KHOREV Anatoly Anatolyevich, Doctor of Technical Sciences, Professor
ORGANIZING INFORMATION PROTECTION FROM LEAKAGE VIA TECHNICAL CHANNELS
General Provisions
Protected information is information that is an object of ownership and is subject to protection in accordance with the requirements of legal documents or requirements established by the owner of the information [3]. As a rule, this is restricted-access information: information classified as a state secret, as well as information of a confidential nature.
Protection of restricted information (hereinafter referred to as protected information) from leakage through technical channels is carried out on the basis of:
- the Constitution of the Russian Federation;
- the laws of the Russian Federation “On Information, Informatization and Information Protection”, “On State Secrets”, “On Commercial Secrets” and other legislative acts of the Russian Federation;
- the “Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels”, approved by RF Government Resolution No. 912-51 of 15.09.93;
- the “Regulations on licensing the activities of enterprises, institutions and organizations for carrying out work related to the use of information constituting a state secret, the creation of information protection tools, as well as the implementation of measures and (or) the provision of services for the protection of state secrets”, approved by RF Government Resolution No. 333 of 15 April 1995;
- the “Regulations on state licensing of activities in the field of information protection”, approved by RF Government Resolution No. 10 of 27 April 1994;
- the “Regulations on licensing activities on the development and (or) production of means of protecting confidential information”, approved by RF Government Resolution No. 348 of 27 May 2002, as amended and supplemented on 3 October 2002 No. 731;
- the “Regulations on the certification of information security tools”, approved by RF Government Resolution No. 608 of 26 June 1995;
- RF Government Resolutions “On licensing activities for the technical protection of confidential information” (dated 30 April 2002 No. 290, as amended and supplemented on 23 September 2002 No. 689 and on 6 February 2003 No. 64) and “On licensing certain types of activities” (dated 11 February 2002 No. 135);
- the “Regulations on the certification of information technology facilities according to information security requirements”, approved by the Chairman of the State Technical Commission of Russia on November 25, 1994, and other regulatory documents.
The requirements and recommendations of regulatory documents apply to the protection of state information resources. When carrying out work to protect non-state information resources that constitute a commercial secret, banking secret, etc., the requirements of regulatory documents are advisory in nature.
The protection mode for restricted access information that does not contain information constituting a state secret (hereinafter referred to as confidential information) is established by the owner of the information resources or an authorized person in accordance with the legislation of the Russian Federation.
In the following, we will consider methodological recommendations for organizing the protection of confidential information owned by non-governmental enterprises (organizations, firms).
Measures to protect confidential information from leakage through technical channels (hereinafter referred to as technical protection of information) are an integral part of the activities of enterprises and are carried out in conjunction with other measures to ensure their information security.
Protection of confidential information from leakage through technical channels must be carried out by means of a set of organizational and technical measures that constitute the system of technical protection of information at the protected object (STPI), and must be differentiated depending on the established category of the information technology object or the allocated (protected) premises (hereinafter the protected object).
Organizational measures to protect information from leakage through technical channels are mainly based on taking into account a number of recommendations when selecting premises for installing technical means for processing confidential information (TMPI) and conducting confidential negotiations, introducing restrictions on the TMPI used, auxiliary technical means and systems (ATMS) and their placement, as well as introducing a certain access regime for employees of the enterprise (organization, firm) to information technology facilities and to designated premises.
Technical measures to protect information from leakage through technical channels are based on the use of technical means of protection and the implementation of special design and engineering solutions.
Technical protection of information is carried out by information protection departments (security services) or individual specialists appointed by the heads of organizations to carry out such work. Third-party organizations that have licenses from the FSTEC or the FSB of Russia for the right to carry out the relevant work may be involved in developing measures to protect information.
To protect information, it is recommended to use technical means of protection certified according to information security requirements. The certification procedure is determined by the legislation of the Russian Federation.
The list of necessary information protection measures is determined based on the results of a special examination of the protected object, certification tests and special studies of technical means intended for processing confidential information.
The level of technical protection of information must correspond to the ratio of the costs of organizing information protection and the amount of damage that can be caused to the owner of information resources.
Protected objects must be certified according to information security requirements in accordance with regulatory documents of the FSTEC of Russia for compliance with established standards and requirements for information protection. Based on the results of certification, a permit (certificate of compliance) is issued for processing confidential information at the object.
Responsibility for ensuring the requirements for technical protection of information is assigned to the heads of organizations operating the protected objects.
In order to promptly detect and prevent information leakage through technical channels, the status and effectiveness of information protection must be monitored. Monitoring consists of checking the compliance with the requirements of regulatory documents on information protection using current methods, as well as assessing the validity and effectiveness of the measures taken. Information protection is considered effective if the measures taken comply with the established requirements and standards. The organization of work on information protection is assigned to the heads of departments operating the protected facilities, and control over ensuring information protection is assigned to the heads of departments for information protection (security services).
Technical means for processing confidential information, as well as information protection means, must be installed in accordance with the technical project or technical solution. Technical solutions and technical projects for the installation and assembly of TMPI and information protection means are developed by information protection departments (enterprise security services) or by design organizations licensed by the FSTEC, on the basis of technical design assignments issued by customers.
Technical solutions for protecting information from leakage through technical channels are an integral part of technological, planning, architectural and design solutions and form the basis of the system of technical protection of confidential information.
The direct organization of work on the creation of the STPI is carried out by the official providing scientific and technical guidance for the design of the protected object.
The development and implementation of the STPI can be carried out both by the enterprises (organizations, firms) themselves and by specialized organizations that have licenses from the FSTEC and (or) the FSB of Russia for the relevant type of activity.
If the STPI or its individual components are developed by specialized organizations, the customer organization designates the departments or individual specialists responsible for organizing and conducting information protection activities. They must provide methodological guidance and take part in the special survey of protected objects, the analytical justification of the need to create the STPI, the coordination of the selection of TMPI and of technical and software protection tools, the development of technical specifications for the creation of the STPI, the organization of work on implementing the STPI, and the certification of protected objects.
The procedure for organizing work at the enterprise on the creation and operation of information technology facilities and dedicated (protected) premises is determined in a special “Regulation on the procedure for organizing and conducting work at the enterprise on protecting information from its leakage through technical channels”, taking into account specific conditions. The Regulation should determine:
- the procedure for determining the information to be protected;
- the procedure for involving the organization’s divisions and specialized third-party organizations in the development and operation of information technology facilities and the STPI, and their tasks and functions at the various stages of the creation and operation of the protected facility;
- the procedure for interaction of all organizations, departments and specialists involved in this work;
- the procedure for development, commissioning and operation of protected objects;
- the responsibility of officials for the timeliness and quality of the formation of requirements for the protection of information, and for the quality and scientific and technical level of the development of the STPI.
At the enterprise (institution, firm), the list of information subject to protection in accordance with regulatory legal acts must be documented, and an appropriate permit system for personnel access to such information must be developed.
When organizing work to protect information at the protected facility against leakage through technical channels, three stages can be distinguished [6, 9]:
- the first stage (preparatory, pre-design);
- the second stage (design of the STPI);
- the third stage (the stage of commissioning the protected facility and the technical information protection system).
Preparatory stage of creating a technical information protection system
The first stage involves preparation for creating a technical information protection system at protected facilities, during which a special survey of protected facilities is conducted, an analytical justification for the need to create a technical information protection system and a technical (particular technical) assignment for its creation are developed.
During a special survey of protected facilities with the involvement of relevant specialists, an assessment of potential technical channels of information leakage is carried out.
To analyze possible technical channels of leakage at a facility, the following are studied [1, 6–9]:
- a plan (to scale) of the area adjacent to the building within a radius of up to 150–300 m, indicating (if possible) the ownership of the buildings and the boundaries of the controlled zone;
- floor plans of the building indicating all rooms and the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
- a plan-diagram of the utility lines of the entire building, including the ventilation system;
- a plan-diagram of the grounding system of the facility indicating the location of the ground electrode;
- a plan-diagram of the power supply system of the building indicating the location of the isolating transformer (substation), all boards and distribution boxes;
- a plan-diagram of the laying of telephone lines indicating the location of distribution boxes and the installation of telephone sets;
- plan-diagram of security and fire alarm systems indicating installation locations and types of sensors, as well as distribution boxes.
It is also established when the object (building) was constructed, which organizations were involved in the construction, and which organizations were previously located in it.
When analyzing the conditions of the object's location, the boundary of the controlled area, parking lots, and buildings that are in direct line of sight from the windows of protected premises outside the controlled area are determined. The affiliation of these buildings and the access mode to them are determined (if possible).
By visual observation or photography from the windows of protected premises, the windows of nearby buildings, as well as parking lots that are in direct line of sight, are determined. An assessment is made of the possibility of conducting reconnaissance from them using directional microphones and laser acoustic reconnaissance systems, as well as visual observation and filming equipment.
The location of the transformer substation, switchboard, and distribution boards is established. Buildings and premises located outside the controlled area that are powered from the same low-voltage bus of the transformer substation as the protected facilities are determined. The length of power lines from the protected facilities to possible connection points for information interception devices (distribution boards, premises, etc.) located outside the controlled area is measured. The possibility of receiving, outside the controlled area, information transmitted by power-line (mains) bugs, should they be installed in protected premises, is assessed.
Premises adjacent to the protected premises and located outside the controlled area are determined. Their affiliation and access mode to them are established. The possibility of access from the outside to the windows of the protected premises is determined. The possibility of speech information leakage from the protected premises via acoustic vibration channels is assessed.
Connecting lines of auxiliary technical means and systems (telephone lines, warning lines, security and fire alarm systems, clock systems, etc.) extending beyond the controlled area, and the locations of their distribution boxes are determined. The length of lines from protected objects to possible connection points for interception of information outside the controlled area is measured. The possibility of speech information leakage from protected premises via acoustoelectric channels is assessed.
Utility lines and extraneous conductors extending beyond the controlled area are determined, and their length from protected objects to possible connection points for interception of information is measured.
The location of the ground electrode to which the grounding circuit of the protected facility is connected is determined. The premises located outside the controlled area that are connected to the same ground electrode are determined.
The installation locations of the TMPI at the information technology facilities and the routes of their connecting lines are determined.
The possibility of intercepting information processed by the TMPI with special technical means via electromagnetic and electrical information leakage channels is assessed.
In modern conditions, it is advisable to carry out technical checks of the actual shielding properties of building structures and of the sound and vibration insulation of premises, so that the results can be taken into account when developing measures to protect the TMPI and designated premises.
A pre-project survey can be assigned to a specialized organization that has the appropriate license, but even in this case, it is advisable to perform an analysis of information support in terms of protected information by representatives of the customer organization with the methodological assistance of a specialized organization.
The specialists of this organization are familiarized with the protected information in accordance with the procedure established in the customer organization.
After the pre-project special survey of the protected object, a group (commission) appointed by the head of the enterprise (organization, firm) prepares an analytical justification for the need to create an STPI, during which:
- a list of information subject to protection is determined (the list of confidential information is approved by the head of the organization);
- categorization of confidential information subject to protection is carried out;
- a list of persons admitted to confidential information subject to protection is determined;
- the degree of participation of personnel in the processing (discussion, transfer, storage, etc.) of information, the nature of their interaction with each other and with the security service is determined;
- a matrix of personnel access to confidential information subject to protection is developed;
- the model of a potential enemy (intruder, violator) is determined (specified);
- classification and categorization of information technology objects and allocated premises are carried out;
- the need to involve specialized organizations that hold the necessary licenses for information protection work in the design and implementation of the STPI is justified;
- the material, labor and financial costs of developing and implementing the STPI are assessed;
- the approximate timeframes for the development and implementation of the STPI are determined.
The main feature of confidential information is its value for a potential enemy (competitors). Therefore, when determining the list of confidential information, its owner must determine this value through the extent of damage that may be caused to the enterprise in the event of its leakage (disclosure). Depending on the amount of damage (or negative consequences) that may be caused in the event of a leakage (disclosure) of information, the following categories of information importance are introduced:
- Category 1: information, the leakage of which may lead to the loss of economic or financial independence of the enterprise or the loss of its reputation (loss of trust of consumers, subcontractors, suppliers, etc.);
- Category 2: information, the leakage of which may lead to significant economic damage or a decrease in its reputation;
- Category 3: information, the leakage or disclosure of which may cause economic damage to the enterprise.
From the point of view of information dissemination, it can be divided into two groups:
- the first group (1): confidential information that circulates only within the enterprise and is not intended for transfer to another party;
- the second group (2): confidential information that is intended to be transferred to another party or received from another party.
Therefore, it is advisable to establish six levels of information confidentiality (Table 1).
Table 1. Levels of information confidentiality
| The amount of damage (negative consequences) that may be caused by disclosure of specific information | Level of confidentiality: information that is not subject to transfer to other enterprises (organizations) | Level of confidentiality: information intended for transfer to other enterprises (organizations) or received from them |
|---|---|---|
| Information leakage may result in the loss of economic or financial independence of the enterprise or loss of its reputation | 1.1 | 1.2 |
| Information leakage may result in significant economic damage or a decrease in the enterprise's reputation | 2.1 | 2.2 |
| Information leakage may cause economic damage to the enterprise | 3.1 | 3.2 |
The introduction of information confidentiality categories is necessary to determine the scope and content of the set of measures for its protection.
When establishing a mode of access to confidential information, it is necessary to be guided by the principle that the greater the damage from disclosure of information, the smaller the circle of persons who are allowed to access it.
Modes of access to confidential information must be linked to the job responsibilities of employees.
In order to limit the circle of persons allowed to access information constituting a commercial secret, it is advisable to introduce the following modes of access to it:
- Mode 1: provides access to the entire list of confidential information. It is established for the management of the enterprise;
- Mode 2: provides access to information when performing specific types of activities (financial, production, personnel, security, etc.). It is established for the management of departments and services;
- Mode 3: provides access to a specific list of information when performing specific types of activities. It is established for employees who are specialists of a specific department (service), in accordance with their job responsibilities.
Thus, after compiling a list of confidential information, it is necessary to establish the level of its confidentiality, as well as the mode of access to it by employees.
It is advisable to delimit the access of employees of an enterprise (firm) to confidential information either by levels (rings) of confidentiality in accordance with access modes, or by so-called authority matrices, in which the rows list the positions of employees of the enterprise (firm), and the columns list the information included in the list of information constituting a commercial secret. The elements of the matrix contain information on the level of authority of the relevant officials (for example, “+” means access to the information is permitted and “-” means access to the information is prohibited).
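The authority matrix described above can be audited mechanically. The following is an added example, not part of the original article: it checks a matrix against the three access modes and against the rule that greater damage means a smaller circle of persons. The positions, information items, activity tags and the way the circle rule is measured (widest circle per damage category) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Confidentiality levels from Table 1: "<damage category>.<dissemination group>"
VALID_LEVELS = {"1.1", "1.2", "2.1", "2.2", "3.1", "3.2"}
Matrix = Dict[Tuple[str, str], str]  # (position title, item name) -> "+" or "-"


@dataclass(frozen=True)
class Item:
    name: str
    level: str     # Table 1 confidentiality level
    activity: str  # assumed tag for the type of activity the item belongs to


@dataclass(frozen=True)
class Position:
    title: str
    mode: int                       # access mode 1, 2 or 3
    activity: Optional[str] = None  # None for mode 1 (enterprise management)


def matrix_from_rows(items: List[Item], rows: Dict[str, str]) -> Matrix:
    """Build the matrix from one string of '+'/'-' marks per position (row)."""
    return {(title, item.name): mark
            for title, marks in rows.items()
            for item, mark in zip(items, marks)}


def circle_size(item: Item, positions: List[Position], matrix: Matrix) -> int:
    """Number of positions that are permitted access to the item."""
    return sum(matrix.get((p.title, item.name)) == "+" for p in positions)


def audit_matrix(items: List[Item], positions: List[Position],
                 matrix: Matrix) -> List[str]:
    """Return findings; an empty list means the matrix is consistent."""
    findings = []
    for item in items:
        if item.level not in VALID_LEVELS:
            findings.append(f"{item.name}: unknown level {item.level}")
    for p in positions:
        for item in items:
            cell = matrix.get((p.title, item.name))
            if cell not in ("+", "-"):
                findings.append(f"{p.title} / {item.name}: cell missing or invalid")
            elif p.mode == 1 and cell == "-":
                findings.append(f"{p.title} / {item.name}: mode 1 covers the entire list")
            elif p.mode in (2, 3) and cell == "+" and item.activity != p.activity:
                # Assumed reading of modes 2 and 3: access stays within own activity.
                findings.append(f"{p.title} / {item.name}: access outside own activity")
    # Greater damage, smaller circle: the widest circle for a damage category
    # must not exceed the widest circle for the next, less damaging category.
    widest: Dict[int, int] = {}
    for item in items:
        if item.level in VALID_LEVELS:
            cat = int(item.level[0])
            widest[cat] = max(widest.get(cat, 0), circle_size(item, positions, matrix))
    cats = sorted(widest)
    for high, low in zip(cats, cats[1:]):
        if widest[high] > widest[low]:
            findings.append(f"category {high} items reach {widest[high]} positions, "
                            f"more than category {low} items ({widest[low]})")
    return findings


# Constructed sample data (not from the article).
ITEMS = [
    Item("Acquisition plan", "1.1", "financial"),
    Item("Supplier price list", "2.2", "financial"),
    Item("Production schedule", "3.1", "production"),
]
POSITIONS = [
    Position("Director", 1),
    Position("Head of finance", 2, "financial"),
    Position("Accountant", 3, "financial"),
    Position("Head of production", 2, "production"),
    Position("Process engineer", 3, "production"),
]
GOOD_ROWS = {  # one mark per item, in ITEMS order
    "Director": "+++",
    "Head of finance": "++-",
    "Accountant": "-+-",
    "Head of production": "--+",
    "Process engineer": "--+",
}


def flawed_matrix() -> Matrix:
    """The good matrix with three constructed mistakes."""
    m = matrix_from_rows(ITEMS, GOOD_ROWS)
    m[("Process engineer", "Acquisition plan")] = "+"  # outside own activity
    m[("Director", "Production schedule")] = "-"       # mode 1 must see everything
    del m[("Accountant", "Production schedule")]       # cell left undecided
    return m


if __name__ == "__main__":
    for finding in audit_matrix(ITEMS, POSITIONS, flawed_matrix()):
        print(finding)
```

The three mistakes produce four findings, because denying the director access also shrinks the category 3 circle below the category 2 circle.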
Next, the model of the probable adversary (intruder, violator) is defined (specified). This includes determining the level of equipment of the adversary interested in obtaining the information and its capabilities to use particular technical means of reconnaissance to intercept information.
Depending on its financial support and its access to particular reconnaissance tools, the adversary has different capabilities for intercepting information. For example, reconnaissance equipment for spurious electromagnetic emissions and interference, electronic devices for intercepting information embedded in technical means, and laser acoustic reconnaissance systems can be used, as a rule, by the intelligence and special services of states.
To ensure a differentiated approach to organizing information protection from leakage through technical channels, protected objects must be assigned to the appropriate categories and classes.
Classification of objects is carried out according to the tasks of technical protection of information and establishes requirements for the volume and nature of the set of measures aimed at protecting confidential information from leakage through technical channels during the operation of the protected object.
It is advisable to divide the protected objects into two protection classes (Table 2).
Protection class A includes objects at which the information signals that arise during information processing or negotiations are completely concealed (concealment of the fact of processing confidential information at the object).
Protection class B includes objects at which the parameters of information signals arising during information processing or negotiations, from which confidential information can be restored, are concealed (concealment of the information processed at the object).
Table 2. Classes of protection of information technology objects and dedicated premises
| Task of technical protection of information | Established protection class |
|---|---|
| Complete concealment of information signals that arise during information processing or negotiations (concealment of the fact of confidential information processing at the facility) | A |
| Concealment of parameters of information signals that arise during information processing or negotiations, by which it is possible to restore confidential information (concealment of information processed at the facility) | B |
When establishing the category of the protected object, its protection class is taken into account, as well as the financial capabilities of the enterprise to close potential technical channels of information leakage. It is advisable to divide the protected objects into three categories.
The categorization of protected information technology objects and allocated premises is carried out by commissions appointed by the heads of the enterprises in whose jurisdiction they are located. The commissions, as a rule, include representatives of the departments responsible for ensuring information security and representatives of the departments operating the protected objects.
The categorization of protected objects is carried out in the following order:
- information technology objects and allocated premises subject to protection are determined;
- the level of confidentiality of information processed by the TMPI or discussed in a designated room is determined, and an assessment is made of the cost of damage that may be caused to an enterprise (organization, firm) due to its leakage;
- for each protected object, a protection class (A or B) is established and potential technical channels of information leakage and special technical means that can be used to intercept information are determined (Tables 3, 4);
- a rational composition of protection means is determined, and organizational measures are developed to close a specific technical channel of information leakage for each protected object;
- for information classified as confidential and provided by the other party, the sufficiency of measures taken to protect it is determined (measures or standards for protecting information are determined by the relevant agreement);
- an assessment is made of the cost of measures (organizational and technical) to close a specific technical channel of information leakage for each protected object;
- taking into account the assessment of the capabilities of a potential adversary (competitor, attacker) to use certain technical intelligence tools to intercept information, as well as taking into account the cost of closing each information leak channel and the cost of damage that may be caused to the enterprise as a result of its leak, the advisability of closing certain technical information leak channels is determined;
- after a decision has been made on which technical information leak channels need to be closed, the category of the information technology facility or allocated premises is established (Table 5).
The results of the commission's work are formalized in a report approved by the official who appointed the commission.
Table 3. Potential technical channels for leakage of information processed by a personal computer
| Technical channels for leakage of information | Special technical means used to intercept information |
|---|---|
| Electromagnetic (interception of spurious electromagnetic emissions of the TMPI) | Reconnaissance equipment for spurious electromagnetic emissions and interference (SEMI) installed in nearby buildings and vehicles located outside the controlled zone |
| Electrical (interception of induced electrical signals) | SEMI reconnaissance equipment connected to the TMPI power supply lines, ATMS connecting lines, extraneous conductors and TMPI grounding circuits outside the controlled zone |
| High-frequency irradiation of TMPI | “High-frequency irradiation” equipment installed in nearby buildings or adjacent premises located outside the controlled area |
| Introduction of electronic information interception devices into TMPI | Modular-type hardware bugs installed in the system unit or peripheral devices during the assembly, operation and repair of a personal computer: hardware bugs for intercepting images displayed on the monitor screen, installed in personal computer monitors; hardware bugs for intercepting information entered from the personal computer keyboard, installed in the keyboard; hardware bugs for intercepting printed information, installed in the printer; hardware bugs for intercepting information recorded on the personal computer hard drive, installed in the system unit. Hardware bugs covertly introduced into blocks, units, boards and individual elements of PC circuits at the stage of their manufacture |
Table 4. Potential technical channels for speech information leakage
| Technical channels for information leakage | Special technical means used to intercept information |
|---|---|
| Direct acoustic (through cracks, windows, doors, technological openings, ventilation ducts, etc.) | Directional microphones installed in nearby buildings and vehicles located outside the controlled area; special highly sensitive microphones installed in air ducts or in adjacent premises belonging to other organizations; electronic devices for intercepting speech information with microphone-type sensors installed in air ducts, provided that unauthorized persons have uncontrolled access to them; listening to conversations conducted in a designated room without the use of technical means by third parties (visitors, technical personnel) when they are in corridors and rooms adjacent to the designated room (inadvertent listening) |
| Acousto-vibrational (through enclosing structures, utility pipes, etc.) | Electronic stethoscopes installed in adjacent rooms belonging to other organizations; electronic devices for intercepting speech information with contact-type sensors installed on utility lines (water supply pipes, heating pipes, sewer pipes, air ducts, etc.) and external enclosing structures (walls, ceilings, floors, doors, window frames, etc.) of a designated area, provided that unauthorized persons have uncontrolled access to them |
| Acousto-optic (through window glass) | Laser acoustic location systems installed in nearby buildings and vehicles located outside the controlled area |
| Acoustoelectric (via ATMS connecting lines) | Special low-frequency amplifiers connected to ATMS connecting lines with a “microphone” effect outside the controlled area; “high-frequency imposition” equipment connected to ATMS connecting lines with a “microphone” effect outside the controlled area |
| Acoustoelectromagnetic (parametric) | Special radio receiving devices installed in nearby buildings and vehicles located outside the controlled zone, intercepting SEMI at the operating frequencies of high-frequency generators that are included in the ATMS and have a “microphone” effect; “high-frequency irradiation” equipment installed in nearby buildings or adjacent premises located outside the controlled zone |
Table 5. Categories of information technology objects and allocated premises
| The task of technical information protection | Closed technical channels of information leakage | Established category of the protected object |
|---|---|---|
| Complete concealment of information signals arising during the processing of information by a technical means or during negotiations (concealment of the fact of processing confidential information at the facility) | all potential technical channels of information leakage | 1 |
| Concealment of parameters of information signals arising during the processing of information by a technical means or during negotiations, by which it is possible to restore confidential information (concealment of information processed at the facility) | all potential technical channels of information leakage | 2 |
| Concealment of parameters of information signals arising during the processing of information by a technical means or during negotiations, by which it is possible to restore confidential information (concealment of information processed at the facility) | the most dangerous technical channels of information leakage | 3 |
After establishing the category of the protected object, the possibilities for creating and implementing the STZI by the enterprise (organization, firm) itself are assessed, or the need to involve specialized organizations that hold the necessary licenses for information protection work in the design and implementation of the STZI is substantiated. The material, labor and financial costs of developing and implementing the STZI are assessed, and the estimated timeframes for the development and implementation of the STZI are determined.
The results of the analytical justification of the need to create an STZI are presented in an explanatory note, which must contain [6, 8, 9]:
- a list of confidential information indicating its level of confidentiality;
- a list of enterprise employees admitted to confidential information, indicating their access mode, and, if necessary, an access matrix;
- information characteristics and organizational structure of objects of protection;
- a list of information technology objects subject to protection, indicating their categories;
- a list of designated premises to be protected, indicating their categories;
- a list and characteristics of technical means for processing confidential information, indicating their installation location;
- a list and characteristics of auxiliary technical means and systems, indicating their installation location;
- the expected level of equipment of a potential adversary (competitor, intruder);
- technical channels of information leakage to be closed (eliminated);
- organizational measures to close technical channels of information leakage;
- list and characteristics of technical means of information protection proposed for use, indicating their installation location;
- methods and procedure for monitoring the effectiveness of information protection;
- justification of the need to involve specialized organizations that have the necessary licenses for the right to carry out work on information protection, for design;
- assessment of material, labor and financial costs for the development and implementation of the STZI;
- approximate timeframes for the development and implementation of the STZI;
- list of measures to ensure the confidentiality of information at the STZI design stage.
The explanatory note is signed by the head of the group (commission) that conducted the analytical justification, agreed upon with the head of the security service and approved by the head of the enterprise.
Based on the analytical justification and current regulatory and methodological documents on information protection from leakage through technical channels, taking into account the established class and category of the protected object, specific requirements for information protection are set, included in the technical (particular technical) assignment for the development of the STZI.
The technical assignment (TA) for the development of the STZI must contain:
- justification for the development;
- initial data of the protected object in technical, software, information and organizational aspects;
- references to the regulatory and methodological documents in accordance with which the STZI will be developed and accepted into operation;
- specific requirements for the STZI;
- list of technical means of information protection intended for use;
- composition, content and timing of work at the stages of development and implementation;
- list of contractors — performers of various types of work;
- list of scientific and technical products and documentation presented to the customer.
The technical assignment for the design of the STZI of the protected object is drawn up as a separate document, agreed upon with the design organization and with the security service (specialist) of the customer organization as regards the adequacy of the technical information protection measures, and approved by the customer.
Stage of design of the technical protection system of information
To develop a technical project for the creation of a technical information protection system, organizations licensed by the FSTEC of the Russian Federation must be involved.
The technical project of the STZI must contain:
- title page;
- explanatory note containing information characteristics and the organizational structure of the protected object, information on organizational and technical measures to protect information from leakage through technical channels;
- list of information technology objects subject to protection, indicating their locations and established protection category;
- list of allocated premises subject to protection, indicating their locations and established protection category;
- list of installed TSOI, indicating the availability of a certificate (operation order) and their installation locations;
- list of installed VTSS, indicating the availability of a certificate and their installation locations;
- list of installed technical means of information protection, indicating the availability of a certificate and their installation locations;
- a diagram (to scale) indicating the plan of the building in which the protected objects are located, the boundaries of the controlled area, the transformer substation, the grounding device, the routes of utility lines, power lines, communications, fire and security alarms, the locations of the installation of separating devices, etc.;
- technological floor plans of the building (to scale) indicating the locations of information technology facilities and dedicated rooms, the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
- plans of information technology facilities (to scale) indicating the locations of the installation of TSOI, VTSS and the laying of their connecting lines, as well as the routes for laying utility lines and external conductors;
- a plan-diagram of utility lines for the entire building, including the ventilation system;
- a plan-diagram of the grounding system of the facility, indicating the location of the ground electrode;
- a diagram of the building's power supply system indicating the location of the isolating transformer (substation), all panels and distribution boxes;
- a diagram of the layout of telephone lines indicating the location of distribution boxes and the installation of telephone sets;
- a diagram of the security and fire alarm systems indicating the installation locations and types of sensors, as well as distribution boxes;
- diagrams of active protection systems (if they are provided for by the technical specifications for the design);
- instructions and operating manuals for technical means of protection for users and those responsible for ensuring information security at the information technology facility.
The technical design, working drawings, estimate and other design documentation must be accounted for in the established manner.
The technical project is agreed upon with the customer's security service (specialist), the design organization's information security agency, representatives of contractors performing types of work, and approved by the head of the design organization.
When developing the technical project, the following recommendations must be taken into account [1, 2, 4 – 9]:
- certified technical means of information processing and auxiliary technical means must be installed in the allocated premises;
- for placing the TSOI, it is advisable to choose basement and semi-basement premises (they have shielding properties);
- it is recommended that the offices of the organization's managers, as well as especially important dedicated rooms, be located on the upper floors (except for the last one) on the side that is less dangerous from the point of view of reconnaissance;
- all utilities (water supply, heating, sewerage, telephone, electricity, etc.) should enter the building at a single point. It is advisable to bring the utility inputs directly into the control room, keep its entrance locked, and equip it with an alarm or security system;
- if the isolating transformer (transformer substation) that supplies electricity to the protected technical equipment and allocated premises is located outside the controlled zone, consumers located outside the controlled zone must be disconnected from the low-voltage substation buses that supply the protected objects;
- it is recommended that electric power cables be laid from the general power panel according to the principle of vertical wiring to the floors with horizontal floor-by-floor wiring and with the installation of a power panel on each floor. Connecting cables of auxiliary technical equipment, including communication system cables, should be laid in a similar manner;
- the number of utility inputs into the protected premises area should be minimal and correspond to the number of utilities. Unused extraneous conductors passing through the protected premises, as well as cables (lines) of unused auxiliary technical equipment should be dismantled;
- the laying of information circuits, as well as power supply and grounding circuits of protected technical equipment, must be planned in such a way that their parallel run with various extraneous conductors that go beyond the controlled zone is eliminated or reduced to acceptable limits;
- for grounding technical equipment (including auxiliary equipment) installed in dedicated premises, it is necessary to provide a separate grounding circuit located within the controlled area. If this is not possible, linear noise masking of the facility's grounding system must be provided;
- extraneous conductors (various pipelines, air ducts, building metal structures, etc.) that carry induced information signals must not extend beyond the controlled area. If this is not possible, linear noise masking of the extraneous conductors must be provided;
- it is recommended to lay pipelines and communications of horizontal distribution in an open way or behind false panels, allowing their dismantling and inspection;
- in places where technical communications pipelines exit the allocated premises, it is recommended to install flexible vibration-insulating inserts with filling the space between them and the building structure with mortar to the entire thickness of the structure. If it is impossible to install inserts, it will be necessary to equip the pipelines with a vibration noise reduction system;
- it is necessary to provide for the laying of vertical risers of communications for various purposes outside the zone of allocated premises;
- enclosing structures of allocated premises adjacent to other premises of the organization must not have openings, niches, or through channels for laying communications;
- it is advisable to make the supply and exhaust ventilation and air exchange system of the zone of the allocated premises separate: it should not be connected to the ventilation system of other premises of the organization and should have its own separate air intake and exhaust;
- it is recommended that ventilation system boxes be made of non-metallic materials. The outer surface of ventilation system boxes leading out of the designated area or individual important rooms should be finished with sound-absorbing material. It is recommended that soft vibration-insulating inserts made of flexible material, such as tarpaulin or thick fabric, be installed at the points where ventilation system boxes exit the designated rooms. Ventilation duct outlets outside the designated room area should be covered with a metal mesh;
- in rooms equipped with a sound reinforcement system, it is advisable to use sound-absorbing materials for lining the inner surfaces of enclosing structures;
- doorways in especially important rooms should be equipped with vestibules;
- decorative panels of heating batteries should be removable for inspection;
- in especially important dedicated rooms it is not recommended to use suspended ceilings, especially non-detachable ones;
- for glazing especially important dedicated rooms it is recommended to use sun protection and heat protection double-glazed windows;
- it is advisable to make floors of especially important dedicated rooms without baseboards;
- it is not recommended to use fluorescent lighting fixtures in dedicated areas. Lighting fixtures with incandescent lamps should be selected for full line voltage without the use of transformers and rectifiers.
Commissioning of the information security system
At the third stage, the installation and construction organizations implement the information protection measures envisaged by the technical project. Organizations licensed by the FSTEC RF shall be involved in the installation of technical means of information processing and auxiliary technical means, and in the implementation of technical measures to protect information.
The installation organization or the customer purchases certified TSOI and conducts a special check of non-certified TSOI to detect electronic devices for intercepting information (“bugs”) possibly embedded in them, as well as special studies of this equipment.
Based on the results of the special studies of the TSOI, information protection measures are specified. If necessary, appropriate changes are made to the technical project, which are agreed upon with the design organization and the customer.
Certified technical, software, and software-hardware information protection tools are purchased and installed in accordance with the technical project.
The security service (specialist) organizes control over the implementation of all information protection measures provided for by the technical project.
During the installation and assembly of the TSOI and information security equipment, special attention should be paid to ensuring the security of the protected object.
The main recommendations for this period include the following [1, 2, 4 – 9]:
- organization of security and physical protection of the premises of the information technology facility and designated premises, excluding unauthorized access to the TSOI, their theft and disruption of functionality, theft of information carriers;
- when carrying out reconstruction of the facility, control and registration of persons and vehicles arriving and leaving the area of the work being carried out must be organized;
- it is recommended to organize access of builders to the area and the building using temporary passes or daily lists;
- copies of construction drawings, especially floor plans of premises, power supply line diagrams, communication lines, security and fire alarm systems, etc., must be accounted for, and their number must be limited. Upon completion of installation work, copies of drawings, plans, diagrams, etc. must be destroyed in accordance with the established procedure;
- it is necessary to ensure that components and construction materials are stored in a guarded warehouse;
- it is not recommended to allow installation operations and finishing work to be performed by lone workers, especially at night;
- at the stage of finishing work, it is necessary to ensure night security of the building.
Some measures to organize control during this period include:
- before installation, it is necessary to ensure a covert check of all installed structures, especially installation equipment, for the presence of various kinds of marks and differences between them, as well as embedded devices;
- it is necessary to organize a periodic inspection of the areas of the allocated premises in the evening or outside working hours in the absence of builders in order to identify suspicious areas and places;
- organize control over the progress of all types of construction work on the territory and in the building. The main function of control is to confirm the correctness of the technology of construction and installation works and their compliance with the technical project;
- organize inspection of places and sections of structures that, according to the technology, are to be covered by other structures. Such control can be organized openly, under the pretext of checking the quality of installation and materials, or covertly;
- it is necessary to carefully check that the installation diagrams and the number of wires laid comply with the technical design. Particular attention should be paid to the stage at which wired communications and cables are brought into the area of the allocated premises. All backup wires and cables laid must be marked on the plan-diagram, indicating their start and end points.
When conducting inspection, special attention should be paid to the following points:
- changes in the number of work crews not agreed with the customer and changes in their personnel, especially during lengthy operations of the same type;
- the presence of deviations from the agreed or standard technology of construction and installation works;
- unacceptably long delays in the execution of standard installation operations;
- unexpected replacement of types of building materials and structural elements;
- change in the schemes and order of installation of structures;
- carrying out work during lunchtime or outside working hours, especially at night;
- psychological factors of the behavior of individual builders in the presence of supervisors, etc.
Before installing furniture and interior items in designated areas and IT facilities, technical devices and office equipment must be checked for the absence of embedded devices. At the same time, it is advisable to check the technical equipment for levels of side electromagnetic radiation. It is advisable to carry out such a check in a specially equipped room or in an intermediate warehouse.
After finishing, it is recommended to conduct a comprehensive analysis of the building for the possibility of information leakage through acoustic and vibration channels. Based on the results of measurements, taking into account the actual situation regarding the security regime, additional recommendations should be developed to strengthen security measures if there is a failure to meet security requirements.
Before the installation of the TSZI and information protection equipment, the customer determines the departments and persons planned to be appointed responsible for the operation of the TSZI. During the installation of the protection equipment and its trial operation, the appointed persons are trained in the specifics of information protection work.
Together with representatives of the design and installation organizations, the persons responsible for the operation of the TSZI develop the operational documentation for the information technology facility and the allocated premises (technical passports of facilities, instructions, orders and other documents).
The technical passport for the protected object is developed by the person appointed responsible for the operation and security of information at the given object, and includes:
- an explanatory note containing the information characteristics and organizational structure of the protected object, information on organizational and technical measures to protect information from leakage through technical channels;
- a list of information technology objects subject to protection, indicating their locations and the established protection category;
- a list of allocated premises subject to protection, indicating their location and the established protection category;
- a list of installed TSOI, indicating the availability of a certificate (operation order) and the locations of their installation;
- a list of installed VTSS, indicating the availability of a certificate and the locations of their installation;
- a list of installed technical means of information protection, indicating the availability of a certificate and the locations of their installation;
- a diagram (to scale) indicating the plan of the building in which the protected facilities are located, the boundaries of the controlled area, the transformer substation, the grounding device, the routes for laying utility lines, power lines, communications, fire and security alarms, the locations of the installation of separating devices, etc.;
- technological floor plans of the building (to scale) indicating the locations of information technology facilities and allocated rooms, the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
- plans of information technology facilities (to scale) indicating the locations of the installation of the TSOI, VTSS and the laying of their connecting lines, as well as the routes for laying utility lines and external conductors;
- a plan-diagram of utility lines for the entire building, including the ventilation system;
- a plan-diagram of the grounding system of the facility, indicating the location of the grounding conductor;
- a plan-diagram of the power supply system of the building indicating the location of the isolating transformer (substation), all boards and junction boxes;
- a plan-diagram of the laying of telephone communication lines indicating the locations of distribution boxes and the installation of telephone sets;
- a plan-diagram of security and fire alarm systems indicating the installation locations and types of sensors, as well as distribution boxes;
- schemes of active protection systems (if provided).
The following are attached to the technical passport:
- operating instructions (certificates of compliance with information security requirements) of the TSOI;
- certificates of compliance with information security requirements for technical means of information protection;
- certificates of concealed works performed;
- measurement protocols for sound insulation of allocated rooms and shielding efficiency of structures and cabins;
- measurement protocols for the value of ground resistance;
- protocols for measuring the actual attenuation of information signals to the locations of possible deployment of intelligence assets.
After the installation and assembly of technical means of information protection, their trial operation is carried out in combination with other technical and software means in order to check their operability as part of an information technology facility and to develop the technological process of processing (transmitting) information.
Based on the results of the trial operation, acceptance tests of the means of information protection are carried out with the execution of a corresponding act.
Upon completion of the commissioning of the STZI, certification of the information technology facilities and allocated premises according to security requirements is carried out. It is a procedure for officially confirming the effectiveness of the complex of measures and means of information protection implemented at the facility.
If necessary, by decision of the head of the organization, work may be carried out to search for electronic devices for data collection (“bugs”), possibly embedded in designated premises, carried out by organizations that have the appropriate licenses from the FSB of Russia.
During the operation period, special surveys and inspections of designated premises and information technology facilities must be periodically carried out. Special surveys must be carried out under a cover story for the employees of the organization or in their absence (the presence of a limited number of people from among the organization's managers and security service employees is allowed).
Literature
1. Abalmazov E.I. Methods and engineering and technical means of counteracting information threats. — M.: Grotek, 1997, p. 248.
2. Gavrish V.F. Practical guide to protecting commercial secrets. — Simferopol: Tavrida, 1994, p. 112.
3. GOST R 51275-99. Information protection. Informatization object. Factors affecting information. General provisions. (Adopted and put into effect by the Resolution of the State Standard of Russia dated May 12, 1999, No. 160).
4. The Doctrine of Information Security of the Russian Federation (Adopted on September 9, 2000 PR-1895).
5. Organization and modern methods of information protection. Information and reference manual. Moscow: Association «Security», 1996, p. 440.
6. Counteracting economic espionage: a collection of publications from the journal «Information Protection. Confident» 1994 — 2000. — St. Petersburg: Confident, 2000, p. 344.
7. Maksimov Yu.N., Sonnikov V.G., Petrov V.G. et al. Technical methods and means of information protection. St. Petersburg: Publishing House Polygon, 2000, p. 320.
8. Torokin A.A. Engineering and technical information protection: A textbook for students studying in specialties in the field of information security. – M.: Gelios ARV, 2005, p. 960.
9. Khorev A.A. Methods and means of information protection: Textbook. – M.: Ministry of Defense of the Russian Federation, 2000, p. 316.