Information security instructions
Ensuring the security of the information system is one of the main tasks facing the heads of enterprises of any form of ownership.
Let's look at the role that established rules play in minimizing the damage caused by leaks of confidential information, and in effectively preventing unauthorized and unintended impacts on the information system (IS).
Significance of local IS requirements and regulations
A sufficient level of information protection at the stage of its creation, processing or transmission can be achieved through the combined application of organizational and technical measures.
Start with a risk analysis that takes into account the company's field of activity and the objective and subjective threats: leakage of valuable information, espionage, equipment failure. Then, based on legal requirements and guidelines, develop local information security documents.
The procedure and methods for performing individual or interrelated actions, and the duties and responsibilities of persons admitted to confidential information and to the processing of personal data, are set out in special instructions.
An information system is a collection of documents on paper and electronic media, together with the technologies for their creation, processing and transmission.
Therefore, the instructions should define:
- rules for the operation and maintenance of informatization means (IT equipment);
- general requirements for protecting confidential information, as established by the legislation of the Russian Federation and by internal documents;
- the procedure for access to information and for use of the available means of protection;
- the duties of persons responsible for ensuring and monitoring the security of the system;
- the sequence of actions when violations of security requirements are detected in the information system;
- the responsibility of users admitted to the processing of personal data and to electronic storage media.
Contents of typical instructions
Upon hiring, new employees undergo induction training to gain a general understanding of:
- the company's working hours;
- safety rules;
- the procedure for notifying management of emergencies and threats of damage.
Taking into account the specifics of the activity and the employee's access to information resources, and in order to prevent possible incidents, employees are introduced to the instructions establishing their rights and obligations before being allowed to perform their job duties independently at the workplace. Attention is paid to the nuances and possible risks associated with the employee's position.
Requirements for employees with access to confidential data
Employees who have access to information constituting commercial, state or other secrets must comply with information security rules.
In addition to the general provisions, their attention is focused on:
- the main duties for complying with the rules that exclude information leakage when working with classified data;
- the measures taken to protect automated workstations from unauthorized access by outsiders;
- setting a password for access to data on a personal computer and on electronic media;
- the necessary measures for protection against malware;
- the sequence of actions in emergency situations.
Requirements for the administrator responsible for protecting the local area network
Officials responsible for the technical protection of information in local network resources, during operation and modernization, are guided by:
- the provisions of federal laws;
- regulatory acts of the Russian Federation;
- administrative documents of the State Technical Commission of Russia (FSTEC), FAPSI (FSO, FSB) and Gosstandart of Russia;
- local legal acts for internal use.
The administrator is introduced to the established rights and obligations against signature. For example, the administrator may disconnect users who violate information security requirements from the network and prohibit the installation of non-standard software.
The main duties of the administrator are documented. These include:
- participation in testing and monitoring the security level of the local network;
- analysis of the entries in the LAN operation log for timely detection of violations of protection requirements and assessment of their possible consequences;
- granting access to the information system to users who have permission;
- blocking attempts to make changes to software and hardware without approval;
- immediate notification of the security service about unauthorized access attempts and security violations.
The instructions draw attention to the strict prohibition on transferring user credentials, passwords, identifiers and keys on physical media to third parties.
Information protection from computer viruses
Recommendations on methods for detecting and combating viruses are common to users of personal computers and to administrators responsible for protecting information resources.
The characteristic signs of virus programs that disrupt the operation of a computer, and that are capable of destroying information stored electronically or transmitted over the local network, are identified. Drawing up a list of preventive measures reduces risks and prevents the appearance and spread of malicious programs.
The document includes:
- a daily automatic check of personal computers before the start of work, and a regular comprehensive check by the administrator;
- software backups;
- data protection by configuring read-only access rights, which prevents the introduction of extraneous entries and the penetration of viruses.
By analyzing the results of virus checks, the administrator decides whether an internal investigation is needed. Viruses are eliminated by erasing damaged files and by using special programs.
Organization and management of password protection of information
Users must be instructed against signature:
- on the procedure for generating, changing and revoking passwords and accounts;
- on the rules for entering a password to gain access to the local information system.
Personal passwords are either generated by the users themselves or distributed centrally, taking into account the established requirements, which reduce risks and rule out unauthorized guessing of the access code.
Employees of the information technology department monitor the actions of performers and service personnel.
Special requirements are established for storing passwords on paper: in a sealed envelope in a safe kept by the persons responsible for security.
The instructions also regulate the procedure for obtaining access to computer equipment when there is a production need during the absence of the staff member who uses that personal computer.
The selected passphrases must meet the requirements specified in the document.
Since this information is confidential, responsibility for disclosing or transferring it lies with the owner of the password.
To protect secret data and reduce the risk of leakage, destruction or infection of network resources by viruses, a list of grounds is established for blocking outgoing and incoming e-mail.
Separate attention is paid to the prohibition on:
- using a corporate email address for personal purposes;
- using free email services for corporate correspondence;
- publishing a corporate email address on public Internet resources.
Rules for safe work in the information network
The regulations and operating modes of computer equipment, which includes not only personal computers but also printers, servers and network switches, are documented.
Security measures include:
- use of certified equipment that meets the requirements of sanitary and epidemiological standards and GOSTs (permissible noise level, electromagnetic compatibility, immunity to electromagnetic interference);
- correct preparation of equipment for switching on and operation;
- compliance with the prohibitions on reconnecting cable connectors, repairing devices on one's own, and removing serial and line numbers from the case;
- use of special paper of the recommended density when printing on a laser printer;
- inadmissibility of using force to pull paper out of the printer's output slot during printing, which can damage the printing mechanism;
- correct shutdown of the computer after closing running programs, using the "Shut down" command in the "Start" menu;
- the procedure for granting access to the organization's information network.
Employees who have been familiarized with the basic information security requirements, including those related to the performance of their professional (job) duties, bear responsibility for violating the established rules under labor law and, in certain situations, under criminal law.