Development of a system for protecting confidential information.

logo11d 4 1

Development of a system for protecting confidential information..

Development of a system for protecting confidential information.

Development of a system for protecting confidential information

Stolyarov Nikolay Vladimirovich

Source— security.meganet.md

Disclosure of CI means intentional or careless actions of persons admitted to CI, leading to premature dissemination of said information among persons, not caused by official necessity, including employees of JSC, to whom this information was not communicated in the officially established manner; leakage of CI is the unauthorized dissemination of information beyond the established physical space.

Comprehensive protection of CI aims to solve two problems: protection of the organization's right to CI, including that related to the category of intellectual property of the organization (achieved on the basis of the application of legal norms of the current legislation of the Russian Federation); prevention of threats to the information security of the organization, their identification and significant mitigation (achieved on the basis of the implementation of a set of legal, organizational and technical measures for the protection of CI, agreed upon in purpose, place and time of application, forming a system for the protection of confidential information (SZKI)).
SZKI provides an opportunity to strengthen the economic security of the organization, which helps to create conditions for the long-term sustainable functioning of the organization.

What is confidential information??? The category of confidential information includes all types of information with limited access, protected by law —

  • commercial
  • official
  • personal

with the exception of state secrets. (Articles 727, 771, 1032 of the Civil Code of the Russian Federation, Article 16 of the Customs Code of the Russian Federation, Decree of the President of the Russian Federation of March 6, 1997 No. 188 «On approval of the list of confidential information»)

«A commercial secret is a type of secret that includes information established and protected by its owner in any area of ​​his commercial activity, access to which is limited in the interests of the owner of the information.»

A commercial secret is one of the main types of secrets, since the success of an enterprise producing goods or services is determined by the ability to compete, and therefore, to see how to achieve increased profits compared to competitors.

Any business information can be classified as a commercial secret, except for the restrictions imposed by the RF Government Resolution “On the list of information that cannot constitute a commercial secret” dated 05.12.91, No. 35

Information related to official information is usually not the subject of independent transactions, but its disclosure may cause property damage to the organization and harm to its business reputation.

In the Federal Law of February 20, 1995 N 24-FZ «On information, informatization and protection of information» information about citizens — personal data — information about facts, events and circumstances of the life of a citizen, allowing to identify his personality.

Creation of a system for protecting CI

In order to legally engage in the protection of confidential information, you must obtain a license for the right to carry out activities for the technical protection of confidential information (In accordance with the REGULATION ON LICENSING ACTIVITIES FOR TECHNICAL PROTECTION OF CONFIDENTIAL INFORMATION Approved by Decree of the Government of the Russian Federation of April 30, 2002 N 290). :

To do this, you must meet the following requirements:

a) implementation of licensed activities by specialists with higher professional education in the specialty of «computer security», «comprehensive information security of automated systems» or «information security of telecommunication systems», or by specialists who have undergone retraining in information security issues.

b) compliance of production facilities, production, testing and control and measuring equipment with technical norms and requirements established by state standards of the Russian Federation and regulatory and methodological documents on technical protection of information; (paragraphs «b» as amended by RF Government Resolution of 23.09.2002 N 689)

c) use of certified (certified according to information security requirements) automated systems processing confidential information, as well as means of protecting such information;

d) use by third parties of programs for electronic computers or databases on the basis of an agreement with their copyright holder.

To obtain a license, the license applicant shall submit the following documents to the licensing authority:

a) an application for a license indicating:
the licensed activity;
the name, organizational and legal form and location—for a legal entity;
the last name, first name, patronymic, place of residence, details of the identity document—for an individual entrepreneur;

b) copies of constituent documents and a document confirming the entry of a record of the legal entity in the Unified State Register of Legal Entities; (as amended by RF Government Resolution of 06.02.2003 N 64)

c) a copy of the certificate of state registration of the license applicant — individual entrepreneur;

d) a copy of the certificate of registration of the license applicant with the tax authority indicating the taxpayer identification number;

d) a document confirming payment of the license fee for consideration of the application for a license;

e) information on the qualifications of the license applicant's information security specialists.
If copies of documents are not notarized, the originals must be presented along with the copies.

The license is valid for five years and may be extended upon application by the licensee in the manner prescribed for reissuing a license.

The license shall be reissued within ten days from the date of receipt of the relevant application by the licensing authority.

The development of measures and provision of information protection are carried out by information protection departments (security services) or individual specialists appointed by the management of the enterprise (institution) to carry out such work. The development of information protection measures can also be carried out by third-party enterprises that have the appropriate licenses from the State Technical Commission of Russia and/or FAPSI for the right to provide services in the field of information protection.
As is known, law is a set of generally binding rules and norms of behavior established or sanctioned by the state in relation to certain areas of life and activity of state bodies, enterprises (organizations) and the population (individuals).

Legal norms for ensuring security and protection of information at any enterprise (firm, organization) are reflected in a set of constituent, organizational and functional documents.

Requirements for ensuring security and protection of information are reflected in the Charter:

  • the enterprise has the right to determine the composition, volume and procedure for protecting confidential information, to require its employees to ensure its safety and protection from internal and external threats;
  • the enterprise is obliged to ensure the safety of confidential information.

Such requirements give the enterprise administration the right to:

  • create organizational structures for the protection of confidential information;
  • issue regulatory and administrative documents determining the procedure for issuing confidential information and mechanisms for protecting it;
  • include information protection requirements in 5; contracts for all types of business activities;
  • demand protection of the interests of the enterprise by state and judicial authorities;
  • manage information that is the property of the enterprise for the purpose of extracting benefits and preventing economic damage to the enterprise team and the owner of the means of production;
  • develop a «List of confidential information». Requirements for legal security of information protection are provided for in the collective agreement.

The organization's charter must contain the following requirements:

Section «Rights and Obligations»:

1. The company has the right:

  • to ensure its economic security, determine the composition, volume and procedure for protecting confidential information;
  • require employees to ensure economic security and protect confidential information;
  • monitor compliance with measures to ensure economic security and protect confidential information.

2. The company is obliged to:

  • ensure economic security and the safety of confidential information;
  • monitor compliance with measures to ensure economic security and protect confidential information.

Section «Confidential Information»:

The Company organizes the protection of its confidential information. The composition and volume of confidential information and the procedure for protecting it are determined by the CEO.

INTRODUCING THESE ADDITIONS GIVES THE RIGHT TO THE ADMINISTRATION:

  • create organizational structures for the protection of commercial secrets or assign these functions to the appropriate officials;
  • issue regulatory and administrative documents determining the procedure for isolating information constituting a commercial secret and the mechanisms for protecting it;
  • include requirements for the protection of commercial secrets in contracts for all types of business activities (collective and joint with related companies);
  • demand protection of the company's interests before government and judicial authorities;
  • dispose of information that is the property of the company in order to extract benefits and prevent economic damage to the team and the owner of the means of production.

A collective agreement must contain the following requirements:

Section «Subject of the Agreement»

  • The administration undertakes to ensure the development and implementation of measures for economic security and the protection of confidential information in order to prevent economic damage to the team.
  • The workforce undertakes to comply with the requirements established at the company for economic security and the protection of confidential information.
  • The Administration shall take into account the requirements of economic security and protection of confidential information in the internal labor regulations, in the functional responsibilities of employees and the regulations on structural divisions.

Section «Personnel. Ensuring labor discipline»

The Administration undertakes to hold violators of the requirements for economic security and protection of confidential information accountable in accordance with the legislation of the Russian Federation.

It is advisable to supplement the internal work regulations for workers and employees of the enterprise with the following requirements:

Section «Procedure for hiring and firing workers and employees»

When hiring an employee or transferring him in the established manner to another job related to confidential information, as well as when dismissing him, the administration is obliged to:

  • instruct the employee on the rules of economic security and the preservation of confidential information;
  • draw up a written commitment to non-disclosure of confidential information. The administration has the right to:
  • make decisions to suspend from work persons who violate the requirements for the protection of confidential information;
  • exercise control over compliance with measures to protect and non-disclosure of confidential information within the enterprise.

Section «Main Duties of Workers and Employees»

Workers and employees are required to:

  • know and strictly comply with the requirements of economic security and protection of confidential information;
  • give a voluntary written undertaking not to disclose confidential information;
  • take good care of the storage of personal and official documents and products containing confidential information. In case of their loss, immediately notify the administration.

Section «Main Duties of the Administration»

The administration and heads of departments are obliged to:

  • ensure strict compliance with the requirements of economic security and protection of confidential information;
  • consistently conduct organizational, economic and educational work aimed at protecting economic interests and confidential information;
  • include specific requirements for economic security and protection of confidential information in the regulations on departments and job descriptions;
  • strictly comply with the requirements of the charter, collective agreement, employment contracts, internal work regulations and other business and organizational documents in terms of ensuring economic security and protecting confidential information.

The administration and heads of departments are directly responsible for organizing and complying with measures for economic security and protecting confidential information.

The agreement on joint work must contain the following requirements:
Section «Terms of Confidentiality»

The parties undertake not to transfer licenses to persons and not to publicly disclose information about joint work without mutual consent. For violation of this condition, the parties bear financial responsibility for compensation for losses, lost profits and moral damages.

Persons who violate the conditions of confidentiality may be held liable in accordance with applicable law.

The obligations of a specific employee, worker or employee in terms of information protection must be stipulated in the employment contract (contract). In accordance with the Labor Code (Chapter III), when concluding an employment contract, the employee undertakes to comply with certain requirements in force at the given enterprise. Regardless of the form of the contract (oral or written), the employee's signature on the order of employment confirms his consent to the terms of the contract (Labor Code of the Russian Federation, Article 18).

Requirements for the protection of confidential information may be stipulated in the text of the contract if the contract is concluded in writing. If the contract is concluded orally, then the requirements for the protection of information arising from the regulatory documents of the enterprise apply. When concluding an employment contract and drawing up an order for the hiring of a new employee, a note is made about his awareness of the procedure for protecting the information of the enterprise. This creates the necessary element of including this person in the mechanism for ensuring information security.

The use of non-disclosure agreements is not an independent measure to protect secrets. You should not think that after signing such an agreement with a new employee, the secret will be preserved. This is only a warning to the employee that a system of measures to protect information comes into play, and a legal basis for stopping his incorrect or illegal actions. The next task is to prevent the loss of commercial secrets.

The implementation of legal norms and acts aimed at protecting information at the organizational level is based on certain organizational and legal forms, which include maintaining the confidentiality of work and actions, contracts (agreements) and various forms of mandatory law.

Confidentiality is a form of handling information that constitutes confidential information, based on organizational measures that exclude the unauthorized acquisition of such information.

Contracts are agreements between parties (two or more persons) on the establishment, modification or termination of mutual obligations.

An obligation is a civil legal relationship by virtue of which one party (the debtor) is obliged to perform certain actions in favor of the other party.

Legal regulation is necessary to improve the mechanism for preventing illegal actions in relation to information resources, to clarify and consolidate the tasks and powers of individual entities in the sphere of preventive activities, protection of the rights and legitimate interests of citizens and organizations.

An analysis of the legislation regulating the activities of entities in the field of information security shows the presence of certain shortcomings. The existing legal norms are scattered across various regulations issued at different times, in different conditions and at different levels. The current legislation is not systematized, which creates great difficulties in its use in practice.

Organizational protection is the regulation of production activities and relationships between performers on a regulatory and legal basis, eliminating or significantly complicating the illegal acquisition of confidential information and the manifestation of internal and external threats.

Organizational protection ensures:

  • organization of security, regime, work with personnel, with documents;
  • use of technical security means and information and analytical activities to identify internal and external threats to business activities.

Organizational measures play a significant role in creating a reliable mechanism for protecting information, since the possibility of unauthorized use of confidential information is largely determined not by technical aspects, but by malicious actions, negligence, carelessness and carelessness of users or security personnel. The influence of these aspects is almost impossible to avoid using technical means. This requires a set of organizational-legal and organizational-technical measures that would exclude (or at least minimize) the possibility of danger to confidential information.

The main organizational measures include:

  • organization of the regime and security. Their purpose is to exclude the possibility of secret entry into the territory and premises of unauthorized persons; ensuring the convenience of control over the passage and movement of employees and visitors; creation of separate production zones of the confidential work type with independent access systems; control and observance of the temporary regime of work and stay on the territory of the company's personnel; organization and maintenance of a reliable access control and control of employees and visitors, etc.;
  • organization of work with employees, which provides for the selection and placement of personnel, including familiarization with employees, their study, training in the rules for working with confidential information, familiarization with measures] of responsibility for violating the rules of information protection, etc.;
  • organization of the use of technical means for collecting, processing, accumulating and storing confidential information;
  • organization of work on analyzing internal and external threats to confidential information and developing measures to ensure its protection;
  • organization of work on systematic monitoring of personnel work with confidential information, the procedure for recording, storing and destroying documents and technical media.
  • organization of work with documents and documented information, including the organization of the development and use of documents and carriers of confidential information, their accounting, and execution, return, storage and destruction;

Based on the situation and in order to improve the information security system, I propose to combine all services involved in information security into one service and call it a security service, the functions of which will be as follows:

  • organizes and ensures access control and internal security in buildings and premises, the procedure for carrying out security services, monitors compliance with the requirements of the regime by employees, tenants, partners and visitors;
  • manages work on technical protection, as well as on legal and organizational regulation of relations on the protection of state secrets and confidential information;
  • develops fundamental documents with the aim of enshrining in them the requirements for ensuring security and protecting state secrets and confidential information, in particular the charter, internal work regulations, regulations on departments, as well as employment contracts, agreements, contracts, job descriptions and duties of management, specialists, workers and employees;
  • develops and implements, together with other departments, measures to ensure work with documents containing information that is a state secret and confidential information, in all types of work organizes and monitors the implementation of the requirements of the instruction on the protection of state secrets and confidential information;
  • studies all aspects of production, commercial, financial and other activities to identify and close possible channels for the leakage of state secrets and confidential information, keeps records and analyzes violations of the security regime, accumulates and analyzes data on the malicious intentions of competitors and other organizations in relation to the activities of the organization and its clients, partners, and subcontractors;
  • organizes and conducts official investigations into disclosure of information, loss of documents and other violations of the organization's security;
  • develops, maintains, updates and replenishes the list of information constituting confidential information and other regulatory acts governing the procedure for ensuring the security and protection of information;
  • ensures strict compliance with the requirements of regulatory documents on the protection of confidential information;
  • carries out management of the security services and divisions of the organization's enterprises in terms of the conditions stipulated in contracts for the protection of state secrets and confidential information;
  • organizes and regularly conducts training for the company's employees and security services in all areas of protecting state secrets and confidential information, ensuring that there is a deeply conscious approach to the protection of commercial secrets;
  • maintains records of safes, metal cabinets, special storage facilities and other premises in which permanent or temporary storage of state secrets and confidential information is permitted;
  • maintains records of premises allocated for confidential work, technical equipment in them, which have potential channels for information leakage;

The security service must be an independent organizational unit, reporting directly to the general director of the organization.

The head of the security service is the head of the service in the position of deputy general director for security.

Organizationally, the security service consists of the following structural units:

  • security department;
  • department for the protection of confidential information:
  • sector for processing documents marked «confidential information»;
  • laboratories for monitoring the security of automated systems and computer equipment against unauthorized access to information.
  • Laboratory for comprehensive control of the effectiveness of countering foreign technical intelligence and technical protection of information;
  • group for analyzing the possibility of forming technical channels for information leakage;

To protect confidential information, the following regulatory and legal documents must be developed in the organization:

  • List of information constituting the organization's confidential information;
  • Contractual obligation to non-disclosure of CI
  • Instructions for the protection of confidential information

Information protection in computers must be carried out in accordance with the requirements of the RD of the State Technical Commission, and STR-k (special requirements and recommendations for technical protection of confidential information).

First of all, a list of information constituting the confidential information of the organization should be developed. The list should include all information that is the property of the organization.

Information (and its carriers) means:

  • Data obtained as a result of processing information using technical means (office equipment);
  • Information as a part of data that contains useful information and is used by employees of the organization for work purposes;
  • Documents (carriers) that are formed as a result of the mental activity of employees of the organization, including information of any origin, type and purpose, but necessary for the normal functioning of the organization.

The information included in the List has a limited nature of use (application). Restrictions imposed on the use of information constituting confidential information are aimed at protecting intellectual, material, financial property and other interests arising in the organization of labor activities of employees (personnel) of its divisions, as well as in their cooperation with employees of other enterprises.

In general, confidential information should be understood as data that is not a state secret, but which is primarily related to the production, management, financial or other economic activities of an organization, the disclosure (transfer, leakage, theft) of which may harm its interests or the interests of its owners.

The legislative basis for the protection of confidential information is Part Two of the Civil Code of the Russian Federation.

When developing a list, one should be guided by:

  • The Constitution of the Russian Federation, adopted on December 12, 1993
  • By the Law of the Russian Federation “On State Secrets” No. 5485-1 of 21.07.93
  • Federal Law of the Russian Federation “On Information, Informatization and Protection of Information” No. 24-FZ of 20.02.95
  • Decree of the President of the Russian Federation “on approval of the List of information classified as a state secret” No. 1203 of 30.11.95
  • Decree of the President of the Russian Federation “on approval of the List of information of a confidential nature” No. 188 of 06.03.97
  • By the RF Government Resolution “On the List of Information That May Not Constitute a Commercial Secret” No. 35 of 05.12.91
  • Information that is legally publicly available, including in accordance with the RF Government Resolution No. 35 of 05.12.91:
  • Constituent documents (decision on the establishment of an enterprise or founders’ agreement) and charter;
  • Documents granting the right to engage in entrepreneurial activity (registration certificates, licenses, patents);
  • Information on established forms of reporting on financial and economic activities and other information necessary to verify the correctness of the calculation and payment of taxes and other mandatory payments to the state budget system of Russia;
  • Documents on solvency; information on the number, composition of employees, their wages and working conditions, as well as on the availability of vacancies;
  • Documents on the payment of taxes and mandatory payments;
  • Information on environmental pollution, violation of antitrust laws, failure to comply with safe working conditions, sale of products that are harmful to public health, as well as other violations of Russian legislation and the amount of damage caused;
  • Information on the participation of enterprise officials in cooperatives, small businesses, partnerships and other organizations engaged in entrepreneurial activities.
  • Analysis of the advantages and disadvantages for working with open and closed (internal) use of such information.
  • Analysis of the nature of possible damage in the event of unauthorized dissemination of confidential information;

After the draft list is developed, it is discussed and approved at the ETC and agreed upon with the general director of the organization, heads of the main services and departments. The list is introduced by order of the general director of the organization as an appendix to it.

Employees of the organization who are allowed by the nature of their work or functional responsibilities to information constituting confidential information must familiarize themselves with this order and the appendix to it under signature.

The list must be communicated in a differentiated manner at least once a year to all employees of the organization who use in their work partially or in full information, data, or work with DSP documents and their carriers. All persons hired by the organization must undergo training and familiarize themselves with the memo on maintaining confidential information.

An employee who has received access to confidential information and documents must sign an individual written contractual obligation (Appendix 2) on their non-disclosure. The obligation is drawn up in one copy and is kept in the employee's personal file for at least 5 years after his dismissal. When he is dismissed from the organization, he is given a subscription on non-disclosure of the organization's confidential information.

Next, an instruction should be developed regulating the procedure for employee access to CI, the procedure for creating, recording, storing and destroying confidential documents of the organization. When writing such an instruction, one should be guided by the provisions of GOST R6 30-2003 — «Unified documentation systems.», as well as «Unified system of organizational and administrative documentation. Requirements for the execution of documents», which was adopted and put into effect by the Resolution of the State Standard of the Russian Federation dated March 3, 2003 N 65-st.

The instruction for the protection of confidential information should consist of the following parts:

  1. GENERAL PROVISIONS.
  2. CONFIDENTIAL INFORMATION
  3. RESPONSIBILITY FOR DISCLOSURE OF CONFIDENTIAL INFORMATION
  4. SYSTEM OF ACCESS OF EMPLOYEES TO INFORMATION CONSTITUTING CI.
  5. CIRCLE OF PERSONS AUTHORIZED TO GIVE PERMISSION FOR ACCESS TO CONFIDENTIAL DOCUMENTS
  6. PROCEDURE FOR ISSUING PERMISSION FOR ACCESS TO CONFIDENTIAL DOCUMENTS
  7. PROCEDURE FOR ACCESS TO MEETINGS ON ISSUES CONTAINING CONFIDENTIAL INFORMATION
  8. PREPARATION AND PUBLICATION OF CONFIDENTIAL DOCUMENTS
  9. ACCOUNTING, PROCESSING AND SENDING OF PUBLISHED CONFIDENTIAL DOCUMENTS
  10. RECEIPT, ACCOUNTING AND PROCESSING OF RECEIVED DOCUMENTS
  11. ACCOUNTING OF CONFIDENTIAL DOCUMENTS OF ALLOCATED STORAGE
  12. ACCOUNTING OF JOURNALS AND CARD FILES
  13. ORGANIZING THE STORAGE OF CONFIDENTIAL DOCUMENTS
  14. ORGANIZING AND TECHNOLOGY FOR CONTROL OF THE EXECUTION OF CONFIDENTIAL DOCUMENTS
  15. REPRODUCTION OF DOCUMENTS
  16. DESTRUCTION DOCUMENTS
  17. DRAWING UP AND FORMATTING A NOMENCLATURE OF CASES CLASSIFIED «CONFIDENTIAL»
  18. DRAWING UP AND FORMATTING CASES
  19. CHECKING THE AVAILABILITY OF CONFIDENTIAL DOCUMENTS.
  20. PREPARING CONFIDENTIAL DOCUMENTS FOR ARCHIVAL STORAGE
  21. PROCEDURE FOR TRANSFERRING CONFIDENTIAL DOCUMENTS TO THE ARCHIVE
  22. APPENDICES

Protection of confidential information is one of the most important factors in creating the prerequisites for the stable existence and progressive development of an organization.

The main conditions for ensuring the information security of an organization in the context of the planned approach to solving the problems of protecting CI are:

  • building models of intruders and competitors based on the search and authentication of information about their intentions and aspirations;
  • defining a list of information that constitutes the object of protecting the interests of the concern in specific areas of its activity;
  • formation of the preferred structure of the CI protection system for the concern based on synthesis, structural optimization and technical and economic assessment of alternative options for the CI protection system;
  • management of the process of implementation of the selected concept of CI protection and coordination of work on organizing CI protection between all interested structural divisions of the organization;
  • combination of organizational and administrative measures for CI protection with active involvement of all personnel of the organization in this process;
  • introduction of personal responsibility (including financial) of officials at all levels, as well as other employees of the concern admitted to CI, for ensuring the confidentiality regime established in the JSC.

The above documents have been developed taking into account the general requirements for the content and design of such documents.

You can receive documents developed by the author, for this it is enough to send a request for receiving such instructions to me by e-mail indicating the name of the organization, area of ​​activity).

Stolyarov Nikolay Vladimirovich
nstolyarov@yandex.ru

Мы используем cookie-файлы для наилучшего представления нашего сайта. Продолжая использовать этот сайт, вы соглашаетесь с использованием cookie-файлов.
Принять