Annotation: The lecture deals with the basic concepts of information security. Familiarization with the Federal Law "On Information, Information Technologies and Information Protection".

GOST " Data protection. Basic terms and definitions" introduces the concept information security as a state of information security, in which it is provided confidentiality, availability and integrity .

• Confidentiality- the state of information in which access to it is carried out only by subjects who have the right to it.
• Integrity- the state of information in which there is no any change in it or the change is carried out only intentionally by the subjects that have the right to it;
• Availability- the state of information, in which the subjects with the right of access can exercise it without hindrance.

Information security threats- a set of conditions and factors that create a potential or real danger of information security breach [ , ]. Attack an attempt to implement a threat is called, and the one who makes such an attempt - intruder. Potential attackers are called sources of threat.

The threat is the result of vulnerabilities or vulnerabilities in the information system. Vulnerabilities can arise for various reasons, for example, as a result of unintentional mistakes by programmers when writing programs.

Threats can be classified according to several criteria:

• on properties of information(availability, integrity, confidentiality), against which threats are directed in the first place;
• by the components of information systems that threats are aimed at (data, programs, hardware, supporting infrastructure);
• according to the method of implementation (accidental / intentional, natural / man-made actions);
• by the location of the source of threats (inside/outside the considered IS).

Ensuring information security is challenging task, whose solution requires A complex approach. There are the following levels of information protection:

1. legislative - laws, regulations and other documents of the Russian Federation and the international community;
2. administrative - a set of measures taken locally by the management of the organization;
3. procedural level - security measures implemented by people;
4. software and hardware level- direct means of protecting information.

The legislative level is the basis for building an information security system, as it gives basic concepts subject area and determines the punishment for potential intruders. This level plays a coordinating and guiding role and helps maintain a negative (and punitive) attitude in society towards people who violate information security.

1.2. Federal Law "On information, information technologies and information protection"

In Russian legislation, the basic law in the field of information protection is the Federal Law "On Information, Information Technologies and Information Protection" dated July 27, 2006, No. 149-FZ. Therefore, the basic concepts and decisions enshrined in the law require close consideration.

The law regulates relations arising from:

• exercising the right to search, receive, transfer, produce and disseminate information;
• application information technologies;
• ensuring the protection of information.

The law provides basic definitions in the field of information protection. Here are some of them:

• information- information (messages, data) regardless of the form of their presentation;
• Information Technology- processes, methods for searching, collecting, storing, processing, providing, disseminating information and methods for implementing such processes and methods;
• Information system- a set of information contained in databases and information technologies and technical means that ensure its processing;
• owner of information- a person who has independently created information or who has received, on the basis of a law or an agreement, the right to allow or restrict access to information determined by any signs;
• information system operator- a citizen or legal entity engaged in the operation of an information system, including the processing of information contained in its databases.
• confidentiality of information- a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Article 4 of the Law formulates the principles of legal regulation of relations in the field of information, information technology and information protection:

1. freedom to seek, receive, transmit, produce and distribute information in any legal way;
2. establishment of restrictions on access to information only by federal laws;
3. openness of information about the activities of state bodies and local self-government bodies and free access to such information, except in cases established by federal laws;
4. equality of languages ​​of the peoples of the Russian Federation in the creation of information systems and their operation;
5. ensuring the security of the Russian Federation in the creation of information systems, their operation and protection of the information contained in them;
6. reliability of information and timeliness of its provision;
7. privacy, the inadmissibility of collecting, storing, using and disseminating information about the private life of a person without his consent;
8. the inadmissibility of establishing by regulatory legal acts any advantages of using some information technologies over others, unless the mandatory use of certain information technologies for the creation and operation of state information systems is established by federal laws.

All information is divided into public and limited access. Publicly available information includes generally known information and other information, access to which is not limited. The law defines information to which access cannot be restricted, such as information about the environment or the activities of government agencies. It is also stipulated that Access limitation to information is established by federal laws in order to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of other persons, to ensure the defense of the country and the security of the state. It is mandatory to maintain the confidentiality of information, access to which is limited by federal laws.

It is prohibited to require a citizen (individual) to provide information about his private life, including information constituting a personal or family secret, and to receive such information against the will of the citizen (individual), unless otherwise provided by federal laws.

1. information freely distributed;
2. information provided by agreement of the persons participating in the relevant relationship;
3. information that, in accordance with federal laws, is subject to provision or dissemination;
4. information whose dissemination in the Russian Federation is restricted or prohibited.

The law establishes the equivalence of an electronic message signed with an electronic digital signature or other analogue of a handwritten signature, and a document signed with one's own hand.

The following definition of information security is given - it is the adoption of legal, organizational and technical measures aimed at:

1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
2. confidentiality of information limited access;
3. exercising the right to access information.

The owner of information, the operator of the information system, in cases established by the legislation of the Russian Federation, are obliged to ensure:

1. prevention of unauthorized access to information and (or) its transfer to persons who do not have the right to access information;
2. timely detection of facts of unauthorized access to information;
3. prevention of the possibility of adverse consequences of violation of the order of access to information;
4. prevention of impact on the technical means of information processing, as a result of which their functioning is disrupted;
5. the possibility of immediate recovery of information modified or destroyed due to unauthorized access to it;
6. constant control over ensuring the level of information security.

Thus, the Federal Law "On information, information technologies and information protection" creates the legal basis for information exchange in the Russian Federation and determines the rights and obligations of its subjects.

Rapidly developing computer information technologies are making noticeable changes in our lives. Information has become a commodity that can be bought, sold, exchanged. At the same time, the cost of information is often hundreds of times higher than the cost of computer system in which it is stored.

The well-being, and sometimes the life of many people, depends on the degree of information technology security. Such is the payment for the complication and ubiquity of automated information processing systems.

Under information security refers to the security of an information system from accidental or intentional interference that harms the owners or users of information.

In practice, three aspects of information security are the most important:

• availability(possibility to receive the required information service within a reasonable time);
• integrity(relevance and consistency of information, its protection from destruction and unauthorized changes);
• confidentiality(protection against unauthorized reading).

Violations of the availability, integrity and confidentiality of information can be caused by various dangerous effects on information computer systems.

The main threats to information security

A modern information system is a complex system consisting of a large number of components of varying degrees of autonomy that are interconnected and exchange data. Almost every component can be exposed to external influences or fail. The components of an automated information system can be divided into the following groups:

• hardware- computers and their components (processors, monitors, terminals, peripherals- disk drives, printers, controllers, cables, communication lines, etc.);
• software- purchased programs, source, object, boot modules; operating systems and system programs (compilers, linkers, etc.), utilities, diagnostic programs, etc.;
• data- stored temporarily and permanently, on magnetic media, printed, archives, system logs, etc.;
• staff- service personnel and users.

Hazardous impacts on a computer information system can be divided into accidental and intentional. An analysis of the experience of designing, manufacturing and operating information systems shows that information is subjected to various random influences at all stages of the system life cycle. Causes random influences during operation can be:

• emergencies due to natural disasters and power outages;
• equipment failures and failures;
• software bugs;
• errors in the work of personnel;
• interference in communication lines due to environmental influences.

Intentional Impacts- These are targeted actions of the offender. An employee, a visitor, a competitor, a mercenary can act as an intruder. The actions of the violator may be due to various motives:

• employee's dissatisfaction with his career;
• a bribe;
• curiosity;
• competitive struggle;
• striving for self-assertion at any cost.

You can make a hypothetical model of a potential intruder:

• qualification of the violator at the level of the developer of this system;
• the violator can be both an outsider and a legitimate user of the system;
• the violator knows the information about the principles of the system;
• the offender chooses the weakest link in the defense.

The most common and diverse type of computer violations is unauthorized access(NSD). NSD uses any error in the protection system and is possible with an irrational choice of protection tools, their incorrect installation and configuration.

Let's classify the UA channels, through which it is possible to carry out the theft, change or destruction of information:

• Through a person:
  • theft of storage media;
  • reading information from the screen or keyboard;
  • reading information from a printout.
• Through the program:
  • interception of passwords;
  • decryption of encrypted information;
  • copying information from media.
• Through hardware:
  • connection of specially designed hardware providing access to information;
  • interception of spurious electromagnetic radiation from equipment, communication lines, power supply networks, etc.

Particular attention should be paid to the threats to which computer networks may be exposed. The main feature of any computer network is that its components are distributed in space. Communication between network nodes is carried out physically using network lines and programmatically using the message mechanism. In this case, control messages and data sent between network nodes are transmitted in the form of exchange packets. Computer networks are characterized by the fact that so-called remote attacks. An intruder can be located thousands of kilometers from the attacked object, and not only a specific computer, but also information transmitted over network communication channels can be attacked.

Ensuring information security

The formation of an information security regime is a complex problem. Measures to address it can be divided into five levels:

1. legislative (laws, regulations, standards, etc.);
2. moral and ethical (all kinds of norms of behavior, non-compliance with which leads to a drop in the prestige of a particular person or an entire organization);
3. administrative (general actions taken by the management of the organization);
4. physical (mechanical, electro- and electronic-mechanical obstacles on possible ways penetration of potential intruders);
5. hardware-software ( electronic devices And special programs information security).

A single set of all these measures aimed at countering security threats in order to minimize the possibility of damage form protection system.

A reliable protection system must comply with the following principles:

• The cost of protective equipment should be less than the amount of possible damage.
• Each user must have the minimum set of privileges required to work.
• Protection is the more effective, the easier it is for the user to work with it.
• Possibility of switching off in case of emergency.
• Specialists related to the protection system must fully understand the principles of its functioning and, in case of difficult situations, adequately respond to them.
• The entire information processing system must be protected.
• The developers of the protection system should not be among those whom this system will control.
• The protection system must provide evidence of the correctness of its work.
• Persons involved in ensuring information security should be personally responsible.
• It is expedient to divide protected objects into groups so that violation of protection in one of the groups does not affect the security of others.
• A reliable protection system must be fully tested and agreed upon.
• Protection becomes more efficient and flexible if it allows the administrator to change its settings.
• The security system should be designed with the assumption that users will make serious mistakes and generally have the worst of intentions.
• The most important and critical decisions must be made by a human.
• The existence of security mechanisms should be kept as hidden as possible from the users whose work is under control.

Hardware and software information security

Despite the fact that modern operating systems for personal computers, such as Windows 2000, Windows XP and Windows NT, have their own protection subsystems, the relevance of creating additional protection tools remains. The fact is that most systems are not able to protect data that is outside of them, for example, during network information exchange.

Hardware and software information security tools can be divided into five groups:

1. Systems of identification (recognition) and authentication (authentication) of users.
2. Disk data encryption systems.
3. Encryption systems for data transmitted over networks.
4. Electronic data authentication systems.
5. Cryptographic key management tools.

1. User identification and authentication systems

They are used to restrict access of random and illegal users to the resources of a computer system. The general algorithm of such systems is to obtain from the user information proving his identity, verify its authenticity and then provide (or not provide) this user with the ability to work with the system.

When building these systems, the problem of choosing information arises, on the basis of which the procedures for identifying and authenticating the user are carried out. The following types can be distinguished:

• secret information that the user has (password, secret key, personal identifier, etc.); the user must remember this information or special storage facilities can be used for it;
• physiological parameters of a person (fingerprints, drawing of the iris, etc.) or behavioral characteristics (features of working on the keyboard, etc.).

Systems based on the first type of information are considered traditional. Systems that use the second type of information are called biometric. It should be noted the emerging trend of advanced development of biometric identification systems.

2. Disk data encryption systems

To render information useless to the adversary, a set of data transformation methods is used, called cryptography[from Greek. cryptos- hidden and grapho- writing].

Encryption systems can perform cryptographic transformations of data at the file level or at the disk level. The programs of the first type include archivers such as ARJ and RAR, which allow the use of cryptographic methods to protect archive files. An example of a second type of system is the Diskreet encryption program, which is part of the popular software package Norton Utilities, Best Crypto.

Another classification feature of disk data encryption systems is the way they operate. According to the method of functioning, the disk data encryption system is divided into two classes:

• "transparent" encryption systems;
• systems specifically called in to perform encryption.

In transparent encryption systems (on-the-fly encryption), cryptographic transformations are carried out in real time, imperceptibly to the user. For example, a user writes a document prepared in a text editor to a protected disk, and the protection system encrypts it during the writing process.

Second-class systems are usually utilities that need to be specifically invoked to perform encryption. These include, for example, archivers with built-in password protection.

Most systems that offer to set a password for a document do not encrypt the information, but only provide a password request when accessing the document. These systems include MS Office, 1C and many others.

3. Encryption systems for data transmitted over networks

There are two main encryption methods: channel encryption and terminal (subscriber) encryption.

When channel encryption all information transmitted over a communication channel, including service information, is protected. This encryption method has the following advantage - embedding encryption procedures at the data link layer allows the use of hardware, which improves system performance. However, this approach also has significant drawbacks:

• service data encryption complicates the network packet routing mechanism and requires data decryption in intermediate communication devices (gateways, repeaters, etc.);
• Encryption of service information can lead to the appearance of statistical patterns in encrypted data, which affects the reliability of protection and imposes restrictions on the use of cryptographic algorithms.

End-to-end (subscriber) encryption allows you to ensure the confidentiality of data transmitted between two subscribers. In this case, only the content of messages is protected, all service information remains open. The disadvantage is the ability to analyze information about the structure of the message exchange, such as the sender and recipient, the time and conditions of data transmission, as well as the amount of data transmitted.

4. Electronic data authentication systems

When exchanging data over networks, the problem arises of authenticating the author of the document and the document itself, i.e. establishing the author's identity and checking the absence of changes in the received document. For data authentication, a message authentication code (imitation insertion) or an electronic signature is used.

Imitation insert is generated from open data by means of a special encryption transformation using a secret key and transmitted over a communication channel at the end of the encrypted data. The spoof insertion is verified by the receiver, who owns the secret key, by repeating the procedure previously performed by the sender on the received public data.

Electronic digital signature represents a relatively small amount of additional authentication information transmitted along with the signed text. The sender generates a digital signature using the sender's private key. The recipient verifies the signature using the sender's public key.

Thus, the principles of symmetric encryption are used to implement imitation insertion, and to implement electronic signature- asymmetric. We will study these two encryption systems in more detail later.

5. Cryptographic Key Management Tools

The security of any cryptosystem is determined by the cryptographic keys used. In the case of weak key management, an attacker can get hold of key information and gain complete access to all information on a system or network.

There are the following types of key management functions: generation, storage, and distribution of keys.

Ways key generation for symmetric and asymmetric cryptosystems are different. To generate keys of symmetric cryptosystems, hardware and software tools for generating random numbers are used. Key generation for asymmetric cryptosystems is more difficult, since the keys must have certain mathematical properties. We will dwell on this issue in more detail when studying symmetric and asymmetric cryptosystems.

Function storage involves the organization of secure storage, accounting and deletion of key information. To ensure the secure storage of keys, they are encrypted using other keys. This approach leads to the concept of a key hierarchy. The key hierarchy typically includes a master key (i.e., a master key), a key encryption key, and a data encryption key. It should be noted that the generation and storage of the master key is a critical cryptographic issue.

Distribution- the most responsible process in key management. This process must ensure that the keys to be distributed are kept secret and must be prompt and accurate. Keys are distributed between network users in two ways:

• using a direct exchange of session keys;
• using one or more key distribution centers.

List of documents

1. ABOUT THE STATE SECRET. Law of the Russian Federation No. 5485-1 of July 21, 1993 (as amended by Federal Law No. 131-FZ of October 6, 1997).
2. ABOUT INFORMATION, INFORMATIZATION AND PROTECTION OF INFORMATION. Federal Law of the Russian Federation of February 20, 1995 No. 24-FZ. Adopted by the State Duma on January 25, 1995.
3. ON LEGAL PROTECTION OF PROGRAMS FOR ELECTRONIC COMPUTERS AND DATABASES. Law of the Russian Federation of February 23, 1992 No. 3524-1.
4. ABOUT ELECTRONIC DIGITAL SIGNATURE. Federal Law of the Russian Federation of January 10, 2002 No. 1-FZ.
5. ABOUT COPYRIGHT AND RELATED RIGHTS. Law of the Russian Federation of July 9, 1993 No. 5351-1.
6. ABOUT THE FEDERAL BODIES OF GOVERNMENT COMMUNICATIONS AND INFORMATION. Law of the Russian Federation (as amended by Decree of the President of the Russian Federation of December 24, 1993 No. 2288; Federal Law of November 7, 2000 No. 135-FZ.
7. Regulations on the accreditation of testing laboratories and certification bodies of information security tools for information security requirements / State Technical Commission under the President of the Russian Federation.
8. Instructions on the procedure for marking certificates of conformity, their copies and certification information security equipment / State Technical Commission under the President of the Russian Federation.
9. Regulations on the certification of informatization objects for information security requirements / State Technical Commission under the President of the Russian Federation.
10. Regulations on the certification of information security tools for information security requirements: with additions in accordance with Decree of the Government of the Russian Federation of June 26, 1995 No. 608 "On certification of information security tools" / State Technical Commission under the President of the Russian Federation.
11. Regulations on state licensing of activities in the field of information security / State Technical Commission under the President of the Russian Federation.
12. Automated systems. Protection against unauthorized access to information. Classification of automated systems and information security requirements: Guiding document / State Technical Commission under the President of the Russian Federation.
13. Money protection concept computer science and automated systems from unauthorized access to information: Guidance document / State Technical Commission under the President of the Russian Federation.
14. Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information: Guidance document / State Technical Commission under the President of the Russian Federation.
15. Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information: Guidance document / State Technical Commission under the President of the Russian Federation.
16. Data protection. Special security marks. Classification and general requirements: Guiding document / State Technical Commission under the President of the Russian Federation.
17. Protection against unauthorized access to information. Terms and definitions: Guiding document / State Technical Commission under the President of the Russian Federation.

Ensuring information security is a complex social, legal, economic, and scientific problem. Only a comprehensive solution of its goals and objectives simultaneously in several planes will be able to exert its regulatory impact on ensuring the information security of the country. The work carried out in this area should have not only a practical orientation, but also a scientific justification.

The main goals of ensuring information security are determined on the basis of sustainable national and economic security priorities that meet the long-term interests of social development, which include:

Preservation and strengthening of Russian statehood and political stability in society;

Preservation and development of democratic institutions of society, ensuring the rights and freedoms of citizens, strengthening law and order;

Ensuring a worthy place and role of the country in the world community;

Ensuring the territorial integrity of the country;

Ensuring progressive socio-economic development;

Preservation of national cultural values ​​and traditions.

In accordance with the specified priorities, the main tasks of ensuring information security are:

Identification, assessment and forecasting of sources of threats to information security;

Development of a state policy for ensuring information security, a set of measures and mechanisms for its implementation;

Development of a regulatory framework for ensuring information security, coordination of activities of state authorities and enterprises to ensure information security;

Development of the information security system, improvement of its organization, forms, methods and means of preventing, parrying and neutralizing threats to information security and eliminating the consequences of its violation;

Ensuring the active participation of the country in the processes of creating the use of global information networks and systems.

The most important principles for ensuring information security are:

1) the legality of measures to detect and prevent offenses in information sphere;

2) continuity of implementation and improvement of means and methods of control and protection of the information system;

3) economic feasibility, i.e. comparability of possible damage and costs of ensuring information security

4) the complexity of using the entire arsenal of available means of protection in all departments of the company and at all stages of the information process.

The implementation of the information security process includes several stages:

Definition of the object of protection: the rights to protect the information resource, the valuation of the information resource and its main elements, the duration of the life cycle of the information resource, the trajectory of the information process by the functional divisions of the company;

Identification of sources of threats (competitors, criminals, employees, etc.), targets of threats (familiarization, modification, destruction, etc.), possible channels for the implementation of threats (disclosure, leakage, etc.);

Determining the necessary protective measures;

Assessment of their effectiveness and economic feasibility;

Implementation of the measures taken, taking into account the selected criteria;

Communicating the measures taken to the personnel, monitoring their effectiveness and eliminating (preventing) the consequences of threats.

The implementation of the described stages, in fact, is the process of managing the information security of an object and is provided by a control system that includes, in addition to the managed (protected) object itself, means of monitoring its state, a mechanism for comparing the current state with the required one, as well as a mechanism for control actions for localization and prevention of damage due to threats. In this case, it is advisable to consider the achievement of a minimum of information damage as a control criterion, and the goal of control is to ensure the required state of the object in the sense of its information security.

Methods for ensuring information security are divided into legal, organizational, technical and economic.

TO legal methods ensuring information security includes the development of legal acts regulating relations in the information sphere, and regulatory methodological documents on issues of ensuring information security. The most important areas of this activity are:

Introducing amendments and additions to the legislation governing relations in the field of information security in order to create and improve the information security system, eliminate internal contradictions in federal legislation, contradictions associated with international agreements, as well as in order to specify the legal norms establishing responsibility for offenses in the field of information security;

Legislative delineation of powers in the field of ensuring the definition of goals, objectives and mechanisms for the participation of public associations, organizations and citizens in this activity;

Development and adoption of normative legal acts establishing the responsibility of legal entities and individuals for unauthorized access to information, its illegal copying, distortion and illegal use, deliberate dissemination of false information, illegal disclosure confidential information, use for criminal and mercenary purposes official information or information containing commercial secrets;

Clarification of the status of foreign news agencies, mass media and journalists, as well as investors when attracting foreign investment for the development of domestic information infrastructure;

Legislative consolidation of the priority of development of national communication networks and domestic production of space communication satellites;

Determination of the status of organizations providing services of global information and communication networks and legal regulation of the activities of these organizations;

Creation of a legal framework for the formation of regional information security structures.

organizational and technical information security methods are:

Creation and improvement of the system for ensuring the information security of the state;

Strengthening the law enforcement activities of the authorities, including the prevention and suppression of offenses in the information sphere, as well as the identification, exposure and prosecution of persons who have committed crimes and other offenses in this area;

Development, use and improvement of information security tools and methods for monitoring the effectiveness of these tools, development of secure telecommunication systems, increasing the reliability of special software;

Creation of systems and means to prevent unauthorized access to processed information and special effects that cause destruction, destruction, distortion of information, as well as changes in the regular modes of operation of systems and means of informatization and communication;

Revealing technical devices and programs that pose a danger to the normal functioning of information and communication systems, preventing the interception of information through technical channels, the use of cryptographic means of protecting information during its storage, processing and transmission through communication channels, monitoring the implementation of special requirements for information protection;

Certification of information security tools, licensing of activities in the field of state secret protection, standardization of methods and means of information protection;

Improving the certification system for telecommunications equipment and software for automated information processing systems according to information security requirements;

Control over the actions of personnel in secure information systems, training in the field of ensuring information security of the state;

Formation of a monitoring system for indicators and characteristics of information security in the most important areas of life and activity of society and the state.

Economic Methods ensuring information security include:

Development of programs for ensuring information security of the state and determining the procedure for their financing;

Improving the system of financing work related to the implementation of legal and organizational and technical methods of information protection, creating a system for insuring information risks for individuals and legal entities.

Along with the widespread use standard methods and funds for the economy, the priority areas for ensuring information security are:

Development and adoption of legal provisions establishing the responsibility of legal entities and individuals for unauthorized access and theft of information, deliberate dissemination of false information, disclosure of trade secrets, leakage of confidential information;

Building a system of state statistical reporting that ensures the reliability, completeness, comparability and security of information by introducing strict legal liability for primary sources of information, organizing effective control over their activities and the activities of services for processing and analyzing statistical information, limiting its commercialization, using special organizational and software and hardware means of information protection;

Creation and improvement of special means of protecting financial and commercial information;

Development of a complex of organizational and technical measures to improve technology information activities and protection of information in economic, financial, industrial and other economic structures, taking into account the requirements of information security specific to the sphere of economy;

Improving the system of professional selection and training of personnel, systems for selecting, processing, analyzing and disseminating economic information.

Public policy ensuring information security forms the directions of activity of public authorities and management in the field of ensuring information security, including guarantees of the rights of all subjects to information, fixing the duties and responsibilities of the state and its bodies for the information security of the country, and is based on maintaining a balance of interests of the individual, society and the state in information sphere.

The state policy for ensuring information security is based on the following main provisions:

Restriction of access to information is an exception to the general principle of openness of information, and is carried out only on the basis of legislation;

Responsibility for the safety of information, its classification and declassification is personified;

Access to any information, as well as imposed access restrictions, are carried out taking into account the property rights to this information determined by law;

Formation by the state of a regulatory framework that regulates the rights, duties and responsibilities of all entities operating in the information sphere;

Legal and individuals, collecting, accumulating and processing personal data and confidential information, are liable before the law for their safety and use;

Provision by the state of legal means of protecting society from false, distorted and unreliable information coming through the media;

Implementation of state control over the creation and use of information security tools through their mandatory certification and licensing of activities in the field of information security;

Carrying out a protectionist policy of the state that supports the activities of domestic manufacturers of informatization and information protection tools and takes measures to protect the domestic market from the penetration of low-quality media and information products into it;

State support in providing citizens with access to world information resources, global information networks,

Formation by the state of the federal program of information security, uniting efforts government organizations and commercial structures in creating a unified information security system of the country;

The state is making efforts to counter the information expansion of other countries, supports the internationalization of global information networks and systems.

On the basis of the stated principles and provisions, general directions for the formation and implementation of information security policy in the political, economic and other spheres of state activity are determined.

State policy, as a mechanism for coordinating the interests of the subjects of information relations and finding compromise solutions, provides for the formation and organization of the effective work of various councils, committees and commissions with a wide representation of specialists and all interested structures. The mechanisms for the implementation of state policy should be flexible and reflect in a timely manner the changes taking place in the economic and political life of the country.

Legal support of information security of the state is a priority area for the formation of mechanisms for implementing the information security policy and includes:

1) rule-making activities to create legislation governing relations in society related to ensuring information security;

2) executive and law enforcement activities for the implementation of legislation in the field of information, informatization and information protection by public authorities and administration, organizations, citizens.

Rule-making activity in the field of information security provides:

Assessment of the state of the current legislation and development of a program for its improvement;

Creation of organizational and legal mechanisms for ensuring information security;

Formation of the legal status of all subjects in the information security system, users of information and telecommunication systems and determination of their responsibility for ensuring information security;

Development of an organizational and legal mechanism for collecting and analyzing statistical data on the impact of information security threats and their consequences, taking into account all types of information;

Development of legislative and other regulations governing the procedure for eliminating the consequences of the impact of threats, restoring violated rights and resources, and implementing compensatory measures.

Executive and law enforcement activities provides for the development of procedures for the application of legislation and regulations to subjects who have committed crimes and misdemeanors when working with confidential information and violated the rules of information interactions. All activities for the legal support of information security are based on three fundamental provisions of law: compliance with the law, ensuring a balance of interests of individual subjects and the state, and the inevitability of punishment.

Compliance with the rule of law implies the existence of laws and other regulations, their application and enforcement by subjects of law in the field of information security.

12.3. THE STATE OF INFORMATION SECURITY IN RUSSIA

Assessment of the state of information security of the state involves an assessment of existing threats. Clause 2 of the “Information Security Doctrine of the Russian Federation” 1 identifies the following threats to the information security of the Russian Federation:

Threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activity, individual, group and public consciousness, the spiritual revival of Russia;

Threats to the information support of the state policy of the Russian Federation;

Threats to the development of the domestic information industry, including the industry of informatization, telecommunications and communications, to meeting the needs of the domestic market in its products and the entry of these products to the world market, as well as to ensuring the accumulation, preservation and efficient use of domestic information resources;

__________________________________________________________________

Threats to the security of information and telecommunication systems, both already deployed and being created on the territory of Russia.

External sources of threats to Russia's information security include:

1) activities of foreign political, economic, military, intelligence and information structures directed against the Russian Federation in the information sphere;

2) the desire of a number of countries to dominate and infringe upon the interests of Russia in the global information space, ousting it from the external and internal information markets;

3) aggravation of international competition for the possession of information technologies and resources;

4) activities of international terrorist organizations;

5) increasing the technological gap between the leading powers of the world, building up their capabilities to counteract the creation of competitive Russian information technologies;

6) activities of space, air, sea and ground technical and other means (types) of reconnaissance of foreign states;

7) the development by a number of states of the concepts of information wars, which provide for the creation of means of dangerous influence on the information spheres of other countries of the world, the disruption of the normal functioning of information and telecommunication systems, the safety of information resources, and obtaining unauthorized access to them.

Internal sources of threats to Russia's information security include:

1) the critical state of domestic industries;

2) an unfavorable criminogenic situation, accompanied by trends in the merging of state and criminal structures in the information sphere, obtaining access to confidential information by criminal structures, strengthening the influence of organized crime on society, reducing the degree of protection of the legitimate interests of citizens, society and the state in the information sphere;

3) insufficient coordination of the activities of federal state authorities, state authorities of the constituent entities of the Russian Federation in the formation and implementation of a unified state policy in the field of ensuring the information security of the Russian Federation;

4) insufficient development of the regulatory legal framework governing relations in the information sphere, as well as insufficient law enforcement practice;

5) underdevelopment of civil society institutions and insufficient control over the development of the Russian information market;

6) insufficient economic power of the state;

7) decrease in the efficiency of the education and upbringing system, insufficient number of qualified personnel in the field of information security;

8) Russia's lag behind the leading countries of the world in terms of the level of informatization of federal government bodies, the credit and financial sector, industry, agriculture, education, healthcare, the service sector and the life of citizens.

In recent years, Russia has implemented a set of measures to improve its information security. Measures have been taken to ensure information security in federal government bodies, government bodies of the constituent entities of the Russian Federation, at enterprises, institutions and organizations, regardless of the form of ownership. Work has been launched to create a secure information and telecommunication system for special purposes in the interests of public authorities.

The state system of information protection, the system of protection of state secrets and the system of certification of information security tools contribute to the successful solution of issues of ensuring information security of the Russian Federation.

Structure state system information security are:

Bodies of state power and administration of the Russian Federation and subjects of the Russian Federation, solving the tasks of ensuring information security within their competence;

State and interdepartmental commissions and councils specializing in information security issues;

State Technical Commission under the President of the Russian Federation;

Federal Security Service of the Russian Federation;

Ministry of Internal Affairs of the Russian Federation;

Ministry of Defense of the Russian Federation;

Federal Agency for Government Communications and Information under the President of the Russian Federation;

Foreign Intelligence Service of the Russian Federation;

Structural and intersectoral divisions for the protection of information of public authorities;

Head and leading research, scientific and technical, design and engineering organizations for information security;

Educational establishments that carry out training and retraining of personnel for work in the information security system.

The State Technical Commission under the President of the Russian Federation, being a government body, implements a unified technical policy and coordinates work in the field of information security, heads the state system for protecting information from technical intelligence, is responsible for ensuring the protection of information from leakage through technical channels on the territory of Russia, monitors the effectiveness of the protection measures taken.

A special place in the information security system is occupied by state and public organizations that exercise control over the activities of state and non-state mass media.

To date, a legislative and regulatory framework has been formed in the field of information security in Russia, which includes:

1. Laws of the Russian Federation:

the Constitution of the Russian Federation;

“On banks and banking activity”;

"On Security";

"On Foreign Intelligence";

"On State Secrets";

"About communication";

"On certification of products and services";

"About mass media";

"On standardization";

“On information, information technologies and information protection”;

“On Bodies of the Federal Security Service in the Russian Federation”;

"On the obligatory copy of documents";

“On participation in international information exchange”;

"O6 digital signature", etc.

2. Regulatory legal acts of the President of the Russian Federation:

"Information Security Doctrine of the Russian Federation";

"On the national security strategy of the Russian Federation until 2020";

"On some issues of the interdepartmental commission for the protection of state secrets";

"On the list of information classified as state secrets";

"On the foundations of state policy in the field of informatization";

"On approval of the list of confidential information", etc.

Z. Normative legal acts of the Government of the Russian Federation:

"On certification of information security tools";

“On Licensing the Activities of Enterprises, Institutions and Organizations for Carrying out Works Related to the Use of Information Constituting State Secrets, the Creation of Information Security Tools, as well as the Implementation of Measures and (or) the Provision of Services for the Protection of State Secrets”;

"On the approval of the rules for classifying information constituting a state secret to various degrees of secrecy";

"On Licensing Certain Types of Activities", etc.

4. Guiding documents of the State Technical Commission of Russia:

"The concept of protection of computer equipment and automated systems from unauthorized access to information";

«Means of computer technology. Protection against unauthorized access to information. Indicators of security from unauthorized access to information”;

«Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection”;

"Data protection. Special security marks. Classification and general requirements”;

"Protection against unauthorized access to information. Part 1. Information security software. Classification by the level of control of the absence of non-declared capabilities.

5. Civil Code of the Russian Federation (part four).

6. Criminal Code of the Russian Federation.

International cooperation in the field of ensuring information security is an integral part of the economic, political, military, cultural and other types of interaction between countries that are part of the world community. Such cooperation should enhance the information security of all members of the world community, including Russia. The peculiarity of the international cooperation of the Russian Federation in the field of information security lies in the fact that it is carried out in the context of increased international competition for the possession of technological and information resources, for dominance in the sales markets, strengthening the technological gap between the leading powers of the world and building up their capabilities to create "information weapons". This may lead to a new stage in the development of the arms race in the information sphere.

International cooperation in the field of information security is based on the following regulatory framework:

Agreement with the Republic of Kazakhstan of January 13, 1995, with Moscow (Decree of the Government of the Russian Federation of May 15, 1994 Nch 679);

Agreement with Ukraine of June 14, 1996, Kyiv (Decree of the Government of the Russian Federation of June 7, 1996 Ns 655);

Agreement with the Republic of Belarus (Draft);

Issuance of certificates and licenses for international information exchange (Federal Law of July 4, 1996 X 85-FZ).

The main areas of international cooperation that meet the interests of the Russian Federation are:

Prevention of unauthorized access to confidential information in international banking networks and channels information support world trade, to confidential information in international economic and political unions, blocs and organizations, to information in international law enforcement organizations fighting international organized crime and international terrorism;

Prohibition of the development, distribution and use of "information weapons";

Ensuring the security of international information exchange, including the safety of information during its transmission through national telecommunication networks and communication channels;

Coordination of activities of law enforcement agencies of states - participants of international cooperation to prevent computer crimes;

Participation in the international conferences and exhibitions on the issue of information security.

Particular attention in the course of cooperation should be paid to the problems of interaction with the CIS countries, taking into account the prospects for creating a unified information space on the territory of the former USSR, within which practically unified telecommunication systems and communication lines are used.

At the same time, an analysis of the state of information security in Russia shows that its level does not fully meet the needs of society and the state. The current conditions of the political and socio-economic development of the country cause an aggravation of contradictions between the needs of society to expand the free exchange of information and the need to maintain certain regulated restrictions on its dissemination.

Enshrined in the Constitution of the Russian Federation, the rights of citizens to privacy, personal and family secrets, privacy of correspondence do not have sufficient legal, organizational and technical support. The protection of personal data collected by federal state authorities is unsatisfactorily organized.

There is no clarity in the implementation of state policy in the field of the formation of the Russian information space, the development of the mass media system, the organization of international information exchange and the integration of the Russian information space into the world information space, which creates conditions for the displacement of Russian news agencies, the media from the domestic information market and deformation structures of international information exchange.

There is insufficient government support for the activities of Russian news agencies to promote their products on the international information market.

The situation with ensuring the safety of information constituting a state secret is deteriorating.

Serious damage has been inflicted on the personnel potential of scientific and production teams operating in the field of creating informatization, telecommunications and communications, as a result of the mass departure of the most qualified specialists from these teams.

The lag of domestic information technologies forces the state authorities of the Russian Federation, when creating information systems, to follow the path of purchasing imported equipment and attracting foreign firms, which increases the likelihood of unauthorized access to processed information and increases Russia's dependence on foreign manufacturers of computer and telecommunications equipment, as well as software. security.

In connection with the intensive introduction of foreign information technologies in the spheres of activity of the individual, society and the state, as well as with the widespread use of open information and telecommunication systems, the integration of domestic and international information systems, the threat of using "information weapons" against the information infrastructure of Russia has increased. Work on an adequate comprehensive response to these threats is being carried out with insufficient coordination and weak budget financing.

test questions

1. What is the place of information security in the system of economic security of the state? Show on examples the importance of information security in ensuring the economic security of the state?

2. What is the reason for the increasing importance of information security in the modern period?

3. Describe the main categories of information security: information, informatization, document, information process, information system, information resources, personal data, confidential information.

4. What are the interests of the individual, society and the state in the information sphere?

5. What types of information security threats exist?

6. Name the ways in which threats affect information security objects.

7. Explain the concept of "information war".

8. List external sources threats to Russia's information security.

9. List the internal sources of threats to the information security of Russia.

10. What regulations ensure information security on the territory of the Russian Federation?

11. What international regulations in the field of information security do you know?

12. What is the essence of the state policy of ensuring information security?

13. List the methods of ensuring information security.

14. Describe the structure of the state information security system

15. Give an assessment of the state of information security in Russia.

Information Security Policy.

1. General provisions

This Information Security Policy ( Further - Politics ) defines a system of views on the problem of ensuring information security and is a systematic presentation of the goals and objectives, as well as organizational, technological and procedural aspects of ensuring the security of information of information infrastructure objects, including a set of information centers, data banks and communication systems of the organization. This Policy has been developed taking into account the requirements of the current legislation of the Russian Federation and the immediate prospects for the development of information infrastructure facilities, as well as the characteristics and capabilities of modern organizational and technical methods and hardware and software information protection.

The main provisions and requirements of the Policy apply to all structural divisions of the organization.

The policy is the methodological basis for the formation and implementation of a unified policy in the field of ensuring the security of information of information infrastructure objects, making agreed management decisions and developing practical measures aimed at ensuring information security, coordinating the activities of structural divisions of the organization when working on the creation, development and operation of information infrastructure objects. infrastructure in compliance with information security requirements.

The policy does not regulate the issues of organizing the protection of premises and ensuring the safety and physical integrity of the components of the information infrastructure, protection against natural disasters, and failures in the power supply system, however, it involves building an information security system on the same conceptual foundations as the security system of the organization as a whole.

The implementation of the policy is ensured by the relevant guidelines, regulations, procedures, instructions, guidelines and information security assessment system in the organization.

The following terms and definitions are used in the Policy:

Automated system ( AC) — a system consisting of personnel and a set of means for automating its activities, implementing information technology for performing established functions.

Information infrastructure— a system of organizational structures that ensure the functioning and development of the information space and means of information interaction. The information infrastructure includes a set of information centers, data and knowledge banks, communication systems, and provides consumers with access to information resources.

Informational resources ( IR) - these are separate documents and separate arrays of documents, documents and arrays of documents in information systems ( libraries, archives, collections, databases and other information systems).

Information system (IP) - information processing system and related organizational resources ( human, technical, financial, etc.) that provide and disseminate information.

Security - state of protection of interests ( goals) organizations under threat.

Information Security ( IS) — security associated with threats in the information sphere. Security is achieved by providing a set of IS properties - availability, integrity, confidentiality of information assets. The priority of IS properties is determined by the value of these assets for interests ( goals) organizations.

Availability of information assets − property of an organization's information security, which consists in the fact that information assets are provided to an authorized user, and in the form and place required by the user, and at the time when he needs them.

Integrity of Information Assets − the property of an organization's information security to remain unchanged or correct detected changes in its information assets.

Confidentiality of Information Assets − property of the organization's IS, which consists in the fact that the processing, storage and transfer of information assets is carried out in such a way that information assets are available only to authorized users, system objects or processes.

Information security system ( NIB) — a set of protective measures, protective equipment and processes for their operation, including resource and administrative ( organizational) provision.

Unauthorized access- access to information in violation of the official powers of the employee, access to information closed to public access by persons who do not have permission to access this information or obtaining access to information by a person who has the right to access this information in an amount exceeding what is necessary to perform official duties.

2. General requirements for ensuring information security

information security requirements Further -IS ) determine the content and objectives of the organization's activities within the framework of information security management processes.

These requirements are formulated for the following areas:

• assignment and distribution of roles and trust in staff;
• life cycle stages of information infrastructure objects;
• protection against unauthorized access ( Further - NSD ), access control and registration in automated systems, in telecommunications equipment and automatic telephone exchanges, etc.;
• anti-virus protection;
• use of Internet resources;
• use of means of cryptographic protection of information;
• protection of personal data.

3. Objects to be protected

The main objects to be protected are:

• informational resources, presented in the form of documents and arrays of information, regardless of the form and type of their presentation, including, among other things, confidential and open information;
• system of formation, distribution and use of information resources, libraries, archives, databases and data banks, information technologies, regulations and procedures for collecting, processing, storing and transmitting information, technical and maintenance personnel;
• information infrastructure, including information processing and analysis systems, hardware and software for its processing, transmission and display, including information exchange and telecommunications channels, information security systems and means, facilities and premises in which information infrastructure components are located.

3.1. Features of the Automated System

The AS circulates information of different categories. Protected information can be shared between different users from different subnets of a single corporate network.

A number of AS subsystems provide for interaction with external ( state and commercial, Russian and foreign) organizations via dial-up and dedicated communication channels using special means of information transmission.

The complex of technical means of the AU includes data processing tools ( workstations, database servers, mail servers etc.), means of data exchange in local computer networks with the ability to access global networks ( cabling, bridges, gateways, modems, etc.), as well as storage facilities ( including archiving) data.

The main features of the functioning of the AS include:

• the need to integrate into a single system a large number various technical means of processing and transmitting information;
• a wide variety of tasks to be solved and types of processed data;
• consolidation in single databases of information for various purposes, belonging and confidentiality levels;
• availability of channels for connecting to external networks;
• continuity of operation;
• the presence of subsystems with different requirements for security levels, physically united in a single network;
• variety of categories of users and service personnel.

In general, a single AS is a collection of local computer networks of departments, interconnected by means of telecommunications. Each local area network unites a number of interconnected and interacting automated subsystems ( technological areas) that ensure the solution of problems by individual structural divisions of the organization.

Informatization objects include:

• technological equipment ( computer equipment, network and cable equipment);
• informational resources;
• software ( operating systems, database management systems, general system and application software);
• automated communication and data transmission systems (telecommunication means);
• channels of connection;
• service premises.

3.2. Types of organizational information assets to be protected

In the AS subsystems of the organization, information of various levels of confidentiality circulates, containing information of limited distribution ( official, commercial, personal data) and public information.

The AS document flow contains:

• payment orders and financial documents;
• reports ( financial, analytical, etc.);
• information about personal accounts;
• personal data;
• other restricted information.

All information circulating in AS and contained in the following types of information assets is subject to protection:

• information constituting a commercial and official secret, access to which is limited by the organization as the owner of the information, in accordance with the provisions of the Federal Law " About information, informatization and information protection » Rights and Federal Law « About trade secret »;
• personal data, access to which is restricted in accordance with the Federal Law " About personal data »;
• open information, in terms of ensuring the integrity and availability of information.

3.3. Categories of users of the Automated system

The organization has a large number of categories of users and maintenance personnel who must have different powers to access the information resources of the AS:

• ordinary users ( end users, employees of organizational units);
• server administrators ( file servers, application servers, database servers), local computer networks and applied systems;
• system programmers ( responsible for maintenance of common software) on servers and user workstations;
• application software developers;
• specialists in the maintenance of technical means of computer technology;
• information security administrators, etc.

3.4. Vulnerability of the main components of the Automated System

The most vulnerable AS components are network workstations - workstations ( Further - workstation ) workers. Attempts of unauthorized access to information or attempts of unauthorized actions can be made from the workstation of employees ( unintentional and intentional) in a computer network. Violations of the configuration of the hardware and software of workstations and unlawful interference in the processes of their functioning can lead to blocking of information, the impossibility of solving important tasks in a timely manner and the failure of individual workstations and subsystems.

Network elements such as dedicated file servers, database servers, and application servers need special protection. Shortcomings of exchange protocols and means of access control to server resources can allow unauthorized access to protected information and influence the operation of various subsystems. At the same time, attempts can be made as a remote ( from network stations) and direct ( from the server console) impact on the operation of servers and their protections.

Bridges, gateways, hubs, routers, switches and other network devices, channels and communications also need to be protected. They can be used by intruders to restructure and disrupt network operation, intercept transmitted information, analyze traffic, and implement other methods of interfering in data exchange processes.

4. Basic principles of ensuring information security

4.1. General principles of safe operation

• Timeliness of problem detection. The organization must promptly detect problems that could potentially affect its business objectives.
• Predictability of development of problems. The organization must identify causality possible problems and build on this basis an accurate forecast of their development.
• Assessing the impact of problems on business goals. The organization shall adequately assess the impact of identified problems.
• Adequacy of protective measures. The organization should choose protective measures that are adequate to the threat and attacker models, taking into account the costs of implementing such measures and the amount of possible losses from the execution of threats.
• Effectiveness of protective measures. The organization shall effectively implement the protective measures taken.
• Using experience in making and implementing decisions. The organization should accumulate, generalize and use both its own experience and the experience of other organizations at all levels of decision-making and their implementation.
• Continuity of principles of safe operation. The organization shall ensure the continuity of the implementation of the principles of safe operation.
• Controllability of protective measures. The organization shall apply only those safeguards whose correct operation can be verified, and the organization shall regularly evaluate the adequacy of the safeguards and the effectiveness of their implementation, taking into account the impact of the safeguards on the business objectives of the organization.

4.2. Special principles for ensuring information security

• The implementation of special principles for ensuring information security is aimed at increasing the level of maturity of information security management processes in an organization.
• Definition of goals. The functional and information security objectives of the organization should be explicitly defined in an internal document. Uncertainty leads to “ vagueness” organizational structure, personnel roles, information security policies and the inability to assess the adequacy of the protective measures taken.
• Knowing your customers and employees. The organization must have information about its customers, carefully select staff ( workers), develop and maintain corporate ethics, which creates a favorable trusting environment for the activities of the asset management organization.
• Personification and adequate division of roles and responsibilities. The responsibility of the organization's officials for decisions related to its assets should be personified and carried out mainly in the form of a guarantee. It should be adequate to the degree of influence on the goals of the organization, fixed in policies, monitored and improved.
• Adequacy of roles to functions and procedures and their comparability with the criteria and evaluation system. Roles should adequately reflect the functions performed and the procedures for their implementation adopted in the organization. When assigning interrelated roles, the necessary sequence of their execution should be taken into account. The role should be consistent with the criteria for evaluating the effectiveness of its implementation. The main content and quality of the role being performed are actually determined by the assessment system applied to it.
• Availability of services and facilities. The organization must ensure the availability of services and services for its customers and counterparties on time, determined by the relevant agreements ( agreements) and/or other documents.
• Observability and evaluability of IS provision. Any proposed protective measures should be designed so that the result of their application is clearly observable ( transparent) and can be assessed by a department of the organization that has the appropriate authority.

5. Goals and objectives of providing security information

5.1. Subjects of Information Relations in the Automated System

The subjects of legal relations when using AS and ensuring the security of information are:

• Organization as the owner of information resources;
• subdivisions of the organization that ensure the operation of the NPP;
• employees of structural divisions of the organization, as users and providers of information in the AS in accordance with the functions assigned to them;
• legal entities and individuals, information about which is accumulated, stored and processed in the AS;
• other legal entities and individuals involved in the process of creation and operation of the AS ( developers of the system components, organizations involved in the provision of various services in the field of information technology, etc.).

The listed subjects of information relations are interested in providing:

• confidentiality of a certain part of the information;
• reliability ( completeness, accuracy, adequacy, integrity) information;
• protection against the imposition of false ( false, distorted) information;
• timely access to the necessary information;
• delimitation of liability for violations of legal rights ( interests) other subjects of information relations and established rules for handling information;
• the possibility of continuous monitoring and control of the processing and transmission of information;
• protection of part of the information from its illegal reproduction ( protection of copyrights, rights of the owner of information, etc.).

5.2. Purpose of Information Security

The main goal of ensuring the security of information is to protect the subjects of information relations from possible material, moral or other damage to them through accidental or deliberate unauthorized interference in the operation of the AS or unauthorized access to the information circulating in it and its illegal use.

This goal is achieved by ensuring and constantly maintaining the following properties of information and an automated system for its processing:

• availability of the processed information for registered users;
• confidentiality of a certain part of the information stored, processed and transmitted through communication channels;
• integrity and authenticity of information stored, processed and transmitted via communication channels.

5.3. Information Security Tasks

To achieve the main goal of ensuring information security, the information security system of the nuclear power plant should provide an effective solution to the following tasks:

• protection against interference in the process of functioning of the AU by unauthorized persons;
• differentiation of access of registered users to the hardware, software and information resources of the AS, that is, protection from unauthorized access;
• registration of user actions when using protected AS resources in system logs and periodic monitoring of the correctness of system user actions by analyzing the contents of these logs by specialists from security departments;
• protection against unauthorized modification and integrity control ( immutability) program execution environment and its recovery in case of violation;
• protection against unauthorized modification and control of the integrity of software used in the AU, as well as protection of the system from the introduction of unauthorized programs, including computer viruses;
• protection of information from leakage through technical channels during its processing, storage and transmission through communication channels;
• protection of information stored, processed and transmitted via communication channels from unauthorized disclosure or distortion;
• ensuring authentication of users participating in information exchange;
• ensuring the survivability of cryptographic means of protecting information in the event of a compromise of a part of the key system;
• timely identification of sources of threats to information security, causes and conditions that contribute to causing damage to interested subjects of information relations, creation of a mechanism for prompt response to threats to information security and negative trends;
• creating conditions for minimizing and localizing damage caused by illegal actions of individuals and legal entities, mitigating the negative impact and eliminating the consequences of information security breaches.

5.4. Ways to solve the problems of ensuring information security

The solution to the problems of ensuring information security is achieved:

• strict consideration of all system resources to be protected ( information, tasks, communication channels, servers, workstations);
• regulation of information processing processes and actions of employees of structural divisions of the organization, as well as actions of personnel engaged in maintenance and modification of software and hardware of the AU, on the basis of organizational and administrative documents on information security;
• completeness, real feasibility and consistency of the requirements of organizational and administrative documents on the issues of information security;
• appointment and training of employees responsible for the organization and implementation of practical measures to ensure the security of information;
• empowering each employee with the minimum necessary for the performance of their functional duties of the authority to access the resources of the AU;
• clear knowledge and strict observance by all employees using and maintaining the AS hardware and software of the requirements of organizational and administrative documents on information security;
• personal responsibility for their actions of each employee participating, within the framework of their functional duties, in the processes of automated information processing and having access to AS resources;
• implementation of technological processes of information processing using complexes of organizational and technical measures to protect software, hardware and data;
• taking effective measures to ensure the physical integrity of technical means and continuous maintenance of the required level of protection of the NPP components;
• application of technical ( software and hardware) means of protecting system resources and continuous administrative support for their use;
• delimitation of information flows and prohibition of transmission of information of limited distribution through unprotected communication channels;
• effective control over compliance by employees with information security requirements;
• constant monitoring network resources, identification of vulnerabilities, timely detection and neutralization of external and internal threats to the security of a computer network;
• legal protection of the interests of the organization from illegal actions in the field of information security.
• conducting a continuous analysis of the effectiveness and sufficiency of the measures taken and the information protection tools used, the development and implementation of proposals for improving the information protection system in the AS.

6. Threats to information security

6.1. Information security threats and their sources

The most dangerous threats to the security of information processed in AS are:

• privacy violation ( disclosure, leak) information constituting an official or commercial secret, including personal data;
• dysfunction ( disorganization of work) AS, information blocking, violation of technological processes, failure to solve problems in a timely manner;
• integrity violation ( distortion, substitution, destruction) information, software and other AS resources.

The main sources of threats to the security of AS information are:

• unfavorable natural and man-made events;
• terrorists, criminal elements;
• computer intruders carrying out purposeful destructive influences, including the use of computer viruses and other types of malicious codes and attacks;
• suppliers of software and hardware, consumables, services, etc.;
• contractors involved in the installation, commissioning of equipment and its repair;
• non-compliance with the requirements of supervisory and regulatory authorities, current legislation;
• failures, failures, destruction/damage of software and hardware;
• employees who are legal participants in the processes in the AS and act outside the scope of the granted powers;
• employees who are legal participants in the processes in the AS and act within the framework of the granted powers.

6.2. Unintentional actions leading to a breach of information security and measures to prevent them

Employees of the organization who have direct access to information processing processes in the AS are a potential source of unintentional random actions that can lead to a breach of information security.

Main unintentional actions leading to violation of information security (actions committed by people accidentally, through ignorance, inattention or negligence, out of curiosity, but without malicious intent) and measures to prevent such actions and minimize the damage caused by them are given in Table 1.

Table 1

Main actions leading to violation of information security
Actions of employees leading to partial or complete failure of the system or disruption of hardware or software; turning off equipment or changing the operating modes of devices and programs; destruction of information resources of the system ( unintentional damage to equipment, removal, distortion of programs or files from important information, including system ones, damage to communication channels, unintentional damage to storage media, etc.)	Organizational arrangements ( ). The use of physical means to prevent the unintentional commission of a violation. Application of technical ( hardware and software) means of restricting access to resources. Reservation of critical resources.
Unauthorized launch of programs that, if used incompetently, can cause a loss of system performance ( freezes or loops) or making irreversible changes in the system ( formatting or restructuring storage media, deleting data, etc.)	Organizational arrangements ( removal of all potentially dangerous programs from the workstation). Application of technical ( hardware and software) means of delimiting access to programs on workstations.
Unauthorized introduction and use of unaccounted programs ( gaming, training, technological and others that are not necessary for the employees to perform their official duties) with subsequent unreasonable expenditure of resources ( cpu time, random access memory, memory on external media, etc.)	Organizational arrangements ( introduction of bans). Application of technical ( hardware and software) means preventing unauthorized introduction and use of unrecorded programs.
Inadvertently infecting a computer with viruses	Organizational arrangements ( regulation of actions, introduction of prohibitions). Technological measures ( the use of special programs for detecting and destroying viruses). The use of hardware and software that prevent infection with computer viruses.
Disclosure, transfer or loss of access control attributes ( passwords, encryption keys or ES, identification cards, passes, etc.)	Organizational arrangements ( regulation of actions, introduction of prohibitions, increased responsibility). The use of physical means to ensure the safety of the specified details.
Ignoring organizational constraints ( established rules) when working in the system	Organizational arrangements ( ). Use of additional physical and technical means of protection.
Incompetent use, adjustment or illegal deactivation of protective equipment by security personnel	Organizational arrangements ( staff training, increased responsibility and control).
Entering erroneous data	Organizational arrangements ( increased accountability and control). Technological measures to control errors of data entry operators.

6.3. Deliberate actions to violate information security and measures to prevent them

Major intentional acts ( for selfish purposes, under duress, out of a desire for revenge, etc.), leading to a violation of the information security of the AU, and measures to prevent them and reduce the possible damage caused are given in Table 2.

table 2

The main intentional actions leading to information security breach	Measures to prevent threats and minimize damage
Physical destruction or incapacitation of all or some of the most important components of an automated system ( devices, carriers of important system information, employees, etc.), shutdown or incapacitation of subsystems that ensure the functioning of computing systems ( power supply, communication lines, etc.)	Organizational arrangements ( regulation of actions, introduction of prohibitions). The use of physical means to prevent the intentional commission of a violation. Reservation of critical resources.
The introduction of agents into the number of system personnel ( including the administrative group responsible for security), recruitment ( by bribery, blackmail, threats, etc.) users who have certain permissions to access protected resources	Organizational arrangements ( selection, placement and work with personnel, strengthening control and responsibility). Automatic registration of personnel actions.
Theft of storage media ( printouts, magnetic disks, tapes, storage devices and entire PCs), theft of industrial waste ( printouts, records, discarded media, etc.)	Organizational arrangements ( ).
Unauthorized copying of storage media, reading residual information from RAM and external storage devices	Organizational arrangements ( organization of storage and use of media with protected information). The use of technical means of restricting access to protected resources and automatic registration of receipt of hard copies of documents.
Illegal obtaining of passwords and other details of access control ( undercover, using the negligence of users, by selection, by imitation of the system interface with software tabs, etc.) followed by disguise as a registered user.	Organizational arrangements ( regulation of actions, introduction of prohibitions, work with personnel). The use of technical means that prevent the introduction of programs to intercept passwords, keys and other details.
Unauthorized use of workstations of users with unique physical characteristics, such as the number of a workstation in the network, physical address, address in the communication system, hardware coding unit, etc.	Organizational arrangements ( strict regulation of access to the premises and admission to work on these workstations). The use of physical and technical means of access control.
Unauthorized software modification - the introduction of software "bookmarks" and "viruses" ( Trojan horses and bugs), that is, such sections of programs that are not needed for the implementation of the declared functions, but allow to overcome the protection system, covertly and illegally access system resources in order to register and transmit protected information or disrupt the functioning of the system	Organizational arrangements ( strict regulation of access to work). The use of physical and technical means of access control and preventing unauthorized modification of the hardware and software configuration of the workstation. Application of software integrity control tools.
Interception of data transmitted over communication channels, their analysis in order to obtain confidential information and find out exchange protocols, rules for entering the network and user authorization, with subsequent attempts to imitate them to penetrate the system	Physical protection of communication channels. Application of means of cryptographic protection of transmitted information.
Interference in the functioning of the system from public networks for the purpose of unauthorized modification of data, access to confidential information, disruption of the work of subsystems, etc.	Organizational arrangements ( regulation of connection and work in public networks). The use of special technical means of protection ( firewalls, security controls and detection of attacks on system resources, etc.).

6.4. Leakage of information through technical channels

During the operation of NPP technical means, the following channels of leakage or violation of the integrity of information, violation of the performance of technical means are possible:

• spurious electromagnetic radiation of an informative signal from technical means and information transmission lines;
• pickup of an informative signal processed by means of electronic computing equipment on wires and lines that go beyond the controlled area of ​​offices, incl. on the ground and power supply circuits;
• various electronic devices for intercepting information ( including "bookmarks") connected to communication channels or technical means of information processing;
• viewing information from display screens and other means of displaying it using optical means;
• impact on hardware or software in order to violate the integrity ( destruction, distortion) information, operability of technical means, means of information security and timeliness of information exchange, including electromagnetic, through specially implemented electronic and software tools ( "bookmarks").

Taking into account the specifics of processing and ensuring the security of information, the threat of leakage of confidential information ( including personal data) through technical channels are irrelevant for the organization.

6.5. Informal model of a probable intruder

An offender is a person who has attempted to perform prohibited operations ( action) by mistake, ignorance or knowingly with malicious intent ( out of selfish interests) or without it ( for the sake of play or pleasure, for the purpose of self-affirmation, etc.) and using various possibilities, methods and means for this.

The NPP protection system should be built based on the assumptions about the following possible types of intruders in the system ( taking into account the category of persons, motivation, qualifications, availability of special means, etc.):

• « Inexperienced (inattentive) user"- an employee who may attempt to perform prohibited operations, access protected AS resources in excess of his authority, enter incorrect data, etc. actions by mistake, incompetence or negligence without malicious intent and using only regular ( available to him) hardware and software.
• « amateur"- an employee trying to overcome the protection system without selfish goals and malicious intent, for self-affirmation or from" sports interest". To overcome the protection system and commit prohibited actions, he can use various methods obtaining additional permissions to access resources ( names, passwords, etc. other users), shortcomings in the construction of the protection system and available staff ( installed on the workstation) programs ( unauthorized actions by exceeding their authority to use authorized funds). In addition, he may try to use additional non-standard tools and technological software ( debuggers, utility utilities), independently developed programs or standard additional technical means.
• « Scammer"- an employee who may attempt to perform illegal technological operations, enter false data and similar actions for personal gain, under duress or out of malicious intent, but using only regular ( installed on the workstation and available to him) hardware and software on their own behalf or on behalf of another employee ( knowing his name and password, using his short absence from the workplace, etc.).
• « External intruder (intruder)"- an outsider or former employee acting purposefully out of selfish interests, out of revenge or out of curiosity, possibly in collusion with others. It can use the whole range of information security breaches, methods and means of hacking security systems that are typical for public networks ( in particular IP-based networks), including the remote implementation of software bookmarks and the use of special instrumental and technological programs, using the existing weaknesses in the exchange protocols and the protection system for the organization's AS network nodes.
• « Internal intruder» - an employee registered as a user of the system, acting purposefully out of selfish interests or revenge, possibly in collusion with persons who are not employees of the organization. He can use the whole set of methods and means of hacking the security system, including undercover methods of obtaining access details, passive means (technical means of interception without modifying system components), methods and means of active influence ( modification of technical means, connection to data transmission channels, introduction of software tabs and use of special instrumental and technological programs), as well as combinations of impacts both from within and from public networks.

An insider may be a person from the following categories of personnel:

• registered AS end users ( employees of departments and branches);
• workers not allowed to work with the AU;
• personnel servicing NPP technical facilities ( engineers, technicians);
• employees of software development and maintenance departments ( application and system programmers);
• technical staff serving the buildings and premises of the organization ( cleaners, electricians, plumbers and other workers who have access to buildings and premises where the AU components are located);
• leaders at various levels.

• laid-off workers;
• representatives of organizations interacting on issues of ensuring the life of the organization ( energy, water, heat supply, etc.);
• representatives of firms supplying equipment, software, services, etc.;
• members of criminal organizations and competing commercial structures or persons acting on their instructions;
• persons who accidentally or intentionally penetrated networks from external networks ( "hackers").

Users and maintenance personnel from among employees have the widest opportunities to carry out unauthorized actions, due to the fact that they have certain powers to access resources and good knowledge information processing technologies. The actions of this group of violators are directly related to the violation of existing rules and instructions. This group of offenders poses a particular danger when interacting with criminal structures.

Displaced workers can use their knowledge of work technology, safeguards and access rights to achieve goals.

Criminal structures represent the most aggressive source of external threats. In order to implement their plans, these structures can openly violate the law and involve employees of the organization in their activities with all the forces and means available to them.

Hackers have the highest technical qualifications and knowledge of the weaknesses of the software used in the AS. They pose the greatest threat when interacting with working or laid-off workers and criminal structures.

Organizations involved in the development, supply and repair of equipment, information systems pose an external threat due to the fact that occasionally they have direct access to information resources. Criminal structures can use these organizations for temporary employment of their members in order to access protected information.

7. Technical policy in the field of information security

7.1. Main provisions of technical policy

The implementation of a technical policy in the field of information security should proceed from the premise that it is impossible to provide the required level of information security not only with the help of one a separate tool (Events), but also with the help of their simple set. They need to be systematically coordinated with each other ( complex application), and individual elements of the AS should be considered as part of a unified information system in a secure design with optimal ratio technical ( hardware, software) funds and organizational measures.

The main directions of the implementation of the technical policy of ensuring the security of information of the AU is to ensure the protection of information resources from theft, loss, leakage, destruction, distortion or forgery due to unauthorized access and special effects.

Within the framework of the indicated directions of the technical policy for ensuring the security of information, the following are carried out:

• implementation of a permit system for the admission of performers ( users, service personnel) to works, documents and information of a confidential nature;
• restricting the access of performers and unauthorized persons to buildings and premises where confidential work is carried out and information and communication means are located on which ( stored, transmitted) information of a confidential nature, directly to the means of informatization and communications;
• delimitation of access for users and maintenance personnel to information resources, software tools for processing and protecting information in subsystems of various levels and purposes included in the AS;
• accounting of documents, information arrays, registration of actions of users and maintenance personnel, control over unauthorized access and actions of users, maintenance personnel and unauthorized persons;
• prevention of introduction of virus programs, software bookmarks into automated subsystems;
• cryptographic protection of information processed and transmitted by means of computer technology and communications;
• reliable storage of machine storage media, cryptographic keys ( key information) and their circulation, excluding theft, substitution and destruction;
• necessary redundancy of technical means and duplication of arrays and storage media;
• reduction in the level and information content of spurious radiation and interference generated by various elements of automated subsystems;
• electrical isolation of power supply circuits, grounding and other circuits of informatization objects that go beyond the controlled area;
• opposition to optical and laser products observations.

7.2. Formation of the information security mode

Taking into account the identified threats to the safety of the nuclear power plant, the information security regime should be formed as a set of methods and measures to protect the information circulating in the nuclear power plant and the infrastructure supporting it from accidental or intentional effects of a natural or artificial nature, entailing damage to the owners or users of information.

A set of measures for the formation of an information security regime includes:

• establishment in the AS of the organizational and legal regime of information security ( regulatory documents, work with personnel, office work);
• implementation of organizational and technical measures to protect restricted information from leakage through technical channels;
• organizational and software and hardware measures to prevent unauthorized actions ( access) to the information resources of the AU;
• a set of measures to control the functioning of means and systems for protecting information resources of limited distribution after accidental or deliberate impacts.

8. Measures, methods and means of ensuring information security

8.1. Organizational arrangements

Organizational arrangements- these are organizational measures that regulate the processes of functioning of the AS, the use of their resources, the activities of maintenance personnel, as well as the procedure for users to interact with the system in such a way as to most hinder or exclude the possibility of implementing security threats and reduce the amount of damage if they are implemented.

8.1.1. Formation of security policy

The main goal of organizational measures is to form an information security policy that reflects approaches to information protection, and ensure its implementation by allocating the necessary resources and monitoring the state of affairs.

From a practical point of view, it is advisable to divide the NPP security policy into two levels. The top level includes decisions that affect the activities of the organization as a whole. Examples of such solutions might be:

• formation or revision of a comprehensive information security program, determination of those responsible for its implementation;
• formulating goals, setting tasks, determining areas of activity in the field of information security;
• making decisions on the implementation of the security program, which are considered at the level of the organization as a whole;
• provision of normative ( legal) databases of security issues, etc.

The lower-level policy defines the procedures and rules for achieving goals and solving information security problems and details (regulates) these rules:

• what is the scope of the information security policy;
• what are the roles and responsibilities of officials responsible for implementing the information security policy;
• who has access rights to restricted information;
• who and under what conditions can read and modify information, etc.

The lower level policy should:

• provide for the regulation of information relations, excluding the possibility of arbitrary, monopoly or unauthorized actions in relation to confidential information resources;
• determine coalition and hierarchical principles and methods for sharing secrets and restricting access to restricted information;
• choose software and hardware cryptographic protection, counteracting unauthorized access, authentication, authorization, identification and other protective mechanisms that ensure the implementation of the rights and responsibilities of subjects of information relations.

8.1.2. Regulation of access to technical facilities

The operation of secure workstations and the Bank's servers should be carried out in premises equipped with reliable automatic locks, alarm systems and constantly guarded or monitored, excluding the possibility of unauthorized entry into the premises of unauthorized persons and ensuring the physical safety of protected resources located in the premises ( AWS, documents, access details, etc.). The placement and installation of technical means of such workstations should exclude the possibility of visual viewing of the input ( derived) information by persons who are not related to it. Cleaning of premises with equipment installed in them should be carried out in the presence of the person responsible for whom these technical means are assigned, or the duty officer of the unit, in compliance with measures that exclude access by unauthorized persons to protected resources.

During the processing of restricted information, only personnel authorized to work with this information should be present in the premises.

At the end of the working day, premises with installed protected workstations must be taken under guard.

For the storage of official documents and machine media with protected information, employees are provided with metal cabinets, as well as means for destroying documents.

Technical means that are used to process or store confidential information must be sealed.

8.1.3. Regulation of the admission of employees to the use of information resources

Within the framework of the permit system, it is established: who, to whom, what information and for what type of access can provide and under what conditions; access control system, which involves the definition for all AS users of information and software resources available to them for specific operations ( read, write, modify, delete, execute) using the specified software and hardware access tools.

The admission of workers to work with the AU and access to their resources must be strictly regulated. Any changes in the composition and powers of users of subsystems of the AU should be made in the prescribed manner.

The main users of information in the AS are employees of the structural divisions of the organization. The level of authority of each user is determined individually, observing the following requirements:

• open and confidential information are placed on different servers, if possible;
• each employee enjoys only the rights assigned to him in relation to the information with which he needs to work in accordance with his official duties;
• the boss has the right to view the information of his subordinates;
• the most critical technological operations should be carried out according to the rule "two hands"- the correctness of the entered information is confirmed by another official who does not have the right to enter information.

All employees admitted to work in the NPP and NPP maintenance personnel must be personally liable for violations of the established procedure for automated processing of information, rules for the storage, use and transfer of protected system resources at their disposal. Each employee, when hiring, must sign the Commitment to comply with the requirements for the preservation of confidential information and responsibility for their violation, as well as the implementation of the rules for working with protected information in the AS.

Processing of protected information in subsystems of the AU should be carried out in accordance with approved technological instructions ( orders) for these subsystems.

For users protected by workstations, the necessary technological instructions should be developed, including requirements for ensuring the security of information.

8.1.4. Regulation of the processes of maintaining databases and modifying information resources

All operations for maintaining databases in the AU and the admission of employees to work with these databases must be strictly regulated. Any changes in the composition and powers of AS database users must be made in the prescribed manner.

Distribution of names, generation of passwords, maintenance of the rules for delimiting access to databases is entrusted to employees of the Department of Information Technologies. In this case, both regular and additional funds protection of DBMS and operating systems.

8.1.5. Regulation of maintenance processes and modification of hardware and software resources

System resources to be protected ( tasks, programs, workstation) are subject to strict accounting ( based on the use of appropriate forms or specialized databases).

The hardware and software configuration of automated workstations, where protected information is processed or from which access to protected resources is possible, must correspond to the range of functional duties assigned to users of this workstation. All unused (extra) information input-output devices ( COM, USB, LPT ports, floppy disk drives, CD and other storage media) on such workstations must be disabled (deleted), unnecessary software and data from the workstation disks must also be deleted.

To simplify maintenance, maintenance and organization of protection, workstations should be equipped with software and configured in a unified way ( in accordance with established rules).

Commissioning of new workstations and all changes in the configuration of hardware and software, existing workstations in the AS of the organization should be carried out only in accordance with the established procedure.

All software ( developed by the organization's specialists, obtained or purchased from manufacturers) should be tested in the prescribed manner and transferred to the organization's program depository. In AS subsystems, only software tools received in the established order from the depository should be installed and used. The use of software in the AS that is not included in the program depository should be prohibited.

Development of software, testing of developed and acquired software, transfer of software into operation must be carried out in accordance with the established procedure.

8.1.6. User training and education

Prior to granting access to the AS, its users, as well as management and maintenance personnel, must be familiar with the list of confidential information and their level of authority, as well as organizational, administrative, regulatory, technical and operational documentation that defines the requirements and procedure for processing such information.

Protection of information in all of the above areas is possible only after the development of a certain discipline among users, i.e. norms that are mandatory for all those who work in the AS. Such norms include the prohibition of any intentional or unintentional actions that disrupt the normal operation of the AS, cause additional resource costs, violate the integrity of stored and processed information, and violate the interests of legitimate users.

All employees who use specific subsystems of the AU in their work must be familiar with the organizational and administrative documents for the protection of the AU in the part that concerns them, they must know and strictly follow the technological instructions and general obligations to ensure the security of information. Bringing the requirements of these documents to the persons admitted to the processing of protected information should be carried out by the heads of departments against signature.

8.1.7. Responsibility for violation of information security requirements

For each serious violation of information security requirements by employees of the organization, an internal investigation should be carried out. Appropriate measures of influence should be applied to the perpetrators. The degree of responsibility of personnel for actions committed in violation of the established rules for ensuring secure automated processing of information should be determined by the damage caused, the presence of malicious intent and other factors.

To implement the principle of personal responsibility of users for their actions, it is necessary:

• individual identification of users and processes initiated by them, i.e. establishing an identifier for them, on the basis of which access differentiation will be carried out in accordance with the principle of reasonableness of access;
• user authentication ( authentication) based on passwords, keys on a different physical basis, etc.;
• registration ( logging) operation of mechanisms for controlling access to information system resources, indicating the date and time, identifiers of the requesting and requested resources, type of interaction and its result;
• reaction to attempts of unauthorized access ( alarm, blocking, etc.).

8.2. Technical means of protection

Technical ( hardware and software) means of protection - various electronic devices and special programs that are part of the AU and perform (independently or in combination with other means) protection functions ( identification and authentication of users, access control to resources, event registration, cryptographic protection of information, etc.).

Taking into account all the requirements and principles for ensuring the security of information in the AS in all areas of protection, the following means should be included in the protection system:

• means of authenticating users and AS elements ( terminals, tasks, database elements, etc.) corresponding to the degree of confidentiality of information and processed data;
• means of differentiating access to data;
• means of cryptographic protection of information in data transmission lines and in databases;
• means of registering appeals and monitoring the use of protected information;
• means of responding to detected UA or attempts to UA;
• means of reducing the level and information content of spurious radiation and pickups;
• means of protection against optical means of observation;
• means of protection against viruses and malicious programs;
• means of electrical decoupling of both NPP elements and structural elements of the premises in which the equipment is located.

The following main tasks are assigned to the technical means of protection against unauthorized access:

• identification and authentication of users using names and/or special hardware ( Touch Memory, Smart Card, etc.);
• regulation of user access to physical devices of workstations ( drives, I/O ports);
• selective (discretionary) control of access to logical drives, directories and files;
• authoritative (mandatory) differentiation of access to protected data on the workstation and on the file server;
• creation of a closed software environment allowed to run programs located both on local and network drives;
• protection against penetration of computer viruses and malicious programs;
• integrity control of protection system modules, disk system areas and arbitrary lists of files in automatic mode and by administrator commands;
• registration of user actions in a protected log, the presence of several levels of registration;
• protecting the data of the protection system on the file server from access by all users, including the network administrator;
• centralized management of access control settings on network workstations;
• registration of all UA events occurring at workstations;
• operational control over the work of network users, changing the operating modes of workstations and the possibility of blocking ( if necessary) of any network station.

The successful application of technical means of protection assumes that the fulfillment of the requirements listed below is ensured by organizational measures and the physical means of protection used:

• the physical integrity of all components of the AU is ensured;
• every worker system user) has a unique system name and the minimum authority necessary to perform its functional duties to access system resources;
• use of instrumental and technological programs on workstations ( test utilities, debuggers, etc.) that allow attempts to hack or circumvent security measures is limited and strictly regulated;
• there are no programming users in the secure system, and the development and debugging of programs is carried out outside the secure system;
• all changes in the configuration of hardware and software are made in a strictly established manner;
• network hardware ( hubs, switches, routers, etc.) is located in places inaccessible to strangers ( special rooms, cabinets, etc.);
• the information security service provides continuous management and administrative support for the operation of information security tools.

8.2.1. Means of identification and authentication of users

In order to prevent unauthorized persons from accessing the AS, it is necessary to ensure that the system recognizes each legitimate user (or limited groups of users). For this, in the system ( in a protected place) should store a number of attributes of each user by which this user can be identified. In the future, when entering the system, and, if necessary, when performing certain actions in the system, the user must identify himself, i.e. specify the identifier assigned to it in the system. In addition, various types of devices can be used for identification: magnetic cards, key inserts, floppy disks, etc.

Authentication ( authentication) of users should be carried out based on the use of passwords (secret words) or special means of authentication to check the unique characteristics (parameters) of users.

8.2.2. Means for restricting access to resources of the Automated System

After recognizing the user, the system must authorize the user, that is, determine what rights are granted to the user, i.e. what data and how it can use it, what programs it can execute, when, for how long and from what terminals it can work, what system resources it can use, etc. User authorization must be carried out using the following mechanisms for implementing access control:

• mechanisms for selective access control based on the use of attribute schemes, permission lists, etc.;
• mechanisms for authoritative access control based on the use of resource sensitivity labels and user access levels;
• mechanisms to ensure a closed environment of trusted software ( individual for each user lists of programs allowed to run) supported by mechanisms for identifying and authenticating users when they log in to the system.

The areas of responsibility and tasks of specific technical means of protection are established based on their capabilities and performance characteristics described in the documentation for these means.

Technical means of access control should be an integral part of a unified access control system:

• to the controlled territory;
• in separate rooms;
• to AS elements and information security system elements ( physical access);
• to AS resources ( software-mathematical access);
• to information repositories ( storage media, volumes, files, data sets, archives, references, records, etc.);
• to active resources ( application programs, tasks, request forms, etc.);
• to the operating system system programs and protection programs, etc.

8.2.3. Means for ensuring and monitoring the integrity of software and information resources

Integrity control of programs, processed information and protection means, in order to ensure the invariance of the software environment determined by the provided processing technology, and protection against unauthorized correction of information, should be provided:

• means of calculating checksums;
• means of electronic signature;
• means of comparing critical resources with their reference copies ( and recovery in case of integrity violation);
• means of access control ( deny access with modify or delete rights).

In order to protect information and programs from unauthorized destruction or distortion, it is necessary to ensure:

• duplication of system tables and data;
• duplexing and mirroring of data on disks;
• transaction tracking;
• periodic integrity checks operating system and user programs, as well as user files;
• anti-virus protection and control;
• backing up data according to a predetermined scheme.

8.2.4. Security event controls

Controls should ensure that all events are detected and recorded ( user actions, UA attempts, etc.), which may lead to a violation of the security policy and lead to crisis situations. Controls should provide the ability to:

• constant monitoring of key network nodes and network-forming communication equipment, as well as network activity in key network segments;
• control over the use of corporate and public network services by users;
• maintenance and analysis of security event logs;
• timely detection of external and internal threats to information security.

When logging security events in system log the following information should be recorded:

• date and time of the event;
• subject identifier ( user, program) performing the registered action;
• action ( if an access request is registered, then the object and type of access are noted).

Controls should provide detection and recording of the following events:

• user login;
• user login to the network;
• unsuccessful login or network attempt ( wrong password entry);
• connection to a file server;
• launching the program;
• completion of the program;
• an attempt to launch a program that is not available for launch;
• an attempt to gain access to an inaccessible directory;
• an attempt to read / write information from a disk that is inaccessible to the user;
• an attempt to launch the program from a disk that is inaccessible to the user;
• violation of the integrity of programs and data of the protection system, etc.

The following main ways of responding to discovered facts of UA should be supported ( possibly with the participation of a security administrator):

• notification of the owner of information about UA to his data;
• removal of the program ( tasks) from further execution;
• notifying the database administrator and security administrator;
• terminal shutdown ( workstation), from which UA attempts to access information or illegal actions on the network were carried out;
• exclusion of the violator from the list of registered users;
• giving an alarm, etc.

8.2.5. Cryptographic means of information protection

One of the most important elements of the information security system of the AU should be the use of cryptographic methods and means of protecting information from unauthorized access during its transmission over communication channels and storage on computer media.

All means of cryptographic information protection in the AS should be based on the basic cryptographic core. For the right to use cryptographic media, an organization must have licenses established by law.

The key system of cryptographic protection means used in the AS should provide cryptographic survivability and multi-level protection against compromise of key information, separation of users by levels of protection and zones of their interaction between themselves and users of other levels.

Confidentiality and imitation protection of information during its transmission over communication channels should be ensured through the use of subscriber and channel encryption in the system. The combination of subscriber and channel encryption of information should ensure its end-to-end protection along the entire path of passage, protect information in case of its erroneous redirection due to failures and malfunctions of the hardware and software of switching centers.

The AS, which is a system with distributed information resources, should also use the means of generating and verifying an electronic signature, which ensure the integrity and legal evidence of the authenticity of messages, as well as authentication of users, subscriber stations and confirmation of the time of sending messages. In this case, standardized electronic signature algorithms should be used.

8.3. Information Security Management

Management of the information security system in the AS is a targeted impact on the components of the security system ( organizational, technical, software and cryptographic) in order to achieve the required indicators and standards of security of information circulating in the NPP in the context of the implementation of the main security threats.

The main goal of organizing the management of the information security system is to increase the reliability of information protection in the process of its processing, storage and transmission.

Management of the information security system is implemented by a specialized control subsystem, which is a set of controls, technical, software and cryptographic tools, as well as organizational measures and interacting with each other control points of various levels.

The functions of the control subsystem are: informational, control and auxiliary.

The information function consists in continuous monitoring of the state of the protection system, checking the compliance of security indicators with acceptable values ​​and immediately informing security operators about situations that arise in the nuclear power plant that can lead to a breach of information security. There are two requirements for monitoring the state of the protection system: completeness and reliability. Completeness characterizes the degree of coverage of all means of protection and parameters of their functioning. The reliability of control characterizes the degree of adequacy of the values ​​of the controlled parameters to their true value. As a result of processing control data, information on the state of the protection system is generated, which is generalized and transmitted to higher control points.

The control function consists in the formation of plans for the implementation of technological operations of the NPP, taking into account the information security requirements in the conditions prevailing for a given point in time, as well as in determining the location of the information vulnerability situation and preventing its leakage by promptly blocking sections of the NPP where information security threats arise . Management functions include accounting, storage, and issuance of documents and information media, passwords and keys. At the same time, the generation of passwords, keys, maintenance of access control tools, acceptance of new software included in the AS software environment, control of compliance of the software environment with the standard, as well as control over the progress of the technological process of processing confidential information is assigned to employees of the Department of Information Technology and the Department of Economic Security.

TO helper functions management subsystems include accounting for all operations performed in the AS with protected information, the formation of reporting documents and the collection of statistical data in order to analyze and identify potential information leakage channels.

8.4. Monitoring the effectiveness of the protection system

Monitoring the effectiveness of the information security system is carried out in order to timely detect and prevent information leakage due to unauthorized access to it, as well as to prevent possible special effects aimed at destroying information, destroying informatization tools.

Evaluation of the effectiveness of information protection measures is carried out using organizational, technical and software controls for compliance with the established requirements.

Control can be carried out both with the help of standard means of the information security system, and with the help of special means of control and technological monitoring.

8.5. Features of ensuring information security of personal data

The classification of personal data is carried out in accordance with the severity of the consequences of the loss of the security properties of personal data for the subject of personal data.

• About personal data ” to special categories of personal data;
• personal data classified in accordance with the Federal Law " About personal data ” to biometric personal data;
• personal data that cannot be attributed to special categories of personal data, to biometric personal data, to publicly available or depersonalized personal data;
• personal data classified in accordance with the Federal Law " About personal data ” to publicly available or de-identified personal data.

The transfer of personal data to a third party must be carried out on the basis of the Federal Law or the consent of the subject of personal data. In the event that an organization entrusts the processing of personal data to a third party on the basis of an agreement, an essential condition of such an agreement is the obligation of the third party to ensure the confidentiality of personal data and the security of personal data during their processing.

The organization must stop processing personal data and destroy the collected personal data, unless otherwise provided by the legislation of the Russian Federation, within the time limits established by the legislation of the Russian Federation in the following cases:

• upon reaching the purposes of processing or when it is no longer necessary to achieve them;
• at the request of the subject of personal data or the Authorized body for the protection of the rights of subjects of personal data - if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
• when the subject of personal data withdraws consent to the processing of their personal data, if such consent is required in accordance with the legislation of the Russian Federation;
• if it is impossible for the operator to eliminate the violations committed in the processing of personal data.

The organization should define and document:

• the procedure for the destruction of personal data ( including material carriers of personal data);
• the procedure for processing requests from personal data subjects ( or their legal representatives) regarding the processing of their personal data;
• the procedure for actions in case of requests from the Authorized Body for the Protection of the Rights of Personal Data Subjects or other supervisory authorities exercising control and supervision in the field of personal data;
• approach to attributing AS to information systems personal data ( Further - ISPD );
• list of ISPDs. The list of ISPDs should include AS, the purpose of which is the processing of personal data.

For each ISPD, the following must be determined and documented:

• purpose of personal data processing;
• the volume and content of the processed personal data;
• list of actions with personal data and methods of their processing.

The volume and content of personal data, as well as the list of actions and methods of processing personal data must comply with the purposes of processing. In the event that in order to carry out the information technology process, the implementation of which is supported by ISPD, there is no need to process certain personal data, these personal data must be deleted.

The requirements for ensuring the security of personal data in ISPD are generally implemented by a set of organizational, technological, technical and software measures, tools and mechanisms for protecting information.

Organization of execution and ( or) the implementation of the requirements for ensuring the security of personal data should be carried out by a structural unit or an official (employee) of the organization responsible for ensuring the security of personal data, or on a contractual basis by an organization - a counterparty of an organization that has a license for the technical protection of confidential information.

The creation of an organization's ISPD should include the development and approval ( statement) the organizational, administrative, design and operational documentation for the system being created provided for by the terms of reference. The documentation should reflect the issues of ensuring the security of the processed personal data.

The development of concepts, technical specifications, design, creation and testing, acceptance and commissioning of ISPD should be carried out by agreement and under the control of a structural unit or an official (employee) responsible for ensuring the security of personal data.

All information assets belonging to the organization's ISPD must be protected from the effects of malicious code. The organization must define and document the requirements for ensuring the security of personal data by means of anti-virus protection and the procedure for monitoring the implementation of these requirements.

The organization must define an access control system that allows access control to communication ports, input/output devices, removable media, and external drives ISPD information.

The heads of operating and servicing ISPD divisions of the organization ensure the security of personal data during their processing in ISPD.

Employees who process personal data in ISPD must act in accordance with the instructions ( management, regulations, etc.), which is part of the operational documentation for ISPD, and comply with the requirements of documents for ensuring IS.

Responsibilities for the administration of protection tools and protection mechanisms that implement the requirements for ensuring the organization's ISPD information security are assigned by orders ( orders) for specialists of the Information Technology Department.

The procedure for the actions of specialists of the Information Technology Department and personnel involved in the processing of personal data must be determined by instructions ( guidelines), which are prepared by the ISPD developer as part of the operational documentation for ISPD.

The specified instructions ( guides):

• establish requirements for the qualification of personnel in the field of information security, as well as an up-to-date list of protected objects and rules for updating it;
• contain full and up-to-date by time) user authorization data;
• contain data on information processing technology to the extent necessary for an information security specialist;
• set the order and frequency of analysis of event logs ( journal archives);
• regulate other activities.

The configuration parameters of the means of protection and mechanisms for protecting information from unauthorized access, used in the area of ​​responsibility of specialists of the Department of Information Technologies, are determined in the operational documentation for ISPD. The order and frequency of checks of the set configuration parameters are established in the operational documentation or regulated by an internal document, while checks should be carried out at least once a year.

The organization must define and document the procedure for access to the premises where the ISPD technical means are located and personal data carriers are stored, which provides for control of access to the premises by unauthorized persons and the presence of obstacles to unauthorized entry into the premises. The specified procedure must be developed by a structural unit or an official ( worker) responsible for ensuring the physical security regime and approved by the structural unit or official ( worker), responsible for ensuring the security of personal data, and the Department of Economic Security.

ISPD users and maintenance personnel should not carry out unauthorized and ( or) not registered ( uncontrolled) copying personal data. To this end, organizational and technical measures should prohibit unauthorized and ( or) not registered ( uncontrolled) copying personal data, including using alienable ( interchangeable) storage media, mobile devices for copying and transferring information, communication ports and input/output devices that implement various interfaces ( including wireless), storage devices of mobile devices ( e.g. laptops, PDAs, smartphones, mobile phones), as well as photo and video devices.

The control of personal security is carried out by an information security specialist, both with the help of standard means of the information security system, and with the help of special means of control and technological monitoring.

Download ZIP file (65475)

Documents came in handy - put "like" or: