State information security staffing system
Along with the development of technologies and constantly growing competition in all spheres of life, the problem of ensuring personnel security has become urgent. To assess the importance of this task, it is enough to use the data of historical and statistical studies.
In the 1940s, nuclear weapons were being developed intensively. The scale of the espionage was such that the results of classified US research, along with the blueprints, were at the disposal of British and Soviet intelligence within five hours after the first practical tests. Since then, state and industrial espionage has been developing non-stop.
According to the official statistics of the Judicial Department under the Supreme Court of the Russian Federation, 11 people were arrested in 2019 on charges of espionage and high treason. Another 20 people were detained in connection with the discovery of the fact of disclosing state secrets. Their guilt has been proven. The court sentenced the accused to imprisonment from 5 to 20 years.
From the above it follows that the main task of ensuring the information security of the state is the correct personnel policy. Only the selection of personnel verified by the special services and realizing the importance of maintaining state secrets will ensure the reliability of the data protection system.
On a national scale, an information security system is created by taking a whole range of measures. These include the use of various programs, equipment, surveillance and security systems. However, only the correct selection of personnel makes this system truly reliable and efficient.
The procedure for inspection and training of personnel of state enterprises
The sphere of public service differs from commercial enterprises in that the personnel of state enterprises can be admitted to state or military secrets. Therefore, the personnel policy of state-owned enterprises is more stringent.
Before the employment of all applicants for a position that implies access to classified information, representatives of the special services are checked. Depending on the profile of the enterprise, this may be the state secret protection service (abbreviated HRT), the FSB or the internal security department.
The subject of the check is:
- Biography. The fact that the applicant or his immediate family has a criminal record is a good reason to refuse employment.
- Documents. All documentation is checked for authenticity.
- Reviews. A characteristic from the place of study or previous place of work can influence the decision of the inspectors regarding employment. This is especially true for the military. An officer's position can only be taken by the person whose characteristics include the wording "can keep a military secret."
- Personal qualities. The check involves a psychologist who tests the applicant for loyalty to the company. Many public and private organizations employ profilers with lie detectors in their interviews.
If the applicant passes the screening, the next step for the enterprise security department is the training of a specialist. An example of such training can be considered the work of HRT service with future officers, in the process of which the service representatives:
- Under the signature, servicemen are introduced to the list of permitted and prohibited actions. They explain the procedure for using communication means and various equipment at secret facilities, talk about the access levels and memory drives used within the facilities.
- They tell about examples of violations of the secrecy regime and their consequences. As soon as it becomes known about cases of violation of the secrecy regime, all servicemen with the appropriate level of security are notified of the incident. This ensures the prevention of offenses.
- Conduct certification. During the exam, military personnel answer questions, confirming their knowledge of information security rules. Those who do not pass certification are deprived of admission, suspended from the performance of official duties, and may even be fired if they fail to pass the re-certification.
- An admission is issued with an appropriate degree of secrecy.
At state-owned enterprises, the personnel training system is slightly different. There, the security service pays attention mainly to training employees in the rules for using the equipment, as well as keeping working information secret from unauthorized persons.
Training of specialists responsible for information security
In addition to ordinary employees of state enterprises, there are also specialists with a special degree of responsibility. We are talking about representatives of services that are involved in ensuring the security of information systems. Their preparation is particularly difficult.
To ensure that the information security of a state enterprise does not threaten anything, highly qualified specialists with specialized education should be engaged in its provision. These include:
- officers who graduated from the FSB academy;
- specialists with higher education who have the skills to develop software products in the field of information security;
- former and current law enforcement officers with positive traits and experience in the fight against cybercrime.
- The training of such specialists is carried out in accordance with the level of confidentiality introduced in the enterprise.
There are several levels of secrecy at government enterprises and military installations. Documents, photo and video files can be marked with labels:
- "For administrative use";
- "Top secret";
- "Of particular importance."
Information for official use is not considered secret. However, its disclosure to unauthorized persons is prohibited. Therefore, even ordinary proprietary information is classified as confidential data and is prohibited from disclosing in any way.
Depending on the degree of secrecy introduced at the enterprise, different methods of training the personnel involved in ensuring information security are used.
If a state enterprise does not belong to secure facilities, then the protection of its information systems is carried out in a standard way:
- anti-virus programs are installed on PCs and laptops;
- systems of authorization and user identification are being introduced;
- control over the visitors and employees of the facility is carried out.
In this case, a separate specialist or directly the head of the organization is responsible for the security of the enterprise information systems. The responsibilities of the person in charge include:
- participate in the selection of personnel;
- notify employees about the implementation of the confidentiality regime;
- prevent leakage of official information through preventive measures;
- timely update anti-virus and basic software, install only licensed programs;
- ensure that employees observe confidentiality.
Thus, a specialist with a minimum level of training can be involved in information security at state-owned enterprises that are not classified as security facilities. Based on the above list of responsibilities, it is enough to train the employee responsible for the security of information systems to install software or control the work of the IT department.
As for sensitive facilities, the training of specialists responsible for the security of information systems is much more complicated.
- know the norms of Russian legislation that regulate access to classified information;
- be able to use specialized equipment and software designed to protect information systems;
- develop and implement information security systems;
- monitor the observance of the facility regime (admission of unauthorized persons, movement of employees with limited access, etc.);
- classify documents, audio and video files related to state secrets, and declassify them in accordance with the requirements of the law.
The training of such specialists includes:
- study of Russian legislation in the field of protection of state secrets;
- work with equipment, hardware and software to protect the information assets of the enterprise;
- study of methods and ways to combat the disclosure of confidential information;
- training in the development and implementation of data protection complexes.
It is advisable to train specialists in specialized educational institutions. In Russia, professional retraining and advanced training of personnel involved in information security is carried out by the FSB and FSTEC. The training is conducted in accordance with the professional standards established by law. Upon completion of training, students are issued with opinions, certificates or licenses. Trained in this way, specialists can be engaged in ensuring information security until the documents issued by federal services expire.
Training and recruitment principles
The main principle of training company employees responsible for the preservation of information assets is the relevance of training. Data security can only be ensured if personnel are familiar with all the existing threats.
At the moment, the current threats that can lead to information leaks are:
- hacker attacks;
- industrial and government espionage;
- intentional and unintentional disclosure of confidential information;
- unauthorized access of unauthorized persons to documents and equipment.
Based on these threats, personnel are trained to counter espionage and prevent information crimes.
Employees of the enterprise are trained:
- Rules for handling computer equipment. To ensure the safety of data on work PCs and laptops, users should only use anti-virus-tested memory drives. The data required for authorization and identification of users are kept secret.
- Rules for the exchange of information with strangers. Proprietary information should not be discussed with those who are not included in the list of current employees of the enterprise. The exchange of data within the enterprise must be carried out over secure communication channels.
- Rules for the use of telephones, cameras, video cameras and other equipment on the territory of the enterprise. Depending on the measures developed by the organization's management to ensure the protection of information, the use of personal communications, equipment and memory drives may be limited or completely prohibited.
When recruiting personnel, the HR department of the enterprise, together with information security specialists, selects only those applicants who have undergone professional training and are ready to observe confidentiality. Together with the employment contract, the hired employees sign an obligation to keep state and commercial secrets secret. And information protection specialists monitor the information security of the enterprise and the observance of the standards for protecting state secrets established by law.