Organization of protection of commercial secrets at the enterprise.
Source: pps.ru
To ensure the protection of intellectual property at enterprises, a certain procedure for working with information and access to it is introduced, including a set of administrative, legal, organizational, engineering, financial, socio-psychological and other measures based on the legal norms of the republic or on the organizational and administrative provisions of the head of the enterprise (firm).
Effective protection of commercial secrets is possible with the mandatory fulfillment of a number of conditions:
- unity in resolving production, commercial, financial and security issues;
- coordination of security measures between all interested divisions of the enterprise;
- scientific assessment of information and objects subject to classification (protection);
- development of security measures before the start of security work;
- personal responsibility (including financial responsibility) of managers at all levels and of performers involved in classified work for ensuring the safety of secrets and maintaining the security regime of the work at the proper level;
- inclusion of the main responsibilities of workers, specialists and administration to comply with specific requirements of the regime in a collective agreement, contract, labor agreement, work regulations;
- Organization of special office work, storage procedure, transportation of carriers of commercial secrets. Introduction of appropriate marking of documents and other carriers of classified information;
- Formation of a list of persons authorized by the head of the enterprise (firm) to classify information and objects containing data constituting the commercial secret (CT);
- Optimal limitation of the number of persons admitted to the CT;
- Availability of a single procedure for access and issuing passes;
- Compliance with requirements for ensuring the preservation of CT during the design and placement of special premises; in the process of R&D, testing and production of products, sales, advertising, signing contracts, during particularly important meetings, during the use of technical means of processing, storing and transmitting information, etc.;
- Organization of interaction with government authorities that have the authority to control certain types of activities of enterprises and firms;
- Presence of security, access control and intra-facility regimes;
- Planned development and implementation of measures to protect CT, systematic monitoring of the effectiveness of the measures taken;
- Creation of a system for training performers in the rules for ensuring the safety of CT.
When organizing the protection of commercial secrets, property and financial assets, the director (president) of the enterprise (firm) is guided primarily by economic feasibility. Here it is necessary to take into account two points: 1) the costs of ensuring economic security should, as a rule, be less in comparison with the possible economic damage and 2) the planned security measures contribute, as a rule, to increasing the economic efficiency of entrepreneurship.
The central place in the organization of ensuring the economic security of an enterprise (firm) is occupied by the choice of the structure of the service, which allows for the effective resolution of these issues.
At enterprises with an insignificant volume of information constituting the CT, as well as goods and money, the management of the security regime can be carried out by the head of the enterprise (firm) himself or, concurrently, by an employee appointed by his order, who has the relevant work experience. The security service (SS) of the enterprise (firm), as a rule, reports directly to the head of the enterprise and is created by his order.
It is a structural unit of the enterprise, directly involved in production and commercial activities. The activities of the SS are carried out in cooperation with the structural divisions of the enterprise.
The structure and staff of the Security Service, depending on the volume of work and the specifics of production and commercial activities, are determined by the head of the enterprise and, in the opinion of the authors, should be staffed with engineering and technical workers, specialists in the main profile of the work of this enterprise (firm), as well as specialists with practical experience in protecting information or working with various groups of people. The appointment to the position of the head (deputy) of the Security Service of the enterprise (firm), as well as his dismissal, is carried out only by the head of the enterprise.
The above and other requirements are included in the Regulation on the Security Service, which is developed at the direction of the director.
The optimal structure of the Security Service can be determined by analyzing all the functions of ensuring economic security and selecting from the entire complex those that most adequately correspond to the production and commercial activities of the enterprise (firm).
To support this stage of the work, the most complete set of functions performed by economic security services, with the involvement of enterprise specialists, is given below.
Functions for the protection of commercial secrets.
- Development of criteria for identifying valuable information subject to protection.
- Determination of intellectual property objects subject to protection.
- Selection of protection methods (patenting, copyright, trade secret).
- Development of the List (additions to the list) of information constituting intellectual property for subsequent approval.
- Establishment of rules for admission and development of a permit system for access to information constituting intellectual property.
- Drawing up lists of persons (lists of positions) authorized to work with specific components of a commercial secret.
- Determining the list of positions (persons) authorized to classify information.
- Establishing rules and procedures for classifying, marking documents and other information carriers, as well as removing them from the sphere of limited access (declassification).
- Development and implementation of a unified procedure for handling information carriers (creation technologies, accounting, operating rules, storage, forwarding, transportation, duplication, destruction).
- Drawing up a plan for the placement and accounting of premises in which, after appropriate certification, permanent or temporary storage of CT carriers, work with them, and holding closed meetings are permitted. Establishing a unified procedure for accessing these premises.
- Planning, implementation and control of measures, with the direct participation of heads of structural divisions and specialists who have access to CT, during all types of work that use classified information and classified media.
- Providing methodological assistance to heads of enterprise departments in developing and implementing measures to protect information in the process of scientific, design, production and other activities (what technological security measures should be used; what changes in technology should be made; what requirements are advisable to include in the terms of the contract; what information should be protected even when the product enters the market, etc.).
- Development and implementation, together with specialists, of measures to prevent the disclosure of CT at the stages of:
  - preparation of materials intended for publication in the open press, for use at conferences, exhibitions, in advertising activities (similar measures are carried out with respect to samples of products containing CT);
  - preparation of documents (samples) for transfer to the customer (co-contractor).
- Organization with the participation of performers and specialists of the enterprise of protective measures during testing, storage, transportation, destruction of products containing CT.
- Development of the procedure and control over the holding of closed meetings.
- Determination of security measures for the reception of representatives of other companies, business travelers, representatives of regulatory authorities.
- Participation together with the enterprise specialists in the development of measures to ensure security in the process of using technical means of information transmission — computers (personal computers), as well as a system to counter technical means of industrial espionage.
- Organization of enterprise security, special premises, storage facilities, introduction of access control and internal facility regimes (access control to premises).
- Formation of proposals for the installation of technical security equipment (TSE), organization of work on their installation, operation and repair.
- Participation in the selection and placement of employees admitted to CT, development of measures to reduce staff turnover.
- Development of regulations, instructions, rules, methods, etc. to ensure the work regime for performers of closed work, security specialists (imperfection of the developed standards is one of the main reasons for leaks).
- Organization and participation in the training of persons admitted to CT (drawing up a training program, taking tests on knowledge of the relevant requirements of the regime).
- Planned formation, together with the heads of departments and taking into account the specific situation, of a conscious attitude among employees toward ensuring the protection of information, in the process of organizational and preventive work.
- Development of measures to prevent the unauthorized destruction of information carriers, including in automated systems for storing, processing and transmitting information.
- Monitoring compliance with security requirements: conducting analytical studies to assess the reliability of measures taken to protect CT and developing proposals to improve security efficiency.
- Conducting official investigations into violations of the CT handling regime.
Functions to ensure the protection of the enterprise's property (taking into account its features and vulnerability).
- Defining the enterprise's security system, the location of posts, technical security equipment (TSE), fire-fighting automation, and communications.
- Allocation of premises (areas) where inventory items (money) are stored and implementation of measures to increase the reliability of their physical protection through the heads of the relevant departments.
- Determination of areas vulnerable to explosions and fires, the failure of which can cause serious damage to the enterprise and development of measures to neutralize threats.
- Determination of process equipment, the failure of which can lead to major economic losses, and development of measures to neutralize threats.
- Identification of vulnerable points in the production cycle technology, unauthorized changes to which may lead to loss of quality of manufactured products and cause material damage, and taking appropriate measures.
- Development, implementation and maintenance of the pass and facility regime in the protected area (procedure and time of admission of workers and visitors to the enterprise territory, including on holidays; procedure for the import (carrying in) or removal (carrying out) of material assets, finished products, materials, etc.; location and number of control passages and driveways; premises and divisions, access to which is restricted; system of passes and documentation).
- Development of documents regulating the administrative and legal basis of activities on protection of the property assets of the enterprise (regulations on protection; instructions on the procedure for ensuring the safety of the material and documentary assets of the enterprise; instructions on the pass and internal facility regime).
- Communicating requirements (relevant adjustments) on security, access control and internal facility regimes to the employees of the enterprise.
- Control of execution and analysis of the state of reliability of storage of material assets, security, access control and internal facility regimes.
- Conducting official investigations into violations of the procedure for working with property assets.
- Organization of interaction with federal security agencies and internal affairs agencies to ensure the economic security of the enterprise (taking into account the competence of these agencies).
Functions to ensure the safety of the enterprise's personnel.
- Development of measures to ensure the physical protection of personnel; organization of security (personal security, vehicle security), access control and internal facility regimes; establishment of an appropriate procedure for receiving visitors, the work of secretaries-referents, etc.
- Providing personnel with means of technical protection against unauthorized entry into premises (offices), cars, parking lots, apartments to record attempts at criminal activity (installation of tape recorders, movie cameras), for covert communication between the manager and the enterprise security.
- Defining a list of information that is not subject to disclosure (not included in the CT) to third parties.
- Collection by the Security Service of information on signs characteristic of specific types of threats to personnel (employees).
- Ensuring control over the implementation of repair and preventive work carried out by third-party organizations at the enterprise (if necessary, special inspections are carried out after the completion of work on these premises, vehicles, devices, instruments).
- Preparing personnel for actions in extreme situations (developing skills for assessing information, appropriate standards of behavior and decision-making).
- Training personnel and their family members to identify signs indicating the preparation of actions directed against them.
- Legal training of personnel: legal possibilities of protection against a criminal (norms of necessary defense, extreme necessity).
- Establishing and maintaining practical forms of interaction between the Security Service and law enforcement agencies to ensure personnel safety (upon receipt of data on unlawful actions being prepared or already taken against personnel, affecting issues of ensuring the economic security of the enterprise, etc.).
Information support for the enterprise's activities.
- Legally competent and economically safe information services for the enterprise's activities in the labor market, interaction with the public and the press.
- Ensuring the reliability of cooperative relations, eliminating both one-sided dependence and business contacts with unscrupulous business partners and intermediaries.
- Participation in the preparation and implementation of special information campaigns that enhance the company's reputation in the eyes of partners, the public, and government bodies (including in relation to the Security Service in forming the environment's belief in the strength and effectiveness of its protection activities).
- Together with other divisions of the enterprise, obtaining analytical information about competitors regarding their possible preparation and implementation of events classified as unfair competition, and developing measures to neutralize them.
- Planning organizational measures for collecting and evaluating information in the interests of ensuring stable and efficient operations of the enterprise (list of issues on which information collection is necessary, who, how and when collects it).
- Development of measures for accumulation, storage, use, accelerated delivery of valuable information to performers, including classified documents and information.
- Information support for the activities of the Security Service to obtain data on impending attacks on the interests of the enterprise.
- Receiving and summarizing open publications on issues of ensuring the economic security of enterprises and developing proposals based on them.
Having selected from the list those functions whose implementation would ensure reliable protection of the enterprise (firm), the manager determines the structure and quantitative composition of the Security Service.
With an optimal structure of the Security Service, its employees must cover all the functions assigned to this unit. At the same time, duplication of actions and workload of employees are excluded.
The director of the enterprise (firm) may grant the following rights to the Security Service:
- to make proposals to prohibit work with documents containing CT, as well as to change the procedure for storing or transporting goods and other valuables when violations are identified that could result in economic damage;
- to monitor, with the involvement of enterprise specialists, the condition and reliability of protection of closed works, property and funds;
- to submit a petition to remove specific employees of the enterprise (firm) from conducting closed work, negotiations with other firms, transportation, storage, and protection of property;
- to coordinate measures developed by the enterprise's divisions in order to ensure economic security;
- to provide, within the framework of their competence, mandatory recommendations to the heads of divisions and employees; to conduct training and instruction for employees on issues of ensuring the economic security of the enterprise;
- by order of the director of the enterprise (firm), to participate in or independently conduct an investigation into the facts of disclosure of CT, loss of documents and products, theft of goods, other valuables, as well as gross violations of the established economic security regime of the enterprise.
Decisions and organizational and administrative documents on issues of the relationship of the Security Service with other divisions of the enterprise, if necessary, are formalized by orders of the director. All employees of the enterprise must know about the existence of such a division and its powers. This is explained primarily by the fact that even an employee of the enterprise who does not work with CT can become the creator of valuable information that requires immediate protection.
The security service of the enterprise (firm) reports directly to the head of the enterprise and is created in accordance with his order.
The security service is a structural unit of the enterprise directly involved in production and commercial activities. The work of this department is carried out in cooperation with the structural divisions of the enterprise.
The structure and staff of the Security Service, depending on the scope of work and the specifics of production and commercial activities, are determined by the head of the enterprise and, as a rule, must be staffed with engineering and technical workers—specialists in the main profile of the work of this enterprise (firm), as well as specialists with practical experience in protecting information or working with various groups of people. The appointment to the position of the head (deputy) of the Security Service of the enterprise (firm), as well as his dismissal, is carried out only by the head of the enterprise.
In carrying out the tasks assigned to the Security Service, its employees use various forms and methods in their work: issuing organizational, administrative and methodological documentation, conducting comprehensive and targeted inspections in the enterprise's divisions, hearing reports from managers of the appropriate level on the state of the regime in the division, various forms and methods of preventive work, etc.
The head of the security service regularly reports on his work to the director of the enterprise within the established timeframes.
When starting to develop a system of measures to ensure the protection of the economic security of the enterprise, its manager (or the head of the Security Service) must receive answers to the following questions:
- what exactly needs to be protected (guarded), from whom and when?
- who organizes and ensures protection (security)?
- how to evaluate the effectiveness and sufficiency of protection (security)?
For illustration purposes, let's consider the stages of organizing a system for protecting commercial secrets.
- The subject of protection is determined. A List of information constituting the CT is developed, in which the most valuable information requiring special protection is highlighted, and the requirements for the protection of other enterprises (firms) participating in joint work are taken into account.
- The periods of existence of specific information as CT are established.
- The following categories of valuable information carriers are distinguished: personnel, documents, products and materials; technical means of storing, processing and transmitting information; physical radiation. To make the developed protection system easier to grasp, a diagram can be drawn up indicating specific employees aware of the commercial secret, names (categories) of classified documents and products, etc.
- The stages (phases) of work and the time of materialization of CT in information carriers are listed in relation to spatial zones (places of work with them inside and outside the enterprise). For example, R&D reports at the performers' workplaces; a log of the results of product tests on a test bench; an agreement signed abroad; speeches of participants in reporting meetings in specific offices; reproduction of classified documents in a copying area; product samples demonstrated at exhibitions, etc.
- A work plan is drawn up with specific information materialized in carriers, within the enterprise (firm) and outside it, and their expected movement. Possible movements not authorized by the enterprise, which can be used by competitors to acquire a commercial secret, are considered.
- Permitting subsystems for admission and access to specific information constituting the CT are developed (or adjusted) in the process of analysis.
- It is determined who implements the measures and who is responsible for protecting specific information and processes of work with classified data. Coordination measures are planned, specific performers are appointed.
- Actions are planned to activate and stimulate persons involved in protection.
- The reliability of the measures adopted for implementation to ensure protection is checked.
Analysis of the state of economic security efficiency includes:
- study and assessment of the actual state;
- identification of deficiencies and violations of the regime that may lead to the loss of physical carriers of secrets (valuable property) or disclosure of CT;
- establishment of the causes and conditions of the identified deficiencies and violations;
- development of provisions aimed at eliminating deficiencies and preventing violations.
The objects of analysis and control, depending on the tasks set, may be:
- compliance with the standards, rules for storage and security in premises, special storage facilities, and workplaces;
- recording and ensuring personal responsibility for the performance of this function;
- compliance with the procedure for storage, accounting, and destruction;
- compliance with the requirements of the handling procedure;
- measures to prevent unauthorized removal of CT media from the enterprise premises;
- compliance with the regime and security during transportation, mailing, delivery;
- organization of access of business travelers and invited persons to the enterprise's information;
- organization of meetings, exhibitions, negotiations, etc.;
- level of knowledge of the requirements of the regime of persons admitted to closed work and documents;
- degree of provision of the security service with reliable storage facilities, locking devices, sealing means;
- the level of provision of employees with appropriate workplaces for working with classified media;
- the state of the access and internal regime in buildings, premises, and the enterprise as a whole;
- the mechanism for distributing CT media by levels of execution and management;
- the validity of access to various types of media for specific groups of employees;
- the procedure for handling media in the workplace;
- the procedure for using the means of receiving, processing, storing, displaying, and transmitting information;
- the procedure for exchanging information within the enterprise and with external partners;
- timeliness and correctness of classification and disclosure of information;
- organization and holding of exhibitions, conferences, symposiums, etc.;
- quality of development of organizational and methodological documents, implementation of work plans and special measures for information protection;
- level and completeness of fulfillment of requirements of the enterprise management;
- state of preventive work with employees;
- level of organizational and methodological support for interaction between departments;
- time to search for and deliver information to performers.
The analysis includes modeling of various information leakage channels, possible methods and techniques for unauthorized receipt of classified information.
Foreign firms include the following among the most likely channels for leakage of classified information:
- joint activities with other firms, participation in negotiations;
- fictitious requests from outside about the possibility of working in the company in various positions;
- excursions and visits to the company;
- communications between sales representatives of the company about the characteristics of the product;
- excessive advertising;
- supplies from related companies;
- consultations of outside specialists who, as a result, gain access to the company's installations and documents;
- publications in the press and speeches;
- meetings, conferences, symposia, etc.;
- conversations in non-working areas;
- disgruntled employees of companies.
When organizing the protection of commercial secrets, the security service must take into account the following possible methods and ways of collecting information:
- questioning employees of the company being studied at a personal meeting;
- imposing discussions on issues of interest;
- sending questionnaires and survey forms to companies and individual employees;
- maintaining private correspondence of research centers and scientists with specialists.
In order to collect information, in some cases, representatives of competitors may use negotiations to determine prospects for cooperation and the creation of joint ventures.
The existence of such a form of cooperation as the implementation of joint programs that provide for the direct participation of representatives of other organizations in working with documents, visiting workplaces, expands the possibilities for making copies of documents, collecting various samples of materials, samples, etc. At the same time, taking into account the practice of developed countries, economic rivals may resort, among other things, to illegal actions, industrial espionage.
The following methods of obtaining information are most likely to be used:
- visual observation;
- eavesdropping;
- technical observation;
- direct questioning, spying;
- familiarization with materials, documents, products, etc.;
- collection of public documents and other sources of information;
- theft of documents and other sources of information;
- study of multiple sources of information containing the necessary information in parts.
Analytical studies and modeling of probable threats allow us to outline additional security measures if necessary. It is necessary to assess the probability of their implementation, the availability of methodological material, material support, and the readiness of the security service and personnel to implement them. When planning, the shortcomings in ensuring the safety of CT that have occurred at the enterprise are taken into account.
The planned activities should:
- facilitate the achievement of certain objectives, correspond to the general plan;
- be optimal.
They should not:
- contradict laws, requirements of the company manager (interests of cooperating firms);
- duplicate other actions.
The organization of the security system fits into the situation at the company. In this regard, it is extremely important to take into account both the fundamental changes already taking place in it and those that are expected.
Thus, the system for organizing the protection of CT includes a set of measures developed in advance for a certain period, covering a set of all types of activities aimed at improving the security of information taking into account changes in external and internal conditions and prescribing a certain procedure for specific individuals or departments.