Methods for ensuring the security of information in information systems
Information security plays an important role in the protection of confidential data. It includes a complex of legal, administrative and engineering-technical methods and means of protection.
What are they guarding
The objects of protection are:
- information resources are data stored on a tangible medium with the possibility of their identification;
- systems for the use, distribution and generation of data - libraries, archives, information systems, etc.;
- the right of the state, individuals and legal entities to distribute or use data;
- systems that influence the formation of consciousness, for example, social institutions or the media.
The complex of data protection tools is aimed at limiting unauthorized access to them, their destruction or modification, copying, violation of confidentiality requirements and restrictions in the exercise of access rights. And also to suppress any other illegal acts that pose a threat to declassify information.
Legal protection
Legal means of protecting information are used administratively or judicially. These are legal acts that have entered into legal force, adopted in order to ensure the safety and protection of information contained and processed in information systems. Legal means of protection in the field of information security are the Constitution of the Russian Federation, the Codes of the Russian Federation, Federal laws, regulations, decrees and other regulatory legal acts.
For example, antitrust policy and the fight against unfair competition are administrative tools to protect various databases and systems.
Protection of information in the legal spectrum is carried out by judicial authorities. The jurisdiction and jurisdiction of the court is determined by the nature of the crime committed and the personality of the offender. In order to ensure fairness in the consideration of conflicts arising in the field of the use of information, permanent or temporary arbitration courts may be established.
Legal protection of confidential data implies punishment for illegal acts. The Criminal Code deals with the topic of computer crimes in Chapter 28.
Organizational and administrative measures
The preservation of data using organizational methods implies, first of all, working with personnel.
Ensuring a high level of information security in this case is due to:
- the correct selection of personnel who will use the data to perform their job duties;
- room security and access control;
- organization of special access to classified information and work with it;
- development of job descriptions, procedures for storing and using information, etc.
First of all, measures to protect information in relation to persons working with confidential data are aimed at the employee's interest in the safety and protection of this data.
To ensure the safety and protection of information, the following methods are used:
- introduction of official duties, for non-observance of which disciplinary penalties, administrative and criminal liability are provided;
- encouraging employees as a method to prevent the sale of classified information or provide access to it to intruders;
- training and psychological training of employees in order to protect information and its non-disclosure in the interests of the company.
Several types of organizational and administrative protection measures are listed above. All activities should arouse the interest of the person working with confidential information in order to protect it from the encroachment of third parties.
Engineering methods
Engineering and technical means for protecting information include special bodies, measures and technical devices used to protect data. The technical means of protecting information include, for example, burglar alarms, which protect data from unauthorized access.
Engineering protection includes the use of:
- physical means;
- hardware;
- software tools;
- cryptography.
Physical means
Physical means of protecting information include devices for restricting unhindered entry and exit to the territory, bringing in and removing devices that can damage the system, preventing the possibility of theft or damage to the database.
Such security measures include:
- protection of the territory of the enterprise, buildings and premises;
- organization of access control;
- video monitoring;
- use of safes and secure vaults;
- installation of fences, electronic, mechanical or electromechanical locks;
- installation of equipment and devices to prevent emergencies, for example, to extinguish a fire.
Technical means, as well as hardware, are classified by purpose:
- warning, for example, a fence around the territory, preventing the possibility of unauthorized entry into it;
- detecting, for example, security cameras used by security guards;
- elimination of a threat, for example, a fire safety system.
Hardware
These are devices that ensure the reliability of using system data, limiting the ability to use confidential information for users without access, preventing its leakage and unauthorized disclosure.
Hardware types:
- passive (engineering detection tools, devices that control radio air, operating systems, access control systems);
- active (masking system data, uninterruptible power supply, hardware algorithms for converting a digital stream, noise generators).
Such devices are used to:
- detection and localization of information leakage channels;
- search and neutralization of devices intended for unauthorized use of information;
- conducting tests and inspections of the information network in order to detect possible leaks.
By functionality, hardware is divided into those intended for:
- search and measurement;
- detection;
- counteraction.
They can also be general-purpose for use by non-professionals and professional complexes, for example, devices for detecting and direction finding installed microphones and radio transmitters. Hardware is a separate category that makes up the security structure of individual computers or the entire network.
Software
Software that ensures the security of the use of information systems is understood as special software systems or programs. They are intended for:
- differentiation of access to information;
- user authentication when working with the system;
- prohibition of copying information;
- anti-virus protection;
- protection of documents, files, folders.
Examples of protective software:
- firewall is an intermediate server that monitors traffic;
- a proxy server that prohibits access to the local network from the global network;
- virtual private networks (VPN).
The use of the above software tools in combination can significantly increase the level of security.
Cryptography
It is a science that studies methods to ensure the protection of confidential data. The goal is to achieve the impossibility of reading and changing information and verifying the authenticity of authorship, user and other properties of the object. Cryptography provides a high level of protection of data in the system, not access to it.
The concept of cryptographic data protection means a set of systems and complexes aimed at transforming information in order to ensure its safety during storage, processing and transmission. In fact, cryptographic methods allow information to be encrypted, thereby limiting the ability of third parties to use it.
***
To achieve a higher level of protection of confidential information, it is necessary to apply all measures simultaneously. Each of the methods is an important element in the complex of measures aimed at data protection. If they are neglected, the actions taken can become meaningless.
18.12.2020
