Organization of confidential office work.


V. Pankratyev


As a rule, the least attention is paid to the organization of confidential office work in information security, although obtaining confidential information through gaps in office work is the simplest and most cost-effective way to obtain information.

Components of office work:

  • paper office work;
  • electronic office work;
  • systems for interaction and coupling of paper and electronic office work.

When maintaining confidential office work, the following rules must be observed:

  • assignment and removal of the confidentiality classification must be carried out by the company's management;
  • mandatory registration and accounting of all confidential documents, as well as their transfer to the executor against signature in the register;
  • control not only of documents containing confidential information, but also of papers with seals, stamps, forms, especially strict reporting forms containing a unique number, registered in the established manner and having a special mode of use;
  • organizational separation of confidential office work from ordinary work;
  • the confidentiality classification of a document is assigned according to the highest degree of confidentiality of the information contained in it;
  • confidential documents are created in isolated, specially equipped rooms; documents are received and issued through a special window that does not open onto a common corridor, or through a barrier that restricts access to the workplaces of persons creating confidential documents;
  • destruction of confidential documents, including drafts, in paper shredding machines in the presence of several people and with appropriate notes in the confidential document destruction logs. If there are a large number of documents, they may be burned;
  • prohibition of taking confidential documents out of the controlled area;
  • only persons who have entered into appropriate agreements on non-dissemination of commercial secrets are allowed to work with confidential documents;
  • storage of confidential documents only in safes;
  • in files or archives, confidential documents must be stored separately from open ones; upon completion of the registration of files, a record is made on the last sheet about the number of numbered sheets in it, certified by the appropriate signature and seal;
  • include in documents only the minimum necessary confidential information;
  • the distribution of confidential documents must be justified and kept to a minimum;
  • the accounting system (manual or computer) of confidential documents must provide the necessary conveniences for searching and monitoring the location of each confidential document;
  • organizationally exclude unjustified familiarization with documents by persons who do not have the necessary authority;
  • sending confidential documents shall be carried out only by registered or valuable mail, through special communication channels, or delivery of correspondence shall be carried out by courier from among employees authorized to work with such documents;
  • control over the use of copying and duplicating equipment, as well as blocking of input-output systems on computers that process confidential information;
  • organization of periodic audit of office work.

Procedure for creating paper office work

Stage 1 — creation of the Secretariat (the department responsible for office work) or introduction of a position whose functional responsibilities will include ensuring the office work of the organization.

Stage 2 — purchase of the necessary supplies for the functioning of office work (safes, seals, equipment of premises, etc.).

Stage 3 — creation of the necessary regulatory documents (instructions, job responsibilities, etc.).

Stage 4 — dissemination of regulatory documents to employees within the framework of functional responsibilities.

Stage 5 — creation of mechanisms for monitoring compliance with office work.

Stage 6 — creation of a mechanism for liability for violation of office work rules.

Office work must be organized in accordance with GOSTs applied in the Russian Federation. Basis — GOST 6.30-97 «Unified documentation systems. System of organizational and administrative documentation. Requirements for document execution».

Procedure for creating confidential paper records management

Stage 1 — creation of regular paper records management.

Stage 2 — definition of the list of confidential information and documents containing confidential information. Division of information into several groups according to the degree of confidentiality (for example: strictly confidential, confidential, for official use).

Stage 3 — approval of the list of confidential information by management, as well as determination of the procedure and terms for re-approval of this list, as well as reduction and removal of the confidentiality classification.

Stage 4 — determination of the rules for confidential paperwork based on general paperwork.

Stage 5 — determination of the procedure for admitting employees to confidential information.

Stage 6 — concluding confidentiality agreements between employees who will be allowed to work with confidential information and the organization's management.

Stage 7 — creating the necessary regulatory documents (instructions, job responsibilities, etc.).

Stage 8 — disseminating regulatory documents to employees within the framework of their functional responsibilities.

Stage 9 — creating mechanisms for monitoring compliance with confidential office work.

Stage 10 — creating a mechanism for liability for violating the rules of confidential office work.

Components of paperwork:

Paperwork related to standard but specific tasks:

  • accounting;
  • constituent documents;
  • legal procedural documents;
  • contractual documents, etc.

Paperwork related to current activities:

External paperwork:

  • delivery of incoming correspondence (on paper, by fax, etc.);
  • sending outgoing correspondence (on paper, by fax, etc.);

Internal office work:

  • storage of documents:
    • storage of documents with employees;
    • storage of documents in the Secretariat;
  • creation of documents by the contractor;
  • publication of regulatory documents by the organization's management (orders, instructions, etc.);
  • registration of the document in the Secretariat;
  • document movement within the organization. Creation of a registry system for document transfer;
  • document reproduction (making copies);
  • control over document execution;
  • creation of document archives. Expertise of document value. Possibility of using documents in the work, defined in the archive;
  • destruction of documents.

Required regulatory documents for the functioning of office work, including confidential:

Regulatory and legal documents of the organization with amendments and additions related to the safety of confidential information:

  • Charter of the organization;
  • «Collective agreement»;
  • Internal labor regulations for employees;
  • Employment contract;
  • Concluded contracts.

Agreement between the management of the organization and the employee on the preservation of confidential information.

Instructions for ensuring the safety of confidential information in the organization.
Approximate outline of the instruction:

  • general provisions;
  • definition of information and designation of documents containing confidential information and the terms of its validity;
  • organization of work with confidential documents;
  • procedure for the preservation of documents, files and publications containing confidential information;
  • procedure for access to information constituting confidential information;
  • control over the fulfillment of requirements within the object mode when working with information containing confidential information;
  • responsibilities of the organization's employees working with information representing confidential information, and their responsibility for its disclosure.

Instructions for organizing office work. The instruction should consist of the following sections:

  • general provisions;
  • rules for drafting and processing documents;
  • drawing up and processing the main types of documents;
  • organization of document flow:
    • procedure for movement and processing of incoming documents;
    • procedure for movement and processing of outgoing documents;
    • procedure for movement and processing of internal documents;
  • registration of documents;
  • control over execution of documents;
  • systematization of documents;
  • development of a nomenclature of cases;
  • formation of cases;
  • preparation of documents for archival storage;
  • examination of the value of documents;
  • description of documents of permanent and temporary storage periods;
  • ensuring the safety of files;
  • transfer of files to the archive;
  • appendices:
    • approximate list of documents not subject to registration;
    • list of documents on which a seal is placed;
    • list of documents subject to approval;
    • list of documents subject to coordination;
    • form of registration and control card;
    • list of documents subject to control over execution, indicating storage periods;
    • act on the allocation of documents with expired storage periods for destruction;
    • internal inventory of case documents;
    • inventory of cases transferred for archival storage.

Instructions on confidential office work, defining:

  • procedure for removal and introduction of confidential documents in relation to the protected area;
  • procedure for working with confidential documents outside office premises;
  • the procedure for producing and using organization forms, seals and stamps;
  • the procedure for using strict reporting forms (organization forms prepared under the signature of the organization's top officials);
  • the procedure for transferring confidential documents in the event of going on vacation, a business trip or dismissal from work;
  • the procedure for preparing confidential documents and coordinating them, including with lawyers, financiers and proofreaders, as well as the procedure for signing confidential documents;
  • the procedure for sending confidential documents outside controlled premises.

Regulations on the Secretariat (the unit responsible for paper and electronic office work).

Job responsibilities of the Secretariat employees to ensure office work.

Corporate confidential electronic office work should consist of the following interconnected systems:

  • electronic confidential document management systems;
  • systems for protecting information circulating in the electronic confidential document management system;
  • systems for electronic confidential information storage;
  • systems for interfacing confidential electronic and paper document management.

The electronic confidential document management system must provide for the following capabilities:

  • the ability to create electronic documents using text editors, including the creation of electronic documents using standard forms;
  • the ability to create composite electronic documents consisting of several files of different formats;
  • the ability to create electronic documents by scanning a paper document;
  • the ability to create electronic documents using other electronic data obtained via:
    • e-mail;
    • corporate computer network;
    • computer information input devices (disk drives, etc.).
  • working with electronic documents of various formats (text, graphic, etc.).
  • creating a registration card of an electronic document, linking the registration card with the electronic document and assigning the necessary details, including:
    • date of creation, receipt, execution;
    • registration number;
    • last name, first name, patronymic of the performer, addressee;
    • access rights;
    • degree of confidentiality;
    • number of sheets, etc.
  • division of documents by degree of confidentiality, assignment of a confidentiality classification to each document and delimitation of the rights of users to work with confidential documents on a mandate basis.
  • receiving and sending electronic documents (document flow) via a corporate computer network, as well as by e-mail.
  • work with interrelated documents, maintaining the ability to establish links between accounting cards or documents that are related thematically, canceling or complementing each other (for example, using hyperlinks with the ability to view a chain of interrelated documents).
  • controlling the movement of electronic documents on the network and controlling familiarization with electronic documents, as well as controlling the copying, editing and reproduction of electronic documents.
  • implementation of control functions (control over the execution of resolutions, instructions, deadlines, etc.), as well as the possibility of an alarm mode as an integral part of control.
  • search for electronic documents by:
    • details;
    • keywords;
    • content;
    • date of creation;
    • control dates;
    • performer, etc.
  • analysis of electronic documents by:
    • subject matter;
    • issues;
    • performers;
    • resolutions;
    • date of creation, etc.
  • duplication (archiving) of electronic documents with a given frequency, as well as maintaining systematized electronic archives of documents, their images, accounting cards with the ability to search and analyze.
  • separation of confidential and open electronic office work.

The system of confidential electronic information storage should provide for the ability to:

  • systematize documents of various types and forms received by the storage facility and streamline work with them;
  • guarantee the preservation of documents in storage arrays, freeing employees from this function;
  • track the movement of documents issued to employees, control and ensure their return (physical documents) and destruction of issued electronic copies;
  • ensure effective search for the necessary documents in the storage facility by identification features;
  • organize a low-cost technology for issuing documents to employees and returning documents to the storage facility;
  • reduce the number of documents that the performer has at the same time by quickly retrieving them from the repository;
  • simplify work with documents in the repository and reduce the time spent on their selection and analysis due to a user-friendly interface in interactive mode;
  • ensure the security of documents during their storage, transfer to storage or retrieval from storage through the use of modern technologies and information security tools, as well as user access control.

The system for protecting confidential electronic records management should consist of the following interconnected blocks:

  • a block of technical (software) means for protecting electronic records management;
  • a block of technical means for protecting electronic records management associated with the neutralization of side electromagnetic radiation and interference;
  • a block of methods for protecting electronic office work related to the human factor and solving personnel issues;
  • a block of organizational methods for protecting electronic office work.

The block of technical (software) means for protecting electronic office work must be multi-level. The most effective system is one consisting of 3 levels:

Level 1 — information protection systems provided by the software on which the computer network operates (Windows, Office protection tools, etc.);

Level 2 — information security systems built into the electronic office work system itself;

Level 3 — information security systems additionally installed in the computer network on the server and at the user's workstations.

The block of technical (software) means of protecting electronic office work must provide for:

  • cryptographic protection of computer information on magnetic media (hard drives, diskettes, Zip, CD-ROM, etc.), including the creation of protected «digital safes» for users on the server;
  • protection of information (including cryptographic methods) when transmitted over a corporate computer network;
  • protection of information (including cryptographic methods) when transmitted by e-mail;
  • protection of computer information from unauthorized access;
  • protection of a computer network when working on the global information network Internet (ideally, a separate computer operating in stand-alone mode is required to work with the Internet, as well as with e-mail);
  • mandatory principle of user access to information resources of electronic office work, including:
    • control and protection of an electronic document from viewing;
    • control and protection of an electronic document from editing and cancellation of protection from editing;
    • control and protection of an electronic document from copying and printing on printers;
    • dividing users into groups and granting each group the ability to work only with electronic documents of a certain confidentiality classification;
  • control of the integrity and authenticity of the electronic document, as well as confirmation of the authorship of the performer using an electronic digital signature;
  • protection from malware (viruses);
  • password protection for turning on the machine, accessing the hard drive and/or opening application program files with periodic changes to the passwords used.
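
The registration card and the mandatory access principle described above can be sketched together; this is an added example, not part of the original article or of any real document management product. All names (`RegistrationCard`, `Group`, `request`), the `OPEN` level and the rule that a higher clearance also covers lower classifications are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Groups named in the article, ordered; OPEN is an assumed lowest level."""
    OPEN = 0
    FOR_OFFICIAL_USE = 1
    CONFIDENTIAL = 2
    STRICTLY_CONFIDENTIAL = 3


@dataclass
class RegistrationCard:
    """Registration card linked to one (possibly composite) electronic document."""
    reg_number: str
    performer: str
    sheets: int
    part_levels: list                      # level of each file in the document
    access_log: list = field(default_factory=list)

    @property
    def level(self) -> Level:
        # The document takes the highest classification of anything it contains.
        return max(self.part_levels, default=Level.OPEN)


@dataclass(frozen=True)
class Group:
    """User group: clearance plus the operations it may perform (assumed policy)."""
    name: str
    clearance: Level
    operations: frozenset


OPERATIONS = frozenset({"view", "edit", "copy", "print"})


def request(user: str, group: Group, card: RegistrationCard, op: str) -> bool:
    """Mandatory check: the group's clearance must cover the card's level and
    the operation must be granted to the group. Every decision is logged."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation: {op}")
    allowed = group.clearance >= card.level and op in group.operations
    card.access_log.append((user, card.reg_number, op, "granted" if allowed else "denied"))
    return allowed


def demo():
    # Constructed sample data: a composite document whose annex is more sensitive.
    card = RegistrationCard("K-0001", "Ivanov", 12,
                            [Level.FOR_OFFICIAL_USE, Level.STRICTLY_CONFIDENTIAL])
    clerks = Group("clerks", Level.CONFIDENTIAL, frozenset({"view", "print"}))
    board = Group("board", Level.STRICTLY_CONFIDENTIAL, frozenset({"view"}))
    results = [request("petrov", clerks, card, "view"),   # clearance too low
               request("sidorov", board, card, "view"),   # cleared, op granted
               request("sidorov", board, card, "print")]  # cleared, op not granted
    return card.level, results, card.access_log


if __name__ == "__main__":
    print(demo())
```

Denied requests are logged alongside granted ones, which gives the control over familiarization, copying and printing that the list of system capabilities calls for.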

Systems for interfacing electronic and paper office work consist of:

  • a system for converting a paper document into an electronic document;
  • a system for converting an electronic document into a paper document;
  • a system for electronic control over paper document flow;
  • a system for parallel circulation of the same document in electronic and paper form.

It seems appropriate to carry out the circulation of documents within the organization in electronic form. Documents received in paper form from outside are scanned and further work with them is carried out electronically. Electronic documents received from outside are processed in the organization electronically. Before sending, outgoing documents (letters, faxes) are converted from electronic to paper representation and they are sent in the usual ways. If necessary, it is possible to send a document in electronic form.

About the author: Vyacheslav Vyacheslavovich Pankratyev, teacher of the course «Corporate Security» at:

  • Institute of Business and Business Administration of the Academy of National Economy under the Government of the Russian Federation;
  • Higher School of International Business of the Academy of National Economy under the Government of the Russian Federation;
  • Higher School of Corporate Management of the Academy of National Economy under the Government of the Russian Federation;
  • The Center for Technology Commercialization of the Russian Academy of National Economy under the Government of the Russian Federation;
  • The Center for International Business and Regional Development of the Russian Academy of National Economy under the Government of the Russian Federation;
  • The Russian Academy of National Economy under the Government of the Russian Federation (Faculty of Academic Educational Programs);
  • The Russian Academy of National Economy under the Government of the Russian Federation (Faculty of Finance and Banking);
  • The Russian Academy of National Economy under the Government of the Russian Federation (Faculty of Public Administration);
  • The Higher Commercial School of the Ministry of Economic Development and Trade of the Russian Federation;
  • The Higher School of Business of Moscow State University;
  • The Classical Business School (before 2000)

This material is part of a methodological manual on corporate security published by the author. For questions about ordering the full text of the methodological manual, as well as for questions about teaching and consultations, you can contact the author by E-mail: kotakkel2@mtu-net.ru.
