Novikov. Organizational and legal support of information security. Data protection using cryptographic methods

Issues of protecting information resources are closely related not only to the solution of scientific and technical problems, but also to the legal regulation of relations in the process of informatization. The need for organizational and legal support for information protection arises from the recognition of information as a commodity and a product of social production, and from the legal establishment of ownership of information.
This formulation of the question takes on a special meaning and character in the conditions of democratization of society, the formation of a market economy, and the inclusion of our state in the world economic community.

Organizational and legal support is a multidimensional concept, including laws, decisions, regulations and rules. Moreover, in relation to the protection of information processed in an automated system, it has a number of fundamental specific features due to the following circumstances:

· presentation of information in an unusual and unreadable binary form for humans;

· use of storage media, records on which are not available for simple visual viewing

· the ability to copy information multiple times without leaving any traces;

· ease of changing any elements of information without leaving traces such as erasures, corrections, etc.;

· the impossibility of sealing documents with traditional signatures, with all the regulatory and legal aspects that such signatures carry;

· the presence of a large number of non-traditional destabilizing factors affecting information security.

Based on the above circumstances, the set of issues resolved by organizational and legal support can be grouped into three classes:

· organizational and legal basis for information protection in the AS;

· technical and mathematical aspects of organizational and legal support;

· legal aspects of organizational and legal support for protection.

From practical considerations it is clear that the organizational and legal basis for information protection should include:

· identification of departments and persons responsible for organizing information security;

· regulatory, guidance and methodological materials (documents) on information protection;

· penalties for violation of protection rules;

· procedure for resolving disputes and conflict situations on information security issues.

The technical and mathematical aspects of organizational and legal support are understood as the set of technical means, mathematical methods, models, algorithms and programs by means of which the following main conditions are met:

· recording on the document personal identifiers (“signatures”) of the persons who produced the document and (or) are responsible for it;

· recording (if necessary) on the document personal identifiers (signatures) of persons who have become familiar with the content of the relevant information;

· the impossibility of imperceptibly (without leaving traces) changing the content of information even by persons authorized to access it, i.e. recording the facts of any (both authorized and unauthorized) changes in information;

· recording the fact of any (both unauthorized and authorized) copying of protected information.

The legal aspects of organizational and legal support for information protection in the AS are understood as the set of laws and other regulations with the help of which the following goals are achieved:

· it is mandatory for all persons related to the AS to comply with all information protection rules;

· sanctions for violation of protection rules are legitimized;

· technical and mathematical solutions to issues of organizational and legal support for information protection are being legitimized (acquiring legal force);

· procedures for resolving situations that arise during the functioning of protection systems are legitimized.

Evolution of approaches to providing information security. Basic concepts and definitions.

Information security is an independent component of security whose role and importance grow steadily every year. Its special role is explained by global processes characteristic of the socio-economic development of civilization. Advanced, economically and technologically developed countries have entered the stage of the post-industrial society, in which the main productive forces, alongside the processing of matter and energy, are occupied with information processes in all spheres of human activity and life.

Some major security aspects include:

1. environmental safety;

2. demographic security;

3. physical security;

4. economic security;

5. social security;

6. ethnocultural security;

7. information security;

8. military security;

9. technological safety.

A comprehensive information protection system is the set of forces, means, methods and measures used to ensure a given level of information protection at a particular facility.

Using the information criterion of development, one can assess changes in the information content of material systems during evolutionary self-organization or self-disorganization. Moreover, on the main progressive line of evolution, there is a continuous accumulation of information in systems, and thus, this criterion acts as a vector for the progressive development of material systems. The information criterion of evolution expresses a fairly obvious phenomenological vector-genetic connection between the growth of the information content of evolving systems.

Depending on who acts as the subject or object of security (an individual, a social group, society as a whole, a state or a community of states), the following main levels of security are distinguished:

1. personal or individual safety;

2. societal (public) safety;

3. national security or state security;

4. international or collective security;

5. world or global security.

Security servers (firewalls, proxy servers)

Ensuring the information security of an organization is today one of the highest priorities facing any business. Security when employees work on the Internet and protection against malware are an integral part of any information system. How well an organization is protected depends directly on the reliability of the server, its security and the quality of the firewall configuration.

Let us consider two kinds of security servers: firewalls and proxy servers.

A firewall is a system or combination of systems that divides a network into two or more parts and implements a set of rules determining the conditions under which packets may pass from one part to another (see Fig. 1). As a rule, this boundary is drawn between the enterprise local network and the Internet, although it can also be drawn inside the enterprise local network. All traffic between the parts passes through the firewall, and for each packet the firewall decides whether to forward it or discard it.

Firewalls provide several types of protection:

· They can block unwanted traffic

· They can direct incoming traffic only to trusted internal systems

· They can hide vulnerable systems that cannot be otherwise secured from Internet attacks.

· They can log traffic to and from the internal network

· They can hide information such as system names, network topology, types of network devices and internal user IDs from the Internet

· They can provide stronger authentication than what standard applications provide.

All firewalls can be divided into three types:

· packet filters

· application level servers (application gateways)

· connection level servers (circuit gateways)

All types can occur simultaneously in the same firewall.

Packet filters

Packet filter firewalls decide whether to forward or discard a packet by looking at the IP addresses, flags and TCP port numbers in the packet's header. The IP address and port number are network and transport layer information respectively, but packet filters also use them as a stand-in for application layer information, because all standard TCP/IP services are associated with a specific port number.


Analysis of foreign and domestic experience in organizational and legal support for information protection

Leading foreign countries have now accumulated significant experience in solving the problems discussed here. Essential in this regard is the versatility of the measures being developed and applied, which are not limited to regulatory and legal acts alone, although their significance is predominant. From this point of view, we can highlight the following aspects of resolving issues of organizational and legal support for information protection:

Informing the general public and interested specialists about the essence of the problem of information protection, the need for and ways to solve it;

Developing uniformity in the definition and interpretation of basic concepts related to the problem of protection;

Development of technical and mathematical foundations necessary to resolve issues of organizational and legal support for information security;

Development and approval of standards in the field of information security;

Creation of the legislative framework necessary to ensure the protection of information.

Let us consider in more detail the essence of the highlighted aspects.

Informing about the essence of the protection problem, the need and ways to solve it. In the foreign press (especially in the USA), issues of ensuring information security in computing systems and networks have been covered for a long time, intensively and on a large scale. Suffice it to say that the first publications on the problems under consideration appeared about *0 years ago and have already become history; their total number is currently measured in the thousands. Every year, specialized conferences and seminars are held at which various theoretical and practical issues of information security are discussed. The training programs for all specialists in computer technology and its use invariably include sections related to information security.

It should be noted that foreign publications played a significant role in informing domestic specialists about the essence of the problem and ways to solve it, especially considering that until recently all work on information protection in our country was closed. Among recent foreign works, the monograph “Protection of Computers and Networks. Strategy of the 90s” stands out. As its very title shows, this is not just another publication but a programmatic, forward-looking work.

Acquaintance with this book provides sufficient grounds for a number of important conclusions: firstly, foreign experts classify the problem of information security in computer systems and networks as one of the most pressing problems of the development and effective use of computer technology; secondly, they regard the protection problem as complex and multidimensional; thirdly, they are not satisfied with the current state of its solution and consider work of a system-organizing nature to be the most important direction for the 90s.

If we talk about domestic publications in the field of information security, they began with a series of articles in the journal “Foreign Radio Electronics” for 1975-1976. The articles were of a review nature (based on foreign press data), were thematically linked and gave a general idea of the whole range of information security problems and approaches to solving them. They caused a great resonance among specialists and acted as a detonator, initiating a significant increase in interest in the problem, its research and development. Monographs and specialized journals appeared.

Development of uniformity in terminology on protection issues.

When solving any new problem, ensuring terminological unity is of paramount importance, i.e. forming the most complete list of terms needed to cover all the main aspects of the problem, and defining and interpreting them so that each term is understood unambiguously. The complexity and labor intensity of this task is evidenced by the fact that in our country this work has not yet been fully completed. Readers' attention should be drawn to the dictionary of terms prepared and published in the USA back in 1987. The dictionary, 428 pages long, contains about 3000 terms. An undoubted advantage of the dictionary is also that the most important terms are not just defined but interpreted in sufficient detail and illustrated with diagrams and drawings.

The presence of a dictionary of terms creates the prerequisites for the targeted development of all work on information security, therefore the creation and wide dissemination of such a dictionary in Russia is one of the main organizational prerequisites for the implementation of a secure information management system.

Development of technical and mathematical foundations necessary to resolve issues of organizational and legal support for information security. As follows from Fig. 1, the central task of creating a technical and mathematical base is the development of effective and reliable methods for recording in computer memory an analogue of a person’s signature which, on the one hand, can be implemented relatively easily by modern computer technology and, on the other hand, performs all the basic functions of a handwritten signature. By now almost all experts have recognized that the most promising way to solve this problem is to use special methods of cryptographic transformation of information, most often called digital signature systems.

Analyzing the development of this work abroad, it should be noted that in the leading countries (and especially in the USA) work in the field of cryptography intended for general use (i.e. not for special purposes) and serving general interests has been going on for a long time and very intensively. As confirmation, suffice it to cite the fact that the reference lists attached to journal articles on this problem often contain up to 150 titles of completely open sources. Russian readers can form a fairly objective idea of the nature and level of these developments from the Russian translation of the thematic issue of the Proceedings of the Institute of Electrical and Radio Electronics Engineers.

From what has been said, the importance and necessity of fully developing the technical and mathematical foundations of organizational and legal support for information protection clearly follows, today especially for commercial systems.

Development and approval of standards in the field of information security. Both abroad and in our country, increasing attention is paid to this issue. For example, the US national standard for cryptographic protection of information, DES, is widely known. Moreover, here not only the encryption algorithm itself is approved as a standard, but also the means of its implementation and the methods of its use. A number of organizations in the United States and European countries are involved in standardization in the field of data protection, and a special subcommittee, TC/SC20 of the International Organization for Standardization, has been created to review the developed standards.

In our country, state regulatory documents on the protection of information processed by computer technology and communications began to be created back in the 60s, but they acquired a national character with the formation of the State Technical Commission of the USSR in 1973.

To date, the State Technical Commission has developed and put into effect guidelines for protecting computer equipment and automated systems from unauthorized access; standards have also been adopted for the cryptographic transformation algorithm described in the fourth chapter, for the digital signature and for the hash function.

Creation of the legislative framework necessary to ensure the protection of information. The absolute need to create a legislative framework is obvious; therefore, in the leading Western countries, and now in Russia, considerable attention is paid to this issue.

The problem of legislative regulation of information processing processes began to be discussed for the first time abroad in the 60s and, in particular, in the United States in connection with the proposal to create a national data bank. Currently, at the international level, a stable system of views has been formed on information as the most valuable resource for the life support of society, legal regulation in the sphere of which should go in the following three directions.

PROTECTION OF INDIVIDUAL RIGHTS TO PRIVATE LIFE. This aspect is not new to the world community. The basic principles for establishing the limits of interference in private life by the state and other entities are determined by the fundamental norms of the UN, namely the Declaration of Human Rights. By the end of the 70s, two principles had been formulated, which were subsequently reflected in the national legislation on computer science in a number of Western countries:

Establishing limits on invasion of privacy using computer systems;

Introduction of administrative mechanisms to protect citizens from such interference.

Examples of documents related to this area are the European Parliament resolution “On the protection of individual rights in connection with the progress of computer science” (1979) and the EU Convention “On the protection of persons with regard to automated processing of personal data” (1980).

PROTECTION OF STATE INTERESTS. The problem is solved with the help of sufficiently developed national legislation that defines national priorities in this area. The integration of EU member states has required coordination of efforts in this area, as a result of which the general principles of classification of information are reflected in the EU Convention on the Protection of Secrecy.

PROTECTION OF BUSINESS AND FINANCIAL ACTIVITIES. This aspect of the problem is solved by creating a legislative mechanism that defines the concept of “trade secret” and establishes the conditions for fair competition and the qualification of industrial espionage as an element of unfair competition.

This area also includes the creation of mechanisms for protecting copyright, in particular the rights of authors of software products. The latter aspect is reflected in the EU Directive on the Protection of Computer Programs and Databases (1990).

The conceptual framework and principles of information protection developed at the international level are reflected in the national legislation of leading Western countries. Below are some examples of their existing legislation:

UK - Data Surveillance Bill (1969). Data Protection Act (1984);

France - Law on Informatics, Card Indexes and Freedoms (1978);

Germany - Law on the protection of personal data against abuse of data processing (1977). Data Protection Act (1978);

USA - Privacy Act (1974). Computer Abuse Act (1986), Computer Security Act (1987);

Canada - Computer and Information Crimes Act (1985).

The most developed legislation in this area is in force in the United States (over a hundred different pieces of legislation). US legislation covers:

Defining and consolidating state policy in the field of informatization;

Ensuring developed production and technologies;

The fight against monopolism and stimulation of priority areas;

Organization of information systems;

Protection of consumer rights, especially the rights of citizens to information, protection of information about citizens;

Regulation of the rights of computer program developers.

In most countries, legislation establishes liability for violating the procedure for processing and using personal data. Computer crimes are regarded as crimes posing a particular danger to citizens, society and the state, and entail significantly more severe penalties than similar crimes committed without the use of computer technology. Actions that create a threat of harm, for example an attempt to penetrate a system or the introduction of a virus program, are also considered crimes.

Speaking about the domestic experience of legal support for informatization and information protection, we should note that this issue was first raised in our country in the 70s in connection with the development of automated control systems at various levels. However, the regulatory framework at that time did not go beyond departmental acts, several government decrees and similar acts at the republican level. Therefore, the legislative regulation of informatization processes by the beginning of the 90s could not be called satisfactory. It was urgently necessary to create a legal basis for the informatization of Russia, to ensure by legislation the efficient use of society's information resource, to regulate legal relations at all stages and phases of informatization, to protect individual rights in the conditions of informatization, and to form a mechanism for ensuring information security.

1991 can be marked as the beginning of active legislative activity in this direction. At the same time, legislators rightly focused their attention on the following most pressing problems for Russia:

The problem of the right to information;

The problem of ownership of certain types of information;

The problem of recognizing information as a commodity object.

To date, the “Declaration of Rights and Freedoms of Man and Citizen”, adopted by Resolution of the Supreme Council of the Russian Federation on November 22, 1991, and the Constitution of the Russian Federation, adopted in 1993, enshrine the general right of citizens to information. Limitations on this right may be established by law only for the purpose of protecting personal, family, professional, commercial and state secrets, as well as morality. The list of information constituting a state secret is established by law.

The basic law of the Russian Federation “On information, informatization and information protection” was adopted, as well as the special laws “On state secrets”, “On the legal protection of computer programs and databases”, “On the legal protection of integrated circuit topologies” and “On international information exchange”. Issues of legal support for information protection are also reflected in the Law of the Russian Federation “On Security”, adopted in March 1992.

The State Duma of the Russian Federation continues to work on legislation in the field of information protection. A real step towards strengthening the legal basis of entrepreneurial activity will be the legislative establishment in Russia of the institution of trade secrets. One of the goals of the Law of the Russian Federation "On Trade Secrets", whose first hearing has already taken place in the State Duma, is to create, on the part of the state, the necessary guarantees for the protection of subjects by granting them the right to classify valuable information as a trade secret, thereby protecting its owner from industrial espionage and unfair competition.

Basic approaches to the development of organizational and legal support

Organizational and legal basis for protecting information in the automated system

The central link that implements the content of the organizational and legal framework (see Fig. 1) is the information protection (security) service specially created within the AS. The organization of such services is provided for both by the Law “On Information, Informatization and Information Protection” and the Law of the Russian Federation “On Security”, where Article 27 states:

"... for the practical implementation of the requirements and rules for information protection, maintaining information systems in a protected state, operating special software and hardware and ensuring organizational measures to protect information systems processing information with limited access, information security services can be created in non-state structures... Enterprises, organizations and institutions processing information with limited access, which is the property of the state, create information security services without fail."

Based on the above tasks of the information security service, its main functions can be formulated:

Formation of requirements for the protection system in the process of creating the AS;

Participation in the design of the protection system;

Participation in testing and acceptance of the protection system and its constituent elements;

Planning, organizing and ensuring the functioning of the information security system during the operation of the AS;

Distribution of necessary security details among users: passwords, additional identifying information, security keys, etc.;

Organization of generation and installation of technical equipment identifier codes;

Organization of the entry into AS memory of the protection system's service arrays;

Monitoring the functioning of the protection system and its elements;

Organization of preventive checks of the reliability of the protection system;

Training system users and personnel in the rules for processing protected information;

Monitoring compliance by users and AS personnel with the rules for handling protected information during its automated processing;

Taking measures in case of attempts of unauthorized access to information and violations of the rules of operation of the security system.

The second most important problem in creating an organizational and legal framework is completing the system of guidelines and methodological documents on information protection. Here, from a practical point of view, one can be guided by the following:

All documents existing in the country that regulate the rules for handling information bearing a restrictive classification stamp apply in full to information circulating during the operation of the AS;

In order to take into account the specific features of the accumulation, storage and processing of data in the AS, special guidelines and methodological materials are developed and approved, which must have legal force;

In order to interpret and detail the provisions and requirements of these materials in relation to the specific conditions of each AS, instructions for users, AS operators, duty shifts of the data bank administration and the security service, as well as the technical documentation of the security system, must be developed and approved in the prescribed manner.

When deciding on liability for a violation of security rules, it is first necessary to establish whether it led to a leak of protected data. If it did, the perpetrators are held accountable under existing laws. For violations of protection rules that do not result in a data leak, administrative penalties are established as provided for by labor legislation.

Resolution of controversial and conflict situations related to the distribution and use of security system details (passwords, keys, etc.) should be within the competence of the information security service, and situations related to the interpretation of security documents should be within the competence of the authorities and persons who approved the relevant documents.

Technical and mathematical aspects. Research shows that all the problems of recording the various facts of interaction with protected information (both authorized and unauthorized) can be divided into two groups: general and specific. General problems are those that can be solved by general means of access control. Specific problems include affixing a signature to a document submitted to the AS in electronic form. This signature is called an electronic or digital signature.

In-depth studies of this problem both in our country and abroad show that the most promising way to implement an electronic (digital) signature is to use cryptographic methods of data conversion. The scope of application of a digital signature is extremely wide - from conducting financial and banking paperless transactions to monitoring the implementation of international treaties and protecting copyrights.

The signature problem is especially important when messages are transmitted over telecommunication networks. In this case the following malicious actions are potentially possible: repudiation, when the sending subscriber later denies having sent the transmitted message; forgery, when the receiving subscriber fabricates a message; modification, when the receiving subscriber alters the message; masquerading, when the sending subscriber poses as another subscriber. Under these conditions, protection of each party to the exchange is ensured by following special protocols. For a message to be verifiable, the protocol must contain the following mandatory provisions:

The sender adds to the transmitted message his digital signature, which is additional information depending on the transmitted data, the name of the message recipient and some private information that only the sender has;

The recipient must be able to verify that the signature received as part of the message is the correct signature of the sender;

Obtaining the correct signature of the sender is only possible by using proprietary information that the sender has;

To exclude the possibility of reusing old messages, the signature must be time-dependent.
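The exchange described in the two preceding passages (the four malicious actions and the four mandatory protocol provisions), as an added Python example that is not part of the original text: the sender signs the data together with the recipient's name and a timestamp using a private key; the recipient verifies with the sender's public key and rejects a message that was altered, signed with a different key, addressed to someone else, outside the freshness window, or already seen. It uses textbook RSA built from the standard library so it runs offline; the subscriber names, the message contents and the 300-second freshness window are constructed assumptions.

```python
"""Signed-message exchange implementing the four provisions listed above.

Added example, not code from the original text. Textbook RSA (SHA-256
digest, then modular exponentiation) built from the standard library only,
so it runs offline; a production system would use a padded scheme such as
RSA-PSS or an elliptic-curve signature. All names and values are constructed.
"""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass

E = 65537  # public exponent shared by all keys


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Odd prime of exactly `bits` bits with gcd(E, p - 1) == 1."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if cand % E != 1 and _is_probable_prime(cand):
            return cand


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus, handed to every recipient
    d: int  # private exponent: the information only the sender has


def generate_keypair(bits: int = 1024) -> KeyPair:
    p = _random_prime(bits // 2)
    q = _random_prime(bits // 2)
    while q == p:
        q = _random_prime(bits // 2)
    return KeyPair(n=p * q, d=pow(E, -1, (p - 1) * (q - 1)))


def _digest(body: dict) -> int:
    """SHA-256 over a canonical encoding of everything the signature covers."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")


def sign_message(sender, recipient, data, key, now=None):
    """Provision 1: the signature depends on the data, the recipient's name
    and the sender's private key; provision 4: the timestamp makes it
    time-dependent."""
    body = {"sender": sender, "recipient": recipient, "data": data,
            "timestamp": int(time.time() if now is None else now)}
    return {**body, "signature": pow(_digest(body), key.d, key.n)}


def verify_message(msg, sender_n, expected_recipient, now=None,
                   max_age=300, seen=None):
    """Provision 2: anyone holding the sender's public modulus can check;
    provision 3: a valid signature required the sender's private exponent."""
    body = {k: msg[k] for k in ("sender", "recipient", "data", "timestamp")}
    if pow(msg["signature"], E, sender_n) != _digest(body):
        return False  # forged, modified in transit, or signed with another key
    if body["recipient"] != expected_recipient:
        return False  # genuine, but addressed to someone else
    t = int(time.time() if now is None else now)
    if not (t - max_age <= body["timestamp"] <= t + max_age):
        return False  # stale or future-dated: outside the acceptance window
    if seen is not None:
        if msg["signature"] in seen:
            return False  # exact replay inside the window
        seen.add(msg["signature"])
    return True


if __name__ == "__main__":
    alice = generate_keypair()
    m = sign_message("alice", "bob", "transfer 100", alice)
    print(verify_message(m, alice.n, "bob"),
          verify_message(dict(m, data="transfer 1000"), alice.n, "bob"))
```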

Legal aspects. Legal support for information protection covers the relations arising in the formation and use of information resources (the creation, collection, processing, accumulation, storage, search, distribution and provision of documented information to the consumer), in the creation and use of information technologies and the means of supporting them, and in the protection of the rights of subjects involved in information processes and informatization. The basis for constructing the concept of legal support is the division of all information resources into the categories of open and limited access; limited-access information, according to the terms of its legal regime, is in turn divided into information classified as a state secret and confidential information.

In the system of legal support for information security, a distinct place is occupied by law enforcement legislation, which includes rules on liability for violations in the field of information technology and logically completes the complex of organizational, legal and technical measures and means for protecting information and its processing systems. It should be aimed not only, and not so much, at punishing criminal attacks on information and information systems as at preventing them.

For the purpose of an integrated approach to the formation of legislation on the problems of information and informatization in Russia, in April 1992 the “Program for the Preparation of Legislative and Regulatory Support for Work in the Field of Informatization” was approved. In accordance with this Program, it was planned to develop the basic Law of the Russian Federation “On Information, Informatization and Information Protection”, as well as the special laws “On State Secrets”, “On Commercial Secrets”, “On Liability for Abuses when Working with Information”, etc.

The Basic Law “On Information, Informatization and Information Protection” occupies a central place in the entire system of legal support for information security. For the first time in Russian legislative practice, the law:

Determines the responsibilities of the state in the field of formation of information resources and informatization, the main directions of state policy in this area;

Reinforces the rights of citizens, organizations, and the state to information;

Establishes the legal regime of information resources based on the application in this area of ​​the procedure for documentation, ownership of documents and arrays of documents for information systems, dividing information on the basis of access into open and with limited access, the procedure for the legal protection of information;

Develops a legal regime for recognition of documents received from an automated information system, legal force, including based on confirmation with an electronic digital signature;

Defines information resources as an element of property and an object of ownership;

Establishes the basic rights and responsibilities of the state, organizations, citizens in the process of creating information systems, creating and developing scientific and technical systems. production base of informatization, formation of a market for information products and services in this area;

Distinguishes between ownership rights and authorship rights to information systems, technologies and means of supporting them;

Establishes rules and general requirements for liability for violation of legislation in the field of informatization and information protection in systems for processing it, guarantees for subjects in the process of exercising the right to information, guarantees of security in the field of information.

The Law contains a special chapter devoted to information protection. It establishes that all documented information whose handling could cause damage to its owner, possessor, user or another person is subject to protection. The protection regime is established:

· for information classified as a state secret, by authorized bodies on the basis of the Law of the Russian Federation “On State Secrets”;

· for confidential documented information, by the owner of the information resources or an authorized person on the basis of this Law;

· for personal data, by a separate federal law.

At the official level, the state information protection system in Russia was formed in 1973 as part of the activities of the USSR State Commission for Countering Foreign Technical Intelligence. Since 1992, information security problems in the new economic and legal conditions have moved beyond defense topics, which led to the creation of a more advanced information security system on a national scale. Creating such a system first of all required developing the necessary regulatory framework: the National Security Concept of the Russian Federation, the Information Security Doctrine of the Russian Federation and a number of other documents.

National Security Strategy of the Russian Federation

Presidential Decree No. 537 of May 12, 2009 approved the National Security Strategy of the Russian Federation (Strategy) until 2020.

In this regard, the previous Concept of National Security of the Russian Federation, approved in December 1997 and modified in January 2000, was declared invalid.

The National Security Strategy is a system of views on ensuring in the Russian Federation the security of the individual, society and state from external and internal threats in the economic, political, social, international, spiritual, information, military, military-industrial, environmental spheres, as well as in the field of science and education.

Russia's national interests in the information sphere lie in observing the constitutional rights and freedoms of citizens in the field of obtaining and using information, in the development of modern telecommunications technologies, and in protecting state information resources from unauthorized access.

The state of the domestic economy, the imperfection of the system of organization of state power and civil society, the socio-political polarization of society and the criminalization of public relations, the growth of organized crime and the increase in the scale of terrorism, and the aggravation of interethnic relations and the complication of international relations create a wide range of internal and external threats to the national security of our country.

Threats to the national security of the Russian Federation in the information sphere are manifested in the desire of a number of countries to dominate the global information space and to squeeze Russia out of the external and internal information market; in the development by a number of states of a concept of information warfare that provides for the creation of means of dangerous influence on the information spheres of other countries; and in the disruption of the normal functioning of information and telecommunication systems and of the safety of information resources by gaining unauthorized access to them.

During the implementation of this Strategy, threats to information security are prevented by improving the security of the information and telecommunication systems of critical infrastructure and high-hazard facilities in the Russian Federation, by raising the level of security of corporate and individual information systems, and by creating a unified system of information and telecommunication support for the needs of the national security system.

The most important tasks in the field of ensuring information security of the Russian Federation are:

Implementation of the constitutional rights and freedoms of citizens of the Russian Federation in the field of information activities;

Improving and protecting the domestic information infrastructure, integrating Russia into the global information space;

Countering the threat

Federal Law of July 27, 2006 No. 152-FZ (as amended on April 5, 2013) “On Personal Data”

Personal data: any information relating directly or indirectly to an identified or identifiable individual (the personal data subject).

Personal data operator (under the Law on Personal Data): a state body, municipal body, legal entity or individual that organizes and/or carries out the processing of personal data and determines the purposes and content of that processing.

Personal data information system: an information system consisting of the personal data contained in a database together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation tools.

Article 19. Measures to ensure the security of personal data during their processing

When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.

Ensuring the security of personal data is achieved, in particular:

1) identification of threats to the security of personal data during their processing in personal data information systems;

2) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;

3) the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;

4) assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;

5) keeping records of machine-readable media containing personal data;

6) detecting facts of unauthorized access to personal data and taking measures;

7) restoration of personal data modified or destroyed due to unauthorized access to it;

8) establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;

9) control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

For the purposes of this article, threats to the security of personal data are understood as a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data, as well as other unlawful actions during its processing in a personal data information system.

The level of security of personal data is understood as a complex indicator characterizing the requirements, the implementation of which ensures the neutralization of certain threats to the security of personal data during their processing in personal data information systems.

Package of documents on the protection of personal data

Regulations on the protection of personal data;

Regulations on the information protection unit;

Order on the appointment of persons responsible for processing personal data;

Information security concept;

Information security policy;

List of personal data subject to protection;

Order to conduct an internal audit;

Report on the results of the internal audit;

Act of classification of personal data information system;

Regulations on the delimitation of access rights to processed personal data;

Personal data security threat model;

Action plan for the protection of personal data;

The procedure for reserving hardware and software, databases and information security tools;

Internal audit plan;

Logbook of PD security control activities;

A log of requests from personal data subjects regarding the fulfillment of their legal rights;

Instructions for the administrator of the personal data information system;

Instructions for the user of the personal data information system;

Instructions for the security administrator of the personal data information system;

User instructions for ensuring the security of personal data processing in the event of emergency situations;

List of accounting for information security tools used, operational and technical documentation for them;

Typical Terms of Reference for the development of a system for ensuring the security of information of a computer facility;

A preliminary design for the creation of a system for ensuring the security of information of a computer facility;

Regulations on the Electronic Log of requests from users of personal data information systems (draft order);

Stages of work. Thus, the organization of personal data protection should be carried out in several stages:

Inventory of information resources.

Restricting employee access to personal data.

Documentary regulation of work with personal data.

Formation of a model of threats to the security of personal data.

Classification of personal data information systems (ISPD) of educational institutions.

Drawing up and sending to the authorized body a notification about the processing of personal data.

Bringing the personal data protection system into compliance with regulatory requirements.

Creation of an ISPD information security subsystem and its certification (attestation) for ISPD classes K1 and K2.

Organization of operation and security control of ISPD.

1. Inventory of information resources

Inventory of information resources is the identification of the presence and processing of personal data in all information systems and traditional data warehouses operated in the organization.

At this stage, you should: approve the regulation on the protection of personal data, formulate a concept and define an information security policy and draw up a list of personal data to be protected.

2. Restricting employee access to personal data

Only those employees who need it to perform their official (job) duties should have permission to process personal data.

At this stage you should: limit, to the extent necessary, both electronic and physical access to personal data.

3. Documentary regulation of work with personal data

According to Article 86 of the Labor Code of the Russian Federation, employees and their representatives must be familiarized, against signature, with those employer documents that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

The personal data subject independently decides whether to transfer their data to anyone else and documents that intention.

At this stage, you should: collect consent for the processing of personal data, issue an order appointing persons responsible for processing personal data and regulations on delimiting access rights to processed personal data, draw up instructions for the ISPD administrator, ISPD user and ISPD security administrator.

4. Formation of a model of threats to the security of personal data

A private model of threats to the security of personal data stored in the information system is formed on the basis of the following documents approved by the Federal Service for Technical and Export Control (FSTEC):

Basic model of threats to the security of personal data when processed in ISPD;

Methodology for identifying current threats to the security of personal data during their processing in ISPD;

At this stage, it is necessary to form a model of threats to the security of personal data processed and stored in an educational institution.

5. Classification of ISPD (see question No. 18)

6. Drawing up and sending a notification to the authorized body

A notification about the processing of personal data is drawn up on the operator’s letterhead and sent to the territorial body of Roskomnadzor (Ministry of Communications and Mass Communications of the Russian Federation) on paper or as an electronic document signed by an authorized person. The form indicates information about the operator, the purpose of processing, the categories of data, the categories of subjects whose data is processed, the legal basis for processing, the date of its start, the term (condition) for its termination, etc.

7. Bringing the system into compliance with regulatory requirements

At this stage, you should: create a list of accounting for information security tools used, operational and technical documentation for them; regulations on the information protection unit; methodological recommendations for organizing information security when processing personal data; user instructions for ensuring the security of PD processing in the event of emergency situations, as well as approve an action plan for PD protection.

8. Certification (attestation) of ISPD

To ensure the security of ISPD, it is necessary to take measures to organize and provide technical support for the protection of processed personal data. Mandatory certification (attestation) is used to assess the compliance of class 1 and 2 ISPD with the requirements for PD security.

The following informatization objects are subject to mandatory certification:

Automated systems of various levels and purposes.

Communication systems, reception, processing and transmission of data.

Display and reproduction systems.

Premises intended for confidential negotiations.

9. Organization of ISPD operation and security control

Measures to ensure the security of personal data during their processing in information systems include:

control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

investigation and drawing up conclusions on facts of non-compliance with the storage conditions of PD media, the use of information security tools that may lead to a violation of PD confidentiality.

Responsibility for violation of Federal Law No. 152-FZ “On Personal Data”

Administrative liability: a fine, or a fine with confiscation of uncertified security and encryption tools (Code of Administrative Offenses, Art. 13.11, 13.12, 13.14).

Disciplinary liability: dismissal of the offending employee (Labor Code of the Russian Federation, Art. 81 and 90).

Criminal liability: from correctional labor and deprivation of the right to hold certain positions up to arrest (Criminal Code, Art. 137, 140, 272).

Information security in the information society. Ensuring information security.
The concept of “information security” has become widespread in both international and national political documents and legal regulations.
The concept of “information security” first appeared in national legislation and political documents in Art. 2 of the Law of the Russian Federation dated 03/05/1992 No. 2446-1 “On Security”, where “information security” was singled out as one of the components of the security of the Russian Federation. At the same time, the concept of “national security of the Russian Federation” was introduced, meaning “the security of its multinational people as the bearer of sovereignty and the only source of power in the Russian Federation.” That concept was first defined in Russia in 1997, in the National Security Concept of the Russian Federation. In the new Federal Law dated December 28, 2010 No. 390-FZ “On Security”, the terms “security” and “national security” are used as synonyms.

In the draft concept of information security of the Russian Federation (1997), Russia’s national interests in the information sphere covered three main aspects:
- observance of constitutional rights and freedoms of citizens;
- development of modern telecommunication technologies;
- protection of state information resources from unauthorized access.
Separately, national interests in the spiritual sphere were highlighted, which included the preservation and strengthening of the moral values of society, the traditions of patriotism and humanism, and the cultural and scientific potential of the country. These interpretations of the concept of “national security” and of the content of national interests in the information sphere were developed in the Information Security Doctrine. In that document, the concept of “information security of the Russian Federation” was defined as “the state of protection of national interests in the information sphere, determined by the totality of balanced interests of the individual, society and state.”

Table of contents
Authors' team
Accepted abbreviations
Chapter 1. Ensuring information security in the context of globalization of the information space
1.1. Information security in the information society
1.2. Modern information warfare and ensuring information security

Self-study assignments
Chapter 2. Theoretical and methodological issues of organizational and legal support of information security
2.1. Information security in the national security system of the Russian Federation
2.2. Basic principles of information security
2.3. Legal regulation of information security in the system of Russian information law
2.4. Legal means of ensuring the security of the information infrastructure of the Russian Federation
2.5. Legal means of ensuring information security
2.6. Organizational support for information security of the Russian Federation
Questions and tasks for self-control
Self-study assignments
Chapter 3. Organizational and legal problems of international information security
3.1. International legal acts in the field of information security
3.2. Foreign experience in legal support of information security
3.3. Promotion of Russian initiatives in the field of ensuring international information security
Questions and tasks for self-control
Self-study assignments
Chapter 4. Legal regimes for ensuring the security of restricted information
4.1. Restricting access to information in order to protect the interests of the individual, society and the state
4.2. Legal regimes of secrets in the system of organizational and legal security of restricted access information
4.3. Legal regime for the protection of state secrets
4.4. Legal regime of trade secrets
4.5. Legal regime for ensuring the security of personal data
4.6. Current issues of the official secret regime
Questions and tasks for self-control
Self-study assignments
Chapter 5. Current problems of legal and organizational support for information security
5.1. Countering extremist activities in the information sphere
5.2. Protecting children from information harmful to their health and development
5.3. Legal problems of ensuring information security on the Internet
Questions and tasks for self-control
Self-study assignments
Chapter 6. Features of organizational and legal support for the protection of information systems
6.1. Features of organizational and legal support for the processes of creating automated systems in a secure design
6.2. Features of organizational and legal support for the protection of information systems in the field of legal proceedings
6.3. Practice of development and implementation of information security policy for corporate information systems
Questions and tasks for self-control
Self-study assignments
Chapter 7. Legal liability for offenses in the information sphere
7.1. The concept and types of legal liability in the field of information security. Subjects and objects of legal relations in the field of information security
7.2. Crime in the information sphere as a threat to information security during the formation of the information society and under conditions of globalization
7.3. Problems of criminal liability for information crimes
7.4. Problems of international cooperation and foreign experience in combating crimes in the information sphere
Questions and tasks for self-control
Self-study assignments
Recommended reading.

1. Explanatory note

1.1. Goals and objectives of the discipline

The discipline "Fundamentals of Information Security" implements the requirements of the federal state educational standard of higher vocational education in the direction of training 090301.65 “Computer Security”.

The purpose of studying the discipline “Organizational and legal support of information security” is to familiarize students with the basics of information security. Information threats and their neutralization, the organization of measures to protect information resources, the regulatory documents governing information activities, cryptography, and other issues related to ensuring the security of computer networks are studied.

The objectives of the discipline are:

· Outline of the main provisions of the Information Security Doctrine of the Russian Federation.

· Provide knowledge of the basics of a comprehensive information security system;

· Provide knowledge of the basics of organizational and legal support for information security.

· Forming the basis for further independent study of computer and information security issues.

Thus, the discipline "Fundamentals of Information Security" is an integral part of vocational training in the direction of training 090301 “Computer Security”. Together with the other disciplines of the professional cycle, the study of this discipline is intended to form a specialist and, in particular, to develop in them such qualities as:

· rigor in judgments,

· creative thinking,

· organization and efficiency,

· discipline,

· independence and responsibility.

1.2. Place of discipline in the structure of OOP:

The discipline belongs to the cycle of mathematical and natural sciences


The knowledge gained in studying the discipline "Fundamentals of Information Security" is used in the study of the following disciplines:

Information security audit,

1.3. Requirements for the results of mastering the discipline:

The process of studying the discipline is aimed at developing the following competencies:

General cultural competencies (GC):

− the ability to act in accordance with the Constitution of the Russian Federation, to fulfill one’s civic and professional duty, guided by the principles of legality and patriotism (OK-1);

− the ability to analyze socially significant phenomena and processes, including those of a political and economic nature, ideological and philosophical problems, and to apply the basic principles and methods of the humanities, social and economic sciences when solving social and professional tasks (OK-3);

− the ability to understand the driving forces and patterns of the historical process, the role of the individual in history, the political organization of society, the ability to respect and take care of the historical heritage, tolerantly perceive social and cultural differences (OK-4);

Professional competencies (PC):

− the ability to use basic methods of protecting production personnel and the population from the possible consequences of accidents, catastrophes, and natural disasters (PC-6);

As a result of studying the discipline, the student must:

Know:
· sources of threats to information security;

· methods for assessing information vulnerability;

· methods of creating, organizing and ensuring the functioning of integrated information security systems;

· methods of suppressing the disclosure of confidential information;

· types and signs of computer crimes.

Be able to:

· find the necessary regulatory legal acts and information-law norms in the system of current legislation, including by using legal information systems;

· apply the current legislative framework in the field of information security;

· develop draft regulations, instructions and other organizational and administrative documents regulating the work on information protection.

2. Structure and labor intensity of the discipline.

5. Contents of discipline sections

Topic 1.

Information threats. The concept of information threats. The concept of information. Information wars. The basic definitions of information, its value, and information threats are studied. Threats to information security. The issues of building an information infrastructure in the Russian Federation are considered, along with the various problems arising in connection with this process and the participation of the Russian Federation in international information exchange. Types of adversaries. Hackers. The socio-psychological portrait of an information security violator, their capabilities and methods of action are studied. Types of possible violations of an information system. General classification of information threats. Disruptions in the operation of information systems are studied, a classification of threats to information systems is introduced, and possible subjects and objects of access to information systems and threats implemented at the level of a local (isolated) computer system are considered. Causes of computer network vulnerabilities.

Topic 2. Computer viruses. Malware is studied: the history of its development, liability for its creation and distribution, types, principles of operation of viruses, and unmasking signs.

Topic 3. Legal regulation of information protection (analysis of articles of the Criminal Code and other regulations). Information security standards. Regulations governing information activities in the Russian Federation and in the world. Information security standards.

Topic 4. Organizational measures to ensure the information security of computer systems. The role, tasks and responsibilities of the security administrator; approaches to risk management; the structuring of countermeasures; the procedure for certification of compliance with information security standards.

Topic 5. Data protection using cryptographic methods. Encryption methods and algorithms, requirements for ciphers, the most common ciphers.

Topic 6. Information security policy. Models of information protection in computer systems. Security policy and its main components, models of information protection in computer systems, technologies for protecting and restricting access to information.

Topic 7. Typical remote attacks using network protocol vulnerabilities. Classification of remote attacks. Attacks on the ARP, ICMP, DNS and TCP protocols; types of attacks.

6. Seminar classes.

Topic 1. Data protection using cryptographic methods.

· Encryption methods and algorithms.

· Writing (implementing) the most common ciphers.

Topic 2. Information security policy.

· Information security models in computer systems.

· Security policy and its main components.

· Models of information security in computer systems.

· Technologies for protecting and restricting access to information.

· Causes, types and channels of information leakage and distortion.

Topic 3. Typical remote attacks using network protocol vulnerabilities.

· Remote attacks on ARP protocol,

· Remote attacks on ICMP protocol,

· Remote attacks on DNS protocol,

· Remote attacks on TCP protocol.

