ORGANIZING INFORMATION PROTECTION FROM LEAKAGE VIA TECHNICAL CHANNELS.

KHOREV Anatoly Anatolyevich, Doctor of Technical Sciences, Professor

General Provisions

Protected information refers to information that is the subject of ownership and is subject to protection in accordance with the requirements of legal documents or requirements established by the owner of the information.

This is, as a rule, restricted access information containing information classified as a state secret, as well as information of a confidential nature.

Protection of restricted information (hereinafter referred to as protected information) from leakage through technical channels is carried out on the basis of the Constitution of the Russian Federation, the requirements of the laws of the Russian Federation «On Information, Informatization and Information Protection», «On State Secrets», «On Commercial Secrets», other legislative acts of the Russian Federation, «Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», approved by RF Government Resolution of 15.09.93 No. 912-51, «Regulations on licensing the activities of enterprises, institutions and organizations for the performance of work related to the use of information constituting a state secret, the creation of information protection tools, as well as the implementation of measures and (or) the provision of services for the protection of state secrets», approved by RF Government Resolution of 15 April 1995 No. 333, «Regulations on state licensing of activities in the field of information protection», approved by RF Government Resolution of 27 April 1994 No. 10, “Regulations on licensing activities for the development and (or) production of means of protecting confidential information” approved by RF Government Resolution No. 348 of May 27, 2002, with amendments and additions of October 3, 2002 No. 731, “Regulations on the certification of information protection tools” approved by RF Government Resolution No. 608 of June 26, 1995, Resolutions of the Russian Government “On licensing activities for the technical protection of confidential information” (April 30, 2002 No. 290, with amendments and additions of September 23, 2002 No. 689 and February 6, 2003 No. 64), “On licensing certain types of activities” (February 11, 2002 No. 135), as well as “Regulations on the certification of information technology objects on information security requirements”, approved by the Chairman of the State Technical Commission of Russia on November 25, 1994, and other regulatory documents.

The requirements and recommendations of regulatory documents apply to the protection of state information resources.

When carrying out work to protect non-state information resources that constitute a commercial secret, banking secret, etc., the requirements of regulatory documents are advisory in nature.

The protection regime for restricted access information that does not contain information constituting a state secret (hereinafter referred to as confidential information) is established by the owner of information resources or an authorized person in accordance with the legislation of the Russian Federation.

In the following, we will consider methodological recommendations for organizing the protection of confidential information owned by non-governmental enterprises (organizations, firms).

Measures to protect confidential information from leakage through technical channels (hereinafter — technical protection of information) are an integral part of the activities of enterprises and are carried out in conjunction with other measures to ensure their information security.

Protection of confidential information from leakage through technical channels must be carried out by means of a set of organizational and technical measures that constitute the system of technical protection of information at the protected object (STPI), and must be differentiated depending on the established category of the information technology object or the allocated (protected) premises (hereinafter referred to as the protected object).

Organizational measures to protect information from leakage through technical channels are mainly based on taking into account a number of recommendations when selecting premises for installing technical means for processing confidential information (TMPI) and conducting confidential negotiations, introducing restrictions on the TMPI used, auxiliary technical means and systems (ATMS) and their placement, as well as introducing a certain access regime for employees of the enterprise (organization, firm) to information technology facilities and to designated premises.

Technical measures to protect information from leakage through technical channels are based on the use of technical means of protection and the implementation of special design and engineering solutions.

Technical protection of information is carried out by information protection departments (security services) or individual specialists appointed by the heads of organizations to carry out such work. Third-party organizations that have licenses from the FSTEC or the FSB of Russia for the right to carry out the relevant work may be involved in developing measures to protect information.

To protect information, it is recommended to use technical means of protection certified according to information security requirements. The certification procedure is determined by the legislation of the Russian Federation.

The list of necessary information protection measures is determined based on the results of a special examination of the protected object, certification tests and special studies of technical means intended for processing confidential information.

The level of technical protection of information must correspond to the ratio of the costs of organizing information protection and the amount of damage that can be caused to the owner of information resources.

Protected objects must be certified according to information security requirements in accordance with the regulatory documents of the FSTEC of Russia for compliance with established standards and requirements for information protection. Based on the results of certification, permission is given (certificate of compliance) to process confidential information at this object.

Responsibility for ensuring the requirements for technical protection of information is assigned to the heads of organizations operating protected facilities.

In order to promptly identify and prevent information leakage through technical channels, the status and effectiveness of information protection must be monitored.

Control consists of checking the compliance with the requirements of regulatory documents on information protection according to the current methods, as well as assessing the validity and effectiveness of the measures taken.

Information protection is considered effective if the measures taken comply with the established requirements and standards.

Organization of work on information protection is assigned to the heads of departments operating the protected facilities, and control over ensuring information protection is assigned to the heads of departments for information protection (security services).

Installation of technical means for processing confidential information, as well as information protection means, must be carried out in accordance with the technical project or technical solution.

Development of technical solutions and technical projects for installation and assembly of TMPI, as well as information protection means, is carried out by information protection departments (security services of enterprises) or design organizations licensed by the FSTEC, based on technical design assignments issued by customers.

Technical solutions for protecting information from leakage through technical channels are an integral part of technological, planning, architectural and design solutions and form the basis of the system of technical protection of confidential information.

The direct organization of work on the creation of the STPI is carried out by the official providing scientific and technical guidance for the design of the protected object.

The development and implementation of the STPI can be carried out both by the enterprises (organizations, firms) themselves and by specialized organizations that have licenses from the FSTEC and (or) the FSB of Russia for the relevant type of activity.

In the case of development of the STPI or its individual components by specialized organizations, the customer organization determines departments or individual specialists responsible for organizing and conducting information protection activities, who must provide methodological guidance and participate in a special survey of protected objects, analytical justification of the need to create the STPI, coordination of the selection of TMPI, technical and software protection tools, development of technical specifications for the creation of the STPI, organization of work on the implementation of the STPI and certification of protected objects.

The procedure for organizing work at the enterprise on the creation and operation of information technology facilities and dedicated (protected) premises is determined in a special “Regulation on the procedure for organizing and conducting work at the enterprise on protecting information from its leakage through technical channels” taking into account specific conditions, which should determine:

  • the procedure for determining the information to be protected;
  • the procedure for involving the organization’s divisions and specialized third-party organizations in the development and operation of information technology facilities and the STPI, their tasks and functions at various stages of the creation and operation of the protected facility;
  • the procedure for interaction of all organizations, departments and specialists involved in this work;
  • the procedure for development, commissioning and operation of protected objects;
  • responsibility of officials for the timeliness and quality of the formation of requirements for the protection of information, for the quality and scientific and technical level of the development of the STPI.

The enterprise (institution, firm) must have a documented list of information subject to protection in accordance with regulatory legal acts, and must also have developed an appropriate permit system for personnel access to such information.

When organizing work to protect against leakage through technical channels of information at the protected facility, three stages can be distinguished:

  • the first stage (preparatory, pre-design);
  • the second stage (design of the STPI);
  • the third stage (the stage of commissioning the protected facility and the technical information protection system).

Preparatory stage of creation of the system of technical protection of information

At the first stage, preparations are made for creating the system of technical protection of information at the protected objects: a special survey of the protected objects is conducted, and an analytical justification of the need to create the STPI and a technical (particular technical) assignment for its creation are developed.

During a special survey of protected facilities with the involvement of relevant specialists, an assessment of potential technical channels of information leakage is carried out.

To analyze possible technical channels of leakage at a facility, the following are studied:

  • a plan (to scale) of the area adjacent to the building within a radius of up to 150 — 300 m, indicating (if possible) the ownership of buildings and the boundaries of the controlled zone;
  • floor plans of the building indicating all rooms and the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
  • plan-diagram of the utility lines of the entire building, including the ventilation system;
  • plan-diagram of the grounding system of the facility indicating the location of the grounding conductor;
  • plan-diagram of the power supply system of the building indicating the location of the isolating transformer (substation), all boards and distribution boxes;
  • plan-diagram of the laying of telephone lines indicating the location of distribution boxes and installation of telephone sets;
  • plan-diagram of security and fire alarm systems indicating installation locations and types of sensors, as well as distribution boxes.

It is established: when the object (building) was constructed, what organizations were involved in the construction, what organizations were previously located in it.

When analyzing the conditions of the object's location, the boundary of the controlled zone, parking places for cars, and buildings that are in direct line of sight from the windows of protected premises outside the controlled zone are determined.

The affiliation of these buildings and the access mode to them are determined (if possible).

By visual observation or photography from the windows of protected premises, the windows of nearby buildings are determined, as well as parking places for cars that are in direct line of sight.

An assessment is made of the possibility of conducting reconnaissance from them using directional microphones and laser acoustic reconnaissance systems, as well as visual observation and filming equipment.

The location of the transformer substation, electrical panel, and distribution boards is established.

Buildings and premises located outside the controlled area that are powered from the same low-voltage bus of the transformer substation as the protected facilities are determined.

The length of power lines from protected facilities to possible connection points for information interception devices (distribution boards, rooms, etc.) located outside the controlled area is measured.

The possibility of receiving, outside the controlled area, information transmitted over the power supply network by mains bugs (if installed in protected premises) is assessed.

Premises adjacent to protected premises and located outside the controlled area are determined.

Their affiliation and access mode are established. The possibility of access from the outside to the windows of the protected premises is determined.

The possibility of speech information leakage from the protected premises via acoustic-vibration channels is assessed.

The connecting lines of auxiliary technical means and systems (telephone lines, warning, security and fire alarm systems, clock systems, etc.) that go beyond the controlled area and the locations of their distribution boxes are determined.

The length of lines from protected objects to possible connection points for interception of information outside the controlled area is measured.

The possibility of speech information leakage from protected premises via acoustoelectric channels is assessed.

Utility lines and extraneous conductors extending beyond the controlled area are identified, and their length from protected objects to possible connection points for interception of information is measured.

The location of the ground electrode to which the grounding circuit of the protected object is connected is established. The premises located outside the controlled area that are connected to the same ground electrode are determined.

The installation locations of the TMPI at the information technology facilities and the routes of their connecting lines are determined.

An assessment is made of the possibility of intercepting information processed by the TMPI by special technical means via electromagnetic and electrical information leakage channels.

In modern conditions, it is advisable to conduct technical control to assess the actual shielding properties of building structures and the sound and vibration insulation of premises, so that the results can be taken into account when developing measures to protect the TMPI and designated premises.

The pre-project survey may be assigned to a specialized organization that has the appropriate license, but even in this case it is advisable for representatives of the customer organization to analyze the information support with respect to protected information, with the methodological assistance of the specialized organization.

The familiarization of this organization's specialists with protected information is carried out in the manner established in the customer organization.

After a pre-project special survey of the protected object has been conducted by a group (commission) appointed by the head of the enterprise (organization, firm), an analytical justification is made for the need to create an STPI, during which:

  • a list of information subject to protection is determined (the list of confidential information is approved by the head of the organization);
  • a categorization of confidential information subject to protection is carried out;
  • a list of persons admitted to confidential information subject to protection is determined;
  • the degree of personnel participation in the processing (discussion, transfer, storage, etc.) of information, the nature of their interaction with each other and with the security service are determined;
  • a matrix of personnel access to confidential information subject to protection is developed;
  • a model of a potential adversary (intruder, violator) is determined (specified);
  • classification and categorization of information technology objects and allocated premises are carried out;
  • the need to involve specialized organizations with the necessary licenses for the right to carry out work on information protection is substantiated for the design and implementation of the STPI;
  • an assessment of the material, labor and financial costs for the development and implementation of the STPI is carried out;
  • approximate deadlines for the development and implementation of the STPI are determined.

The main feature of confidential information is its value for a potential adversary (competitors). Therefore, when determining the list of confidential information, its owner must determine this value through the extent of damage that may be caused to the enterprise if it is leaked (disclosed).

Depending on the amount of damage (or negative consequences) that may be caused if information is leaked (disclosed), the following categories of information importance are introduced:

  • Category 1 – information, the leakage of which may lead to the loss of economic or financial independence of the enterprise or the loss of its reputation (loss of trust of consumers, subcontractors, suppliers, etc.);
  • Category 2 – information, the leakage of which may lead to significant economic damage or a decrease in its reputation;
  • Category 3 – information, the leakage or disclosure of which may cause economic damage to the enterprise.

From the point of view of information dissemination, it can be divided into two groups:

  • the first group (1) – confidential information that circulates only within the enterprise and is not intended for transfer to another party;
  • the second group (2) – confidential information that is supposed to be transferred to another party or received from another party.

Therefore, it is advisable to establish six levels of information confidentiality (Table 1).

Table 1. Levels of information confidentiality

| The amount of damage (negative consequences) that may be caused by disclosure of specific information | Level of confidentiality: information that is not subject to transfer to other enterprises (organizations) | Level of confidentiality: information intended for transfer to other enterprises (organizations) or received from them |
| --- | --- | --- |
| Information leakage may lead to the loss of economic or financial independence of the enterprise or loss of its reputation | 1.1 | 1.2 |
| Information leakage may lead to significant economic damage or a decrease in the enterprise's reputation | 2.1 | 2.2 |
| Information leakage may cause economic damage to the enterprise | 3.1 | 3.2 |

The introduction of information confidentiality categories is necessary to determine the scope and content of a set of measures to protect it.

When establishing a mode of access to confidential information, it is necessary to be guided by the principle — the greater the damage from disclosure of information, the smaller the circle of persons who are allowed to access it.

Modes of access to confidential information must be linked to the job responsibilities of employees.

In order to limit the circle of persons allowed to access information constituting a commercial secret, it is advisable to introduce the following modes of access to it:

  • mode 1 – provides access to the entire list of confidential information. It is established for the management of the enterprise;
  • mode 2 – provides access to information when performing specific types of activities (financial, production, personnel, security, etc.). It is established for the management of departments and services;
  • mode 3 – provides access to a specific list of information when performing specific types of activities. It is established for employees – specialists of a specific department (service) in accordance with job responsibilities.

Thus, after compiling a list of confidential information, it is necessary to establish the level of its confidentiality, as well as the mode of access to it by employees.

It is advisable to delimit the access of employees of an enterprise (firm) to confidential information either by levels (rings) of confidentiality in accordance with access modes, or by so-called authority matrices, in which the rows list the positions of employees of the enterprise (firm), and the columns list the information included in the list of information constituting a commercial secret.

The elements of the matrix contain information on the level of authority of the relevant officials (for example, “+” — access to information is permitted, “-” — access to information is prohibited).
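An authority matrix of this kind can be checked mechanically against the access modes and against the principle that greater damage means a smaller circle of persons. The following is an added example, not part of the original article: the positions, information items, the per-item "activity" attribute and the pairwise reading of the principle are assumptions, and the sample matrix is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    name: str
    level: str      # confidentiality level from Table 1, e.g. "2.1"
    activity: str   # type of activity the item belongs to (assumed attribute)


@dataclass(frozen=True)
class Position:
    title: str
    mode: int       # access mode 1, 2 or 3
    activity: str   # empty for mode 1 (management of the enterprise)


# Constructed sample data: columns of the matrix, in order.
ITEMS = [
    Item("merger plans", "1.1", "finance"),
    Item("credit terms", "2.2", "finance"),
    Item("process recipe", "2.1", "production"),
    Item("supplier prices", "3.2", "production"),
]

# Constructed sample data: rows of the matrix.
POSITIONS = [
    Position("director", 1, ""),
    Position("head of finance", 2, "finance"),
    Position("accountant", 3, "finance"),
    Position("head of production", 2, "production"),
    Position("process engineer", 3, "production"),
]

# "+" = access permitted, "-" = access prohibited (constructed matrix).
MATRIX_TEXT = """
director            + + + +
head of finance     + + - -
accountant          + - - +
head of production  - - + +
process engineer    - - + +
"""


def parse_matrix(text, positions, items):
    """Return {position title: {item name: bool}} from rows of '+'/'-' marks."""
    titles = {p.title for p in positions}
    matrix = {}
    for line in text.strip().splitlines():
        parts = line.split()
        marks = parts[-len(items):]
        title = " ".join(parts[:-len(items)])
        if title not in titles or any(m not in ("+", "-") for m in marks):
            raise ValueError(f"bad matrix row: {line!r}")
        matrix[title] = {it.name: m == "+" for it, m in zip(items, marks)}
    if titles - matrix.keys():
        raise ValueError(f"no row for: {sorted(titles - matrix.keys())}")
    return matrix


def audience(matrix, item_name):
    """Set of positions that are permitted to access the item."""
    return {title for title, row in matrix.items() if row[item_name]}


def mode_violations(matrix, positions, items):
    """Mode 1 must see every item; modes 2 and 3 must not see items
    outside their own type of activity."""
    found = []
    for p in positions:
        for it in items:
            allowed = matrix[p.title][it.name]
            if p.mode == 1 and not allowed:
                found.append((p.title, it.name, "missing"))
            elif p.mode in (2, 3) and allowed and it.activity != p.activity:
                found.append((p.title, it.name, "excess"))
    return found


def principle_violations(matrix, items):
    """Pairs (a, b) where a is in a more damaging category than b
    yet is open to a larger circle of positions (assumed reading)."""
    def category(it):
        return int(it.level.split(".")[0])   # 1 = greatest damage

    return [
        (a.name, b.name)
        for a in items for b in items
        if category(a) < category(b)
        and len(audience(matrix, a.name)) > len(audience(matrix, b.name))
    ]


if __name__ == "__main__":
    m = parse_matrix(MATRIX_TEXT, POSITIONS, ITEMS)
    print("mode violations:     ", mode_violations(m, POSITIONS, ITEMS))
    print("principle violations:", principle_violations(m, ITEMS))
```

In the constructed matrix the accountant holds access outside the finance activity, and a category 1 item is open to more positions than a category 2 item; both are reported.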

Next, the model of the probable adversary (intruder, violator) is defined (specified), which includes determining the level of equipment of the adversary interested in obtaining information and its capabilities to use certain technical intelligence means to intercept information.

Depending on financial support, as well as access to certain intelligence means, the adversary has different capabilities to intercept information.

For example, means of reconnaissance of side electromagnetic radiation and interference, electronic devices for intercepting information embedded in technical means, and laser acoustic reconnaissance systems can, as a rule, be used by the intelligence and special services of states.

To ensure a differentiated approach to organizing the protection of information from leakage through technical channels, the protected objects must be assigned to the appropriate categories and classes.

The classification of objects is carried out according to the tasks of technical protection of information and establishes requirements for the volume and nature of the complex of measures aimed at protecting confidential information from leakage through technical channels during the operation of the protected object.

It is advisable to divide the protected objects into two protection classes (Table 2).

Protection class A includes objects where complete concealment of information signals that arise during information processing or negotiations is carried out (concealment of the fact of processing confidential information at the object).

Protection class B includes objects where concealment of parameters of information signals that arise during information processing or negotiations is carried out, for which it is possible to restore confidential information (concealment of information processed at the object).

Table 2. Protection classes of information technology objects and dedicated premises

| The task of technical protection of information | Established protection class |
| --- | --- |
| Complete concealment of information signals that arise during information processing or negotiations (concealment of the fact of processing confidential information at the facility) | A |
| Concealment of parameters of information signals that arise during information processing or negotiations, which may allow recovery of confidential information (concealment of information processed at the facility) | B |

When establishing the category of the protected facility, its protection class is taken into account, as well as the financial capabilities of the enterprise to close potential technical channels of information leakage. It is advisable to divide the protected facilities into three categories.

The categorization of protected information technology facilities and allocated premises is carried out by commissions appointed by the heads of the enterprises in whose jurisdiction they are located.

The commissions, as a rule, include representatives of the departments responsible for ensuring information security and representatives of the departments operating the protected facilities.

The categorization of protected facilities is carried out in the following order:

  • the objects of information technology and the allocated premises subject to protection are determined;
  • the level of confidentiality of the information processed by the TMPI or discussed in the allocated premises is determined, and an assessment is made of the cost of damage that may be caused to the enterprise (organization, firm) as a result of its leakage;
  • for each protected object, a protection class (A or B) is established and potential technical channels of information leakage and special technical means that can be used to intercept information are determined (Tables 3, 4);
  • a rational composition of protection means is determined, and organizational measures are developed to close a specific technical channel of information leakage for each protected object;
  • for information classified as confidential and provided by the other party, the sufficiency of measures taken to protect it is determined (measures or standards for protecting information are determined by the relevant agreement);
  • an assessment is made of the cost of measures (organizational and technical) to close a specific technical channel of information leakage for each protected object;
  • taking into account the assessment of the capabilities of a potential adversary (competitor, attacker) to use certain technical intelligence tools to intercept information, as well as taking into account the cost of closing each information leak channel and the cost of damage that may be caused to the enterprise as a result of its leak, the advisability of closing certain technical information leak channels is determined;
  • after a decision has been made on which technical information leak channels need to be closed, the category of the information technology facility or allocated premises is established (Table 5).

The results of the commission's work are formalized in a report, which is approved by the official who appointed the commission.

Table 3. Potential technical channels for leakage of information processed by a personal computer

Technical channel of information leakage, followed by the special technical means used to intercept information:

Electromagnetic (interception of side electromagnetic radiation of the TMPI)
  • means of reconnaissance of side electromagnetic radiation and interference (SEMI), installed in nearby buildings and vehicles located outside the controlled zone
Electrical (interception of induced electrical signals)
  • SEMI reconnaissance means connected to the power supply lines of the TMPI, connecting lines of the ATMS, extraneous conductors, grounding circuits of the TMPI outside the controlled zone
High-frequency irradiation of the TMPI
  • “high-frequency irradiation” equipment installed in nearby buildings or adjacent premises located outside the controlled zone
Introduction of electronic devices for intercepting information into the TMPI
  • modular-type hardware bugs installed in the system unit or peripheral devices during the assembly, operation and repair of personal computers:
    • hardware bugs for intercepting images displayed on the monitor screen, installed in personal computer monitors;
    • hardware bugs for intercepting information entered from the personal computer keyboard, installed in the keyboard;
    • hardware bugs for intercepting information being printed, installed in the printer;
    • hardware bugs for intercepting information being written to the hard disk of a personal computer, installed in the system unit;
  • hardware bugs covertly introduced into blocks, units, boards and individual elements of personal computer circuits at the stage of their manufacture

Table 4. Potential technical channels for leakage of speech information

Technical channel of information leakage, followed by the special technical means used to intercept information:

Direct acoustic (through cracks, windows, doors, technological openings, ventilation ducts, etc.)
  • directional microphones installed in nearby buildings and vehicles located outside the controlled zone;
  • special highly sensitive microphones installed in air ducts or in adjacent rooms belonging to other organizations;
  • electronic devices for intercepting speech information with microphone-type sensors installed in air ducts, provided that unauthorized persons have uncontrolled access to them;
  • listening to conversations conducted in a designated room without the use of technical means by third parties (visitors, technical personnel) when they are in corridors and rooms adjacent to the designated room (inadvertent listening)
Acousto-vibrational (through enclosing structures, utility pipes, etc.)
  • electronic stethoscopes installed in adjacent rooms belonging to other organizations;
  • electronic devices for intercepting speech information with contact-type sensors installed on utility lines (water supply, heating, sewerage pipes, air ducts, etc.) and external enclosing structures (walls, ceilings, floors, doors, window frames, etc.) of a designated area, provided that unauthorized persons have uncontrolled access to them
Acousto-optic (through window glass)
  • laser acoustic location systems installed in nearby buildings and vehicles located outside the controlled area
Acoustoelectric (through ATMS connecting lines)
  • special low-frequency amplifiers connected to the ATMS connecting lines with a “microphone” effect outside the controlled area;
  • “high-frequency imposition” equipment connected to the ATMS connecting lines with a “microphone” effect outside the controlled area
Acoustoelectromagnetic (parametric)
  • special radio receiving devices installed in nearby buildings and vehicles located outside the controlled zone, intercepting SEMI at the operating frequencies of high-frequency generators included in the ATMS, which have a “microphone” effect;
  • “high-frequency irradiation” equipment installed in nearby buildings or adjacent premises located outside the controlled zone

Table 5. Categories of information technology facilities and designated premises

| The task of technical protection of information | Closed technical channels of information leakage | Established category of the protected object |
| --- | --- | --- |
| Complete concealment of information signals arising during the processing of information by a technical means or during negotiations (concealment of the fact of processing confidential information at the facility) | all potential technical channels of information leakage | 1 |
| Hiding the parameters of information signals that arise when processing information by a technical means or conducting negotiations, through which it is possible to restore confidential information (hiding the information processed at the facility) | all potential technical channels of information leakage | 2 |
| Hiding the parameters of information signals arising during the processing of information by technical means or negotiations, through which it is possible to restore confidential information (concealment of information processed at the facility) | the most dangerous technical channels of information leakage | 3 |

After establishing the category of the protected object, the possibilities for the enterprise (organization, firm) to create and implement the technical information protection system (STZI) on its own are assessed, or the need to involve specialized organizations that hold the necessary licenses for information protection work in the design and implementation of the STZI is substantiated.

The material, labor and financial costs of developing and implementing the STZI are assessed, and the estimated timeframes for its development and implementation are determined.

The results of the analytical justification of the need to create an STZI are presented in an explanatory note, which must contain:

  • a list of confidential information indicating its level of confidentiality;
  • a list of enterprise employees admitted to confidential information, indicating their access mode, and, if necessary, an access matrix;
  • information characteristics and organizational structure of objects of protection;
  • a list of information technology objects subject to protection, indicating their categories;
  • a list of allocated premises to be protected, indicating their categories;
  • a list and characteristics of technical means for processing confidential information, indicating their installation location;
  • a list and characteristics of auxiliary technical means and systems, indicating their installation location;
  • the expected level of equipment of a potential adversary (competitor, intruder);
  • technical channels of information leakage to be closed (eliminated);
  • organizational measures to close technical channels of information leakage;
  • list and characteristics of technical means of information protection proposed for use, indicating their installation location;
  • methods and procedure for monitoring the effectiveness of information protection;
  • justification of the need to involve specialized organizations that have the necessary licenses for the right to carry out work on information protection, for design;
  • assessment of material, labor and financial costs for the development and implementation of the STZI;
  • approximate timeframes for the development and implementation of the STZI;
  • list of measures to ensure the confidentiality of information at the STZI design stage.

The explanatory note is signed by the head of the group (commission) that conducted the analytical justification, agreed upon with the head of the security service and approved by the head of the enterprise.

Based on the analytical justification and current regulatory and methodological documents on information protection from leakage through technical channels, taking into account the established class and category of the protected object, specific requirements for information protection are set, included in the technical (particular technical) assignment for the development of the STZI.

The technical assignment (TA) for the development of the STZI must contain:

  • justification for the development;
  • initial data of the protected object in technical, software, information and organizational aspects;
  • reference to regulatory and methodological documents, taking into account which the STZI will be developed and accepted into operation;
  • specific requirements for the STZI;
  • list of technical means of information protection intended for use;
  • composition, content and timing of work at the stages of development and implementation;
  • list of contractors — performers of various types of work;
  • list of scientific and technical products and documentation presented to the customer.

The technical assignment for the design of the STZI of the protected object is drawn up as a separate document, agreed upon with the design organization and with the security service (specialist) of the customer organization as regards the adequacy of the measures for technical protection of information, and approved by the customer.

Stage of design of the technical protection system of information

To develop a technical project for the creation of a technical information protection system, organizations licensed by the FSTEC of the Russian Federation must be involved.

The technical project of the STZI must contain:

  • title page;
  • explanatory note containing information characteristics and organizational structure of the protected object, information on organizational and technical measures to protect information from leakage through technical channels;
  • list of information technology objects subject to protection, indicating their locations and established protection category;
  • list of allocated premises subject to protection, indicating their locations and established protection category;
  • list of installed TSOI, indicating the availability of a certificate (operation order) and their installation locations;
  • list of installed VTSS, indicating the availability of a certificate and their installation locations;
  • list of installed technical means of information protection, indicating the availability of a certificate and their installation locations;
  • a diagram (to scale) indicating the plan of the building in which the protected objects are located, the boundaries of the controlled area, the transformer substation, the grounding device, the routes of utility lines, power lines, communications, fire and security alarms, the installation locations of separating devices, etc.;
  • technological floor plans of the building (to scale) indicating the locations of information technology facilities and dedicated rooms, the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
  • plans of information technology facilities (to scale) indicating the locations of the installation of TSOI, VTSS and the laying of their connecting lines, as well as the routes for laying utility lines and external conductors;
  • a plan-diagram of utility lines for the entire building, including the ventilation system;
  • a plan-diagram of the grounding system of the facility, indicating the location of the ground electrode;
  • a diagram of the building's power supply system indicating the location of the isolating transformer (substation), all panels and distribution boxes;
  • a diagram of the layout of telephone lines indicating the location of distribution boxes and the installation of telephone sets;
  • a diagram of the security and fire alarm systems indicating the installation locations and types of sensors, as well as distribution boxes;
  • diagrams of active protection systems (if they are provided for by the technical specifications for the design);
  • instructions and operating manuals for technical means of protection for users and those responsible for ensuring information security at the information technology facility.

The technical design, working drawings, estimate and other design documentation must be registered (accounted for) in the established manner.

The technical project is agreed upon with the customer's security service (specialist), the design organization's information security agency, representatives of contractors — performers of types of work and approved by the head of the design organization.

When developing the technical project, the following recommendations must be taken into account:

  • certified technical means of information processing and auxiliary technical means must be installed in the allocated premises;
  • for placing the TSOI, it is advisable to choose basement and semi-basement premises (they have shielding properties);
  • it is recommended that the offices of the organization's managers, as well as especially important dedicated rooms, be located on the upper floors (except for the last one) on the side that is less dangerous from the point of view of reconnaissance;
  • it is necessary to provide for the supply of all communications (water supply, heating, sewerage, telephone, electricity, etc.) to the building in one place. It is advisable to immediately introduce the communications inputs into the building into the control room and ensure that its entrance is closed and an alarm or security system is installed;
  • if the isolating transformer (transformer substation), from which the protected technical equipment and allocated premises are supplied with electricity, is located outside the controlled zone, it is necessary to provide for disconnection from the low-voltage substation buses, from which the protected objects are supplied, of consumers located outside the controlled zone;
  • It is recommended that electric power cables be laid from the general power panel according to the principle of vertical distribution to floors with horizontal floor-by-floor distribution and with the installation of a power panel on each floor. Connecting cables of auxiliary technical equipment, including communication system cables, should be laid in a similar manner;
  • the number of utility inputs into the protected premises area must be minimal and correspond to the number of utilities. Unused extraneous conductors passing through the protected premises, as well as cables (lines) of unused auxiliary technical equipment must be dismantled;
  • the laying of information circuits, as well as power supply and grounding circuits of the protected technical equipment must be planned in such a way that their parallel run with various extraneous conductors that have an exit beyond the controlled area is excluded or reduced to acceptable limits;
  • for grounding technical equipment (including auxiliary equipment) installed in dedicated premises, it is necessary to provide a separate grounding circuit located within the controlled area. If this is not possible, it is necessary to provide for linear noise masking of the facility's grounding system;
  • it is necessary to exclude the exits of extraneous conductors (various pipelines, air ducts, building metal structures, etc.), in which induced information signals are present, beyond the controlled area. If this is not possible, it is necessary to provide for linear noise masking of extraneous conductors;
  • in places where utility pipelines exit the designated areas, it is recommended to install flexible vibration-insulating inserts with the space between them and the building structure filled with mortar to the entire thickness of the structure. If it is impossible to install inserts, the pipelines will need to be equipped with a vibration noise reduction system;
  • it is necessary to provide for the laying of vertical risers of utilities for various purposes outside the designated areas;
  • enclosing structures of designated areas adjacent to other areas of the organization must not have openings, niches, or through channels for laying utilities;
  • it is advisable to make the supply and exhaust ventilation and air exchange system of the zone of the allocated premises separate, it should not be connected to the ventilation system of other premises of the organization and have its own separate air intake and exhaust;
  • It is recommended that ventilation system boxes be made of non-metallic materials. The outer surface of ventilation system boxes leading out of the designated area or individual important rooms should be finished with sound-absorbing material. It is recommended that soft vibration-insulating inserts made of flexible material, such as tarpaulin or thick fabric, be installed at the points where ventilation system boxes exit the designated rooms. Ventilation duct outlets outside the designated room area should be covered with a metal mesh;
  • In rooms equipped with a sound reinforcement system, it is advisable to use sound-absorbing materials for lining the inner surfaces of enclosing structures;
  • Doorways in especially important rooms should be equipped with vestibules;
  • Decorative panels of heating batteries should be removable for inspection;
  • in especially important dedicated rooms it is not recommended to use suspended ceilings, especially non-detachable ones;
  • for glazing especially important dedicated rooms it is recommended to use sun protection and heat protection double-glazed windows;
  • it is advisable to make floors of especially important dedicated rooms without baseboards;
  • It is not recommended to use fluorescent lighting fixtures in dedicated areas. Lighting fixtures with incandescent lamps should be selected for full line voltage without the use of transformers and rectifiers.

Commissioning of the information security system

At the third stage, installation and construction organizations carry out information security measures provided for in the technical project.

Organizations licensed by the FSTEC RF must be involved in installation of technical means for information processing, auxiliary technical means, and also in carrying out technical measures to protect information.

The installation organization or the customer purchases certified TSOI and conducts a special check of non-certified TSOI to detect electronic devices for intercepting information (embedded devices, or “bugs”) that may have been planted in them, and carries out special studies of these TSOI.

Based on the results of the special studies of the TSOI, information protection measures are specified. If necessary, appropriate changes are made to the technical project, which are agreed upon with the design organization and the customer.

Certified technical, software, and software-hardware information protection tools are purchased and installed in accordance with the technical project.

The security service (specialist) organizes control over the implementation of all information protection measures provided for by the technical project.

During the installation and assembly of the TSOI and information security tools, special attention should be paid to ensuring the regime and security of the protected object.

The main recommendations for this period include the following:

  • organization of security and physical protection of the premises of the information technology facility and allocated premises, excluding unauthorized access to the TSOI, their theft and disruption of operability, theft of information carriers;
  • when carrying out reconstruction of the facility, control and registration of persons and vehicles arriving and leaving the area of the work being carried out must be organized;
  • it is recommended to organize access of builders to the area and the building using temporary passes or daily lists;
  • copies of construction drawings, especially floor plans of premises, power supply line diagrams, communication lines, security and fire alarm systems, etc. must be registered, and their number limited. Upon completion of installation work, copies of drawings, plans, diagrams, etc. must be destroyed in accordance with the established procedure;
  • it is necessary to ensure that components and construction materials are stored in a guarded warehouse;
  • it is not recommended to allow installation operations and finishing work to be performed by lone workers, especially at night;
  • at the stage of finishing work, it is necessary to ensure night security of the building.

Some measures to organize control during this period include:

  • before installation, it is necessary to ensure a covert check of all installed structures, especially installation equipment, for the presence of various kinds of marks and differences between them, as well as embedded devices;
  • it is necessary to organize a periodic inspection of the areas of the allocated premises in the evening or outside working hours in the absence of builders in order to identify suspicious areas and places;
  • organize control over the progress of all types of construction work on the territory and in the building. The main function of control is to confirm the correctness of the technology of construction and installation works and their compliance with the technical project;
  • organize inspection of places and sections of structures that, according to the technology, are subject to closure by other structures. Such control can be organized openly, under the pretext of checking the quality of installation and materials, or covertly;
  • It is necessary to carefully check the compliance of the installation diagrams and the number of wires to be laid with the technical design. Particular attention should be paid to the stage of introducing wired communications and cables into the area of the allocated premises. All laid backup wires and cables should be marked on the plan-diagram, indicating their start and end points.

When conducting inspection, special attention should be paid to the following points:

  • changes in the number of teams or in their personnel that were not agreed with the customer, especially during long-term processes of the same type;
  • presence of deviations from the agreed or standard technology of construction and installation works;
  • large delays in the time of execution of standard installation operations are unacceptable;
  • unexpected replacement of types of building materials and structural elements;
  • change in the schemes and order of installation of structures;
  • carrying out work during lunchtime or outside working hours, especially at night;
  • psychological factors of the behavior of individual builders in the presence of supervisors, etc.

Before installing furniture and interior items in designated areas and IT facilities, technical devices and office equipment must be checked for the absence of embedded devices.

At the same time, it is advisable to check the technical equipment for levels of side electromagnetic radiation. It is advisable to conduct such a check in a specially equipped room or in an intermediate warehouse.

After finishing, it is recommended to conduct a comprehensive analysis of the building for the possibility of information leakage through acoustic and vibration channels.

Based on the results of measurements, taking into account the actual situation regarding the security regime, additional recommendations should be developed to strengthen security measures if security requirements are not met.

Before the installation of the TSZI and information protection equipment, the customer determines the departments and persons planned to be appointed responsible for the operation of the TSZI. During the installation of the protection equipment and its trial operation, the appointed persons are trained in the specifics of information protection work.

The persons responsible for the operation of the TSZI, together with representatives of the design and installation organizations, develop the operational documentation for the information technology facility and the allocated premises (technical passports of facilities, instructions, orders and other documents).

The technical passport for the protected object is developed by the person appointed responsible for the operation and security of information at the given object, and includes:

  • an explanatory note containing the information characteristics and organizational structure of the protected object, information on organizational and technical measures to protect information from leakage through technical channels;
  • list of information technology objects subject to protection, indicating their locations and established protection category;
  • list of allocated premises subject to protection, indicating their locations and established protection category;
  • list of installed TSOI, indicating the availability of a certificate (operation order) and their installation locations;
  • list of installed VTSS, indicating the availability of a certificate and their installation locations;
  • a list of installed technical means of information protection, indicating the availability of a certificate and the locations of their installation;
  • a diagram (to scale) indicating the plan of the building in which the protected objects are located, the boundaries of the controlled area, the transformer substation, the grounding device, the routes of utility lines, power lines, communications, fire and security alarms, the locations of the installation of separating devices, etc.;
  • technological floor plans of the building (to scale) indicating the locations of information technology facilities and dedicated rooms, the characteristics of their walls, ceilings, finishing materials, types of doors and windows;
  • plans of information technology facilities (to scale) indicating the locations of the installation of TSOI, VTSS and the laying of their connecting lines, as well as the routes for laying utility lines and external conductors;
  • a plan-diagram of utility lines for the entire building, including the ventilation system;
  • a plan-diagram of the grounding system of the facility, indicating the location of the ground electrode;
  • a diagram of the building's power supply system indicating the location of the isolating transformer (substation), all panels and distribution boxes;
  • a diagram of the layout of telephone lines indicating the location of distribution boxes and the installation of telephone sets;
  • a diagram of the security and fire alarm systems indicating the installation locations and types of sensors, as well as distribution boxes;
  • diagrams of active protection systems (if provided).

The following documents are attached to the technical passport:

  • operating instructions (certificates of compliance with information security requirements) of the TSOI;
  • certificates of compliance with information security requirements for the VTSS;
  • certificates of compliance with information security requirements for technical means of information protection;
  • certificates of concealed work performed;
  • measurement protocols for sound insulation of allocated rooms and shielding efficiency of structures and cabins;
  • protocols for measuring the value of ground resistance;
  • protocols for measuring the actual attenuation of information signals to the locations of possible deployment of reconnaissance assets.

After the installation and assembly of technical means of information protection, their trial operation is carried out in combination with other technical and software means in order to check their operability as part of an information technology facility and to develop the technological process of processing (transmitting) information.

Based on the results of the pilot operation, acceptance tests of the information protection tools are carried out with the execution of the corresponding act.

Upon completion of the commissioning of the STZI, certification of the information technology facilities and allocated premises according to security requirements is carried out. It is a procedure for officially confirming the effectiveness of the complex of measures and means of information protection implemented at the facility.

If necessary, by decision of the head of the organization, work may be carried out to search for electronic devices for collecting information (“bugs”), possibly embedded in designated premises, carried out by organizations that have the appropriate licenses from the FSB of Russia.

During the operation period, special surveys and inspections of the allocated premises and information technology facilities should be carried out periodically. Special surveys should be carried out under a cover story for the organization's employees or in their absence (the presence of a limited number of people from among the organization's managers and security service employees is permitted).


 
