and routers must be reliably protected from unauthorized removal of information. To do this:

    1. A responsible employee is assigned for the operation of each computer.
    2. The system unit is sealed by an IT service employee.
    3. Installation of any programs is carried out by IT service specialists.
    4. Passwords must be generated by IT service employees and issued against signature.
    5. The use of third-party sources of information is prohibited; all storage media are marked.
    6. Only one computer is used to prepare important documents. A log of users is kept on it.
    7. Software and hardware must be certified.
    8. Protection of information media (external drives) from unauthorized access.

    The system for working with confidential information guarantees the information security of the organization and allows you to preserve important information from leaks. This contributes to the sustainable functioning of the enterprise for a long time.
