Availability of information security. Data Security: Ensuring Information Security

Norbert Wiener, the creator of cybernetics, believed that information has unique characteristics and cannot be attributed to either energy or matter. The special status of information as a phenomenon has given rise to many definitions.

The glossary of ISO/IEC 2382:2015 "Information Technology" provides the following interpretation:

Information (in the field of information processing): any data presented in electronic form, written on paper, spoken at a meeting or in any other medium used by a financial institution for decision-making, transfer of funds, setting rates, granting loans, processing transactions, etc., including components of software processing systems.

To develop the concept of information security (IS), information is understood as data that is available for collection, storage, processing (editing, transformation), use and transmission in various ways, including in computer networks and other information systems.

Such information is of high value and can become an object of infringement by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, the Information Security Doctrine was adopted in Russia. In the document, IS is defined as a state of protection of national interests in the information sphere. In this case, national interests are understood as the totality of the interests of society, the individual and the state; each group of interests is necessary for the stable functioning of society.

The Doctrine is a conceptual document. Legal relations related to ensuring information security are regulated by the federal laws "On State Secrets", "On Information", "On Protection of Personal Data" and others. On the basis of these fundamental normative acts, government decrees and departmental normative acts are developed on particular issues of information protection.

Definition of information security

Before developing an information security strategy, it is necessary to accept a basic definition of the concept itself, which will allow the use of a certain set of means and methods of protection.

Industry practitioners propose to understand information security as a stable state of protection of information, its carriers and infrastructure, which ensures the integrity and stability of information-related processes against intentional or unintentional impacts of a natural and artificial nature. Impacts are classified as IS threats that can cause damage to the subjects of information relations.

Thus, information security will be understood as a set of legal, administrative, organizational and technical measures aimed at preventing real or perceived information security threats, as well as at eliminating the consequences of incidents. The continuity of the information protection process should guarantee the fight against threats at all stages of the information cycle: in the process of collecting, storing, processing, using and transmitting information.

Information security in this sense becomes one of the characteristics of the system's performance. At each point in time, the system must have a measurable level of security, and ensuring the security of the system must be a continuous process that is carried out at all time intervals during the life of the system.

In the theory of information security, IS subjects are understood as owners and users of information, including not only users who work with it on an ongoing basis (employees), but also users who access databases in isolated cases, for example, government agencies requesting information. In some cases, for example, in banking information security standards, shareholders, the legal entities to which the specific data belongs, are considered to be owners of information.

The supporting infrastructure, from the point of view of the basics of information security, includes computers, networks, telecommunications equipment, premises, life support systems, and personnel. When analyzing security, it is necessary to study all elements of systems, paying special attention to personnel as the carrier of most internal threats.

To manage information security and assess damage, an acceptability characteristic is used: damage is determined as acceptable or unacceptable. It is useful for each company to approve its own criteria for accepting damage in monetary terms or, for example, in the form of acceptable harm to reputation. In public institutions, other characteristics may be adopted, for example, the impact on the management process or a reflection of the degree of damage to the life and health of citizens. Criteria of materiality, importance and value of information may change over the life cycle of an information array and therefore should be reviewed in a timely manner.

An information threat in the narrow sense is an objective possibility to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include targeted informational impacts, the purpose of which is to cause damage to the state, organization, or individual. Such threats include, for example, defamation, deliberate misrepresentation, incorrect advertising.

Three main questions of the information security concept for any organization

  • What to protect?
  • What types of threats prevail: external or internal?
  • How to protect, by what methods and means?

Information security system

The information security system for a company as a legal entity includes three groups of basic concepts: integrity, availability and confidentiality. Underneath each are concepts with many characteristics.

Integrity refers to the resistance of databases and other information arrays to accidental or intentional destruction and unauthorized changes. The concept of integrity can be seen as:

  • static, expressed in the immutability and authenticity of information objects relative to the objects that were created according to a specific technical assignment and that contain the amount of information users need for their main activities, in the required configuration and sequence;
  • dynamic, implying the correct execution of complex actions or transactions that do not harm the safety of information.

To control dynamic integrity, special technical tools are used that analyze a flow of information, for example, a financial one, and identify cases of theft, duplication, redirection, and reordering of messages. Integrity as the main characteristic is required when decisions to take action are made on the basis of incoming or available information. Violation of the order of commands or the sequence of actions can cause great damage in the case of descriptions of technological processes, program code, and in other similar situations.
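The kind of flow check described above, as an added example that is not part of the original article: a receiving endpoint verifies each message's HMAC and sequence number and classifies it as tampered, redirected, duplicated or reordered, and reports sequence numbers that never arrived. The message fields (`src`, `dst`, `seq`, `payload`, `mac`), the `FlowMonitor` class, the key and the sample flow are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use a per-channel secret.
KEY = b"constructed-demo-key"
FIELDS = ("src", "dst", "seq", "payload")


def mac_of(msg):
    """HMAC-SHA256 over a canonical encoding of the protected fields."""
    body = json.dumps([msg.get(f) for f in FIELDS], separators=(",", ":"))
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


def make_message(src, dst, seq, payload):
    """Build a message the way the (hypothetical) sender would."""
    msg = {"src": src, "dst": dst, "seq": seq, "payload": payload}
    msg["mac"] = mac_of(msg)
    return msg


class FlowMonitor:
    """Tracks one receiving endpoint and classifies every arriving message."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.seen = {}     # sender -> set of sequence numbers already received
        self.highest = {}  # sender -> highest sequence number received

    def check(self, msg):
        # A message whose MAC does not verify is not trusted for anything else.
        if not hmac.compare_digest(str(msg.get("mac", "")), mac_of(msg)):
            return ["tampered"]
        findings = []
        # The destination is covered by the MAC, so a mismatch means the
        # message was delivered somewhere other than where it was addressed.
        if msg["dst"] != self.endpoint:
            findings.append("redirected")
        seen = self.seen.setdefault(msg["src"], set())
        highest = self.highest.get(msg["src"], 0)
        if msg["seq"] in seen:
            findings.append("duplicate")
        elif msg["seq"] < highest:
            findings.append("reordered")
        seen.add(msg["seq"])
        self.highest[msg["src"]] = max(highest, msg["seq"])
        return findings or ["ok"]

    def missing(self, src):
        """Sequence numbers never received: messages removed from the flow."""
        expected = set(range(1, self.highest.get(src, 0) + 1))
        return sorted(expected - self.seen.get(src, set()))


def run_demo():
    """Run a constructed financial message flow through the monitor."""
    monitor = FlowMonitor("core-bank")
    second = make_message("teller-1", "core-bank", 2, "pay 250 to acct B")
    altered = make_message("teller-1", "core-bank", 7, "pay 10 to acct C")
    altered["payload"] = "pay 9000 to acct X"  # changed after the MAC was set
    flow = [
        make_message("teller-1", "core-bank", 1, "pay 100 to acct A"),
        second,
        dict(second),                                                   # replayed copy
        make_message("teller-1", "core-bank", 5, "pay 40 to acct D"),   # 3 and 4 skipped
        make_message("teller-1", "core-bank", 4, "pay 75 to acct E"),   # arrives late
        make_message("teller-1", "other-bank", 6, "pay 60 to acct F"),  # wrong endpoint
        altered,
    ]
    results = [monitor.check(m) for m in flow]
    return results, monitor.missing("teller-1")


if __name__ == "__main__":
    results, gaps = run_demo()
    for number, verdict in enumerate(results, start=1):
        print(number, ",".join(verdict))
    print("missing sequence numbers:", gaps)
```
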

Availability is a property that allows authorized subjects to access or exchange data of interest to them. The key requirement of legitimation or authorization of subjects makes it possible to create different levels of access. The failure of the system to provide information becomes a problem for any organization or user group. An example is the unavailability of public service websites in the event of a system failure, which deprives many users of the opportunity to receive the necessary services or information.

Confidentiality means the property of information to be available to those users (subjects and processes) for which access is initially allowed. Most companies and organizations perceive confidentiality as a key element of information security, but in practice it is difficult to fully implement it. Not all data on existing channels of information leakage is available to the authors of information security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases their circulation is restricted.

The same properties of information security have different value for different users, hence the two extreme categories in the development of data protection concepts. For companies or organizations involved in state secrets, confidentiality will be the key parameter; for public services or educational institutions, the most important parameter will be availability.

Objects of protection in IS concepts

The difference in subjects generates differences in the objects of protection. Main groups of protected objects:

  • information resources of all kinds (a resource is a material object: an HDD, other media, a document with data and details that help to identify it and attribute it to a certain group of subjects);
  • the rights of citizens, organizations and the state to access information, the opportunity to obtain it within the framework of the law; access can be limited only by regulatory legal acts, the organization of any barriers that violate human rights is unacceptable;
  • a system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
  • a system for the formation of public consciousness (media, Internet resources, social institutions, educational institutions).

Each object involves a special system of measures to protect against threats to information security and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the object.

Categories and media

The Russian legal system, law enforcement practice and established social relations classify information according to accessibility criteria. This allows you to clarify the essential parameters necessary to ensure information security:

  • information, access to which is restricted on the basis of legal requirements (state secret, commercial secret, personal data);
  • information in open access;
  • publicly available information that is provided under certain conditions: paid information or data for which an access permit is required, for example, a library card;
  • dangerous, harmful, false and other types of information, the circulation and dissemination of which is limited either by the requirements of laws or corporate standards.

Information from the first group has two protection regimes. A state secret, according to the law, is information protected by the state, the free circulation of which can harm the security of the country. This is data in the field of military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. The bodies authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service, and the Federal Service for Technical and Export Control (FSTEC).

Confidential information is a more multifaceted object of regulation. The list of information that may constitute confidential information is contained in Presidential Decree No. 188 "On Approval of the List of Confidential Information". This is personal data; secrecy of the investigation and legal proceedings; official secrets; professional secrecy (medical, notarial, lawyer); trade secrets; information about inventions and utility models; information contained in the personal files of convicts, as well as information on the enforcement of judicial acts.

Personal data exists in open and confidential mode. The part of personal data that is open and accessible to all users includes the first name, last name, patronymic. According to Federal Law-152 "On Personal Data", personal data subjects have the right to:

  • informational self-determination;
  • access their own personal data and make changes to it;
  • block personal data and access to it;
  • appeal against unlawful actions of third parties committed in relation to personal data;
  • compensation for damages.

The right to is enshrined in the regulations on state bodies, federal laws, licenses for working with personal data issued by Roskomnadzor or FSTEC. Companies that professionally work with personal data of a wide range of people, for example, telecom operators, must enter the register maintained by Roskomnadzor.

A separate object in the theory and practice of information security is information carriers, access to which is open and closed. When developing the IS concept, protection methods are selected depending on the type of media. Main information carriers:

  • print and electronic media, social networks, other resources on the Internet;
  • employees of the organization who have access to information based on their friendships, family, professional ties;
  • means of communication that transmit or store information: telephones, automatic telephone exchanges, other telecommunications equipment;
  • documents of all types: personal, official, state;
  • software as an independent information object, especially if its version was developed specifically for a particular company;
  • electronic storage media that process data automatically.

For the purposes of developing information security concepts, information security tools are usually divided into regulatory (informal) and technical (formal).

Informal means of protection are documents, rules and events; formal ones are special technical means and software. The distinction helps to distribute areas of responsibility when creating information security systems: under general protection management, administrative personnel implement the regulatory methods, and IT specialists, respectively, the technical ones.

The basics of information security imply the division of powers not only in terms of the use of information, but also in terms of working with its protection. This separation of powers requires several levels of control.


Formal remedies

A wide range of technical means of information security protection includes:

Physical means of protection. These are mechanical, electrical and electronic mechanisms that operate independently of information systems and create barriers to access to them. Locks, including electronic ones, screens and blinds are designed to keep destabilizing factors from coming into contact with systems. The group is supplemented by security system equipment, for example, video cameras, video recorders, and sensors that detect movement or excess electromagnetic radiation in the area where technical means of removing information or embedded devices are located.

Hardware protection. These are electrical, electronic, optical, laser and other devices that are built into information and telecommunication systems. Before introducing hardware into information systems, compatibility must be verified.

Software: these are simple and systemic, complex programs designed to solve particular and complex tasks related to the provision of information security. An example of complex solutions are and: the first serve to prevent leakage, reformatting information and redirecting information flows, the second - provide protection against incidents in the field of information security. Software tools are demanding on the power of hardware devices, and additional reserves must be provided during installation.

Specific means of information security include various cryptographic algorithms that allow you to encrypt information stored on disk and information sent through external communication channels. The transformation of information can be carried out by software and hardware methods that work in corporate information systems.

All means that guarantee the security of information should be used in conjunction, after a preliminary assessment of the value of information and comparing it with the cost of resources spent on protection. Therefore, proposals for the use of funds should be formulated already at the stage of systems development, and approval should be made at the level of management that is responsible for approving budgets.

In order to ensure security, it is necessary to monitor all modern developments, software and hardware protection tools and threats, and to make timely changes to your own systems of protection against unauthorized access. Only an adequate and prompt response to threats will help achieve a high level of confidentiality in the company.

Informal remedies

Informal remedies are grouped into normative, administrative, and moral and ethical ones. At the first level of protection, there are regulatory tools that regulate information security as a process in the organization's activities.

  • Regulatory means

In world practice, the development of regulatory tools is guided by information security standards, the main one being ISO/IEC 27000. The standard was created by two organizations:

  • ISO - International Commission for Standardization, which develops and approves most of the internationally recognized methods for certification of the quality of production and management processes;
  • IEC - the International Energy Commission, which introduced its understanding of information security systems, means and methods of its provision into the standard.

The current version of ISO/IEC 27000-2016 offers ready-made standards and proven methodologies necessary for the implementation of information security. According to the authors of the methods, the basis of information security lies in the systematic and consistent implementation of all stages from development to post-control.

To obtain a certificate that confirms compliance with information security standards, it is necessary to implement all recommended practices in full. If there is no need to obtain a certificate, it is allowed to take any of the earlier versions of the standard, starting with ISO/IEC 27000-2002, or Russian GOSTs, which are advisory in nature.

Based on the results of studying the standard, two documents that relate to information security are developed. The main, but less formal, one is the enterprise information security concept, which determines the measures and methods for implementing an information security system for the organization's information systems. The second document, which all employees of the company are required to comply with, is the regulation on information security, approved at the level of the board of directors or the executive body.

In addition to the company-level regulation, lists of information constituting a trade secret, annexes to employment contracts that fix responsibility for the disclosure of confidential data, and other standards and methods should be developed. Internal rules and regulations should contain implementation mechanisms and responsibilities. Most often, the measures are disciplinary in nature, and the violator must be prepared for the fact that a violation of the trade secret regime will be followed by significant sanctions, up to and including dismissal.

  • Organizational and administrative measures

Administrative activities for the protection of information give employees of the security services scope for creativity. These include architectural and planning solutions that protect meeting rooms and executive offices from eavesdropping, and the establishment of various levels of access to information. Important organizational measures will be certification of the company's activities in accordance with ISO/IEC 27000 standards, certification of individual hardware and software systems, certification of subjects and objects for compliance with the necessary security requirements, and obtaining the licenses required to work with protected information arrays.

From the point of view of regulating the activities of personnel, it will be important to design a system of requests for access to the Internet, external e-mail, and other resources. A separate element will be the receipt of an electronic digital signature to enhance the security of financial and other information that is transmitted to government agencies via e-mail channels.

  • Moral and ethical measures

Moral and ethical measures determine the personal attitude of a person to confidential information or information restricted in circulation. Increasing the level of knowledge of employees regarding the impact of threats on the company's activities affects the degree of consciousness and responsibility of employees. To combat violations of the information regime, including, for example, the transmission of passwords, careless handling of media, and the dissemination of confidential data in private conversations, it is necessary to emphasize the personal conscience of the employee. It will be useful to establish performance indicators for personnel that depend on their attitude towards the corporate IS system.

Information Security Policy.

1. General provisions

This Information Security Policy (hereinafter, the Policy) defines a system of views on the problem of ensuring information security and is a systematic presentation of the goals and objectives, as well as the organizational, technological and procedural aspects, of ensuring the security of information of information infrastructure objects, including the organization's set of information centers, data banks and communication systems. This Policy has been developed taking into account the requirements of the current legislation of the Russian Federation and the immediate prospects for the development of information infrastructure facilities, as well as the characteristics and capabilities of modern organizational and technical methods and of hardware and software for information protection.

The main provisions and requirements of the Policy apply to all structural divisions of the organization.

The Policy is the methodological basis for the formation and implementation of a unified policy in the field of ensuring the security of information of information infrastructure objects, for making agreed management decisions and developing practical measures aimed at ensuring information security, and for coordinating the activities of structural divisions of the organization when working on the creation, development and operation of information infrastructure objects in compliance with information security requirements.

The Policy does not regulate the issues of organizing the protection of premises and ensuring the safety and physical integrity of information infrastructure components, protection against natural disasters, and failures in the power supply system; however, it involves building an information security system on the same conceptual foundations as the security system of the organization as a whole.

The implementation of the policy is ensured by the relevant guidelines, regulations, procedures, instructions, guidelines and information security assessment system in the organization.

The following terms and definitions are used in the Policy:

Automated system (AS) — a system consisting of personnel and a set of means for automating their activities, which implements information technology for performing established functions.

Information infrastructure — a system of organizational structures that ensure the functioning and development of the information space and the means of information interaction. The information infrastructure includes a set of information centers, data and knowledge banks, communication systems, and provides consumers with access to information resources.

Information resources (IR) - separate documents and separate arrays of documents, as well as documents and arrays of documents in information systems (libraries, archives, collections, databases and other information systems).

Information system (IP) - an information processing system and the related organizational resources (human, technical, financial, etc.) that provide and disseminate information.

Security - the state of protection of the interests (goals) of the organization under threat.

Information security (IS) — security associated with threats in the information sphere. Security is achieved by providing a set of IS properties: availability, integrity and confidentiality of information assets. The priority of IS properties is determined by the value of these assets for the interests (goals) of the organization.

Availability of information assets - a property of an organization's information security whereby information assets are provided to an authorized user in the form and place required by the user and at the time when the user needs them.

Integrity of information assets - the property of an organization's information security to keep its information assets unchanged or to correct detected changes in them.

Confidentiality of information assets - a property of the organization's IS whereby the processing, storage and transfer of information assets are carried out in such a way that information assets are available only to authorized users, system objects or processes.

Information security system (NIB) — a set of protective measures, protective equipment and processes for their operation, including resource and administrative (organizational) support.

Unauthorized access - access to information in violation of the employee's official powers; access to information closed to the public by persons who do not have permission to access it; or access to information by a person who has the right to access it, in an amount exceeding what is necessary to perform official duties.

2. General requirements for ensuring information security

Information security (hereinafter, IS) requirements determine the content and objectives of the organization's activities within the framework of information security management processes.

These requirements are formulated for the following areas:

  • assignment and distribution of roles and trust in staff;
  • life cycle stages of information infrastructure objects;
  • protection against unauthorized access (hereinafter, NSD), access control and registration in automated systems, in telecommunications equipment and automatic telephone exchanges, etc.;
  • anti-virus protection;
  • use of Internet resources;
  • use of means of cryptographic protection of information;
  • protection of personal data.

3. Objects to be protected

The main objects to be protected are:

  • information resources, presented in the form of documents and arrays of information, regardless of the form and type of their presentation, including, among other things, confidential and open information;
  • system of formation, distribution and use of information resources, libraries, archives, databases and data banks, information technology, regulations and procedures for collecting, processing, storing and transmitting information, technical and maintenance personnel;
  • information infrastructure, including information processing and analysis systems, hardware and software for its processing, transmission and display, including information exchange and telecommunications channels, information security systems and means, facilities and premises in which information infrastructure components are located.

3.1. Features of the Automated System

The AS circulates information of different categories. Protected information can be shared between different users from different subnets of a single corporate network.

A number of AS subsystems provide for interaction with external (state and commercial, Russian and foreign) organizations via dial-up and dedicated communication channels using special means of information transmission.

The complex of technical means of the AS includes data processing tools (workstations, database servers, mail servers, etc.), means of data exchange in local computer networks with the ability to access global networks (cabling, bridges, gateways, modems, etc.), as well as data storage facilities (including archiving).

The main features of the functioning of the AS include:

  • the need to integrate into a single system a large number of various technical means of processing and transmitting information;
  • a wide variety of tasks to be solved and types of processed data;
  • consolidation in single databases of information of various purposes, ownership and confidentiality levels;
  • availability of channels for connecting to external networks;
  • continuity of operation;
  • the presence of subsystems with different requirements for security levels, physically united in a single network;
  • variety of categories of users and service personnel.

In general terms, a single AS is a collection of local computer networks of departments, interconnected by means of telecommunications. Each local area network unites a number of interconnected and interacting automated subsystems (technological areas) that ensure the solution of problems by individual structural divisions of the organization.

Informatization objects include:

  • technological equipment (computer equipment, network and cable equipment);
  • information resources;
  • software (operating systems, database management systems, general system and application software);
  • automated communication and data transmission systems (telecommunication facilities);
  • communication channels;
  • service premises.

3.2. Types of organizational information assets to be protected

In the AS subsystems of the organization, information of various levels of confidentiality circulates, containing information of limited distribution (official, commercial, personal data) and public information.

The AS document flow contains:

  • payment orders and financial documents;
  • reports (financial, analytical, etc.);
  • information about personal accounts;
  • personal data;
  • other restricted information.

All information circulating in the AS and contained in the following types of information assets is subject to protection:

  • information constituting a commercial and official secret, access to which is limited by the organization as the owner of the information, in accordance with the provisions of the Federal Law "On Information, Informatization and Information Protection" and the Federal Law "On Trade Secrets";
  • personal data, access to which is restricted in accordance with the Federal Law "On Personal Data";
  • open information, in terms of ensuring the integrity and availability of information.

3.3. Categories of users of the Automated system

The organization has a large number of categories of users and maintenance personnel who must have different powers to access the information resources of the AS:

  • ordinary users (end users, employees of organizational units);
  • administrators of servers (file servers, application servers, database servers), local computer networks and applied systems;
  • system programmers (responsible for maintenance of common software) on servers and user workstations;
  • application software developers;
  • specialists in the maintenance of technical means of computer technology;
  • information security administrators, etc.

3.4. Vulnerability of the main components of the Automated System

The most vulnerable AS components are networked workstations, that is, the workstations of employees (hereinafter, workstations). Attempts at unauthorized access to information or at unauthorized actions (unintentional and intentional) in the computer network can be made from employees' workstations. Violations of the configuration of the hardware and software of workstations and unlawful interference in the processes of their functioning can lead to blocking of information, the impossibility of solving important tasks in a timely manner, and the failure of individual workstations and subsystems.

Network elements such as dedicated file servers, database servers, and application servers need special protection. Shortcomings of exchange protocols and of the means of access control to server resources can allow unauthorized access to protected information and influence the operation of various subsystems. In this case, both remote (from network stations) and direct (from the server console) attempts can be made to affect the operation of servers and their protections.

Bridges, gateways, hubs, routers, switches and other network devices, channels and communications also need to be protected. They can be used by intruders to restructure and disrupt network operation, intercept transmitted information, analyze traffic, and implement other methods of interfering in data exchange processes.

4. Basic principles of ensuring information security

4.1. General principles of safe operation

  • Timeliness of problem detection. The organization must promptly detect problems that could potentially affect its business objectives.
  • Predictability of development of problems. The organization must identify the cause-and-effect relationships of possible problems and build on this basis an accurate forecast of their development.
  • Assessing the impact of problems on business goals. The organization shall adequately assess the impact of identified problems.
  • Adequacy of protective measures. The organization should choose protective measures that are adequate to the threat and attacker models, taking into account the costs of implementing such measures and the amount of possible losses from the execution of threats.
  • Effectiveness of protective measures. The organization shall effectively implement the protective measures taken.
  • Using experience in making and implementing decisions. The organization should accumulate, generalize and use both its own experience and the experience of other organizations at all levels of decision-making and their implementation.
  • Continuity of principles of safe operation. The organization shall ensure the continuity of the implementation of the principles of safe operation.
  • Controllability of protective measures. The organization shall apply only those safeguards whose correct operation can be verified, and the organization shall regularly evaluate the adequacy of the safeguards and the effectiveness of their implementation, taking into account the impact of the safeguards on the business objectives of the organization.

4.2. Special principles for ensuring information security

The implementation of special principles for ensuring information security is aimed at increasing the level of maturity of information security management processes in the organization.

  • Definition of goals. The functional and information security objectives of the organization should be explicitly defined in an internal document. Uncertainty leads to "vagueness" of the organizational structure, personnel roles and information security policies, and to the inability to assess the adequacy of the protective measures taken.
  • Knowing your customers and employees. The organization must have information about its customers, carefully select staff (workers), and develop and maintain corporate ethics, which creates a favorable trusting environment for the activities of the asset management organization.
  • Personification and adequate division of roles and responsibilities. The responsibility of the organization's officials for decisions related to its assets should be personified and carried out mainly in the form of a guarantee. It should be adequate to the degree of influence on the goals of the organization, fixed in policies, monitored and improved.
  • Adequacy of roles to functions and procedures and their comparability with the criteria and evaluation system. Roles should adequately reflect the functions performed and the procedures for their implementation adopted in the organization. When assigning interrelated roles, the necessary sequence of their execution should be taken into account. The role should be consistent with the criteria for evaluating the effectiveness of its implementation. The main content and quality of the role being performed are actually determined by the assessment system applied to it.
  • Availability of services and facilities. The organization must ensure the availability of services and facilities for its customers and counterparties within the time limits determined by the relevant agreements (contracts) and/or other documents.
  • Observability and evaluability of IS provision. Any proposed protective measures should be designed so that the result of their application is clearly observable (transparent) and can be assessed by a department of the organization that has the appropriate authority.

5. Goals and objectives of ensuring information security

5.1. Subjects of Information Relations in the Automated System

The subjects of legal relations when using AS and ensuring the security of information are:

  • Organization as the owner of information resources;
  • subdivisions of the organization that ensure the operation of the AS;
  • employees of structural divisions of the organization, as users and providers of information in the AS in accordance with the functions assigned to them;
  • legal entities and individuals, information about which is accumulated, stored and processed in the AS;
  • other legal entities and individuals involved in the process of creation and operation of the AS (system component developers, organizations involved in providing various services in the field of information technologies, etc.).

The listed subjects of information relations are interested in providing:

  • confidentiality of a certain part of the information;
  • reliability (completeness, accuracy, adequacy, integrity) of information;
  • protection against the imposition of false (untrue, distorted) information;
  • timely access to the necessary information;
  • delimitation of liability for violations of the legal rights (interests) of other subjects of information relations and of the established rules for handling information;
  • the possibility of continuous monitoring and control of the processing and transmission of information;
  • protection of part of the information from its illegal reproduction (protection of copyrights, rights of the owner of information, etc.).

5.2. Purpose of Information Security

The main goal of ensuring the security of information is to protect the subjects of information relations from possible material, moral or other damage to them through accidental or deliberate unauthorized interference in the operation of the AS or unauthorized access to the information circulating in it and its illegal use.

This goal is achieved by ensuring and constantly maintaining the following properties of information and an automated system for its processing:

  • availability of the processed information for registered users;
  • confidentiality of a certain part of the information stored, processed and transmitted through communication channels;
  • integrity and authenticity of information stored, processed and transmitted via communication channels.

5.3. Information Security Tasks

To achieve the main goal of ensuring information security, the information security system of the AS should provide an effective solution to the following tasks:

  • protection against interference in the functioning of the AS by unauthorized persons;
  • differentiation of access of registered users to the hardware, software and information resources of the AS, that is, protection from unauthorized access;
  • registration of user actions when using protected AS resources in system logs and periodic monitoring of the correctness of system user actions by analyzing the contents of these logs by specialists from security departments;
  • protection against unauthorized modification and integrity (immutability) control of the program execution environment, and its recovery in case of violation;
  • protection against unauthorized modification and control of the integrity of software used in the AS, as well as protection of the system from the introduction of unauthorized programs, including computer viruses;
  • protection of information from leakage through technical channels during its processing, storage and transmission through communication channels;
  • protection of information stored, processed and transmitted via communication channels from unauthorized disclosure or distortion;
  • ensuring authentication of users participating in information exchange;
  • ensuring the survivability of cryptographic means of protecting information in the event of a compromise of a part of the key system;
  • timely identification of sources of threats to information security, causes and conditions that contribute to causing damage to interested subjects of information relations, creation of a mechanism for prompt response to threats to information security and negative trends;
  • creating conditions for minimizing and localizing damage caused by illegal actions of individuals and legal entities, mitigating the negative impact and eliminating the consequences of information security breaches.

5.4. Ways to solve the problems of ensuring information security

The solution to the problems of ensuring information security is achieved by:

  • strict accounting of all system resources to be protected (information, tasks, communication channels, servers, workstations);
  • regulation of information processing processes and actions of employees of structural divisions of the organization, as well as actions of personnel engaged in maintenance and modification of software and hardware of the AS, on the basis of organizational and administrative documents on information security;
  • completeness, real feasibility and consistency of the requirements of organizational and administrative documents on the issues of information security;
  • appointment and training of employees responsible for the organization and implementation of practical measures to ensure the security of information;
  • granting each employee the minimum authority to access AS resources that is necessary for the performance of their functional duties;
  • clear knowledge and strict observance by all employees using and maintaining the AS hardware and software of the requirements of organizational and administrative documents on information security;
  • personal responsibility, for their own actions, of each employee who participates, within the framework of their functional duties, in the processes of automated information processing and has access to AS resources;
  • implementation of technological processes of information processing using complexes of organizational and technical measures to protect software, hardware and data;
  • taking effective measures to ensure the physical integrity of technical means and continuous maintenance of the required level of protection of the AS components;
  • application of technical (software and hardware) means of protecting system resources and continuous administrative support for their use;
  • delimitation of information flows and prohibition of transmission of information of limited distribution through unprotected communication channels;
  • effective control over compliance by employees with information security requirements;
  • constant monitoring of network resources, identification of vulnerabilities, timely detection and neutralization of external and internal threats to the security of a computer network;
  • legal protection of the interests of the organization from illegal actions in the field of information security;
  • conducting a continuous analysis of the effectiveness and sufficiency of the measures taken and the information protection tools used, and the development and implementation of proposals for improving the information protection system in the AS.

6. Threats to information security

6.1. Information security threats and their sources

The most dangerous threats to the security of information processed in AS are:

  • violation of confidentiality (disclosure, leakage) of information constituting an official or commercial secret, including personal data;
  • dysfunction (disorganization of work) of the AS, information blocking, violation of technological processes, failure to solve problems in a timely manner;
  • violation of integrity (distortion, substitution, destruction) of information, software and other AS resources.

The main sources of threats to the security of AS information are:

  • unfavorable natural and man-made events;
  • terrorists, criminal elements;
  • computer intruders carrying out purposeful destructive influences, including the use of computer viruses and other types of malicious code and attacks;
  • suppliers of software and hardware, consumables, services, etc.;
  • contractors involved in the installation, commissioning of equipment and its repair;
  • non-compliance with the requirements of supervisory and regulatory authorities, current legislation;
  • faults, failures, destruction/damage of software and hardware;
  • employees who are legal participants in the processes in the AS and act outside the scope of the granted powers;
  • employees who are legal participants in the processes in the AS and act within the framework of the granted powers.

6.2. Unintentional actions leading to a breach of information security and measures to prevent them

Employees of the organization who have direct access to the information processing processes in the AS are a potential source of unintentional random actions that can lead to a violation of information security.

The main unintentional actions leading to a violation of information security (actions committed by people accidentally, through ignorance, inattention or negligence, or out of curiosity, but without malicious intent) and the measures to prevent such actions and minimize the damage caused by them are given in Table 1.

Table 1

| Main actions leading to violation of information security | Measures to prevent threats and minimize damage |
|---|---|
| Actions of employees leading to partial or complete failure of the system or disruption of hardware or software; turning off equipment or changing the operating modes of devices and programs; destruction of information resources of the system (unintentional damage to equipment, deletion or distortion of programs or files with important information, including system ones, damage to communication channels, unintentional damage to storage media, etc.) | Organizational arrangements ( ). The use of physical means to prevent the unintentional commission of a violation. Application of technical (hardware and software) means of restricting access to resources. Redundancy of critical resources. |
| Unauthorized launch of programs that, if used incompetently, can cause a loss of system performance (freezes or loops) or make irreversible changes in the system (formatting or restructuring storage media, deleting data, etc.) | Organizational arrangements (removal of all potentially dangerous programs from the workstation). Application of technical (hardware and software) means of delimiting access to programs on workstations. |
| Unauthorized introduction and use of unaccounted programs (gaming, training, technological and others that are not necessary for the employees to perform their official duties) with subsequent unreasonable expenditure of resources (processor time, RAM, memory on external media, etc.) | Organizational arrangements (introduction of bans). Application of technical (hardware and software) means preventing unauthorized introduction and use of unaccounted programs. |
| Inadvertently infecting a computer with viruses | Organizational arrangements (regulation of actions, introduction of prohibitions). Technological measures (the use of special programs for detecting and destroying viruses). The use of hardware and software that prevent infection with computer viruses. |
| Disclosure, transfer or loss of access control attributes (passwords, encryption keys or electronic signature (ES) keys, identification cards, passes, etc.) | Organizational arrangements (regulation of actions, introduction of prohibitions, increased responsibility). The use of physical means to ensure the safety of the specified attributes. |
| Ignoring organizational constraints (established rules) when working in the system | Organizational arrangements ( ). Use of additional physical and technical means of protection. |
| Incompetent use, adjustment or illegal deactivation of protective equipment by security personnel | Organizational arrangements (staff training, increased responsibility and control). |
| Entering erroneous data | Organizational arrangements (increased accountability and control). Technological measures to control errors of data entry operators. |

6.3. Deliberate actions to violate information security and measures to prevent them

The main intentional actions (for selfish purposes, under duress, out of a desire for revenge, etc.) leading to a violation of the information security of the AS, and the measures to prevent them and reduce the possible damage caused, are given in Table 2.

Table 2

| The main intentional actions leading to information security breach | Measures to prevent threats and minimize damage |
|---|---|
| Physical destruction or incapacitation of all or some of the most important components of an automated system (devices, carriers of important system information, personnel, etc.), shutdown or incapacitation of subsystems that ensure the functioning of computing systems (power supply, communication lines, etc.) | Organizational arrangements (regulation of actions, introduction of prohibitions). The use of physical means to prevent the intentional commission of a violation. Redundancy of critical resources. |
| The introduction of agents into the system personnel (including the administrative group responsible for security), recruitment (by bribery, blackmail, threats, etc.) of users who have certain permissions to access protected resources | Organizational arrangements (selection, placement and work with personnel, strengthening control and responsibility). Automatic registration of personnel actions. |
| Theft of storage media (printouts, magnetic disks, tapes, storage devices and entire PCs), theft of industrial waste (printouts, records, discarded media, etc.) | Organizational arrangements ( ). |
| Unauthorized copying of storage media, reading residual information from RAM and external storage devices | Organizational arrangements (organization of storage and use of media with protected information). The use of technical means of restricting access to protected resources and automatic registration of receipt of hard copies of documents. |
| Illegal obtaining of passwords and other access control details (by undercover means, by exploiting the negligence of users, by guessing, by imitating the system interface with software bookmarks, etc.), followed by masquerading as a registered user | Organizational arrangements (regulation of actions, introduction of prohibitions, work with personnel). The use of technical means that prevent the introduction of programs to intercept passwords, keys and other details. |
| Unauthorized use of workstations of users with unique physical characteristics, such as the number of a workstation in the network, physical address, address in the communication system, hardware coding unit, etc. | Organizational arrangements (strict regulation of access to the premises and admission to work on these workstations). The use of physical and technical means of access control. |
| Unauthorized software modification - the introduction of software "bookmarks" and "viruses" (Trojan horses and bugs), that is, sections of programs that are not necessary for the implementation of the declared functions but make it possible to overcome the protection system and covertly and illegally access system resources in order to register and transmit protected information or disrupt the functioning of the system | Organizational arrangements (strict regulation of access to work). The use of physical and technical means of access control and of preventing unauthorized modification of the hardware and software configuration of the workstation. Application of software integrity control tools. |
| Interception of data transmitted over communication channels and their analysis in order to obtain confidential information and find out exchange protocols, rules for entering the network and user authorization, with subsequent attempts to imitate them to penetrate the system | Physical protection of communication channels. Application of means of cryptographic protection of transmitted information. |
| Interference in the functioning of the system from public networks for the purpose of unauthorized modification of data, access to confidential information, disruption of the work of subsystems, etc. | Organizational arrangements (regulation of connection and work in public networks). The use of special technical means of protection (firewalls, security controls and detection of attacks on system resources, etc.). |

6.4. Leakage of information through technical channels

During the operation of AS technical means, the following channels of leakage or violation of the integrity of information, or of violation of the performance of technical means, are possible:

  • spurious electromagnetic radiation of an informative signal from technical means and information transmission lines;
  • pickup of an informative signal processed by means of electronic computing equipment on wires and lines that go beyond the controlled area of offices, including on the grounding and power supply circuits;
  • various electronic devices for intercepting information (including "bookmarks") connected to communication channels or technical means of information processing;
  • viewing information from display screens and other means of displaying it using optical means;
  • impact on hardware or software in order to violate the integrity (destruction, distortion) of information, the operability of technical means and means of information security, and the timeliness of information exchange, including electromagnetic impact and impact through specially implanted electronic and software tools ("bookmarks").

Taking into account the specifics of processing and ensuring the security of information, the threat of leakage of confidential information (including personal data) through technical channels is not relevant for the organization.

6.5. Informal model of a probable intruder

An offender is a person who has attempted to perform prohibited operations (actions) by mistake, through ignorance, or knowingly, with malicious intent (out of selfish interests) or without it (for the sake of play or pleasure, for the purpose of self-affirmation, etc.), using various possibilities, methods and means for this.

The AS protection system should be built based on assumptions about the following possible types of intruders in the system (taking into account the category of persons, motivation, qualifications, availability of special means, etc.):

  • "Inexperienced (inattentive) user" - an employee who may attempt to perform prohibited operations, access protected AS resources in excess of his authority, enter incorrect data, or take similar actions by mistake, incompetence or negligence, without malicious intent and using only standard (available to him) hardware and software.
  • "Amateur" - an employee trying to overcome the protection system without selfish goals or malicious intent, for self-affirmation or out of "sporting interest". To overcome the protection system and commit prohibited actions, he can use various methods of obtaining additional permissions to access resources (names, passwords, etc. of other users), shortcomings in the construction of the protection system, and the standard programs available to him (installed on the workstation), that is, unauthorized actions by exceeding his authority to use permitted means. In addition, he may try to use additional non-standard instrumental and technological software (debuggers, utilities), independently developed programs or standard additional technical means.
  • "Scammer" - an employee who may attempt to perform illegal technological operations, enter false data and take similar actions for personal gain, under duress or out of malicious intent, but using only standard (installed on the workstation and available to him) hardware and software, on his own behalf or on behalf of another employee (knowing his name and password, using his short absence from the workplace, etc.).
  • "External intruder" - an outsider or former employee acting purposefully out of selfish interests, out of revenge or out of curiosity, possibly in collusion with others. He can use the whole range of methods of breaching information security and the methods and means of hacking security systems that are typical for public networks (in particular IP-based networks), including the remote introduction of software bookmarks and the use of special instrumental and technological programs, exploiting existing weaknesses in the exchange protocols and in the protection system of the organization's AS network nodes.
  • "Internal intruder" - an employee registered as a user of the system, acting purposefully out of selfish interests or revenge, possibly in collusion with persons who are not employees of the organization. He can use the whole set of methods and means of hacking the security system, including undercover methods of obtaining access details, passive means (technical means of interception without modifying system components), methods and means of active influence (modification of technical means, connection to data transmission channels, introduction of software bookmarks and use of special instrumental and technological programs), as well as combinations of impacts both from within and from public networks.

An insider may be a person from the following categories of personnel:

  • registered AS end users (employees of departments and branches);
  • workers not allowed to work with the AS;
  • personnel servicing AS technical facilities (engineers, technicians);
  • employees of software development and maintenance departments (application and system programmers);
  • technical staff serving the buildings and premises of the organization (cleaners, electricians, plumbers and other workers who have access to buildings and premises where the AS components are located);
  • leaders at various levels.
  • laid-off workers;
  • representatives of organizations interacting on issues of ensuring the life of the organization (energy, water, heat supply, etc.);
  • representatives of firms supplying equipment, software, services, etc.;
  • members of criminal organizations and competing commercial structures or persons acting on their instructions;
  • persons who accidentally or intentionally penetrated networks from external networks ("hackers").

Users and service personnel from among employees have the widest opportunities to carry out unauthorized actions, due to their certain powers to access resources and good knowledge of information processing technology. The actions of this group of violators are directly related to the violation of existing rules and instructions. This group of offenders poses a particular danger when interacting with criminal structures.

Laid-off workers can use their knowledge of work technology, safeguards and access rights to achieve their goals.

Criminal structures represent the most aggressive source of external threats. In order to implement their plans, these structures can openly violate the law and involve employees of the organization in their activities with all the forces and means available to them.

Hackers have the highest technical qualifications and knowledge of the weaknesses of the software used in the AS. They pose the greatest threat when interacting with working or laid-off workers and criminal structures.

Organizations involved in the development, supply and repair of equipment, information systems pose an external threat due to the fact that occasionally they have direct access to information resources. Criminal structures can use these organizations for temporary employment of their members in order to access protected information.

7. Technical policy in the field of information security

7.1. Main provisions of technical policy

The implementation of a technical policy in the field of information security should proceed from the premise that the required level of information security cannot be provided by a single separate tool (measure), nor by a simple collection of them. They must be systematically coordinated with each other (applied as a complex), and the individual elements of the AS being developed should be considered as parts of a single information system in a protected design, with an optimal ratio of technical (hardware, software) means and organizational measures.

The main directions of implementing the technical policy for ensuring the security of AS information are the protection of information resources from theft, loss, leakage, destruction, distortion or forgery due to unauthorized access and special effects.

Within the framework of the indicated directions of the technical policy for ensuring the security of information, the following are carried out:

  • implementation of a permit system for the admission of performers (users, service personnel) to works, documents and information of a confidential nature;
  • restriction of access of performers and unauthorized persons to buildings and premises where confidential work is carried out and where the informatization and communication facilities on which confidential information is processed (stored, transmitted) are located, and directly to the informatization and communication facilities themselves;
  • delimitation of access for users and maintenance personnel to information resources, software tools for processing and protecting information in subsystems of various levels and purposes included in the AS;
  • accounting of documents, information arrays, registration of actions of users and maintenance personnel, control over unauthorized access and actions of users, maintenance personnel and unauthorized persons;
  • prevention of introduction of virus programs, software bookmarks into automated subsystems;
  • cryptographic protection of information processed and transmitted by means of computer technology and communications;
  • reliable storage of machine storage media and cryptographic keys (key information) and their circulation, excluding theft, substitution and destruction;
  • necessary redundancy of technical means and duplication of arrays and storage media;
  • reduction in the level and information content of spurious radiation and interference generated by various elements of automated subsystems;
  • electrical isolation of power supply circuits, grounding and other circuits of informatization objects that go beyond the controlled area;
  • counteraction to optical and laser means of observation.

7.2. Formation of the information security mode

Taking into account the identified threats to the security of the AS, the information security regime should be formed as a set of methods and measures to protect the information circulating in the AS, and the infrastructure supporting it, from accidental or intentional effects of a natural or artificial nature that entail damage to the owners or users of information.

A set of measures for the formation of an information security regime includes:

  • establishment in the AS of the organizational and legal regime of information security (regulatory documents, work with personnel, office work);
  • implementation of organizational and technical measures to protect restricted information from leakage through technical channels;
  • organizational and software and hardware measures to prevent unauthorized actions (access) in relation to the information resources of the AS;
  • a set of measures to control the functioning of means and systems for protecting information resources of limited distribution after accidental or deliberate impacts.

8. Measures, methods and means of ensuring information security

8.1. Organizational arrangements

Organizational arrangements are organizational measures that regulate the processes of functioning of the AS, the use of its resources, the activities of maintenance personnel, as well as the procedure for users to interact with the system, in such a way as to hinder or exclude as far as possible the implementation of security threats and to reduce the amount of damage if they are implemented.

8.1.1. Formation of security policy

The main goal of organizational measures is to form an information security policy that reflects approaches to information protection, and ensure its implementation by allocating the necessary resources and monitoring the state of affairs.

From a practical point of view, it is advisable to divide the AS security policy into two levels. The top level includes decisions that affect the activities of the organization as a whole. Examples of such decisions might be:

  • formation or revision of a comprehensive information security program, determination of those responsible for its implementation;
  • formulating goals, setting tasks, determining areas of activity in the field of information security;
  • making decisions on the implementation of the security program, which are considered at the level of the organization as a whole;
  • provision of normative (legal) databases of security issues, etc.

The lower-level policy defines the procedures and rules for achieving goals and solving information security problems and details (regulates) these rules:

  • what is the scope of the information security policy;
  • what are the roles and responsibilities of officials responsible for implementing the information security policy;
  • who has access rights to restricted information;
  • who and under what conditions can read and modify information, etc.

The lower level policy should:

  • provide for the regulation of information relations, excluding the possibility of arbitrary, monopoly or unauthorized actions in relation to confidential information resources;
  • determine coalition and hierarchical principles and methods for sharing secrets and restricting access to restricted information;
  • choose software and hardware cryptographic protection, counteracting unauthorized access, authentication, authorization, identification and other protective mechanisms that ensure the implementation of the rights and responsibilities of subjects of information relations.

8.1.2. Regulation of access to technical facilities

The operation of secure workstations and the Bank's servers should be carried out in premises equipped with reliable automatic locks and alarm systems and constantly guarded or monitored, which excludes the possibility of unauthorized persons entering the premises and ensures the physical safety of the protected resources located there (AWS, documents, access details, etc.). The placement and installation of the technical means of such workstations should exclude the possibility of visual viewing of the input (output) information by persons who are not related to it. Cleaning of premises with equipment installed in them should be carried out in the presence of the responsible person to whom these technical means are assigned, or the duty officer of the unit, in compliance with measures that exclude access by unauthorized persons to protected resources.

During the processing of restricted information, only personnel authorized to work with this information should be present in the premises.

At the end of the working day, premises with installed protected workstations must be taken under guard.

For the storage of official documents and machine media with protected information, employees are provided with metal cabinets, as well as means for destroying documents.

Technical means that are used to process or store confidential information must be sealed.

8.1.3. Regulation of the admission of employees to the use of information resources

The permit system establishes who can provide what information to whom, for what type of access and under what conditions. The access control system defines, for all AS users, the information and software resources available to them for specific operations (read, write, modify, delete, execute) using the specified software and hardware access tools.

The admission of workers to work with the AS and access to its resources must be strictly regulated. Any changes in the composition and powers of users of AS subsystems should be made in the prescribed manner.

The main users of information in the AS are employees of the structural divisions of the organization. The level of authority of each user is determined individually, observing the following requirements:

  • open and confidential information are placed on different servers, if possible;
  • each employee enjoys only the rights assigned to him in relation to the information with which he needs to work in accordance with his official duties;
  • the boss has the right to view the information of his subordinates;
  • the most critical technological operations should be carried out according to the "two hands" rule: the correctness of the entered information is confirmed by another official who does not have the right to enter information.

All employees admitted to work in the AS and AS maintenance personnel must be personally liable for violations of the established procedure for automated processing of information and of the rules for the storage, use and transfer of protected system resources at their disposal. Each employee, when hired, must sign the Commitment to comply with the requirements for the preservation of confidential information and responsibility for their violation, as well as to follow the rules for working with protected information in the AS.

Processing of protected information in AS subsystems should be carried out in accordance with approved technological instructions (orders) for these subsystems.

For users of protected workstations, the necessary technological instructions should be developed, including requirements for ensuring the security of information.

8.1.4. Regulation of the processes of maintaining databases and modifying information resources

All operations for maintaining databases in the AS and the admission of employees to work with these databases must be strictly regulated. Any changes in the composition and powers of AS database users must be made in the prescribed manner.

Distribution of names, generation of passwords, maintenance of the rules for delimiting access to databases is entrusted to employees of the Department of Information Technologies. In this case, both regular and additional means of protecting the DBMS and operating systems can be used.

8.1.5. Regulation of maintenance processes and modification of hardware and software resources

System resources to be protected (tasks, programs, workstations) are subject to strict accounting (based on the use of appropriate forms or specialized databases).

The hardware and software configuration of automated workstations where protected information is processed, or from which access to protected resources is possible, must correspond to the range of functional duties assigned to the users of that workstation. All unused (extra) information input-output devices (COM, USB, LPT ports, floppy disk drives, CD and other storage media) on such workstations must be disabled (removed), and unnecessary software and data must also be deleted from the workstation disks.

To simplify maintenance and the organization of protection, workstations should be equipped with software and configured in a unified way (in accordance with established rules).

Commissioning of new workstations and all changes in the hardware and software configuration of existing workstations in the AS of the organization should be carried out only in accordance with the established procedure.

All software (developed by the organization's specialists, obtained or purchased from manufacturers) should be tested in the prescribed manner and transferred to the organization's program depository. In AS subsystems, only software tools received in the established order from the depository should be installed and used. The use of software in the AS that is not included in the program depository should be prohibited.

Development of software, testing of developed and acquired software, transfer of software into operation must be carried out in accordance with the established procedure.

8.1.6. User training and education

Prior to granting access to the AS, its users, as well as management and maintenance personnel, must be familiar with the list of confidential information and their level of authority, as well as organizational, administrative, regulatory, technical and operational documentation that defines the requirements and procedure for processing such information.

Protection of information in all of the above areas is possible only after the development of a certain discipline among users, i.e. norms that are mandatory for all those who work in the AS. Such norms include the prohibition of any intentional or unintentional actions that disrupt the normal operation of the AS, cause additional resource costs, violate the integrity of stored and processed information, and violate the interests of legitimate users.

All employees who use specific subsystems of the AS in their work must be familiar with the organizational and administrative documents for the protection of the AS in the part that concerns them, and must know and strictly follow the technological instructions and general obligations to ensure the security of information. The heads of departments should bring the requirements of these documents to the attention of persons admitted to the processing of protected information, against signature.

8.1.7. Responsibility for violation of information security requirements

For each serious violation of information security requirements by employees of the organization, an internal investigation should be carried out. Appropriate measures of influence should be applied to the perpetrators. The degree of responsibility of personnel for actions committed in violation of the established rules for ensuring secure automated processing of information should be determined by the damage caused, the presence of malicious intent and other factors.

To implement the principle of personal responsibility of users for their actions, it is necessary:

  • individual identification of users and processes initiated by them, i.e. establishing an identifier for them, on the basis of which access differentiation will be carried out in accordance with the principle of reasonableness of access;
  • user authentication based on passwords, keys on a different physical basis, etc.;
  • registration (logging) of the operation of mechanisms for controlling access to information system resources, indicating the date and time, identifiers of the requesting and requested resources, type of interaction and its result;
  • reaction to attempts of unauthorized access (alarm, blocking, etc.).

8.2. Technical means of protection

Technical (hardware and software) means of protection are various electronic devices and special programs that are part of the AS and perform (independently or in combination with other means) protection functions (identification and authentication of users, access control to resources, event registration, cryptographic protection of information, etc.).

Taking into account all the requirements and principles for ensuring the security of information in the AS in all areas of protection, the following means should be included in the protection system:

  • means of authenticating users and AS elements (terminals, tasks, database elements, etc.) corresponding to the degree of confidentiality of information and processed data;
  • means of differentiating access to data;
  • means of cryptographic protection of information in data transmission lines and in databases;
  • means of registering appeals and monitoring the use of protected information;
  • means of responding to detected unauthorized access (UA) or UA attempts;
  • means of reducing the level and information content of spurious radiation and pickups;
  • means of protection against optical means of observation;
  • means of protection against viruses and malicious programs;
  • means of electrical decoupling of both AS elements and structural elements of the premises in which the equipment is located.

The following main tasks are assigned to the technical means of protection against unauthorized access:

  • identification and authentication of users using names and/or special hardware (Touch Memory, Smart Card, etc.);
  • regulation of user access to physical devices of workstations (drives, I/O ports);
  • selective (discretionary) access control to logical drives, directories and files;
  • authoritative (mandatory) differentiation of access to protected data on the workstation and on the file server;
  • creation of a closed software environment of programs allowed to run, located both on local and network drives;
  • protection against penetration of computer viruses and malicious programs;
  • integrity control of protection system modules, disk system areas and arbitrary file lists in automatic mode and by administrator commands;
  • registration of user actions in a protected log, the presence of several levels of registration;
  • protection of the data of the protection system on the file server from access by all users, including the network administrator;
  • centralized management of access control settings on network workstations;
  • registration of all UA events occurring at workstations;
  • operational control over the work of network users, changing the operating modes of workstations and the possibility of blocking (if necessary) any network station.

The successful application of technical means of protection assumes that the fulfillment of the requirements listed below is ensured by organizational measures and the physical means of protection used:

  • the physical integrity of all components of the AU is ensured;
  • every worker (system user) has a unique system name and the minimum authority to access system resources that is necessary to perform his functional duties;
  • use of instrumental and technological programs on workstations (test utilities, debuggers, etc.) that allow attempts to hack or circumvent security measures is limited and strictly regulated;
  • there are no programming users in the secure system, and the development and debugging of programs is carried out outside the secure system;
  • all changes in the configuration of hardware and software are made in a strictly established manner;
  • network hardware (hubs, switches, routers, etc.) is located in places inaccessible to strangers (special rooms, cabinets, etc.);
  • the information security service provides continuous management and administrative support for the operation of information protection tools.

8.2.1. Means of identification and authentication of users

In order to prevent unauthorized persons from accessing the AS, it is necessary to ensure that the system recognizes each legitimate user (or limited groups of users). For this, the system should store (in a protected place) a number of attributes of each user by which this user can be identified. Subsequently, when entering the system and, if necessary, when performing certain actions in the system, the user must identify himself, i.e. specify the identifier assigned to him in the system. In addition, various types of devices can be used for identification: magnetic cards, key inserts, floppy disks, etc.

Authentication of users should be carried out through the use of passwords (secret words) or special authentication means that verify unique characteristics (parameters) of users.

8.2.2. Means for restricting access to resources of the Automated System

After recognizing the user, the system must authorize the user, that is, determine what rights are granted to the user: what data he can use and how, what programs he can execute, when, for how long and from what terminals he can work, what system resources he can use, etc. User authorization must be carried out using the following access control mechanisms:

  • mechanisms for selective access control based on the use of attribute schemes, permission lists, etc.;
  • mechanisms for authoritative access control based on the use of resource sensitivity labels and user access levels;
  • mechanisms to ensure a closed environment of trusted software (lists of programs allowed to run, individual for each user) supported by mechanisms for identifying and authenticating users when they log in to the system.
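The three mechanisms listed above can be combined into a single default-deny authorization decision. The following is an added example, not part of the original document; the user, terminal, program and resource names and the three access levels are constructed for illustration, and the mandatory check is a simple "access level must not be below the label" comparison.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels and user access levels (constructed for this example)."""
    OPEN = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2


@dataclass(frozen=True)
class User:
    name: str
    clearance: Level
    allowed_programs: frozenset   # closed software environment, individual per user
    allowed_terminals: frozenset  # terminals the user may work from


@dataclass
class Resource:
    name: str
    label: Level
    acl: dict = field(default_factory=dict)  # permission list: user name -> operations


OPERATIONS = {"read", "write", "modify", "delete", "execute"}


def authorize(user, terminal, program, resource, operation):
    """Return (allowed, reason). Every mechanism must allow; the default is deny."""
    if operation not in OPERATIONS:
        return False, "unknown operation"
    if terminal not in user.allowed_terminals:
        return False, "terminal not permitted for user"
    # Closed software environment: only programs on the user's list may act.
    if program not in user.allowed_programs:
        return False, "program outside closed software environment"
    # Authoritative (mandatory) control: compare access level with the label.
    if user.clearance < resource.label:
        return False, "mandatory: access level below sensitivity label"
    # Selective (discretionary) control: consult the resource's permission list.
    if operation not in resource.acl.get(user.name, set()):
        return False, "discretionary: operation not in permission list"
    return True, "allowed"


# Constructed sample subjects and objects.
IVANOV = User("ivanov", Level.CONFIDENTIAL,
              frozenset({"ledger.exe"}), frozenset({"ws-017"}))
PAYMENTS = Resource("payments.db", Level.CONFIDENTIAL, {"ivanov": {"read", "write"}})
KEY_STORE = Resource("key-store", Level.RESTRICTED, {"ivanov": {"read"}})

if __name__ == "__main__":
    for args in [("ws-017", "ledger.exe", PAYMENTS, "read"),
                 ("ws-017", "ledger.exe", PAYMENTS, "delete"),
                 ("ws-017", "ledger.exe", KEY_STORE, "read"),
                 ("ws-017", "debugger.exe", PAYMENTS, "read")]:
        print(args[2].name, args[3], authorize(IVANOV, *args))
```

The returned reason is what would be written to the security event log, so a denial can be traced to the mechanism that produced it.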

The areas of responsibility and tasks of specific technical means of protection are established based on their capabilities and performance characteristics described in the documentation for these means.

Technical means of access control should be an integral part of a unified access control system:

  • to the controlled territory;
  • to separate rooms;
  • to AS elements and information security system elements (physical access);
  • to AS resources (software-mathematical access);
  • to information repositories (storage media, volumes, files, data sets, archives, references, records, etc.);
  • to active resources (application programs, tasks, request forms, etc.);
  • to the operating system, system programs and security programs, etc.

8.2.3. Means for ensuring and monitoring the integrity of software and information resources

Integrity control of programs, processed information and protection means, intended to ensure the invariance of the software environment determined by the provided processing technology and to protect against unauthorized correction of information, should be provided by:

  • means of calculating checksums;
  • means of electronic signature;
  • means of comparing critical resources with their reference copies (and recovery in case of integrity violation);
  • means of access control (denying access with modify or delete rights).
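A sketch of how checksums, an authenticated reference list and recovery from reference copies fit together. This is an added example, not part of the original document: file names and the key are constructed, and HMAC-SHA256 stands in for the electronic signature on the reference list because the Python standard library has no signature algorithm.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(sums, key):
    body = json.dumps(sums, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Checksum every file under root and authenticate the resulting list."""
    root = Path(root)
    sums = {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}
    return {"sums": sums, "mac": _mac(sums, key)}


def check_integrity(root, manifest, key):
    """Return {relative path: 'modified' | 'missing' | 'unexpected'}."""
    # The reference list itself must be verified before it is trusted.
    if not hmac.compare_digest(_mac(manifest["sums"], key), manifest["mac"]):
        raise ValueError("reference manifest failed authentication")
    root = Path(root)
    violations = {}
    for rel, digest in manifest["sums"].items():
        target = root / rel
        if not target.is_file():
            violations[rel] = "missing"
        elif sha256_file(target) != digest:
            violations[rel] = "modified"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["sums"]:
            violations[rel] = "unexpected"
    return violations


def restore(root, reference, manifest, violations):
    """Recover modified or missing files from verified reference copies."""
    restored = []
    for rel, kind in violations.items():
        if kind == "unexpected":
            continue  # left in place for the administrator to review
        source = Path(reference) / rel
        if not source.is_file() or sha256_file(source) != manifest["sums"][rel]:
            raise ValueError(f"reference copy of {rel} is not trustworthy")
        dest = Path(root) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source, dest)
        restored.append(rel)
    return sorted(restored)


def demo():
    key = b"constructed-demo-key"  # in practice held by the protection system
    with tempfile.TemporaryDirectory() as tmp:
        reference, live = Path(tmp, "reference"), Path(tmp, "live")
        (reference / "bin").mkdir(parents=True)
        (reference / "bin" / "guard.mod").write_bytes(b"protection module v1")
        (reference / "access.tbl").write_bytes(b"ivanov:read\n")
        manifest = build_manifest(reference, key)
        shutil.copytree(reference, live)
        # Simulate integrity violations in the working copy.
        (live / "bin" / "guard.mod").write_bytes(b"altered contents")
        (live / "access.tbl").unlink()
        (live / "extra.tmp").write_bytes(b"not in the reference list")
        found = check_integrity(live, manifest, key)
        restored = restore(live, reference, manifest, found)
        return found, restored, check_integrity(live, manifest, key)


if __name__ == "__main__":
    print(demo())
```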

In order to protect information and programs from unauthorized destruction or distortion, it is necessary to ensure:

  • duplication of system tables and data;
  • duplexing and mirroring of data on disks;
  • transaction tracking;
  • periodic integrity checks of the operating system and user programs, as well as user files;
  • anti-virus protection and control;
  • backing up data according to a predetermined scheme.

8.2.4. Security event controls

Controls should ensure that all events (user actions, UA attempts, etc.) that may lead to a violation of the security policy and to crisis situations are detected and recorded. Controls should provide for:

  • constant monitoring of key network nodes and network-forming communication equipment, as well as network activity in key network segments;
  • control over the use of corporate and public network services by users;
  • maintenance and analysis of security event logs;
  • timely detection of external and internal threats to information security.

When logging security events, the following information should be recorded in the system log:

  • date and time of the event;
  • subject identifier (user, program) performing the registered action;
  • action (if an access request is registered, then the object and type of access are noted).

Controls should provide detection and recording of the following events:

  • user login;
  • user login to the network;
  • unsuccessful attempt to log in to the system or the network (wrong password entry);
  • connection to a file server;
  • launching the program;
  • completion of the program;
  • an attempt to launch a program that is not available for launch;
  • an attempt to gain access to an inaccessible directory;
  • an attempt to read / write information from a disk that is inaccessible to the user;
  • an attempt to launch the program from a disk that is inaccessible to the user;
  • violation of the integrity of programs and data of the protection system, etc.

The following main ways of responding to discovered facts of UA should be supported (possibly with the participation of a security administrator):

  • notification of the owner of information about UA to his data;
  • removal of the program (task) from further execution;
  • notifying the database administrator and security administrator;
  • shutdown of the terminal (workstation) from which UA attempts to access information or illegal actions on the network were carried out;
  • exclusion of the violator from the list of registered users;
  • giving an alarm, etc.
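The logging fields, registered events and responses listed in this subsection can be tied together as follows. This is an added example, not part of the original document: the record format, the sample records, the threshold of three failed logins in five minutes and the response names are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time|terminal|subject|event|object|access|result
SAMPLE_LOG = """\
2024-03-01T09:00:05|ws-017|ivanov|login|-|-|ok
2024-03-01T09:02:10|ws-021|petrov|login|-|-|fail
2024-03-01T09:02:25|ws-021|petrov|login|-|-|fail
2024-03-01T09:02:41|ws-021|sidorov|login|-|-|fail
2024-03-01T09:05:00|ws-017|ivanov|file_access|/secure/keys|read|denied
2024-03-01T09:07:30|ws-017|ivanov|program_start|debugger.exe|execute|denied
2024-03-01T09:30:00|ws-021|petrov|login|-|-|fail
2024-03-01T10:15:00|srv-01|guard|integrity_check|guard.mod|-|violation
"""

FIELDS = ("time", "terminal", "subject", "event", "object", "access", "result")
MAX_FAILS = 3                    # assumed threshold
WINDOW = timedelta(minutes=5)    # assumed sliding window


def parse(line):
    """Split one record into the fields the log is required to carry."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec


def respond(log_text):
    """Return the ordered list of (time, response, target) decisions."""
    fails = defaultdict(deque)   # terminal -> times of recent failed logins
    blocked, out = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        stamp = r["time"].isoformat()
        if r["event"] == "login" and r["result"] == "fail":
            # Counted per terminal, so attempts spread over several
            # user names from one workstation are still noticed.
            q = fails[r["terminal"]]
            q.append(r["time"])
            while q and r["time"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= MAX_FAILS and r["terminal"] not in blocked:
                blocked.add(r["terminal"])
                out.append((stamp, "block_terminal", r["terminal"]))
                out.append((stamp, "notify_security_admin", r["terminal"]))
        elif r["event"] == "login" and r["result"] == "ok":
            fails[r["terminal"]].clear()
        elif r["result"] == "denied":
            target = f'{r["subject"]}:{r["object"]}'
            out.append((stamp, "notify_security_admin", target))
        elif r["result"] == "violation":
            out.append((stamp, "alarm", r["object"]))
    return out


if __name__ == "__main__":
    for decision in respond(SAMPLE_LOG):
        print(decision)
```

The single failed login at 09:30 produces no response because the earlier failures have aged out of the window.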

8.2.5. Cryptographic means of information protection

One of the most important elements of the AS information security system should be the use of cryptographic methods and means of protecting information from unauthorized access when it is transmitted over communication channels and stored on computer media.

All means of cryptographic information protection in the AS should be based on the basic cryptographic core. For the right to use cryptographic means, an organization must have the licenses established by law.

The key system of cryptographic protection means used in the AS should provide cryptographic survivability and multi-level protection against compromise of key information, separation of users by levels of protection and zones of their interaction between themselves and users of other levels.

Confidentiality and imitation protection of information during its transmission over communication channels should be ensured through the use of subscriber and channel encryption in the system. The combination of subscriber and channel encryption of information should ensure its end-to-end protection along the entire path of passage, protect information in case of its erroneous redirection due to failures and malfunctions of the hardware and software of switching centers.

The AS, which is a system with distributed information resources, should also use the means of generating and verifying an electronic signature, which ensure the integrity and legal evidence of the authenticity of messages, as well as authentication of users, subscriber stations and confirmation of the time of sending messages. In this case, standardized electronic signature algorithms should be used.

8.3. Information Security Management

Management of the information security system in the AS is a targeted impact on the components of the security system (organizational, technical, software and cryptographic) in order to achieve the required indicators and standards of security of information circulating in the AS in the context of the implementation of the main security threats.

The main goal of organizing the management of the information security system is to increase the reliability of information protection in the process of its processing, storage and transmission.

Management of the information security system is implemented by a specialized control subsystem, which is a set of controls, technical, software and cryptographic tools, as well as organizational measures and interacting control points of various levels.

The functions of the control subsystem are: informational, control and auxiliary.

The information function consists in continuous monitoring of the state of the protection system, checking the compliance of security indicators with acceptable values and immediately informing security operators about situations arising in the AS that can lead to a breach of information security. There are two requirements for monitoring the state of the protection system: completeness and reliability. Completeness characterizes the degree of coverage of all means of protection and parameters of their functioning. The reliability of control characterizes the degree of adequacy of the values of the controlled parameters to their true value. As a result of processing control data, information on the state of the protection system is generated, which is generalized and transmitted to higher control points.

The control function is to form plans for the implementation of technological operations of the AS, taking into account the requirements for information security in the conditions prevailing at the given moment in time, as well as to locate the point of information vulnerability and prevent information leakage by promptly blocking the AS sections where information security threats arise. Management functions include accounting, storage, and issuance of documents and information media, passwords and keys. At the same time, the generation of passwords and keys, maintenance of access control tools, acceptance of new software included in the AS software environment, control of compliance of the software environment with the standard, as well as control over the progress of the technological process of processing confidential information are assigned to employees of the Department of Information Technology and the Department of Economic Security.

The auxiliary functions of the control subsystem include accounting for all operations performed in the AS with protected information, the formation of reporting documents and the collection of statistical data in order to analyze and identify potential information leakage channels.

8.4. Monitoring the effectiveness of the protection system

Monitoring the effectiveness of the information security system is carried out in order to detect and prevent, in a timely manner, information leakage due to unauthorized access to it, as well as to prevent possible special impacts aimed at destroying information or informatization tools.

Evaluation of the effectiveness of information protection measures is carried out using organizational, technical and software controls for compliance with the established requirements.

Control can be carried out both with the help of standard means of the information security system, and with the help of special means of control and technological monitoring.

8.5. Features of ensuring information security of personal data

The classification of personal data is carried out in accordance with the severity of the consequences of the loss of the security properties of personal data for the subject of personal data.

  • personal data classified in accordance with the Federal Law "About personal data" as special categories of personal data;
  • personal data classified in accordance with the Federal Law "About personal data" as biometric personal data;
  • personal data that cannot be attributed to special categories of personal data, to biometric personal data, to publicly available or depersonalized personal data;
  • personal data classified in accordance with the Federal Law "About personal data" as publicly available or de-identified personal data.

The transfer of personal data to a third party must be carried out on the basis of the Federal Law or the consent of the subject of personal data. In the event that an organization entrusts the processing of personal data to a third party on the basis of an agreement, an essential condition of such an agreement is the obligation of the third party to ensure the confidentiality of personal data and the security of personal data during their processing.

The organization must stop processing personal data and destroy the collected personal data, unless otherwise provided by the legislation of the Russian Federation, within the time limits established by the legislation of the Russian Federation in the following cases:

  • upon reaching the purposes of processing or when it is no longer necessary to achieve them;
  • at the request of the subject of personal data or the Authorized body for the protection of the rights of subjects of personal data - if the personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing;
  • when the subject of personal data withdraws consent to the processing of their personal data, if such consent is required in accordance with the legislation of the Russian Federation;
  • if it is impossible for the operator to eliminate the violations committed in the processing of personal data.

The organization should define and document:

  • the procedure for the destruction of personal data (including material carriers of personal data);
  • the procedure for processing requests from personal data subjects (or their legal representatives) regarding the processing of their personal data;
  • the procedure for actions in case of requests from the Authorized Body for the Protection of the Rights of Personal Data Subjects or other supervisory authorities exercising control and supervision in the field of personal data;
  • the approach to attributing AS to information systems of personal data (hereinafter ISPD);
  • the list of ISPDs. The list of ISPDs should include the AS whose purpose is the processing of personal data.

For each ISPD, the following must be determined and documented:

  • purpose of personal data processing;
  • the volume and content of the processed personal data;
  • list of actions with personal data and methods of their processing.

The volume and content of personal data, as well as the list of actions and methods of processing personal data must comply with the purposes of processing. In the event that in order to carry out the information technology process, the implementation of which is supported by ISPD, there is no need to process certain personal data, these personal data must be deleted.

The requirements for ensuring the security of personal data in ISPD are generally implemented by a set of organizational, technological, technical and software measures, tools and mechanisms for protecting information.

The organization and (or) implementation of the requirements for ensuring the security of personal data should be carried out by a structural unit or an official (employee) of the organization responsible for ensuring the security of personal data, or on a contractual basis by a counterparty organization that has a license for the technical protection of confidential information.

The creation of an organization's ISPD should include the development and approval (statement) of the organizational, administrative, design and operational documentation for the system being created, as provided for by the terms of reference. The documentation should reflect the issues of ensuring the security of the processed personal data.

The development of concepts, technical specifications, design, creation and testing, acceptance and commissioning of ISPD should be carried out by agreement and under the control of a structural unit or an official (employee) responsible for ensuring the security of personal data.

All information assets belonging to the ISPD of the organization must be protected from the impact malicious code. The organization must define and document the requirements for ensuring the security of personal data by means of anti-virus protection and the procedure for monitoring the implementation of these requirements.

The organization must define an access control system that allows access control to communication ports, input/output devices, removable media, and external drives ISPD information.

The heads of operating and servicing ISPD divisions of the organization ensure the security of personal data during their processing in ISPD.

Employees who process personal data in ISPD must act in accordance with the instructions (guidelines, regulations, etc.) that are part of the operational documentation for ISPD, and comply with the requirements of documents for ensuring IS.

Responsibilities for the administration of protection tools and protection mechanisms that implement the requirements for ensuring the organization's ISPD information security are assigned by orders to specialists of the Information Technology Department.

The procedure for the actions of specialists of the Information Technology Department and personnel involved in the processing of personal data must be determined by instructions (guidelines), which are prepared by the ISPD developer as part of the operational documentation for ISPD.

The specified instructions (guidelines):

  • establish requirements for the qualification of personnel in the field of information security, as well as an up-to-date list of protected objects and rules for updating it;
  • contain complete and current (up-to-date) user authorization data;
  • contain data on information processing technology to the extent necessary for an information security specialist;
  • set the order and frequency of analysis of event logs (journal archives);
  • regulate other activities.

The configuration parameters of the means of protection and mechanisms for protecting information from unauthorized access, used in the area of responsibility of specialists of the Department of Information Technologies, are determined in the operational documentation for ISPD. The order and frequency of checks of the set configuration parameters are established in the operational documentation or regulated by an internal document, while checks should be carried out at least once a year.

The organization must define and document the procedure for access to the premises where the ISPD technical means are located and personal data carriers are stored, which provides for control of access to the premises by unauthorized persons and the presence of obstacles to unauthorized entry into the premises. The specified procedure must be developed by a structural unit or an official (worker) responsible for ensuring the physical security regime and approved by the structural unit or official (worker) responsible for ensuring the security of personal data, and the Department of Economic Security.

ISPD users and maintenance personnel should not carry out unauthorized and (or) unregistered (uncontrolled) copying of personal data. To this end, organizational and technical measures should prohibit unauthorized and (or) unregistered (uncontrolled) copying of personal data, including using alienable (interchangeable) storage media, mobile devices for copying and transferring information, communication ports and input/output devices that implement various interfaces (including wireless), storage devices of mobile devices (e.g. laptops, PDAs, smartphones, mobile phones), as well as photo and video devices.

The control of personal security is carried out by an information security specialist, both with the help of standard means of the information security system, and with the help of special means of control and technological monitoring.


If there is a threat, there must be methods of protection and countermeasures. Methods are the means of achieving the set goals and the order in which forces are used to protect confidential information.

The principle of human action on the subconscious is designed to achieve positive results. The experience of professionals in the field of information security has quite clearly defined the set of means, forces and techniques aimed at guaranteeing information security or information reliability.

Ensuring information reliability or information security is achieved through the following actions aimed at:

  • identification of threats, expressed in proper analysis and control of the admissible occurrence of potential or real threats, as well as timely measures to prevent them;
  • threat prevention, achieved by ensuring information security or information reliability with a view to anticipating threats and their occurrence, and detecting threats through risk analysis;
  • inclusion of measures to eliminate the threat or criminal acts and to localize criminal acts;
  • detection of threats, achieved by identifying specific criminal acts and real threats;
  • elimination of the consequences of threats and specific criminal actions, restoring the status quo (Fig. 1).

Information protection methods:

  • Obstacle - a means of physically blocking the actions of an attacker regarding critical information
  • Access control - a means of protecting information by regulating the use of all IP resources in IT. Such methods should protect against information
  • Encryption algorithms - methods implemented both during storage and during information processing. When transmitting information, this is the main and only method of protection
  • Regulation - the creation of conditions for the storage and processing of information in an information system, under which protection norms and standards are implemented to the greatest extent
  • Coercion - a means of protection that forces users to comply with the rules for working in an information system
  • Motivation - a means of protection that encourages users of an information system not to violate the rules, at the expense of ethical and moral standards
  • Hardware - devices that are embedded in computing mechanisms or connected using interfaces
  • Physical means - various engineering structures that protect personnel, information, devices, things from intruders
  • Software - software that is embedded in the information system to implement protection
  • Organizational means - are achieved on the basis of regulatory documents that regulate the work of employees in such a way as to realize the maximum protection of the information system

Prevention of actual and possible illegal actions can be provided by various means and measures, ranging from maintaining respectful relations between employees by organizational methods to protection by hardware, physical and software means and methods. Threats can also be prevented at the stage of obtaining information about preparatory actions, prepared acts, planned thefts and other elements of criminal actions. For such purposes, it is necessary to work with informants in different fields of activity with different tasks. Some observe and give an objective assessment of the current situation. Others evaluate the relationships of employees within the team in various parts of the enterprise. Still others work among criminal groups and competitors.

Figure 1

To prevent threats, the activity of the information and analytical security service plays a very important role, based on the analysis of the specific situation and the activities of intruders and competitors. If you have access to the Internet, the security service.

Protection against disclosure of data is reduced to the creation of a catalog of information that represents a trade secret in the enterprise. This catalog of information must be communicated to every employee in the enterprise, with a written commitment from that employee to keep this secret. One of the important actions is the system of control over the preservation of the integrity and confidentiality of trade secrets.

The protection of confidential information from leakage works on the basis of accounting, identification and control of probable leakage paths in specific situations, as well as the implementation of technical, organizational, organizational and technical measures for their destruction.

Protection of confidential information from unauthorized access operates on the basis of the implementation of technical, organizational, organizational and technical procedures to counteract unauthorized access. As well as control of methods of unauthorized access and analysis.

In practice, all activities use technical ones to some extent, and they are divided into three groups (Fig. 2):

  • organizational (in the field of technical means);
  • technical;
  • organizational and technical.

Figure 2

Defensive action reference

Protective work, as well as techniques and procedures for maintaining information security, are classified according to the characteristics and objects of protection, which are divided into the following parameters:

By orientation - protective methods can be classified as actions aimed at protecting personnel, financial and tangible assets, and information as an asset.

By methods - this is detection, prevention, suppression and restoration.

By directions - this is protection based on legal methods, organizational and engineering actions.

In terms of coverage, protective equipment can be aimed at protecting the perimeter of the enterprise, individual premises, buildings, specific groups of equipment, technical means and systems, and individual elements (houses, premises, equipment) that are dangerous from the point of view of unauthorized access (UA) to them.

The source of information can be people, waste, technical means, etc. Information carriers can be acoustic and electromagnetic fields, or substances (product, paper, material). The propagation medium is hard media or airspace.

The offender may have all the necessary means of receiving electromagnetic and acoustic energy, aerial surveillance and the ability to analyze information presentation materials.

Representation of information in material forms. To exclude misappropriation of confidential information, it is necessary to process the signal or the source of information by muted or other encryption means.

With an increase in the rate of use and distribution of information networks and PCs, the role of various factors causing disclosure, leakage and unauthorized access to information increases. These are:

  • errors;
  • malicious or unauthorized actions of employees and users;
  • hardware defaults or bugs in programs;
  • natural disasters, wreckage of various origins and dangers;
  • user and staff errors;
  • errors at .

In this regard, the main goals of protecting information in information networks and PCs are:

  • prevention of information leakage and losses, interference and interception at all degrees of influence, for all objects geographically separated;
  • ensuring the rights of users and legal norms in connection with access to information and other resources, involving an administrative review of information activities, including actions of personal responsibility for following the operating modes and rules of use;

Figure 3

Conclusions

1. Ensuring information reliability or security is achieved by organizational, technical and organizational-technical procedures, any of which is provided by unique methods, means and measures that have appropriate parameters.

2. The variety of actions and conditions that contribute to the illegal or unlawful acquisition of confidential data forces the use of an equally wide variety of methods, means and forces to ensure information security or reliability.

3. The main objectives of information protection are to guarantee the confidentiality, integrity and sufficiency of information resources. And also to introduce it into the system.

4. Methods for ensuring information security should be proactive in nature, aimed at preventing possible threats to trade secrets at an early stage.

Information security, like information protection, is a complex task aimed at ensuring security, implemented by the introduction of a security system. The problem of information security is multifaceted and complex and covers a number of important tasks. The problems of information security are constantly aggravated by the penetration of technical means for processing and transmitting data, above all computer systems, into all spheres of society.

To date, there are three basic principles that information security should provide:

data integrity - protection against failures leading to the loss of information, as well as protection against unauthorized creation or destruction of data;

confidentiality of information;

When developing computer systems, the failure or errors in which can lead to serious consequences, computer security issues become a priority. There are many known measures aimed at ensuring computer security, the main ones being technical, organizational and legal.

Ensuring the security of information is expensive, not only because of the cost of purchasing or installing security, but also because it is difficult to expertly determine the boundaries of reasonable security and ensure that the system is properly maintained in a healthy state.

Security tools should not be designed, purchased, or installed until an appropriate analysis has been made.

The site analyzes information security and its place in the national security system, identifies vital interests in the information sphere and threats to them. The issues of information warfare, information weapons, principles, main tasks and functions of ensuring information security, functions of the state system for ensuring information security, domestic and foreign standards in the field of information security are considered. Considerable attention is also paid to the legal issues of information security.

The general issues of information security in automated data processing systems (ASOD), the subject and objects of information protection, and the tasks of information protection in ASOD are also considered. The types of intentional security threats and methods of information protection in ASOD are considered, as are methods and means of authenticating users and delimiting their access to computer resources, access control to equipment, the use of simple and dynamically changing passwords, methods of modifying the simple password scheme, and functional methods.

Basic principles of building an information security system.

When building an information security system for an object, one should be guided by the following principles:

The continuity of the process of improving and developing the information security system, which consists in substantiating and implementing the most rational methods, techniques and ways of protecting information, continuous monitoring, and identifying bottlenecks, weaknesses and potential channels for information leakage and unauthorized access.

Comprehensive use of the entire arsenal of available means of protection at all stages of production and information processing. At the same time, all the means, methods and measures used are combined into a single, integral mechanism - an information security system.

Monitoring the functioning, updating and supplementing protection mechanisms depending on changes in possible internal and external threats.

Proper training of users and compliance with all established privacy practices. Without this requirement, no information security system can provide the required level of protection.

The most important conditions for ensuring security are legality, sufficiency, balance of interests of the individual and the enterprise, mutual responsibility of personnel and management, and interaction with state law enforcement agencies.

10) Stages of building information security

Stages of construction.

1. Comprehensive analysis of the enterprise information system at various levels. Risk analysis.

2. Development of organizational, administrative and regulatory documents.

3. Training, professional development and retraining of specialists.

4. Annual reassessment of the state of enterprise information security.

11) Firewall

Firewalls and antivirus packages.

A firewall helps improve the security of your computer. It restricts the information that comes to your computer from other computers, giving you more control over the data on your computer and providing your computer with a line of defense against people or programs (including viruses and worms) that try to connect to your computer without authorization. You can think of a firewall as a border post that checks information (often referred to as traffic) coming from the Internet or local network. During this check, the firewall rejects or allows information to the computer according to the settings you have configured.

What does the firewall protect against?

A firewall MAY:

1. Block computer viruses and worms from accessing your computer.

2. Prompt the user to choose to block or allow certain connection requests.

3. Keep records (security log) - at the request of the user - recording allowed and blocked attempts to connect to the computer.

What does the firewall not protect against?

A firewall CANNOT:

1. Detect or neutralize computer viruses and worms if they have already entered the computer.

3. Block spam or unsolicited mail so that it doesn't go to your inbox.
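The checking and logging behaviour described in this section, as an added Python example (not part of the original text and not any product's actual logic): inbound traffic is matched against configured rules, replies to connections the computer opened itself are allowed, everything else falls to a default block, and each decision is written to a security log. The class names, rule set, addresses and ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    network: str         # source network in CIDR notation
    port: Optional[int]  # destination port on this computer, None = any port


class Firewall:
    """Inbound filter: first matching rule wins, unmatched traffic gets the default."""

    def __init__(self, rules, default="block"):
        for rule in rules:
            if rule.action not in ("allow", "block"):
                raise ValueError(f"unknown action: {rule.action}")
        # Parse the networks once so every check is a cheap membership test.
        self.rules = [(rule, ipaddress.ip_network(rule.network)) for rule in rules]
        self.default = default
        self.outbound = set()    # connections this computer started itself
        self.security_log = []   # every decision, allowed or blocked

    def connect_out(self, remote_ip, remote_port, local_port):
        """Remember an outgoing connection so that its replies are let back in."""
        self.outbound.add((remote_ip, remote_port, local_port))

    def check_inbound(self, src_ip, src_port, dst_port):
        """Decide on one inbound packet and record the decision."""
        if (src_ip, src_port, dst_port) in self.outbound:
            decision, reason = "allow", "reply to outbound connection"
        else:
            decision, reason = self.default, "default policy"
            addr = ipaddress.ip_address(src_ip)
            for rule, net in self.rules:
                if addr in net and rule.port in (None, dst_port):
                    decision = rule.action
                    reason = f"rule: {rule.action} {rule.network} port {rule.port}"
                    break
        self.security_log.append((src_ip, src_port, dst_port, decision, reason))
        return decision


# Constructed settings: file sharing (port 445) is allowed from the local
# network only; the same port is explicitly blocked for everyone else.
RULES = [
    Rule("allow", "192.168.1.0/24", 445),
    Rule("block", "0.0.0.0/0", 445),
]


def demo():
    """Run four constructed inbound packets through the filter."""
    fw = Firewall(RULES)
    fw.connect_out("198.51.100.10", 443, 51000)  # the user opened a web page
    decisions = [
        fw.check_inbound("192.168.1.20", 50000, 445),   # LAN host, allowed by rule
        fw.check_inbound("203.0.113.7", 50000, 445),    # Internet host, blocked by rule
        fw.check_inbound("203.0.113.7", 50001, 3389),   # no rule matches, default block
        fw.check_inbound("198.51.100.10", 443, 51000),  # reply to the web request
    ]
    return decisions, fw.security_log


if __name__ == "__main__":
    _, log = demo()
    for entry in log:
        print(entry)
```

The last packet is allowed whatever it carries, which is why the firewall cannot detect a virus that arrives inside traffic the user requested.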

HARDWARE AND SOFTWARE FIREWALLS

Hardware firewalls - individual devices that are very fast and reliable, but very expensive, so they are usually used only to protect large computer networks. For home users, firewalls built into routers, switches, wireless access points, etc. are optimal. Combined router-firewalls provide double protection against attacks.

Software firewall is a security program. In principle, it is similar to a hardware firewall, but more “friendly” to the user: it has more ready-made settings and often has wizards that help with configuration. With it, you can allow or deny other programs access to the Internet.

Antivirus program (antivirus) - any program for detecting computer viruses, as well as unwanted (considered malicious) programs in general, and restoring files infected (modified) by such programs, as well as for prevention - preventing infection (modification) of files or the operating system with malicious code.

12) Classification of computing systems

Depending on the territorial location of subscriber systems, computer networks can be divided into three main classes:

global networks (WAN - Wide Area Network);

regional networks (MAN - Metropolitan Area Network);

local networks (LAN - Local Area Network).

Basic LAN topologies

The topology of a LAN is a geometric diagram of the connections of network nodes.

Topologies of computer networks can be very different, but only three are typical for local area networks:

ring,

bus,

star.

Any computer network can be viewed as a collection

Node - any device directly connected to the transmission medium of the network.

Ring topology provides for the connection of network nodes in a closed loop formed by the cable of the transmission medium. The output of one network node is connected to the input of another. Information is passed around the ring from node to node. Each intermediate node between transmitter and receiver relays the sent message. The receiving node recognizes and receives only messages addressed to it.

The ring topology is ideal for networks that occupy a relatively small space. It does not have a central node, which increases the reliability of the network. Information relaying allows using any types of cables as a transmission medium.

The sequential discipline of servicing the nodes of such a network reduces its performance, and the failure of one of the nodes violates the integrity of the ring and requires the adoption of special measures to preserve the information transmission path.

Bus topology - one of the simplest. It is associated with the use of a coaxial cable as a transmission medium. Data from the transmitting network node is distributed over the bus in both directions. Intermediate nodes do not relay incoming messages. Information arrives at all nodes, but only the one to which it is addressed receives the message. The service discipline is parallel.

This provides a high performance LAN with a bus topology. The network is easy to expand, configure and adapt to different systems. The bus topology network is resistant to possible malfunctions of individual nodes.

Bus topology networks are the most common at present. It should be noted that they are short and do not allow the use of different types of cable within the same network.

Star topology is based on the concept of a central node to which peripheral nodes are connected. Each peripheral node has its own separate communication line with the central node. All information is transmitted through the central node, which relays, switches and routes information flows in the network.

The star topology greatly simplifies the interaction of LAN nodes with each other, allows the use of simpler network adapters. At the same time, the performance of a LAN with a star topology is entirely dependent on the central node.

In real computer networks, more developed topologies can be used, which in some cases represent combinations of the considered ones.

The choice of a particular topology is determined by the scope of the LAN, the geographical location of its nodes and the dimension of the network as a whole.

Internet - a worldwide information computer network, which is an association of many regional computer networks and computers that exchange information with each other via public telecommunications channels (leased analog and digital telephone lines, optical communication channels and radio channels, including satellite communication lines).

Provider - network service provider - a person or organization that provides services for connecting to computer networks.

Host (from the English host - "the host who receives guests") - any device that provides services in the "client-server" format in server mode on any interfaces and is uniquely identified on these interfaces. In a more particular case, a host can be understood as any computer or server connected to a local or global network.

Network protocol - a set of rules and actions (sequence of actions) that allows you to connect and exchange data between two or more devices included in the network.

IP address (short for Internet Protocol Address) - the unique network address of a node in a computer network built using the IP protocol. The Internet requires global address uniqueness; in the case of working in a local network, the uniqueness of the address within the network is required. In the IPv4 version of the protocol, an IP address is 4 bytes long.

Domain name - a symbolic name that helps to find the addresses of Internet servers.

13) Peer-to-Peer Tasks

Software and hardware means of protection against unauthorized access include measures of identification, authentication and access control to the information system.

Identification is the assignment of unique identifiers to access subjects.

This includes radio frequency tags, biometric technologies, magnetic cards, universal magnetic keys, logins for entering the system, etc.

Authentication - verification of the ownership of the access subject to the presented identifier and confirmation of its authenticity.

Authentication procedures include passwords, PIN codes, smart cards, USB keys, digital signatures, session keys, etc. The procedural parts of identification and authentication are interconnected and, in fact, form the foundation of all software and hardware tools for ensuring information security, since all other services are designed to serve specific subjects correctly recognized by the information system. In general terms, identification allows the subject to identify himself to the information system, and with the help of authentication, the information system confirms that the subject is really who he claims to be. Based on the outcome of this operation, access to the information system is provided. Access control procedures allow authorized entities to perform actions permitted by the regulations, and allow the information system to check these actions and the result obtained for correctness. Access control allows the system to hide from users data to which they do not have access.

The next means of software and hardware protection is logging and auditing of information.

Logging includes the collection, accumulation and storage of information about events, actions, results that took place during the operation of the information system, individual users, processes and all software and hardware that are part of the enterprise information system.

Since each component of the information system has a predetermined set of possible events in accordance with the programmed classifiers, the events, actions and results are divided into:

  • external, caused by the actions of other components,
  • internal, caused by the actions of the component itself,
  • client, caused by the actions of users and administrators.

Information audit consists in carrying out operational analysis in real time or in a given period.

Based on the results of the analysis, either a report is generated on the events that have taken place, or an automatic response to an emergency situation is initiated.

The implementation of logging and auditing solves the following tasks:

  • ensuring accountability of users and administrators;
  • enabling the reconstruction of the sequence of events;
  • detection of attempts to violate information security;
  • providing information to identify and analyze problems.
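The logging and audit tasks listed above can be illustrated with an added Python example (not part of the original text): it parses event records of the three classes, reconstructs one subject's sequence of events, and audits a given period for denied actions and bursts of failed logins. The record format, subject names and the threshold of three failed logins within five minutes are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time, event class, subject, action, result.
SAMPLE_LOG = """\
2024-03-01T09:00:02 client alice login ok
2024-03-01T09:01:10 client bob login fail
2024-03-01T09:01:25 client bob login fail
2024-03-01T09:01:41 client bob login fail
2024-03-01T09:02:03 client bob login ok
2024-03-01T09:03:30 internal backupd read_pd ok
2024-03-01T09:04:12 external gateway sync ok
2024-03-01T09:05:00 client bob export_pd denied
2024-03-01T09:20:00 client alice logout ok
"""

# Event classes named in the text above.
EVENT_CLASSES = {"external", "internal", "client"}


def parse_log(text):
    """Logging side: turn raw lines into records, rejecting malformed ones."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        stamp, cls, subject, action, result = parts
        if cls not in EVENT_CLASSES:
            raise ValueError(f"line {lineno}: unknown event class {cls!r}")
        records.append({"time": datetime.fromisoformat(stamp), "class": cls,
                        "subject": subject, "action": action, "result": result})
    records.sort(key=lambda r: r["time"])
    return records


def timeline(records, subject):
    """Accountability: reconstruct the sequence of events for one subject."""
    return [(r["time"].isoformat(), r["action"], r["result"])
            for r in records if r["subject"] == subject]


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Detection: subjects with `threshold` failed logins inside `window`.

    Returns {subject: time at which the threshold was first reached}.
    """
    recent = defaultdict(list)
    flagged = {}
    for r in records:
        if r["action"] != "login" or r["result"] != "fail":
            continue
        times = recent[r["subject"]]
        times.append(r["time"])
        while r["time"] - times[0] > window:   # forget failures outside the window
            times.pop(0)
        if len(times) >= threshold and r["subject"] not in flagged:
            flagged[r["subject"]] = r["time"]
    return flagged


def audit(records, start, end):
    """Audit over a given period: counts per class, denials, login bursts."""
    period = [r for r in records if start <= r["time"] < end]
    by_class = defaultdict(int)
    for r in period:
        by_class[r["class"]] += 1
    bursts = failed_login_bursts(period)
    return {
        "events_by_class": dict(by_class),
        "denied": [(r["subject"], r["action"]) for r in period
                   if r["result"] == "denied"],
        "failed_login_bursts": {s: t.isoformat() for s, t in bursts.items()},
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    report = audit(recs, datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 9, 10))
    print(report)
    for event in timeline(recs, "bob"):
        print(event)
```

The report corresponds to the "report on the events that have taken place"; an automatic response would hook into the same detection function.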

Often, information protection is impossible without the use of cryptographic means. They are used to provide encryption, integrity and authentication services when the means of authentication are stored in encrypted form by the user. There are two main encryption methods: symmetric and asymmetric.

Integrity control allows you to establish the authenticity and identity of an object, which is a data array, individual portions of data, a data source, and also to ensure the impossibility of marking the action performed in the system with an array of information. The implementation of integrity control is based on data conversion technologies using encryption and digital certificates.

Another important aspect is the use of shielding, a technology that allows, by delimiting the access of subjects to information resources, to control all information flows between the enterprise information system and external objects, data arrays, subjects and counter-subjects. Flow control consists in filtering them and, if necessary, transforming the transmitted information.

The task of shielding is to protect internal information from potentially hostile external factors and actors. The main form of shielding implementation is firewalls of various types and architectures.

Since one of the signs of information security is the availability of information resources, ensuring a high level of availability is an important direction in the implementation of software and hardware measures. In particular, two areas are distinguished: ensuring fault tolerance, i.e. failover of the system, the ability to work when errors occur, and ensuring safe and quick recovery after failures, i.e. serviceability of the system.

The main requirement for information systems is that they always work with a given efficiency, minimum downtime and response speed.

In accordance with this, the availability of information resources is ensured by:

  • the use of a structural architecture, which means that individual modules can be disabled or quickly replaced if necessary without affecting other elements of the information system;
  • ensuring fault tolerance through the use of autonomous elements of the supporting infrastructure, the introduction of excess capacity in the configuration of software and hardware, redundancy of hardware, replication of information resources within the system, data backup, etc.;
  • ensuring maintainability by reducing the time for diagnosing and eliminating failures and their consequences.

Another type of information security means is secure communication channels.

The functioning of information systems is inevitably associated with the transfer of data, therefore it is also necessary for enterprises to ensure the protection of transmitted information resources using secure communication channels. The possibility of unauthorized access to data during the transmission of traffic through open communication channels is due to their general availability. Since "communications throughout their entire length cannot be physically protected, therefore it is better to initially proceed from the assumption of their vulnerability and provide protection accordingly", tunneling technologies are used for this, the essence of which is to encapsulate data, i.e. pack or wrap the transmitted data packets, including all service attributes, in their own envelopes. Accordingly, the tunnel is a secure connection through open communication channels, through which cryptographically protected data packets are transmitted. Tunneling is used to ensure traffic confidentiality by hiding service information and ensuring the confidentiality and integrity of transmitted data when used together with cryptographic elements of an information system. The combination of tunneling and encryption makes it possible to implement a virtual private network. At the same time, the endpoints of tunnels that implement virtual private networks are firewalls that serve the connection of organizations to external networks.

Firewalls as points of implementation of virtual private networks service

Thus, tunneling and encryption are additional transformations performed in the process of filtering network traffic along with address translation. The ends of the tunnels, in addition to corporate firewalls, can be personal and mobile computers of employees, more precisely, their personal firewalls. Thanks to this approach, the functioning of secure communication channels is ensured.

Information security procedures

Information security procedures are usually divided into administrative and organizational levels.

  • Administrative procedures include general actions taken by the organization's management to regulate all work, actions, operations in the field of ensuring and maintaining information security, implemented by allocating the necessary resources and monitoring the effectiveness of the measures taken.
  • The organizational level represents the procedures for ensuring information security, including personnel management, physical protection, maintaining the operability of the software and hardware infrastructure, promptly eliminating security breaches and planning recovery work.

On the other hand, the distinction between administrative and organizational procedures is meaningless, since the procedures of one level cannot exist separately from the other level without violating the relationship between the physical, personal and organizational levels of protection in the concept of information security. In practice, when ensuring information security, organizations do not neglect administrative or organizational procedures, therefore it is more logical to consider them as an integrated approach, since both levels affect the physical, organizational and personal levels of information protection.

The basis of complex procedures for ensuring information security is the security policy.

Information security policy

An information security policy in an organization is a set of documented decisions made by the management of the organization and aimed at protecting information and its associated resources.

In organizational and managerial terms, the information security policy can be a single document or drawn up in the form of several independent documents or orders, but in any case it should cover the following aspects of protecting the organization's information system:

  • protection of information system objects, information resources and direct operations with them;
  • protection of all operations related to the processing of information in the system, including processing software;
  • protection of communication channels, including wired, radio channels, infrared, hardware, etc.;
  • protection of the hardware complex from spurious electromagnetic emissions;
  • management of the security system, including maintenance, upgrades and administrative actions.

Each of the aspects should be described in detail and documented in the internal documents of the organization. Internal documents cover three levels of the protection process: upper, middle and lower.

Top-level information security policy documents reflect the organization's basic approach to protecting its own information and its compliance with national and/or international standards. In practice, there is only one top-level document in an organization, entitled "Information Security Concept", "Information Security Regulation", etc. Formally, these documents are not confidential and their distribution is not restricted, but they can be issued in one edition for internal use and another for open publication.

The middle-level documents are strictly confidential and relate to specific aspects of the information security of the organization: the means of information protection used, the security of databases, communications, cryptographic tools and other information and economic processes of the organization. Documentation is implemented in the form of internal technical and organizational standards.

Documents of the lower level are divided into two types: work regulations and operating instructions. The work regulations are strictly confidential and are intended only for persons whose duties include administering individual information security services. Operating instructions can be either confidential or public; they are intended for the organization's personnel and describe the procedure for working with individual elements of the organization's information system.

World experience shows that the information security policy is always documented only in large companies with a developed information system that imposes increased requirements for information security. Medium-sized enterprises most often have only a partially documented information security policy, and the vast majority of small organizations do not concern themselves with documenting the security policy at all. Regardless of whether the documentation format is holistic or distributed, the basic aspect is the security mode.

There are two different approaches that can form the basis of an information security policy:

  1. "Everything that is not forbidden is allowed."
  2. "Everything that is not allowed is prohibited."

The fundamental defect of the first approach is that in practice it is impossible to foresee all dangerous cases and prohibit them. Without a doubt, only the second approach should be used.
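The difference between the two approaches can be shown on a firewall-style filter. The following is an added example, not part of the original article; the rule sets, addresses and ports are constructed for illustration, and the evaluator is a simplified first-match model rather than any particular product's behavior.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR notation
    dport: Optional[int]   # destination port; None matches any port

@dataclass(frozen=True)
class Flow:
    src: str
    dport: int

def decide(rules, flow, default):
    """First matching rule wins; `default` is applied when no rule matches."""
    for rule in rules:
        src_ok = ip_address(flow.src) in ip_network(rule.src)
        if src_ok and rule.dport in (None, flow.dport):
            return rule.action
    return default

# Approach 1: list what is forbidden, allow the rest (constructed rule set).
DENYLIST = [Rule("deny", "0.0.0.0/0", 23), Rule("deny", "0.0.0.0/0", 3389)]
# Approach 2: list what is allowed, forbid the rest (constructed rule set).
ALLOWLIST = [Rule("allow", "10.0.0.0/8", 443), Rule("allow", "10.0.5.0/24", 22)]

# Constructed sample traffic; documentation address ranges stand in for outsiders.
FLOWS = [
    Flow("10.0.1.7", 443),       # internal client to the web front end
    Flow("10.0.5.4", 22),        # admin subnet to SSH
    Flow("203.0.113.9", 23),     # a case the denylist author foresaw
    Flow("203.0.113.9", 5900),   # a case nobody listed
    Flow("198.51.100.20", 22),   # external source to SSH, also not listed
]

def unforeseen_gaps(flows):
    """Flows that pass under approach 1 but are stopped under approach 2."""
    return [f for f in flows
            if decide(DENYLIST, f, "allow") == "allow"
            and decide(ALLOWLIST, f, "deny") == "deny"]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, decide(DENYLIST, f, "allow"), decide(ALLOWLIST, f, "deny"))
    print("passes only under default-allow:", unforeseen_gaps(FLOWS))
```

Both rule sets handle the foreseen cases identically; they differ only on traffic that no rule mentions, which is where the default decides.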

Organizational level of information security

From the point of view of information security, organizational procedures for ensuring information security are presented as "regulation of production activities and relationships between performers on a legal basis that excludes or significantly hinders the misappropriation of confidential information and the manifestation of internal and external threats".

Personnel management measures aimed at organizing work with personnel in order to ensure information security include the separation of duties and the minimization of privileges. The division of duties prescribes such a distribution of competencies and areas of responsibility, in which one person is not able to disrupt a process that is critical to the organization. This reduces the chance of errors and abuse. Privilege minimization dictates that users be given only the level of access that is appropriate for their job function. This reduces the damage from accidental or intentional incorrect actions.
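Both principles can be checked mechanically against the permissions actually granted. The following is an added example, not part of the original article; the job functions, permission names, conflict pairs and accounts are all constructed for illustration.

```python
# Constructed baseline: the permissions each job function needs.
ROLE_BASELINE = {
    "accountant": {"invoice.create", "invoice.read"},
    "finance_manager": {"invoice.read", "payment.approve"},
    "db_admin": {"db.backup", "db.restore"},
}

# Constructed pairs of permissions that one person must never hold together.
SOD_CONFLICTS = [
    ("invoice.create", "payment.approve"),
    ("db.restore", "audit_log.delete"),
]

# Constructed accounts: user -> (job function, permissions actually granted).
ACCOUNTS = {
    "alice": ("accountant", {"invoice.create", "invoice.read"}),
    "bob": ("accountant", {"invoice.create", "invoice.read", "payment.approve"}),
    "carol": ("db_admin", {"db.backup", "db.restore", "audit_log.delete"}),
    "dave": ("finance_manager", {"invoice.read"}),
    "erin": ("contractor", {"invoice.read"}),   # job function with no baseline
}

def audit(accounts, baseline, conflicts):
    """Return, per user, permissions beyond the job function and SoD clashes."""
    findings = {}
    for user, (role, granted) in sorted(accounts.items()):
        # Privilege minimization: anything outside the baseline is excess.
        # An unknown job function has an empty baseline, so all of it is excess.
        excess = sorted(granted - baseline.get(role, set()))
        # Separation of duties: both halves of a conflicting pair are held.
        clashes = [pair for pair in conflicts if set(pair) <= granted]
        if excess or clashes:
            findings[user] = {"excess": excess, "sod": clashes}
    return findings

if __name__ == "__main__":
    for user, result in audit(ACCOUNTS, ROLE_BASELINE, SOD_CONFLICTS).items():
        print(user, result)
```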

Physical protection means the development and adoption of measures for the direct protection of buildings that house the information resources of the organization, adjacent territories, infrastructure elements, computing equipment, data carriers and hardware communication channels. These include physical access control, fire protection, supporting infrastructure protection, eavesdropping protection, and mobile system protection.

Maintaining the operability of the software and hardware infrastructure means preventing random errors that threaten to damage the hardware complex, disrupt programs and lose data. The main directions in this aspect are user and software support, configuration management, backup, media management, documentation and preventive maintenance.

Rapid resolution of security breaches has three main objectives:

  1. Incident localization and damage reduction;
  2. Identification of the offender;
  3. Prevention of repeated violations.

Finally, recovery planning allows you to prepare for accidents, reduce the damage from them and retain at least a minimal ability to function.

The use of software and hardware tools and secure communication channels should be implemented in the organization on the basis of an integrated approach to the development and approval of all administrative and organizational regulatory procedures for ensuring information security. Otherwise, the adoption of separate measures does not guarantee the protection of information, and often, on the contrary, provokes leaks of confidential information, loss of critical data, damage to the hardware infrastructure and disruption of the software components of the organization's information system.

Information security methods

Modern enterprises are characterized by a distributed information system that covers the company's distributed offices and warehouses, financial accounting and management control, information from the customer base, including selected indicators, and so on. The array of data is therefore very large, and the vast majority of it is information of priority commercial and economic importance for the company. In fact, ensuring the confidentiality of commercially valuable data is one of the main tasks of information security in the company.

Ensuring information security at the enterprise should be regulated by the following documents:

  1. Information security regulation. It includes the formulation of goals and objectives for ensuring information security, a list of internal regulations on information security tools and a regulation on the administration of a company's distributed information system. Access to the regulations is limited to the management of the organization and the head of the automation department.
  2. Regulations for the technical support of information protection. Documents are confidential, access is limited to employees of the automation department and higher management.
  3. Regulations for the administration of a distributed information protection system. Access to the regulations is limited to employees of the automation department responsible for administering the information system and senior management.

At the same time, documentation should not be limited to these documents; the lower levels should also be worked out. If the enterprise has no other documents related to information security, this indicates an insufficient degree of administrative information security, since there are no lower-level documents, in particular, instructions for operating individual elements of the information system.

Mandatory organizational procedures include:

  • the main measures to differentiate personnel by the level of access to information resources,
  • physical protection of the company's offices from direct penetration and threats of destruction, loss or interception of data,
  • maintenance of the hardware and software infrastructure, organized as automated backup and remote verification of storage media, with user and software support provided upon request.

This should also include regulated measures to respond to and eliminate cases of information security violations.

In practice, enterprises are often not sufficiently attentive to this issue. All activities in this direction are carried out on an ad hoc basis, which increases the time needed to eliminate violations and does not guarantee the prevention of repeated violations of information security. In addition, the practice of planning actions to eliminate the consequences of accidents, information leaks, data loss and critical situations is completely absent. All this significantly worsens the information security of the enterprise.

At the level of software and hardware, a three-level information security system should be implemented.

Minimum criteria for ensuring information security:

1. Access control module:

  • entry to the information system is closed: it is impossible to log in from anywhere other than verified workstations;
  • access with limited functionality from mobile personal computers is implemented for employees;
  • authorization is carried out using logins and passwords issued by administrators.

2. Encryption and integrity control module:

  • an asymmetric encryption method is used for transmitted data;
  • arrays of critical data are stored in databases in encrypted form, which does not allow access to them even if the company's information system is hacked;
  • integrity control is provided by a simple digital signature of all information resources stored, processed or transmitted within the information system.

3. Shielding module:

  • a system of filters is implemented in the firewalls, making it possible to control all information flows through communication channels;
  • external connections to global information resources and public communication channels can only be made through a limited set of verified workstations that have a limited connection to the corporate information system;
  • secure access from employees' workplaces for performing their official duties is implemented through a two-level system of proxy servers.

Finally, a virtual private network based on tunneling technologies must be implemented in the enterprise, following a typical construction model, to provide secure communication channels between the company's departments, partners and customers.

Although communications are carried out directly over networks with a potentially low level of trust, tunneling technologies, thanks to the use of cryptographic tools, ensure reliable protection of all transmitted data.

Conclusions

The main goal of all measures taken in the field of information security is to protect the interests of the enterprise, one way or another related to the information resources that it has. Although the interests of enterprises are not limited to a specific area, they all center around the availability, integrity and confidentiality of information.

The problem of ensuring information security is explained by two main reasons.

  1. The information resources accumulated by the enterprise are valuable.
  2. Critical dependence on information technologies causes their wide application.

Given the wide variety of existing threats to information security, such as the destruction of important information, unauthorized use of confidential data, interruptions in the operation of the enterprise due to violations of the information system, we can conclude that all this objectively leads to large material losses.

In ensuring information security, a significant role is played by software and hardware tools aimed at controlling computer entities, i.e. hardware, software elements, data, forming the last and highest priority frontier of information security. The transmission of data must also be secure in the context of maintaining its confidentiality, integrity and availability. Therefore, in modern conditions, tunneling technologies are used in combination with cryptographic means to provide secure communication channels.

Literature

  1. Galatenko V.A. Information Security Standards. – M.: Internet University of Information Technologies, 2006.
  2. Partyka T.L., Popov I.I. Information Security. – M.: Forum, 2012.