Protection of confidential information in the enterprise. Working with confidential information. Methods for protecting confidential information in an enterprise



  • Introduction
    • Chapter 1. Fundamentals of information security and information protection
    • 1.1 Evolution of the term “information security” and the concept of confidentiality
    • 1.2 Value of information
    • 1.3 Channels of distribution and leakage of confidential information
    • 1.4 Threats and confidential information protection system
    • Chapter 2. Organization of work with documents containing confidential information
    • 2.1 Regulatory and methodological basis for confidential records management
    • 2.2 Organization of access and procedures for personnel to work with confidential information, documents and databases
    • 2.3 Technological basis for processing confidential documents
    • Chapter 3. Protection of restricted access information at JSC "ChZPSN - Profnastil"
    • 3.1 Characteristics of OJSC "ChZPSN - Profnastil"
    • 3.2 Information security system at JSC "ChZPSN - Profnastil"
    • 3.3 Improving the security system for restricted access information
    • Conclusion
    • List of sources and literature used

Introduction

Information security is now unanimously named as one of the most important components of any country's national security. The problems of ensuring it are becoming ever more complex and conceptually significant because information technologies in management are moving en masse to a paperless, automated basis.

The choice of topic for this final qualifying work is due to the fact that in the modern Russian market economy, a prerequisite for an entrepreneur's success in business, for making a profit and for maintaining the integrity of the organizational structure he has created is ensuring the economic security of his activities; one of the main components of economic security is information security.

The object of research in this work is the formation and functioning of information resources in the organization's management system.

The research base is OJSC "ChZPSN - Profnastil"

The subject of the study is activities to ensure the security of information resources in the organization's management system.

The purpose of the study is to analyze modern technologies, methods and means of protecting an enterprise's confidential information.

The objectives of the study, in accordance with the goal, include:

1. Reveal the main components of information security;

2. Determine the composition of information that should be classified as confidential;

3. Identify the most common threats and the channels of dissemination and leakage of confidential information;

4. Consider methods and means of protecting confidential information;

5. Analyze the regulatory framework for confidential records management;

6. Study the security policy in organizing access to confidential information and the procedure for personnel working with confidential documents;

7. Consider technological systems for processing confidential documents;

8. Assess the information security system of the enterprise JSC ChZPSN - Profnastil and provide recommendations for its improvement.

The following research methods were used in the work: cognitive methods (description, analysis, observation, survey); general scientific methods (analysis of publications on the topic), as well as such a documentary method as analysis of enterprise documentation.

The regulatory framework of the final qualifying work is based primarily on the Constitution as the fundamental law of the Russian Federation (1). Article 23 of the Constitution guarantees the right to personal and family secrets and to privacy of correspondence, telephone conversations, and postal, telegraph and other communications; restriction of this right is allowed only on the basis of a court decision. Article 24 of the Constitution does not allow the collection, storage, use and dissemination of information about a person's private life without their consent (1).

The rules for regulating relations arising when handling confidential information are also contained in the Civil Code of the Russian Federation. At the same time, confidential information is classified as intangible benefits in the Civil Code of the Russian Federation (Article 150) (2).

The criteria by which information is considered an official or commercial secret are contained in Article 139 of the Civil Code of the Russian Federation. It states that information constitutes an official or commercial secret when:

1. This information has actual or potential value due to its unknownness to third parties;

2. There is no free access to this information on a legal basis and the owner of the information takes measures to protect its confidentiality (2).

In addition, the definition of confidentiality of commercial information is contained in Article 727 of the Civil Code of the Russian Federation (2).

On July 27, 2006, two federal laws of the greatest importance for the protection of confidential information were adopted: No. 149-FZ “On Information, Information Technologies and Information Protection” (8) and No. 152-FZ “On Personal Data” (9). They provide the basic concepts of information and its protection, such as “information”, “confidentiality of information” and “personal data”.

On January 10, 2002, the President of the Russian Federation signed the law “On Electronic Digital Signature” (5), which complements the provisions of the law “On Information...” (8): it predates the 2006 revision of that law, and originally developed the 1995 law of the same name that the 2006 law replaced.

The following laws of the Russian Federation are also fundamental in the field of confidential information security:

1. “On State Secrets”, dated July 22, 2004 (4);

2. “On Trade Secrets”, dated July 29, 2004 (it defines the information constituting a trade secret, the trade secret regime, and disclosure of information constituting a trade secret) (6);

3. “On approval of the List of confidential information” (11);

4. “On approval of the List of information that cannot constitute a commercial secret” (13).

The standard establishing the basic terms and definitions in the field of information security is GOST R 50922-96 (29).

The regulatory and methodological basis for confidential records management is presented in detail in the second chapter of this work. The final qualifying work draws on the works of leading specialists in records management: I.V. Kudryaev (83), A.I. Aleksentsev (31; 32), T.V. Kuznetsova (45; 67; 102), A.V. Pshenko (98), L.V. Sankina (92) and E.A. Stepanov (81; 96).

The concept of information security and its main components are set out in the works of V.A. Galatenko (82), V.N. Yarochkin (56) and G. Zotova (66).

K. Ilyin (52) considers issues of information security in electronic document management. Aspects of information security are described in articles by V.Ya. Ishcheinov (76; 77), M.V. Metsatunyan (77), A.A. Malyuk (74), V.K. Senchagov (93) and E.A. Stepanov (96).

The information security system is described in the works of E.A. Stepanov (81), Z. Bogatyrenko (74), T.A. Korolkova (69), G.G. Aralbaeva (100), A.A. Shiversky (103), and V.N. Martynov and V.M. Martynov (49).

The works of the following authors are devoted to the legal regulation of restricted access information: A.A. Antopolsky (33), E.A. Stepanov (81), I.L. Bachilo (37; 38) and O. Gavrilov (41). The latter, in his article, points out the imperfection of legislation in the area under consideration.

R.N. Moseev (75), M.I. Petrov (89), V.I. Andreeva (34), V.V. Galakhov (44) and A.I. Aleksentsev (32) devoted their works to technologies for processing confidential documents.

In preparing the work, the scientific, educational, practical and methodological recommendations on organizing the protection of confidential information prepared by leading experts in this field, A.I. Aleksentsev (31; 32) and E.A. Stepanov (81; 96), were used.

Works by I.L. Bachilo (38), K.B. Gelman-Vinogradov (43), N.A. Khramtsovskaya (48) and V.M. Kravtsova (51) are devoted to controversial aspects of information security.

In general, the problem of information security is adequately covered by the sources; the source base makes it possible to address the assigned tasks. The literature on this issue is extensive and matches its relevance.

However, there is no regulatory legal act in our country that would establish a uniform procedure for recording, storing and using documents containing confidential information, and according to the analysts whose articles were used in the work, E.A. Voynikanis (40), T.A. Partyka (57), V.A. Mazurov (71) and others, this gap is hardly justified.

Unpublished sources used in the work include an extract from the Charter of OJSC "ChZPSN - Profnastil" (Appendix 11) and the current records of the enterprise.

The final qualifying work consists of an introduction, three chapters, a conclusion, a list of sources and literature used, and appendices.

The introduction formulates the relevance and practical significance of the topic, the purpose and objectives of the research, the degree to which the problem has been studied, the object, subject and base of the study, the research methods, and the structure and content of the work.

The first chapter, “Fundamentals of information security and information protection”, contains the history of the issue and the basic concepts of information security, such as the value of information and confidentiality. Section 1.3 describes the channels of distribution and leakage of information; the next section discusses the system of threats and the system for protecting confidential information.

The second chapter, “Organization of work with confidential documents”, covers the regulatory and methodological foundations of confidential records management, followed by the procedure for employees' work and the organization of their access to confidential information. The technology for working with such information is described in the last section of the second chapter.

In the third chapter, using the example of JSC "ChZPSN - Profnastil", the system for protecting restricted access information and the work with confidential documents are analyzed. Recommendations, changes and additions to the technology of confidential records management that has developed at the enterprise are given.

The conclusion contains the findings of the work.

The list of used sources and literature includes 110 titles.

The work is supplemented by appendices that present: regulations, instructions that regulate the procedure for handling documents containing information with limited access at the enterprise, sample document forms, registration forms, an extract from the Charter of OJSC "ChZPSN - Profnastil".

Chapter 1. Fundamentals of information security and information protection

1.1 Evolution of the term “information security” and the concept of confidentiality

It has long been believed that whoever has the information controls the situation, so intelligence activities arose at the dawn of human society. State and commercial secrets (the composition of porcelain, of silk) appeared, and in wartime military secrets (the disposition of troops and weapons). The desire to keep from others what gives advantage and power seems, in historical perspective, to be a main motivation of people. Many owners, in order to protect their interests, classify information and carefully protect it, or patent it. The classification of information leads to the constant improvement of means and methods for obtaining protected information, and in turn to the improvement of means and methods of information protection (89, p. 45).

In world practice, the terms “industrial secret”, “trade secret” and “secret of credit relations” were used first, i.e. the name of the secret was linked to a specific field of activity. The Russian lawyer V. Rosenberg attempted to combine these names into one, “promyslovaya taina” (roughly, “secret of a trade or craft”), and even published a book of that title in 1910. However, the term did not catch on. Both in the Russian Empire and abroad, the term “commercial secret” (trade secret in the modern sense) was finally established, covering the secrets of any activity aimed at making a profit (46, p. 20).

From the second half of the 19th century, various definitions of the concept of trade secret also appear, primarily in criminal and civil legislation. For example, German legislation defined trade secrets as the secret of the technical processes of manufacturing a product and the secret of its sales operations or, in more elevated language, the secret of the production of goods and the secret of their distribution.

In Russia, according to the Criminal Code of 1903, trade secrets were understood as special production methods used or intended to be used, and in another edition - individual characteristics of production and trade processes. The secret of production processes was classified as a property secret, and trade - as a business secret.

In Russia, in November 1917, trade secrets were abolished. During the NEP, it was unofficially “reborn”, but later it was used only by foreign trade enterprises of the USSR in contacts with other countries, but there was no domestic legislative basis for this. Scientific activity in this area also ceased (31, p.78).

In the second half of the 80s. entrepreneurial activity required the development of related regulatory documents, including those related to trade secrets. First of all, it was necessary to formulate a definition of a trade secret. This definition was made in the Law “On Enterprises in the USSR”. It says: “A commercial secret of an enterprise is understood as information that is not a state secret, related to production, technological information, management, finance and other activities of the enterprise, the disclosure (transfer, leakage) of which may harm its interests.”

A trade secret in the modern interpretation is information, data or objects whose disclosure, transfer or leakage to third parties may harm the interests or safety of the owner (32, p. 13).

ISO/IEC 17799 (since renumbered as ISO/IEC 27002) defines information security as ensuring the confidentiality, integrity and availability of information (56, p. 212).

Security is not only protection from criminal attacks, but also ensuring the safety of (especially electronic) documents and information, as well as measures to protect critical documents and to ensure continuity and/or restoration of activities in the event of disasters (71, p. 58).

Information security should be understood as the protection of subjects of information relations. Its main components are confidentiality, integrity, and availability (82, p. 15).

In the Information Security Doctrine of the Russian Federation (19), the term “information security” denotes the state of protection of national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.

Confidentiality is protection from unauthorized access (83, p. 17). The Federal Law “On Information, Information Technologies and Information Protection” (8), Article 2, clause 7, gives the following definition: confidentiality of information is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

The security of information resources (information) is understood as the protection of information in time and space from any objective and subjective threats (dangers) that arise under the normal operating conditions of a company and in extreme situations: natural disasters, other uncontrollable events, and passive and active attempts by an attacker to create a potential or real threat of unauthorized access to documents, files and databases (61, p. 32).

Confidentiality - rules and conditions for the safety of data and information transfer. There is a distinction between external confidentiality - as a condition of non-disclosure of information to the external environment, and internal confidentiality - among personnel.

The security of valuable documented information (documents) is determined by the degree of its protection from the consequences of extreme situations, including natural disasters, as well as passive and active attempts by an attacker to create a potential or real threat (danger) of unauthorized access to documents using organizational and technical channels, as a result what can happen is theft and misuse of information by an attacker for his own purposes, its modification, substitution, falsification, destruction (68, p. 36).

Secrecy is the rules and conditions of access to information objects (89, p. 50).

Thus, the phrase “information security” is not limited to protection against unauthorized access to information.

This is a fundamentally broad concept. The subject of information relations may suffer (suffer losses and/or receive moral damage) not only from unauthorized access, but also from a system breakdown that causes an interruption in work.

Although confidentiality is synonymous with secrecy, the term is widely used exclusively to refer to restricted information resources that are not classified as state secrets.

Confidentiality reflects the restriction that the owner of information imposes on access to it by other persons, i.e. the owner establishes the legal regime of this information in accordance with the law (91, p. 208).

1.2 Value of information

Protected information includes: secret information (information containing state secrets), confidential (information containing commercial secrets, secrets relating to the personal life and activities of citizens) (100, p. 38).

There are always management documents, the leakage of the contents of which is undesirable or simply harmful, since it can be used directly or indirectly to the detriment of its authors. Such information and, accordingly, the documents containing it are considered confidential (closed, protected). Documented information of limited access always belongs to one of the types of secrets - state or non-state. In accordance with this, documents are divided into secret and unclassified. A mandatory feature (criterion for belonging) of a secret document is the presence in it of information that constitutes a state secret in accordance with the law. Unclassified documents that include information classified as non-state secrets (official, commercial, banking, professional, industrial, etc.) or containing personal data of citizens are called confidential.

Information is data about persons, objects, facts, events, phenomena and processes, regardless of the form of its presentation (8).

The legislation of the Russian Federation establishes that documented information (documents) is publicly available, with the exception of those classified by law as restricted access (11).

In this case, documented information with limited access is divided into information classified as state secrets and confidential information. Both of these types of information are subject to protection from illegal dissemination (disclosure) and are classified as secrets protected by law.

A mandatory feature of a confidential document is the presence in it of information to be protected. The peculiarity of such a document is that it represents not only the information itself, the mandatory object of protection, but also a mass storage medium for that information, the main source of its accumulation and dissemination, including its leakage. That is, it is the information that is confidential first of all, and only then do the documents in which this information is recorded become confidential. The category of confidential information includes all types of restricted information protected by law (commercial, official, personal), with the exception of state secrets (94, p. 78).

Information can be divided into three categories (82, p.33).

The first is unclassified (or open), which is intended for use both inside and outside the company.

The second is for official use, which is intended only for use within the company. It is divided, in turn, into two subcategories:

1. Available to all employees of the company;

2. Available for certain categories of employees, but can be transferred in full to another employee to perform the necessary work.

The third is classified information (or restricted information), which is intended for use only by specially authorized employees of the company and is not intended for transfer to other employees in full or in parts.

Information of the second and third categories is usually called confidential (35, p.9).

Confidential information may also constitute a certain set of open information, just as a certain set of information for official use may constitute restricted access information. Therefore, it is necessary to clearly define the conditions under which the classification of information can and should be increased (55, p.83).

For example, at JSC ChZPSN - Profnastil, information about the details of concluded contracts, as well as which of the employees concludes them, is confidential. At the same time, open information includes data on personnel, their distribution among departments, and the official responsibilities of employees. On their website, the news regularly reports about which enterprises (in what profile) the company is negotiating, with whom it intends to conclude a contract, etc. It is clear that taken together, the above three sources of open information (personnel, job responsibilities, information about concluded contracts) can form confidential information about the employee entering into a specific contract.

The conditions under which information can be classified as confidential are listed in Article 139, Part 1 of the Civil Code of the Russian Federation (2). These include:

1. The actual or potential commercial value of the information due to its unknownness to third parties;

2. Lack of free access to this information on a legal basis;

3. The owner of the information takes the necessary measures to protect its confidentiality.

Thus, ensuring the confidentiality of document information contains three aspects:

1. Determining the composition of information that should be classified as confidential;

2. Determining the circle of employees who should have access to this or that confidential information and establishing appropriate relationships with them;

3. Organization of office work with confidential documents. (99, pp. 7-9).

If these conditions are not met, the organization will not have grounds to hold anyone accountable for disclosing confidential information.

According to the Federal Law “On Information, Information Technologies and Information Protection” (8) and the List of information that cannot constitute a commercial secret (13), the following cannot constitute a trade secret:

1. Constituent documents (decision to establish an enterprise or founders’ agreement) and the Charter;

2. Documents giving the right to engage in entrepreneurial activities (registration certificates, licenses, patents);

3. Information on established forms of reporting on financial and economic activities and other information necessary to verify the correctness of calculation and payment of taxes and other obligatory payments to the state budget system of the Russian Federation;

4. Documents on solvency;

5. Information on the number, composition of employees, their wages and working conditions, as well as the availability of available jobs;

6. Documents on payment of taxes and obligatory payments;

7. Information about environmental pollution, violation of antimonopoly legislation, non-compliance with safe working conditions, sales of products harmful to public health, as well as other violations of the legislation of the Russian Federation and the extent of damage caused;

8. Information on the participation of enterprise officials in cooperatives, small enterprises, partnerships, joint-stock companies, associations and other organizations engaged in business activities.

Enterprises, persons engaged in entrepreneurial activity, and heads of state and municipal enterprises are required to submit the listed information at the request of government authorities, management, regulatory and law enforcement agencies, other legal entities entitled to it under the legislation of the Russian Federation, and the workforce of the enterprise (21).

Information on issues included by law in the concept of state secrets cannot be classified as confidential (12). As for the issues of working with documents containing such information, in accordance with the Law of the Russian Federation “On State Secrets” (4), it is determined that citizens, officials and organizations should be guided only by legislative acts regulating the protection of state secrets.

According to the law, confidential information is documented information, access to which is limited in accordance with the legislation of the Russian Federation (11). Confidential information is considered to be such information, the disclosure of which could harm the interests of the company (35, p.6). It can also be said that the assignment of confidentiality to certain information, among other things, contributes to the preservation of trade secrets (8).

The generalized concept of confidential information is largely specified in the “List of Confidential Information” (11). According to it, confidential information is grouped into several main categories.

Firstly, this is information about the facts, events and circumstances of a citizen’s private life, allowing identification of an individual (personal data), with the exception of information subject to dissemination in the media in cases established by federal law.

The second category is information constituting the secret of investigation and legal proceedings. The list further defines a group of official information, access to which is limited by government authorities in accordance with the Civil Code of the Russian Federation (2, p. 52) and federal law (official secrets).

Another group of information in the list indicates information related to professional activities, access to which is limited in accordance with the Constitution of the Russian Federation (1, p. 25) and federal law (medical, notary, lawyer (16), confidentiality of correspondence, telephone conversations, postal items (10), telegraphic or other messages (17) and so on).

The next group of confidential information includes information related to commercial activities, access to which is limited in accordance with the Civil Code of the Russian Federation (2) and federal laws (trade secrets) (6).

The list of confidential information ends with information about the essence of the invention, utility model or industrial design before official publication about them (53, p. 51; 82, p. 33).

Documented information used by an entrepreneur in business and management of an enterprise, organization, bank, company or other structure is his own or private information that is of significant value to him, his intellectual property.

The value of information can be a cost category that characterizes a specific amount of profit when it is used or the amount of losses when it is lost. Information often becomes valuable due to its legal significance for the company or business development, for example, constituent documents, programs and plans, agreements with partners and intermediaries, etc. The value of information may also reflect its future scientific, technical or technological significance (58, p. 224).

Information that has intellectual value for an entrepreneur is usually divided into two types:

1. Technical, technological: methods of manufacturing products, software, production indicators, chemical formulas, test results of prototypes, quality control data, etc. (53, p.50);

2. Business: cost indicators, market research results, customer lists, economic forecasts, market strategy, etc.

Valuable information is protected by law (patent law, copyright and related rights), by a trademark, or is included in the category of information that constitutes a company secret (58, p. 54).

Thus, as a rule, all information circulating within an organization can be divided into two parts - open and confidential (65, p.5).

The commercial value of information, as a rule, is short-lived and is determined by the time required for a competitor to develop the same idea or to steal it and reproduce it, publish it and make the information publicly known. The degree of value of information and the reliability of its protection are directly dependent.

Identification and regulation of the actual composition of information that is valuable to the entrepreneur and constitutes a company secret are fundamental parts of the information security system. The composition of valuable information is recorded in a special list that determines the period (term) and level (class) of its confidentiality (i.e. its inaccessibility to everyone else) and the list of company employees who are granted the right to use this information in their work. The list, which is based on the typical composition of protected information in companies of this profile, is a permanent working material for the company's management, its security service and its confidential records management service. It is a classified list of typical and specific valuable information about the work being carried out, the products being manufactured, scientific and business ideas, and technological innovations. The list includes truly valuable information about each of the company's projects (51, pp. 45-51).

Additionally, a list of documents in which this information is reflected (documented) can be compiled. The list also includes documents that do not contain protected information, but are valuable to the company and subject to protection. The lists are compiled individually by each company in accordance with the recommendations of a special commission and approved by the first head of the company. The same commission regularly makes current changes to the lists in accordance with the dynamics of the company’s performance of specific work.

Documents containing valuable information are part of the company’s information resources, which can be: a) open (available for personnel without special permission) and b) limited for personnel access (classified as one of the types of secrets - state or non-state) .

The list of information classified as confidential information, as well as the list of employees admitted to it, is drawn up by order for the company.
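The list of confidential information, its terms and classes, and the order naming the admitted employees, can be expressed as an access check that a document system enforces. The following is an added example written for this page, not a procedure of the enterprise or code from the cited authors; it combines the three-category split of section 1.2 (open, official use, restricted) with the confidentiality term and the per-item list of employees described above. Every employee name, document name and date is constructed for illustration.

```python
"""Label-based access check for a company's list of confidential information.

Added example, not part of the original work. It models the approved list
(item, confidentiality class, term, employees named in the order) and the
rule that category 2 information may be handed in full to another employee
while category 3 may not. All names, documents and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional


class Category(Enum):
    OPEN = 1           # for use inside and outside the company
    OFFICIAL_USE = 2   # internal only; may be handed in full to any employee
    RESTRICTED = 3     # only employees named in the order; not transferable


@dataclass(frozen=True)
class Item:
    name: str
    category: Category
    declassify_on: Optional[date] = None       # end of the confidentiality term
    authorised: frozenset = frozenset()        # employees granted access by order


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ConfidentialRegistry:
    """The approved list of information plus the list of admitted employees."""

    def __init__(self, items: List[Item], staff: frozenset):
        self._items = {i.name: i for i in items}
        self._staff = staff

    def effective_category(self, name: str, today: date) -> Category:
        """Once the confidentiality term expires the item is treated as open."""
        item = self._items[name]
        if item.declassify_on is not None and today >= item.declassify_on:
            return Category.OPEN
        return item.category

    def check_access(self, employee: str, name: str, today: date) -> Decision:
        item = self._items.get(name)
        if item is None:
            return Decision(False, "item not on the list: deny by default")
        cat = self.effective_category(name, today)
        if cat is Category.OPEN:
            return Decision(True, "open information")
        if employee not in self._staff:
            return Decision(False, f"{cat.name}: requester is not an employee")
        if cat is Category.OFFICIAL_USE:
            return Decision(True, "official use: any employee")
        if employee in item.authorised:
            return Decision(True, "restricted: employee named in the order")
        return Decision(False, "restricted: employee not named in the order")

    def check_transfer(self, sender: str, receiver: str, name: str, today: date) -> Decision:
        """Category 2 may be passed in full to another employee; category 3 may not."""
        if not self.check_access(sender, name, today).allowed:
            return Decision(False, "sender has no access to transfer")
        if self.effective_category(name, today) is Category.RESTRICTED:
            return Decision(False, "restricted: not transferable in full or in part")
        return self.check_access(receiver, name, today)


# Constructed sample data: three listed items, three employees, two dates.
TODAY = date(2024, 5, 1)
AFTER_TERM = date(2026, 1, 1)
REGISTRY = ConfidentialRegistry(
    items=[
        Item("contract_2023_17_terms", Category.RESTRICTED,
             declassify_on=AFTER_TERM, authorised=frozenset({"ivanov"})),
        Item("internal_phone_list", Category.OFFICIAL_USE),
        Item("public_price_list", Category.OPEN),
    ],
    staff=frozenset({"ivanov", "petrova", "sidorov"}),
)


if __name__ == "__main__":
    for who, what in [("ivanov", "contract_2023_17_terms"),
                      ("petrova", "contract_2023_17_terms"),
                      ("contractor", "internal_phone_list")]:
        d = REGISTRY.check_access(who, what, TODAY)
        print(f"{who:10} {what:24} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

A request by an employee not named in the order for a restricted item is exactly the internal leakage that section 1.3 describes, so the denial reason is worth logging; the expiry check makes declassification automatic once the term in the list has run out, rather than depending on someone remembering to update it.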

1.3 Channels of distribution and leakage of confidential information

Information from a source always spreads into the external environment. Channels for the dissemination of information are objective in nature, are characterized by activity, and include business, management, trade, scientific and regulated communications; information networks; and natural technical channels.

An information dissemination channel is a path along which valuable information moves from one source to another, either in an authorized (permitted) mode or by virtue of objective laws (83, p. 48).

The term “leakage of confidential information” is probably not the most euphonious, but it more succinctly reflects the essence of the phenomenon than other terms. It has long been entrenched in the scientific literature and regulatory documents (99, p. 11). Leakage of confidential information constitutes unlawful, i.e. unauthorized release of such information beyond the protected zone of its operation or the established circle of persons who have the right to work with it, if this release led to the receipt of information (familiarization with it) by persons who do not have authorized access to it. Leakage of confidential information means not only its receipt by persons who do not work at the enterprise; unauthorized access to confidential information by persons of a given enterprise also leads to leakage (104, p. 75).

Loss and leakage of confidential documented information are caused by the vulnerability of the information. The vulnerability of information is its inability to withstand, on its own, destabilising influences, i.e. influences that violate its established status (94, p. 89). A violation of the status of any documented information is a violation of its physical safety (in general, or in full or in part with a given owner), of its logical structure and content, or of its accessibility to authorised users. For confidential documented information, a violation of status additionally includes a violation of its confidentiality (closedness to unauthorised persons). The vulnerability of documented information is a collective concept: it does not exist in the abstract but manifests in specific forms. These are: theft of a storage medium or of the information recorded on it (theft); loss of a storage medium (loss); unauthorised destruction of a storage medium or of the information recorded on it (destruction); distortion of information (unauthorised change, unauthorised modification, forgery, falsification); blocking of information; and disclosure of information (dissemination, disclosure).

The term "destruction" is used mainly of information on magnetic media. The alternative names modification, forgery and falsification are not fully equivalent to "distortion"; they carry nuances, but their essence is the same: an unauthorised partial or complete change in the composition of the original information (36, p. 59).

Blocking information here means blocking access to it by authorized users, not by attackers.

Disclosure of information is a form of manifestation of the vulnerability of confidential information only.

Each form of vulnerability of documented information can be realised through intentional or accidental destabilising influences on the information carrier or on the information itself, exerted in various ways and from various sources. Such sources can be people, technical means of processing and transmitting information, communication links, natural disasters, etc. The methods of destabilising influence on information are copying (photographing), recording, transmission, removal, infecting information-processing programs with a virus, violating the technology of processing and storage, failure or disruption of the operating mode of the technical means of processing and transmission, physical impact on the information, etc.

The vulnerability of documented information leads, or may lead, to loss or leakage of information (97, p. 12).

The loss of documented information is caused by theft and loss of storage media, unauthorized destruction of storage media or only the information displayed on them, distortion and blocking of information. The loss can be complete or partial, irreversible or temporary (when information is blocked), but in any case it causes damage to the owner of the information.

Disclosure leads to leakage of confidential documented information. As some authors note (77, p. 94; 94, p. 12), in the literature and even in regulatory documents the term "leakage of confidential information" is often replaced by, or identified with, the terms "disclosure of confidential information" and "dissemination of confidential information". Specialists consider this approach incorrect. Disclosure or dissemination of confidential information means its unauthorised delivery to consumers who have no right of access to it, and such delivery must be carried out by someone. A leak occurs when confidential information is disclosed (distributed without authorisation), but is not limited to that case. A leak can also result from the loss of a medium of confidential documented information, or from the theft of the medium or of the information recorded on it while the medium remains in its owner's (possessor's) custody. This does not mean a leak necessarily follows: a lost medium may fall into the wrong hands, or it may be picked up by a refuse truck and destroyed in the usual way, in which case no leak occurs. Nor is theft of confidential documented information always linked to its receipt by persons without access to it. There are many cases in which carriers of confidential information were stolen from colleagues by persons who themselves had access to the information, in order to "help out" or to harm a colleague; such media were usually destroyed by those who took them. In any case, loss and theft of confidential information, even when they do not lead to a leak, always create the threat of one. Thus leakage of confidential information is caused by its disclosure and may result from theft and loss.
The difficulty is that it is often impossible to establish, first, whether a disclosure or theft of confidential information took place at all while the carrier remained in its owner's (possessor's) custody, and second, whether the information reached unauthorised persons as a result of theft or of loss.

The owner of a trade secret is an individual or legal entity who legally possesses information constituting a trade secret and the corresponding rights in full (91, p. 123).

Information that constitutes a trade secret does not exist on its own. It is recorded in various carriers, which can store, accumulate and transmit it, and by means of which it is used (8; 91, p. 123).

An information carrier is an individual or a material object, including a physical field, in which information is reflected in the form of symbols, images, signals, technical solutions and processes (8; 68, p. 37).

It follows from this definition, first, that material objects include not only what can be seen or touched but also physical fields and the human brain, and second, that information in carriers is displayed not only as symbols, i.e. letters, numbers and signs, but also as images (pictures, drawings, diagrams and other iconic models), signals in physical fields, technical solutions in products, and technical processes in manufacturing technology (39, p. 65).

Material objects acting as information carriers are varied: magnetic tapes, magnetic and optical disks, photographic and cine film, video and audio tapes, various kinds of industrial products, technological processes, etc. The most widespread, however, is paper (46, p. 11). Information is recorded on paper by handwriting, typewriting, printing or computer output, in the form of text, drawings, diagrams, pictures, formulas, graphs, maps, etc., that is, as symbols and images. Under the Federal Law "On Information..." (8), such information is classified as documented information and takes the form of various kinds of documents.

In recent years the forms and means of obtaining confidential information by informal methods have changed considerably. This concerns above all influence on a person as a carrier of confidential information.

A person, as an object of influence, is more susceptible to informal pressure than technical means and other carriers of confidential information, because of the person's present legal vulnerability, individual human weaknesses and life circumstances (64, p. 82).

Such informal influence is, as a rule, hidden, illegal in nature and can be carried out either individually or by a group of people.

The following types of information leakage channels are possible for a person who is a carrier of confidential information: speech channel, physical channel and technical channel.

Speech channel of leakage - information is transmitted from the owner of confidential information through words personally to the object interested in receiving this information (29).

Physical channel of leakage - information is transmitted from the owner of confidential information (carrier) through paper, electronic, magnetic (encrypted or open) or other means to an object interested in receiving this information (36, p. 62).

Technical leakage channel - information is transmitted through technical means (29).

Forms of influence on a person who is a carrier of protected information can be open and hidden (33).

Open influence on the owner (carrier) of confidential information for receipt by the interested object implies direct contact (101, p. 256).

The hidden influence on the owner (carrier) of confidential information for its receipt by the interested object is carried out indirectly (101, p. 256).

The means of informal influence on the owner (carrier) of confidential information through an open speech channel, in order to obtain certain information from him, are a person or group of people who act through promises, requests and suggestions (107, p. 12).

As a result, the owner (carrier) of confidential information is induced to change his behaviour, neglect his official duties and hand over the required information (91, p. 239).

Hidden influence through the speech channel on the owner (carrier) of confidential information is carried out through indirect coercion - blackmail through a third party, unintentional or intentional eavesdropping, etc.

Such means of influence ultimately accustom the owner (carrier) of confidential information to tolerating the pressure exerted on him (85, p. 220).

Forms of influence on the owner (carrier) of confidential information through a physical leak channel can also be open and hidden.

Open influence is exerted through physical intimidation (beatings) or through force, up to a fatal outcome once the information has been obtained (95, p. 78).

Hidden influence is subtler and draws on a wider range of means. Its structure can be represented as follows (95, p. 79): interested party acting on the interests and needs of the carrier of confidential information.

That is, the interested party acts covertly (indirectly) on the interests and needs of the person who holds the confidential information.

Such hidden influence can exploit fear, blackmail, manipulation of facts, bribery, intimacy, corruption, persuasion, provision of services, and assurances about the future of the person who carries the confidential information (94, p. 87).

The form of influence on the owner (carrier) of confidential information through technical channels can also be open or hidden.

Open (direct) means - fax, telephone (including mobile systems), Internet, radio communications, telecommunications, media.

Hidden means include: listening using technical means, viewing from a display screen and other means of displaying it, unauthorized access to a personal computer and software and hardware.

All the considered means of influence, regardless of their forms, have an informal impact on the person who is the carrier of confidential information, and are associated with illegal and criminal methods of obtaining confidential information (72).

The possibility of manipulating the individual traits and social needs of the owner (carrier) of confidential information in order to obtain it must be taken into account when placing and selecting personnel and in personnel policy for work with confidential information.

It should always be remembered that documenting information (recording it on a tangible medium) increases the risk of leakage. A material medium is easier to steal, and the information on it is highly likely to reach the recipient undistorted, unlike information disclosed orally.

Threats to the safety, integrity and secrecy (confidentiality) of restricted-access information are realised in practice through the risk that channels form for the unauthorised receipt (extraction) of valuable information and documents by an attacker. These channels are the set of directions of possible leakage that the organisation leaves unprotected or weakly protected, which the attacker uses to obtain the information he needs through deliberate, unlawful access to protected information.

Each enterprise has its own set of channels for unauthorised access to information; there are no ideal companies.

This depends on many factors: the volume of protected information; its type (state secret or another kind of secret: official, commercial, banking, etc.); the professional level of personnel; the location of buildings and premises, etc.

An active channel of unauthorised access to information entails leakage of the information, and may also entail the disappearance of its carrier.

When information leaks through the fault of personnel, the term "disclosure of information" is used. A person can disclose information orally, in writing, by obtaining it with technical means (copiers, scanners, etc.), or by gestures, facial expressions and prearranged signals, and pass it on personally, through intermediaries, over communication channels, etc. (56, p. 458).

Leakage (disclosure) of information is characterized by two conditions:

1. Information goes directly to the person interested in it, the attacker;

2. Information passes to a random third party.

A third party here means any outsider who has received the information through circumstances beyond that person's control or through the irresponsibility of personnel, who has no right to hold it and, most importantly, is not interested in it (37, p. 5). Information held by a third party can, however, easily pass to an attacker; in that case the third party, in circumstances arranged by the attacker, acts as a "blotter" that soaks up the information the attacker needs.

The transfer of information to a third party seems to be a fairly common occurrence, and it can be called unintentional, spontaneous, although the fact of disclosure of information does occur.

Unintentional transfer of information to a third party occurs as a result of:

1. Loss or improper destruction of a document on any medium, a package of documents, a file, confidential records;

2. Ignoring or deliberately failing to comply with requirements for the protection of documented information;

3. Excessive talkativeness of workers in the absence of an intruder - with work colleagues, relatives, friends, other persons in public places: cafes, transport, etc. (recently this has become noticeable with the spread of mobile communications);

4. Working with the organisation's restricted documented information in the presence of unauthorised persons, or passing it to another employee without authorisation;

5. Use of information with limited access in open documents, publications, interviews, personal notes, diaries, etc.;

6. Absence of secrecy (confidentiality) stamps on documents, or of the corresponding markings on technical media;

7. Presence in the text of open documents of unnecessary restricted information;

8. Unauthorised copying (scanning) of documents, including electronic ones, by an employee for official purposes or for a personal collection.

Unlike a third party, an attacker or his accomplice purposefully obtains specific information and deliberately, illegally establishes contact with the source of this information or transforms the channels of its objective dissemination into channels of its disclosure or leakage.

Organizational channels of information leakage are distinguished by a wide variety of types and are based on the establishment of various, including legal, relationships between the attacker and the enterprise or employees of the enterprise for subsequent unauthorized access to the information of interest.

The main types of organizational channels can be:

1. An attacker is hired by an enterprise, usually in a technical or support position (computer operator, forwarder, courier, cleaner, janitor, security guard, driver, etc.);

2. Participation in the work of the enterprise as a partner, intermediary, client, use of various fraudulent methods;

3. The attacker's search for a willing helper inside the organisation, who becomes his accomplice;

4. The establishment by the attacker of a trusting relationship with an employee of the organization (for common interests, up to joint drinking and love relationships) or a regular visitor, an employee of another organization who has information of interest to the attacker;

5. Use of the organization’s communication links - participation in negotiations, meetings, exhibitions, presentations, correspondence, including electronic correspondence, with the organization or its specific employees, etc.;

6. Using erroneous actions of personnel or deliberately provoking these actions by an attacker;

7. Secret or fictitious entry into enterprise buildings and premises, criminal or forcible access to information, that is, theft of documents, floppy disks, hard drives or entire computers, inducement of individual employees to cooperate, bribery and blackmail of employees, creation of extreme situations, etc.;

8. Obtaining the necessary information from a third (random) person.

Organizational channels are selected or formed by the attacker individually in accordance with his professional skills and specific situation, and it is extremely difficult to predict them. Detection of organizational channels requires serious search and analytical work (75, p. 32).

Wide possibilities for unauthorized receipt of information with limited access are created by the technical support of the organization’s financial document flow technologies. Any managerial and financial activity is always associated with the discussion of information in offices or via communication lines and channels (conducting video and conference calls), carrying out calculations and analyzing situations on computers, producing and reproducing documents, etc.


How to protect confidential data, how to make the work of processing centers safe?

As elsewhere, in matters of building information security systems, an integrated, balanced, multi-level approach is required, since a misfire in one issue can negate efforts in all other areas.

In order to understand the main areas that you should pay attention to, let's consider the main features that characterize data storage and processing systems:

    all major amounts of information are accumulated in structured databases;

    all computer resources are usually located in dedicated, well-protected server rooms (the so-called DPC - Data Processing Centers);

    the repositories are not dead warehouses of information but are surrounded by a large number of closely related application and service systems (software for archiving, management and processing, ETL (extraction, transformation, loading) systems, the application systems that actually generate the source data, etc.);

    the average storage size is 1 terabyte and above, which dictates a serious attitude towards network infrastructure and information storage and processing systems.

If we do not consider physical security and organizational measures (the organization of processing centers requires a serious approach), then one of the first issues will be the organization of a reliable and secure telecommunications infrastructure, including both perimeter protection and internal security.

Processing centres should be sealed off as far as possible from attempts to enter from outside. All external connections should be encrypted (SSH, IPsec, TLS (formerly SSL), etc.), and encryption is also desirable on the internal management network, which should be separated from the general data network physically or by VLAN. Encryption at the core layer is not normally used because of its performance cost.

Different network protocols and network interactions require their own levels of protection:

    transport layer protection;

    organization of VLAN, Port Security, etc.;

    proxy servers on the perimeter, analyzing the application level of interaction;

    intrusion detection and prevention systems (IDS/IPS), etc.;

    Fiber Channel layer: Fiber Channel Authentication Protocol, Switch Link Authentication Protocol, etc.;

    SAN level: Virtual SAN (VSAN), LUN masking, etc.
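The segmentation rules above (external connections encrypted, management traffic kept on its own VLAN, cleartext tolerated on the management network only as a known weakness) can be checked mechanically against a service inventory. The following is an added example, not code from the original text or from any product it mentions; the inventory format, the VLAN numbers, the hostnames and the protocol names are assumptions made for illustration.

```python
"""Audit service listeners against the processing-centre segmentation rules.

Added example, not from the original text. The inventory format, VLAN ids,
hostnames and protocol names are assumptions made for illustration.
"""
from dataclasses import dataclass

MGMT_VLAN = 10                                       # assumed dedicated management VLAN
CLEARTEXT = {"telnet", "snmpv2c", "http", "ftp"}     # carry data unencrypted
ENCRYPTED = {"ssh", "snmpv3", "https", "tls", "ipsec"}
MANAGEMENT = {"ssh", "telnet", "snmpv2c", "snmpv3"}  # device/host administration


@dataclass(frozen=True)
class Listener:
    host: str
    vlan: int
    port: int
    protocol: str
    external: bool   # reachable from outside the processing-centre perimeter


def audit(listeners):
    """Return one (severity, host, port, reason) tuple per violated rule.

    Rules, in the order the text gives them:
      1. every external connection must be encrypted;
      2. management services live only on the management VLAN;
      3. cleartext protocols on the management network are tolerated but flagged.
    """
    findings = []
    for svc in listeners:
        if svc.external and svc.protocol not in ENCRYPTED:
            findings.append(("high", svc.host, svc.port,
                             "external connection without encryption"))
        if svc.protocol in MANAGEMENT and svc.vlan != MGMT_VLAN:
            findings.append(("high", svc.host, svc.port,
                             "management service outside the management VLAN"))
        if svc.protocol in CLEARTEXT and svc.vlan == MGMT_VLAN:
            findings.append(("medium", svc.host, svc.port,
                             "cleartext protocol on the management network"))
    return findings


# Constructed inventory. The internal mysql listener is deliberately left
# unencrypted: the text notes that core-level encryption is usually skipped
# for performance, so it is not a finding under these rules.
INVENTORY = [
    Listener("db01", 20, 3306, "mysql", external=False),
    Listener("db01", 20, 22, "ssh", external=False),      # admin SSH on the data VLAN
    Listener("sw-core", 10, 23, "telnet", external=False),  # cleartext on mgmt VLAN
    Listener("sw-core", 10, 22, "ssh", external=False),
    Listener("vpn-gw", 20, 500, "ipsec", external=True),
    Listener("web-api", 20, 80, "http", external=True),   # unencrypted from outside
]

if __name__ == "__main__":
    for severity, host, port, reason in audit(INVENTORY):
        print(f"[{severity}] {host}:{port} {reason}")
```

Feeding the real inventory (from the switch configuration and a port scan of each VLAN) into `audit` turns the list above into a repeatable check; the severity split keeps the tolerated case (cleartext on an isolated management network) visible without drowning the two rules the text treats as mandatory.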

8.4. The insider problem

Recently, the problem of information leaks has often been discussed and solutions for monitoring the telecommunication perimeter and external devices on computers are considered in connection with the term “insider”.

In this area there are foreign and domestic solutions for controlling external devices (USB, DVD-RW, Bluetooth and the like). Such products are offered by SecureWave (Sanctuary Device Control), Safend, Control Guard, SecurIT and others. There is also a large group of network control and perimeter protection tools; among domestic companies, InfoWatch is the most visible here.

By the way, we should not forget about the need to carefully monitor users’ computers: what kind of software is installed on them, are there any security holes, what programs are allowed to run, what processes are required to run in the system, etc.

But! As often happens, an attempt to make the infrastructure as secure as possible creates distortions in the implementation of a comprehensive security system. Often you can't see the forest for the trees.

The first thing to note is that there is no 100% protection against information leaks. You can control corporate email and computer ports, but an attacker will always find additional opportunities to implement his plan. For example, print a document or simply take a picture of the screen with further conversion to the desired electronic format using text recognition programs. In addition, be aware of the difficulties associated with exactly how to control all this (who will analyze what data the authorized user wrote to the USB device?). We can also recall the moral and psychological side of the issue: if the company has authorized the user to work with this document (hence, he is trusted with this work), then where does the need to control his actions come from? In this case, this means that, probably, the very basics of security - corporate identity, authorization and access management, as well as database protection - are not properly built in the organization.

Questions of confidential information protection are relevant for every modern enterprise. Confidential company data must be protected from leaks, loss and other malicious activity, since these can have critical consequences for the business. It is important to understand what data needs protection and to decide how information security will be organised.

Data that needs protection

Information that is extremely important for business should have limited access within the enterprise, and its use is subject to strict regulation. Data that needs to be carefully protected includes:

  • trade secret;
  • production documentation of a secret nature;
  • company know-how;
  • customer base;
  • personal data of employees;
  • other data that the company considers necessary to protect from leakage.

What information constitutes a trade secret and how to protect it?

Confidentiality of information is often violated as a result of fraudulent actions by employees, the introduction of malware, and fraudulent operations by external attackers. It doesn’t matter from which side the threat comes, you need to secure confidential data in a complex consisting of several separate blocks:

  • determining the list of assets to be protected;
  • development of documentation regulating and limiting access to company data;
  • determining the circle of persons who will have access to the confidential information (CI);
  • defining response procedures;
  • risk assessment;
  • introduction of technical means for CI protection.

Federal laws establish requirements for limiting access to confidential information. These requirements must be met by persons accessing such data. They do not have the right to transfer this data to third parties if their owner does not give his consent (Article 2, paragraph 7 of the Federal Law of the Russian Federation “On Information, Information Technologies and Information Protection”).

Federal laws require protection of the foundations of the constitutional order, of rights, interests, public health and morals, and of the security and defence capability of the state. Accordingly, CI whose access is restricted by federal law must be protected. These laws define:

  • under what conditions the information is classified as an official, commercial or other secret;
  • mandatory compliance with confidentiality conditions;
  • responsibility for disclosure of CI.

Information received by employees of companies and organizations engaged in certain types of activities must be protected in accordance with the requirements of the law for the protection of confidential information, if in accordance with the Federal Law they are assigned such responsibilities. Data related to professional secrets can be provided to third parties if this is prescribed by the Federal Law or there is a court decision (when considering cases of disclosure of private information, identifying cases of theft, etc.).


Protecting confidential information in practice

During the work process, the employer and employee exchange a large amount of information, which is of a different nature, including confidential correspondence, work with internal documents (for example, personal data of the employee, company developments).

The degree of reliability of information protection is directly dependent on how valuable it is for the company. The complex of legal, organizational, technical and other measures provided for these purposes consists of various means, methods and activities. They can significantly reduce the vulnerability of protected information and prevent unauthorized access to it, record and prevent its leakage or disclosure.

Legal methods must be applied by all companies, regardless of the simplicity of the protection system used. If this component is missing or not fully observed, the company will not be able to ensure the protection of CI and will not be able to legally hold accountable those responsible for its loss or disclosure. Legal protection is mainly about legally competent preparation of documentation and proper work with the organization’s employees. People are the basis of the system for protecting valuable confidential information. In this case, it is necessary to select effective methods of working with employees. When enterprises develop measures to ensure the safety of CIs, management issues should be a priority.

Information protection in the enterprise

If civil law and labor disputes arise regarding disclosure, theft or other harmful actions in relation to trade secrets, the decision about the involvement of certain persons will depend on the correctness of creating a system for protecting this information in the organization.

Particular attention should be paid to identifying documentation that constitutes a trade secret, marking it with appropriate inscriptions indicating the owner of the information, its name, location and circle of persons who have access to it.

Employees, when hired and during their work activities as the CI base is formed, must familiarize themselves with local acts regulating the use of trade secrets and strictly comply with the requirements for handling them.

Employment contracts must stipulate clauses on non-disclosure by the employee of certain information provided to him by the employer for use in his work, and liability for violation of these requirements.

IT information protection

An important place in the protection of computer data is occupied by the provision of technical measures, since in the modern high-tech information world, corporate espionage, unauthorized access to enterprise data, and the risks of data loss as a result of viral cyber attacks are quite common. Today, not only large companies are faced with the problem of information leakage, but also medium and small businesses feel the need to protect confidential data.

Violators can take advantage of any error made in information protection, for example, if the means to ensure it were chosen incorrectly, installed or configured incorrectly.

Hacking, Internet hacking, and theft of confidential information, which today is becoming more valuable than gold, require company owners to reliably protect it and prevent attempts to steal and damage this data. The success of the business directly depends on this.

Many companies use modern, highly effective cyber defense systems that perform the complex tasks of detecting threats, preventing them and protecting against leaks. High-quality, modern and reliable components are needed that can respond quickly to alerts raised by the protection systems. In large organizations, because of the complexity of the interaction schemes, the multi-level infrastructure and the large volumes of information, it is very difficult to monitor data flows and identify intrusions into the system. This is where a “smart” system can come to the rescue: one that can identify and analyze threats and act on them in order to prevent their negative consequences in a timely manner.

To detect leaks, record them and identify their sources, recipients and methods, various IT technologies are used, among which DLP and SIEM systems, working together in an integrated and comprehensive manner, deserve particular attention.

A DLP system can be integrated with a SIEM solution; this enhances the effect of both products.

DLP systems to prevent data loss

To prevent the theft of confidential company information, which can cause irreparable harm to the business (data on investments, the customer base, know-how, etc.), its safety must be reliably ensured. A DLP (Data Loss Prevention) system is a reliable protector against CI theft. Such systems protect information simultaneously across several channels that may be vulnerable to attack:

  • USB connectors;
  • locally operating and network-connected printers;
  • external drives;
  • Internet;
  • postal services;
  • accounts, etc.

The main purpose of a DLP system is to keep the situation under control, analyze it and create the conditions for efficient and safe work. Its task is to analyze the system without informing company employees that this method of monitoring workstations is in use; employees are not even aware that such protection exists.

The DLP system controls the data transmitted through a variety of channels. It classifies the data it sees according to its importance in terms of confidentiality. In simple terms, DLP filters data and monitors its safety, evaluates each item of information and decides whether it may be allowed to pass. If a leak is detected, the system blocks it.

Using such a program allows you not only to protect data but also to determine who sent it. If, for example, a company employee decides to “sell” information to a third party, the system identifies such an action and sends the data to an archive for storage. This makes it possible at any time to retrieve the information from the archive, analyze it, detect the sender, and establish where and for what purpose the data was sent.

Specialized DLP systems are complex and multifunctional programs that provide a high degree of protection of confidential information. They are advisable to use for a wide variety of enterprises that require special protection of confidential information:

  • private information;
  • intellectual property;
  • financial data;
  • medical information;
  • credit card data, etc.
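The decision logic described above (classify each outgoing item, let it pass or block it, and archive the sender and destination of a blocked transfer) can be illustrated with a small policy engine. This is an added example written for this page, not the code of any DLP product; the company domain, message texts and channel names are constructed, and the two detectors (a “confidential” marker and a Luhn-checked card number) stand in for the much richer content rules a real system carries.

```python
"""Toy DLP-style content filter: classify outgoing messages, decide whether they
may pass, and archive blocked transfers for later investigation.
Added example; patterns, domain and sample messages are constructed."""
import re
from dataclasses import dataclass, field

# Illustrative sensitivity levels: a higher number means more confidential.
PUBLIC, INTERNAL, CONFIDENTIAL = 0, 1, 2

# Detector 1: an explicit confidentiality marking inside the text.
MARKER_RE = re.compile(r"\b(confidential|trade secret)\b", re.IGNORECASE)
# Detector 2: 13-19 digit runs (with optional spaces/dashes) that could be card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; avoids flagging arbitrary long numbers (order ids) as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> int:
    """Return the highest sensitivity level triggered by the message content."""
    level = PUBLIC
    if MARKER_RE.search(text):
        level = CONFIDENTIAL
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            level = CONFIDENTIAL
    return level


@dataclass
class Decision:
    action: str   # "allow" or "block"
    level: int
    reason: str


@dataclass
class DlpEngine:
    internal_domain: str                      # hypothetical company mail domain
    archive: list = field(default_factory=list)  # blocked transfers kept for investigation

    def evaluate(self, sender: str, recipient: str, channel: str, text: str) -> Decision:
        level = classify(text)
        # Mail to the company's own domain stays inside; USB and other channels never do.
        trusted = channel == "email" and recipient.lower().endswith("@" + self.internal_domain)
        if level >= CONFIDENTIAL and not trusted:
            decision = Decision("block", level, "confidential content to untrusted destination")
            self.archive.append({"sender": sender, "recipient": recipient,
                                 "channel": channel, "text": text})
        else:
            decision = Decision("allow", level, "no policy violation")
        return decision


def demo():
    """Run four constructed transfers through the engine; returns (actions, archive)."""
    engine = DlpEngine("example.com")
    samples = [  # constructed messages, not real traffic
        ("ivanov@example.com", "petrov@example.com", "email", "CONFIDENTIAL: Q3 pricing attached"),
        ("ivanov@example.com", "buyer@competitor.test", "email", "Trade secret: supplier list"),
        ("sidorov@example.com", "usb:SN123", "usb", "Customer card 4111 1111 1111 1111"),
        ("sidorov@example.com", "friend@mail.test", "email", "Order ref 1234567812345678"),
    ]
    actions = [engine.evaluate(*s).action for s in samples]
    return actions, engine.archive


if __name__ == "__main__":
    acts, arch = demo()
    print(acts)          # ['allow', 'block', 'block', 'allow']
    for entry in arch:   # who sent what, and where, for later review
        print(entry["sender"], "->", entry["recipient"], "via", entry["channel"])
```

The fourth message carries a 16-digit number that fails the Luhn check, so it is not treated as a card number and passes; the third goes to a USB device, which the policy never trusts. Keeping the archive entries (sender, destination, channel, content) is what later lets an investigator establish where and why the data was sent, as the text above describes.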

SIEM systems

Experts believe that an effective way to ensure information security is a SIEM (Security Information and Event Management) system, which allows you to collect and combine all the logs of ongoing processes from various resources and other sources (DLP systems, software, network devices, IDS, OS logs, routers, servers, user workstations, etc.).

If a threat was not identified in a timely manner, and the existing security system repelled the attack (which does not always happen), the “history” of such attacks is often lost afterwards. A SIEM collects this data across the entire network and stores it for a set period. This makes it possible to consult the event log at any time and use its data for analysis.

In addition, this system allows you to use convenient built-in tools to analyze and process incidents that have occurred. It converts hard-to-read formats of information about incidents, sorts them, selects the most significant ones, and eliminates the insignificant ones.

Special SIEM rules specify the conditions under which suspicious events are accumulated. The system reports them when enough of them (three or more) have accumulated to indicate a possible threat. An example is an incorrect password. If a single event of entering an incorrect password is recorded, the SIEM will not report it, since one-time password errors during login occur quite often. But repeated attempts to enter an invalid password for the same account may indicate an attempt at unauthorized access.
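The incorrect-password rule just described, as an added example that is not part of the original text or of any SIEM product: the correlation counts failed logins per account inside a sliding time window and raises one alert when the count reaches the threshold (three, as above). The log lines are constructed in a syslog-like format invented for this example; the parser drops lines it does not understand, which a real collector must also tolerate.

```python
"""Toy SIEM correlation rule: alert when one account accumulates `threshold`
failed logins within a sliding `window`. Added example; log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-like format (hypothetical, not a specific product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

SAMPLE_LOGS = [  # constructed sample input
    "2024-05-01T09:00:01 srv1 sshd: Failed password for alice from 10.0.0.5",
    "2024-05-01T09:00:30 srv1 sshd: Accepted password for alice from 10.0.0.5",
    "2024-05-01T09:10:00 srv1 sshd: Failed password for bob from 198.51.100.7",
    "2024-05-01T09:10:05 srv1 sshd: Failed password for bob from 198.51.100.7",
    "2024-05-01T09:10:09 srv1 sshd: Failed password for bob from 198.51.100.8",
    "2024-05-01T09:10:15 srv1 sshd: Failed password for bob from 198.51.100.7",
    "2024-05-01T09:30:00 srv1 sshd: Failed password for carol from 10.0.0.9",
    "2024-05-01T09:40:00 srv1 sshd: Failed password for carol from 10.0.0.9",
    "2024-05-01T09:50:00 srv1 sshd: Failed password for carol from 10.0.0.9",
    "garbage line that a parser must tolerate",
]


def parse(line):
    """Normalize one raw line into a dict, or None if the format is unknown."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per account whose failures reach `threshold` inside `window`."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])          # collectors may deliver out of order
    recent = defaultdict(deque)                 # user -> (ts, ip) of failures in window
    alerted, alerts = set(), []
    for e in events:
        if e["result"] != "Failed":
            continue                            # successes are kept in the log, not counted here
        q = recent[e["user"]]
        q.append((e["ts"], e["ip"]))
        while q and e["ts"] - q[0][0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])              # suppress repeat alerts for the same account
            alerts.append({
                "user": e["user"],
                "count": len(q),
                "first": q[0][0],
                "last": e["ts"],
                "sources": sorted({ip for _, ip in q}),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['user']}: {a['count']} failures {a['first']}..{a['last']} "
              f"from {', '.join(a['sources'])}")
```

Run against the sample, only `bob` is reported: `alice` has a single typo followed by a successful login, and `carol` fails three times but ten minutes apart, outside the five-minute window. Widening the window to an hour makes `carol` show up as well, which is the tuning trade-off such rules always carry between missed attempts and noise.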

Any company today needs such systems if it is important for it to maintain its information security. SIEM and DLP provide complete and reliable information protection for the company, help avoid leaks and allow you to identify who is trying to harm the employer by stealing, destroying or damaging information.

Trade secret. Official secret. Professional secrets. Personal Information.

Basic terms and concepts:

  • Commercial (official) secret
  • Personal information
  • Professional secrecy

With the development of the information society, problems related to the protection of confidential information are becoming increasingly important. Currently, these issues have not been fully and systematically resolved in Russian legislation. A detailed classification of confidential information, as mentioned above, is given in the list of confidential information established by Decree of the President of the Russian Federation of March 6, 1997 No. 188. Next, we will consider in more detail some types of confidential information.

Trade secret

The commercial activities of an organization are closely related to the receipt, accumulation, storage, processing and use of various information. Not all information is subject to protection, but only that which is valuable to the organization. When determining the value of commercial information, it is necessary to be guided by its properties such as usefulness, timeliness and reliability.

The usefulness of information lies in the fact that it creates favorable conditions for the subject to make a prompt decision and obtain an effective result. In turn, the usefulness of information depends on its timely receipt and delivery to the performer. Due to the untimely receipt of important information, the opportunity to conclude a profitable trade or other deal is often missed.

The criteria of usefulness and timeliness are closely interrelated and interdependent with the criterion of information reliability. The reasons for the occurrence of unreliable information are different: incorrect perception (due to misconception, insufficient experience or professional knowledge) of facts or deliberate distortion of facts undertaken for a specific purpose. Therefore, as a rule, information of commercial interest, as well as the source of its receipt, must be double-checked.

The owner of commercial information, based on the totality of the listed criteria, determines its value for his business activities and makes an appropriate operational decision.

In foreign economic literature, commercial information is considered not as a means of making a profit, but, first of all, as a condition that promotes or impedes making a profit. The presence of the cost factor of commercial information is especially emphasized, i.e. the ability to act as a subject of purchase and sale. Therefore, in the context of the development of diverse forms of ownership, the question of determining whether information on intellectual property rights belongs to a specific business entity, and, ultimately, whether it has the rights to protect it, is important.

The definition and issues of civil protection of official and commercial secrets in Russian legislation do not differ and are discussed in Art. 139 of the first part of the Civil Code of the Russian Federation, called “Official and commercial secrets”:

“Information constitutes an official or commercial secret in the case when the information has actual or potential commercial value due to its unknownness to third parties, there is no free access to it on a legal basis and the owner of the information takes measures to protect its confidentiality. Information that cannot constitute an official or commercial secret is determined by law and other legal acts.

Information constituting an official or commercial secret is protected by the methods provided for by this Code and other laws.

Persons who have obtained information that constitutes an official or commercial secret through illegal methods are obliged to compensate for the losses caused. The same obligation is assigned to employees who disclosed official or commercial secrets contrary to an employment contract, including a contract, and to contractors who did this contrary to a civil law contract.”

Ensuring the protection of state secrets is not directly related to the protection of trade secrets. However, some possible exceptions should be noted. Commercial information that is assessed as particularly important not only for its owner, but also for the state, can be taken under state protection, when it is possible that a foreign intelligence service may show interest in it. The issue of such protection should be resolved on a contractual basis between the entrepreneur and the federal security agency, outlining the limits and functions of the latter’s professional activities. As for the trade secret itself, it does not have special criminal law or regime protection.

The actual or potential commercial value of information is largely subjective and allows an entrepreneur to limit access to almost any information used in business activities, with the exception of information determined by regulations and acts.

What information cannot constitute a trade secret? The Decree of the Government of the RSFSR dated December 5, 1991 No. 35 “On the list of information that cannot constitute a commercial secret” states:

  • Constituent documents (decision to establish an enterprise or founders’ agreement) and Charter;
  • Documents giving the right to engage in business activities (registration certificates, licenses, patents);
  • Information on established forms of reporting on financial and economic activities and other information necessary to verify the correctness of calculation and payment of taxes and other obligatory payments to the state budget system of the RSFSR;
  • Documents on solvency;
  • Information on the number and composition of employees, their wages and working conditions, as well as the availability of vacancies;
  • Documents on payment of taxes and obligatory payments;
  • Information about environmental pollution, violation of antimonopoly legislation, non-compliance with safe working conditions, sales of products harmful to public health, as well as other violations of the legislation of the RSFSR and the amount of damage caused;
  • Information on the participation of company officials in cooperatives, small enterprises, partnerships, joint-stock companies, associations and other organizations engaged in business activities.

The same regulatory act prohibits state and municipal enterprises, before and during the process of their privatization, from classifying the following data as a commercial secret:

  • On the size of the enterprise’s property and its funds;
  • On investing funds in profitable assets (securities) of other enterprises, in interest-bearing bonds and loans, in the authorized funds of joint ventures;
  • On credit, trade and other obligations of the enterprise arising from the legislation of the RSFSR and the agreements concluded by it;
  • On agreements with cooperatives, other non-state enterprises, creative and temporary labor collectives, as well as individual citizens.

It should be noted that the restrictions imposed on the use of information constituting a trade secret are aimed at protecting intellectual, material, financial property and other interests that arise during the formation of the labor activity of the organization, department personnel, as well as during their cooperation with employees of other organizations.

The purpose of such restrictions is to prevent disclosure, leakage or unauthorized access to confidential information. Restrictions must be appropriate and justified from the point of view of the need to ensure information security. It is not allowed to use restrictions to hide mistakes and incompetence of the organization’s management, waste, unfair competition and other negative phenomena in the organization’s activities, as well as to evade fulfilling contractual obligations and paying taxes.

Official secret

If the main purpose of ensuring the confidentiality of information constituting a trade secret is to secure a competitive advantage, then in protecting the confidentiality of official secrets, although this may affect the commercial interests of the organization, the main task is to ensure the interests of clients or the organization’s own interests not directly related to commercial activities. Thus, information relating to measures to ensure the safety of the organization’s employees, the security of warehouse and other premises, etc., which is not directly related to the organization’s core activity, should be classified as an official, not a commercial, secret.

Currently, the institution of official secrets in domestic law is the least developed. There are three sets of issues in this problem.

Firstly, the issues of “borderline” and “derivative” information require regulation at the legislative level. “Borderline” information is such official information in any branch of science, technology, production and management, which, with a certain generalization and integration, becomes a state secret. “Derivative” information is official information obtained as a result of fragmentation of information constituting a state secret into separate components, each of which cannot be attributed to it.

Secondly, the protection of information generated in the activities of public authorities and management requires special legal regulation. To form an administrative-legal institution of official secrets, a special law should be adopted, the effect of which should extend to all levels of the public administration system.

Thirdly, a certain category of significant information of subjects of civil law relations requires protection. This refers to the legal protection of information that in the activities of organizations cannot be classified as a trade secret, despite the fact that in the Civil Code of the Russian Federation the concept of official secret is directly related to the actual or potential commercial value of information.

It should be noted that a simplified approach is currently practiced: any information about the business activities of an organization to which access is limited is classified as a trade secret. With this approach, however, difficulties may arise in determining material damage and lost profits in the event of unlawful dissemination of confidential information, for example, information about the organization’s security regime or other aspects of its functioning that are not directly related to its core activity. At the same time, this information must be protected, because the commercial success of an organization largely depends on restricting access to it.

Professional secrets

In accordance with current legislation, professional secrets include information related to the official activities of medical workers, notaries, lawyers, private detectives, clergy, employees of banks, registry offices, and insurance institutions. Both a legal entity and an individual can act as a subject of professional secrecy.

Keeping information received in connection with the performance of professional functions confidential is primarily due to the norms of professional ethics, and not to the own commercial interests of the entrepreneur or organization. The appropriate legal status for the norms under consideration is given by their legislative consolidation.

1) Bank secrecy. The concept of bank secrecy, in accordance with Art. 857 of the Civil Code of the Russian Federation, covers information about a bank account, deposit and account transactions, as well as information about bank clients.

Banking secrecy protects the confidential information of a client or the commercial information of a correspondent.

The Federal Law “On Banks and Banking Activities” defines the responsibilities of subjects, categories of information and the grounds on which information is provided to interested government bodies, organizations and individuals. The credit institution and the Bank of Russia guarantee the secrecy of transactions, accounts and deposits of their clients and correspondents. All employees of a credit institution are required to keep secret the transactions, accounts and deposits of its clients and correspondents, as well as other information established by the credit institution, unless this contradicts federal law.

The Bank of Russia does not have the right to disclose information about accounts, deposits, as well as information about specific transactions and operations from the reports of credit institutions, received by it as a result of performing licensing, supervisory and control functions, except for cases provided for by federal laws.

Thus, a credit institution has the right to classify any information as a banking secret, with the exception of those expressly specified in the Law.

2) Notarial secrecy. Secrecy is a specific rule of notarial acts. In accordance with Art. 5 of the Fundamentals of the legislation of the Russian Federation on notaries, a notary in the performance of official duties, as well as persons working in a notary office, are prohibited from disclosing information or reading out documents that have become known to them in connection with the performance of notarial acts, including after resignation or dismissal, except in the cases provided for by the Fundamentals. The obligation to maintain professional secrecy is included in the text of the notary’s oath.

3) Procedural secrets. These are usually divided into two types: investigative secrecy and the secrecy of judges’ deliberations.

Investigative secrecy is associated with the interests of the lawful conduct of a preliminary investigation in criminal cases (Article 310 of the Criminal Code of the Russian Federation, “Disclosure of preliminary investigation data”). Information about the progress of a preliminary investigation may be made public only with the permission of the prosecutor, investigator or person conducting the inquiry. Such information may relate to the nature of the investigative actions being carried out, the evidence base, the prospects of the investigation, and the circle of persons participating in it. It is important to note that the list of information constituting an investigative secret is not established by law. This means that the prosecutor, investigator or person conducting the inquiry has the discretion to determine what information about the preliminary investigation is to be specially protected and what is not.

Secrecy of judges’ deliberations. For all four types of proceedings existing in domestic legal practice, a certain procedure is provided to ensure the independence and objectivity of the decision on the case. One of the goals of this procedure is to prohibit the disclosure of information about the discussions, judgments and voting results that took place during the judges’ deliberations. The secrecy of judges’ deliberations is established by Art. 193 of the Civil Procedure Code of the Russian Federation, Art. 70 of the Federal Constitutional Law “On the Constitutional Court of the Russian Federation”, and Art. 124 of the Arbitration Procedural Code of the Russian Federation.

4) Medical secrecy. According to Art. 61 of the Fundamentals of the Legislation of the Russian Federation on the protection of the health of citizens, information about the fact of seeking medical help, the state of health of a citizen, the diagnosis of his disease and other information obtained during his examination and treatment constitute a medical secret. The citizen must be given a guarantee of the confidentiality of the information he provides.

5) Attorney-client privilege. In accordance with the Federal Law “On Advocacy and the Legal Profession in the Russian Federation,” a lawyer, an assistant lawyer and a trainee lawyer do not have the right to disclose information provided by the client in connection with the provision of legal assistance to him. Confidential information received by a lawyer can be either in the form of documents or oral. The law establishes guarantees of the independence of a lawyer. In particular, a lawyer cannot be questioned as a witness about circumstances that became known to him in connection with the performance of his duties as a defense attorney or representative (Article 15 of the Law).

6) Insurance secrecy. The institution of insurance secrecy is in many respects similar to the institution of banking secrecy. In accordance with Art. 946 of the Civil Code of the Russian Federation, insurance secrecy consists of information received by the insurer in the course of its professional activities about the policyholder, the insured person and the beneficiary, their state of health, and the property status of these persons. For violation of insurance secrecy the insurer, depending on the type of rights violated and the nature of the violation, is liable in accordance with the rules provided for in Art. 139 or Art. 150 of the Civil Code of the Russian Federation.

According to Art. 8 of the Law of the Russian Federation “On the organization of insurance business in the Russian Federation”, both legal entities and individuals - insurance agents and insurance brokers - can act as a person obliged to maintain the secrecy of insurance. Furthermore, in accordance with Art. 33 of this Law, officials of the federal executive body for supervision of insurance activities do not have the right to use for personal gain or disclose in any form information that constitutes a trade secret of the insurer.

7) Secrecy of communications. The Federal Law “On Communications”, in terms of information protection, regulates social relations related to preventing illegal access to messages transmitted by any entities, individuals or legal entities, over communication networks. Framed in this way, the secrecy of communications becomes a tool for ensuring the safety of confidential information.

The secrecy of correspondence, telephone conversations, postal items, telegraph and other messages transmitted over electrical and postal networks is protected by the Constitution of the Russian Federation. The responsibility to ensure compliance with the secrecy of communications rests with the communications operator, which is understood as an individual or legal entity that has the right to provide electrical or postal communications services. Also, telecom operators are obliged to maintain the confidentiality of information about subscribers and the communication services provided to them, which became known to the operators due to the performance of professional duties.

8) Secrecy of adoption. The institution of the secrecy of adoption is associated with the interests of protecting family life and is expressed in the establishment of civil and criminal liability for disclosing the secrecy of adoption. According to Art. 155 of the Criminal Code of the Russian Federation, disclosure of the secrecy of adoption can be committed by two categories of persons. The first are persons obliged to keep the fact of adoption as an official or professional secret (judges, employees of local administrations, guardianship authorities and other persons specified in Part 1 of Article 139 of the RF Family Code). The second are all other persons, if selfish or other base motives are established in their disclosure of the secret of adoption without the consent of both adoptive parents.

9) Secrecy of confession. Ensuring the secrecy of confession is an internal matter of the priest; he bears no legal responsibility for its disclosure. According to Part 2 of Art. 51 of the Constitution of the Russian Federation and Part 7 of Art. 3 of the Federal Law “On Freedom of Conscience and Religious Associations”, a clergyman cannot be held accountable for refusing to testify about circumstances that became known to him from confession.

Introduction

Chapter 1. Fundamentals of information security and information protection

1.1 Evolution of the term “information security” and the concept of confidentiality

1.2 Value of information

1.3 Channels of distribution and leakage of confidential information

1.4 Threats and confidential information protection system

Chapter 2. Organization of work with documents containing confidential information

2.1 Regulatory and methodological basis for confidential records management

2.2 Organization of access and procedures for personnel to work with confidential information, documents and databases

2.3 Technological basis for processing confidential documents

Chapter 3. Protection of restricted access information at JSC "ChZPSN - Profnastil"

3.1 Characteristics of OJSC "ChZPSN - Profnastil"

3.2 Information security system at JSC "ChZPSN - Profnastil"

3.3 Improving the security system for restricted access information

Conclusion

List of sources and literature used

Introduction

One of the most important components of the national security of any country is now unanimously called its information security. Problems of ensuring information security are becoming increasingly complex and conceptually significant due to the massive transition of information technologies in management to a paperless, automated basis.

The choice of the topic of this final qualifying work is due to the fact that in the modern Russian market economy, a prerequisite for the success of an entrepreneur in business, making a profit and maintaining the integrity of the organizational structure created by him is ensuring the economic security of his activities. And one of the main components of economic security is information security.

The object of research in this work is the formation and functioning of information resources in the organization's management system.

The research base is OJSC "ChZPSN - Profnastil".

The subject of the study is activities to ensure the security of information resources in the organization's management system.

The purpose of the study is to analyze modern technologies, methods, techniques and means of protecting the confidential information of an enterprise.

The objectives of the study, in accordance with the goal, include:

1. Reveal the main components of information security;

2. Determine the composition of information that should be classified as confidential;

3. Identify the most common threats and the channels of distribution and leakage of confidential information;

4. Consider methods and means of protecting confidential information;

5. Analyze the regulatory framework for confidential records management;

6. Study the security policy in organizing access to confidential information and the procedure for personnel working with confidential documents;

7. Consider technological systems for processing confidential documents;

8. Assess the information security system of the enterprise JSC ChZPSN - Profnastil and provide recommendations for its improvement.

The following research methods were used in the work: cognitive methods (description, analysis, observation, survey); general scientific methods (analysis of publications on the topic), as well as such a documentary method as analysis of enterprise documentation.

The regulatory framework for the final qualifying work is based primarily on the Constitution as the fundamental law of the Russian Federation (1). Article 23 of the Constitution of the Russian Federation guarantees the right to personal and family secrets and the privacy of correspondence, telephone conversations, postal, telegraph and other communications; restriction of this right is allowed only on the basis of a court decision. The Constitution of the Russian Federation does not allow (Article 24) the collection, storage, use and dissemination of information about the private life of a person without his consent (1).

The rules for regulating relations arising when handling confidential information are also contained in the Civil Code of the Russian Federation. At the same time, confidential information is classified as intangible benefits in the Civil Code of the Russian Federation (Article 150) (2).

The criteria by which information is considered an official or commercial secret are contained in Article 139 of the Civil Code of the Russian Federation. It states that information constitutes an official or commercial secret when:

1. This information has actual or potential value due to its unknownness to third parties;

2. There is no free access to this information on a legal basis and the owner of the information takes measures to protect its confidentiality (2).

In addition, the definition of confidentiality of commercial information is contained in Article 727 of the Civil Code of the Russian Federation (2).

On July 27, 2006, two federal laws of the greatest importance for the protection of confidential information were adopted: No. 149-FZ “On Information, Information Technologies and Information Protection” (8) and No. 152-FZ “On Personal Data” (9). They define the basic concepts of information and its protection, such as “information”, “confidentiality of information”, “personal data”, etc.

On January 10, 2002, the President of the Russian Federation signed a very important law “On Electronic Digital Signature” (5), developing and specifying the provisions of the above law “On Information...” (8).

The following laws of the Russian Federation are also fundamental in the field of confidential information security:

2. “On Trade Secrets” dated July 29, 2004 (it contains information constituting a trade secret, trade secret regime, disclosure of information constituting a trade secret) (6);

3. “On approval of the List of confidential information” (11);

4. “On approval of the List of information that cannot constitute a commercial secret” (13).

The standard establishing the basic terms and definitions in the field of information security is GOST R 50922-96 (29).

The regulatory and methodological basis for confidential records management is presented in detail in the second chapter of this work. In the final qualifying work, the works of leading document specialists were used: I.V. Kudryaeva (83), A.I. Aleksentseva (31; 32), T.V. Kuznetsova (45; 67; 102), A.V. Pshenko (98), L.V. Sankina (92), E.A. Stepanova (81; 96).

The concept of information security and its main components are set out in the works of V.A. Galatenko (82), V.N. Yarochkina (56), G. Zotova (66).

K. Ilyin (52) in his works considers issues of information security in electronic document management. Aspects of information security are described in articles by V.Ya. Ishcheinov (76; 77), M.V. Metsatunyan (77), A.A. Malyuk (74), V.K. Senchagov (93) and E.A. Stepanov (96).

The information security system is described in the works of E.A. Stepanova (81), Z. Bogatyrenko (74), T.A. Korolkova (69), G.G. Aralbaeva (100), A.A. Shiverskogo (103), V.N. Martynov and V.M. Martynova (49).

The works of the following authors are devoted to the legal regulation of restricted access information: A.A. Antopolsky (33), E.A. Stepanov (81), I.L. Bachilo (37; 38) and O. Gavrilova (41). The latter's article points out the imperfection of legislation in this area.

R.N. Moseev (75), M.I. Petrov (89), V.I. Andreeva (34), V.V. Galakhov (44) and A.I. Aleksentsev (32) devoted their works to technologies for processing confidential documents.

In preparing the work, use was made of scientific, educational, practical and methodological recommendations on organizing the protection of confidential information prepared by leading experts in this field, A.I. Aleksentsev (31; 32) and E.A. Stepanov (81; 96).

Works by I.L. Bachilo (38), K.B. Gelman-Vinogradova (43), N.A. Khramtsovskaya (48) and V.M. Kravtsova (51) are devoted to controversial aspects of information security.

Overall, the problem of information security is well covered by the available sources, and the source base is sufficient to address the assigned tasks. The body of literature on this issue is large and corresponds to its relevance.

However, in our country there is no regulatory legal act that would establish a uniform procedure for recording, storing and using documents containing confidential information. According to analysts whose articles were used in this work, E.A. Voynikanis (40), T.A. Partyka (57), V.A. Mazurov (71) and others, such an act is hardly advisable.

The final qualifying work consists of an introduction, three chapters, a conclusion, a list of sources and literature used, and appendices.

The introduction formulates the relevance and practical significance of the topic, the purpose and objectives of the research, the degree to which the problem has been studied, the object, subject and basis of the study, the research methods, and the structure and content of the final qualifying work.

The first chapter, “Fundamentals of information security and information protection”, covers the history of the issue and the basic concepts of information security, such as the value of information and confidentiality. A further section describes the channels of distribution and leakage of information, and the final section discusses the threat system and the system for protecting confidential information.

Chapter "Organization of work with confidential documents." consists of the regulatory and methodological foundations of confidential office work, followed by the work procedure for employees and the organization of their access to confidential information. The technology for working with the indicated information is described in the last paragraph of the second chapter.

In the third chapter, using the example of JSC “ChZPSN - Profnastil”, the system for protecting restricted access information and the handling of confidential documents are analysed. Recommendations, changes and additions to the confidential records management technology established at the enterprise are given.
