Types of information security measures
Information security means creating conditions under which valuable personal or business information cannot be disclosed. Leakage of personal information can undermine an individual's reputation and cause moral or material damage. The disclosure of sensitive business information can harm a company's operations, damage its reputation, and even endanger employees. To ensure information security, special measures are needed to prevent confidential information from leaking and being used for improper purposes.
Information is usually stored in paper or electronic form. The threat of data leakage arises when data is transferred over the Internet, when electronic media are stored improperly, or when instructions for working with classified materials are not followed. To gain unauthorized access to confidential information, scammers use virus programs and extort personal data, passwords and user logins. Organizations have information security services that have technical and software tools at their disposal for protecting information resources.
Information security principles
When developing measures to secure and protect classified information, the principles of availability, integrity and confidentiality are taken as the basis.
Availability. The protection methods applied must leave access to information unhindered for the specific individuals to whom it is provided.
Integrity. Conditions are created under which data cannot be deliberately distorted or destroyed. For example, an incorrect interpretation of a technical instruction can lead to a loss of time and money on the production of low-quality products, and the deliberate distortion of a drug formulation threatens people's health and lives.
Confidentiality. Any measure taken must protect information whose disclosure threatens unpleasant consequences for citizens and for government or commercial organizations.
Types of methods of countering information threats
To protect information from the encroachment of third parties, legal, organizational, moral and ethical, technical and physical methods are used. Software, hardware and various technological methods are used to increase security.
Legal methods
To ensure information security in the Russian Federation, special regulations, laws and decrees have been issued on the rules for handling information whose disclosure is undesirable. They specify how such materials are made available and the main ways of using them. They also stipulate the degree of responsibility for disclosure and the penalty.
Leaders of organizations should promptly familiarize employees with the content of legislation in order to prevent accidental or intentional violation of rules and increase the vigilance of employees.
Organizational methods
Organizational methods include recruiting, training, and developing job descriptions. Security is organized for the premises in which confidential materials are kept, and an access regime is introduced. The work of employees who have access to the information system is monitored, as is the procedure for storing and destroying classified materials.
To ensure security, “reinsurance” techniques are used, which rule out erroneous or unauthorized entry into the information system. For example, to gain access to important materials, you must obtain permission from several senior officials. To complete a banking transaction, a general balance of accounts of several types is required.
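The rule that access requires permission from several senior officials can be enforced in software. The following Python code is an added example, not part of the original article; the official names, their keys, the quorum of two and the resource names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: official names and per-official keys are hypothetical.
APPROVER_KEYS = {
    "director": b"k-director-demo",
    "security_chief": b"k-security-demo",
    "cfo": b"k-cfo-demo",
}
REQUIRED_APPROVALS = 2  # assumed quorum: any two of the three officials


def request_digest(requester: str, resource: str) -> bytes:
    """Digest that binds an approval to one requester and one resource."""
    return hashlib.sha256(f"{requester}\x00{resource}".encode()).digest()


def sign_approval(approver: str, requester: str, resource: str) -> str:
    """Approval tag an official issues for exactly this request."""
    key = APPROVER_KEYS[approver]
    digest = request_digest(requester, resource)
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def access_granted(requester: str, resource: str,
                   approvals: list[tuple[str, str]]) -> bool:
    """True only if enough distinct officials approved this exact request."""
    digest = request_digest(requester, resource)
    valid = set()
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None or approver == requester:
            continue  # unknown official, or a requester approving their own request
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(approver)  # a set counts each official only once
    return len(valid) >= REQUIRED_APPROVALS
```

Because each tag covers the requester and the resource, an approval issued for one document cannot be reused for another, and a repeated approval from the same official does not reach the quorum.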
Moral and ethical methods
These are preventive actions, mainly of an educational nature. They are undertaken to create a healthy moral climate in society and in individual teams. When hiring, it is necessary to warn people about the need to comply with business ethics. Employees are introduced to the regulations on preserving trade secrets and the personal data of the company's customers.
Physical methods
Physical measures are aimed at reducing the risk of data loss and identifying persons trying to enter the protected area or the information system. Video cameras and audible alarms are installed. Classified documents are sealed, and special tags are used to detect the threat of information leakage.
Hardware-software (technical) methods
To protect information, special computer programs and technologies are used. With their help, you can hide important data and prevent leakage during transmission over the Internet. Technical measures include the use of hardware and software. They allow you to detect hacker attacks, prevent them from being carried out, and eliminate the consequences.
Methods such as encryption and masking of information and the creation of an electronic signature on computer documents are used. Special communication channels are used for data transmission. The time of user access to the information system is recorded, and passwords and secret labels are used. Logging in to the system is made harder by requiring biometric data.
Important information security conditions
The implementation of measures to ensure information security should be subject to the following conditions:
1. All actions to ensure information security must be lawful, based on the principles set forth in the Constitution of the Russian Federation, Presidential Decrees, Resolutions of the Government of the Russian Federation and international treaties of the Russian Federation devoted to the protection of information. Regulatory and methodological documents (the Doctrine of information security of the Russian Federation, orders of the FSB and others) are taken as a basis. The legal basis for information protection is set out in Chapter 28 of the Criminal Code of the Russian Federation "Crimes in the field of computer security". It describes the main types of computer crimes and the punishments for committing them.
2. It is necessary to address information security issues comprehensively. Activities of different types should complement each other. They should be carried out systematically and constantly. The requirements should be the same for everyone. When developing methods, the possible directions of hacker attacks and the weaknesses in the information system that increase the risk of unauthorized access to classified data should be taken into account.
3. It is important to carry out both "external" and "internal" protection. This means that measures to ensure physical, organizational and legal protection should be combined with the use of the latest technologies for the safe operation of computer operating systems. Ensure that passwords and encryption keys are stored correctly. They should be changed frequently to prevent attackers from analyzing existing protection methods and deploying virus programs.
4. When developing methods for creating information security, it is important to take into account the experience of foreign specialists in this area.
5. The cost of ensuring information security should match the value of the materials owned by the company. Taking inappropriate measures can interfere with the work process and irritate staff. To assess the risks, a "categorization" of the information held by a particular organization is carried out. The level of risk is considered high if a leak would have catastrophic consequences for the activities and financial condition of the company or would threaten the safety of personnel. The level of risk can also be moderate. At a low level, the organization's activities are not interrupted by the leakage of valuable information, but its effectiveness decreases, and the financial damage is insignificant.
6. It is necessary to distribute work with classified materials among several employees and to introduce a system of limited access to information. This reduces the risk of disclosure, since only a certain share of the important information is available to each individual employee. It is important to clearly assign responsibilities for compliance with security standards in order to quickly identify the culprit in the event of a data breach.
7. Any protective measure must be reasonable and technically feasible. The development of technical and software products should involve professionals who have state licenses to provide services in the field of protecting confidential information.
8. Personnel training plays an important role: employees should be familiar with the basics of working safely with classified information and with the techniques that fraudsters use to extract it. Employees should be warned about the possibility of phishing attacks (the sending of suspicious messages or attachments containing psychological traps). The purpose of such attacks is to obtain data on banking operations and the company's electronic accounts. It is necessary to increase the vigilance of personnel and to warn them about the consequences of the loss or theft of electronic media.
Compliance with the developed measures is monitored by the enterprise information security service. Its employees provide both physical and engineering protection.
Experts constantly monitor all events in the organization's information system, back up data to prevent the loss of valuable information in the event of its destruction by intruders.
Information security plays an important role in the lives of individuals and in ensuring the normal operation of government organizations and private companies. Comprehensive measures are taken to protect information, prevent its leakage or destroy archival information. They are carried out in accordance with the laws of the state. Various methods and technologies are used to ensure the confidentiality of information. The methods used to secure and protect it depend on the degree of secrecy of the materials and the severity of the consequences that may arise if the information gets into the hands of intruders.
The development of computer technology and the transition to working with electronic documents require special vigilance from people when using programs that can be used by fraudsters.