Measures to protect confidential information
Information is a way to govern the world without weapons or open conflict, and it makes it easy to manipulate people and entire corporations. This is why huge sums are spent every year on securing confidential information: global business spending on data protection exceeded $120 billion in 2019. These costs are not wasted. The penetration of even a single virus into a corporate network can disrupt the work of hundreds of companies around the world.
What is confidential information
In addition to publicly available information, there is confidential data, to which only a limited number of people have access. The restrictions are usually set by law or by company-specific regulations.
According to Presidential Decree No. 188 "On Approving the List of Confidential Information" dated March 6, 1997, confidential information covers personal or secret data and state secrets, and may be:
1. Personal. Personal data or any other information by which an individual can be identified.
2. Service. Information constituting an official secret.
3. Judicial. Information about all participants in a trial (judges, supervisory or law enforcement agencies, witnesses, victims) as well as data from the personal files of convicts.
4. Professional. The secrecy of telephone conversations, correspondence and postal communications, as well as the professional activities of doctors, notaries and lawyers.
5. Commercial. Along with trade secrets, this includes data on inventions, industrial developments and technologies.
The main sources of confidential information are people: individuals, employees of the organization, clients, service personnel. In addition, these are documents in paper or electronic form, information carriers, products manufactured at the enterprise, sometimes even production waste.
Where does the danger come from
Information threats can be internal or external. According to statistics, internal factors account for a significant share of these threats. The usual source of danger is insiders: employees of the enterprise who act out of personal revenge or to obtain additional income. Sometimes an insider is recruited by third parties and causes irreparable harm to the company's security.
External threats originate outside the organization and target data storage, the local network and company computers: typically viruses, spyware, disruption of operations, system intrusions, and destruction or modification of software.
All threats can be divided into several groups: leakage, falsification of information, loss, and access violations.
Data leakage methods
Information is lost in different ways and through different channels. Quite often, leakage occurs through physical channels in the course of day-to-day operations, for example during:
- work with partners under civil-law contracts;
- visits to the enterprise;
- transfer of information at the request of various government agencies;
- document management.
About 70% of all information is lost through the following channels: acoustic, visual, connections to a computer network, and spurious electromagnetic emissions from equipment.
Some of the information leaks through information channels: advertising events, exhibitions, publications and interviews in the media.
The human factor plays an important role in the loss of information. Employees of an organization, through ignorance or negligence, may disclose confidential data, and a dismissed employee often deliberately transfers classified information to third parties. Quite often, the leak occurs through social engineering techniques.
Information protection measures
To keep their data safe, organizations take special measures aimed at preserving the confidentiality of information and protecting it from illegal access, which could otherwise result in the information being destroyed, distorted, blocked, copied or disseminated. This is set out in Federal Law No. 149 "On Information, Information Technologies and Information Protection" dated July 27, 2006 (as amended on July 29, 2017).
The legislation of the Russian Federation requires preventing unauthorized access to data and its transfer to persons who are not legally entitled to it, as well as:
- promptly detecting unauthorized access;
- preventing the negative consequences of rule violations;
- immediately restoring modified or destroyed information;
- preventing unauthorized interference with data-processing equipment;
- constantly monitoring the level of protection of the data.
All these responsibilities rest with the information owner or the information system operator. Databases used for collecting, recording, organizing, accumulating, storing, updating and protecting data must be located on the territory of the Russian Federation (clause 7 of Federal Law No. 242 of 21.07.2014).
Protection of confidential information is a multifaceted work that must be carried out simultaneously in several directions, using organizational, technical and legal measures.
Legal level of protection
This side of security is regulated by the state through legislation. Legal protection means ensuring compliance with state standards in the field of copyright, decrees, patents and job descriptions. It also covers the establishment of trade-secret protection at the enterprise.
A properly built system of legal protection allows an organization to avoid violating user rights and the legislation governing data processing.
The organizational level of protection involves streamlining work with documents and confidential information and determining the degree and level of each employee's access to media and information systems.
The organizational level of information protection consists of:
1. Special personnel-management methods, including competent selection and training of staff, constant monitoring, and defined behavior in emergency situations. Working with IT specialists requires particular attention.
2. A confidentiality regime for document flow and office work, that is, special rules for creating, storing, destroying and transferring documents.
3. Regime measures at the enterprise: access control, security guards, rules for bringing documents in and taking them out, employees' use of personal devices, handling of information, and remote access.
4. Organizational protective measures, under which information is divided into parts, duplicated at key points, placed in cloud or bank storage, backed up, and audited.
5. Technical means of protection: DLP systems, encryption, correct hardware configuration, and software protection.
All these measures help prevent or minimize leakage of confidential information caused by negligence or carelessness of staff.
Technical protection can be carried out in several directions, the main one being physical. It relies on electrical, mechanical and electronic devices that prevent data leakage: locks, video cameras, sensors and recorders.
Other areas of protection:
- Software. Programs of varying complexity, for example DLP and SIEM systems, that ensure information security.
- Hardware. Information and telecommunication systems are equipped with built-in electronic, electrical, optical and laser devices: noise generators, surge protectors, scanners. This applies to computers, employee monitoring systems, servers and corporate networks.
- Mathematical (cryptographic). Cryptographic methods of transferring information over global and corporate networks are introduced. This approach does not control the path of entry but protects the information itself. For this, cryptographic providers, VPN tools, key generation and verification, and electronic digital signatures are used.
An information protection system can be built competently and strictly, but no technical or legal measure will deliver results without a healthy working atmosphere in the team. Therefore, alongside other methods, it is recommended to develop and implement moral and ethical standards for handling information within the company, and thereby create a strong corporate culture of working with data. Even though such standards are not backed by legislation, violating them should damage the violator's standing and reputation.
The legal and organizational levels, together with moral and ethical standards, are considered informal protection measures. At this level, the aim is to prevent or make impossible the leakage or damage of information due to unprofessional staff, rule violations or improperly organized document flow. The technical level is considered formal: it covers work with devices and software.
Thus, the work to ensure the security of information includes the following measures:
1. First, the management of the enterprise initiates the development and implementation of a security policy and approves regulations and instructions for data protection.
2. Second, legal rules for preserving secret data are adopted: on commercial secrets and confidential information. Contracts are supplemented with confidentiality annexes.
3. Finally, technical measures are taken, involving the integration of software, hardware and combined products to prevent unauthorized external and internal access.
The preparatory stage of configuring the protection system
First, identify the information that needs to be protected, which requires a complete survey of the information systems.
After that, proceed according to the following scheme:
- optimize protected data streams;
- identify forms of information provision;
- find potential sources of threats, ways to implement them;
- compile a list of persons interested in the leak;
- calculate the period during which the information will be relevant.
It is important to establish a general direction of measures: sometimes it is enough to protect only information systems, in other cases, simultaneous protection of systems and the information itself is required.
Before proceeding with the activities, it is necessary to determine what purpose they pursue. Sometimes it is enough to formally fulfill the requirements of the law, but more often it is important to have real protection of information, which should not become available to unauthorized persons.
The following areas require special attention:
- availability of remote access to data;
- consistency between the employment contract with an IT specialist and the terms of any civil-law contract with a third-party organization;
- customization of the software with special attention to its updates;
- reliability, decency of an IT specialist, accountant, secretary, other employees;
- access control scheme;
- ways of splitting information into parts.
After a complete examination of the threats, threat models are developed, on the basis of which the terms of reference are drawn up. Next, a technical design for implementing software protection is developed, the new software products are installed and configured, and technical support for the installed systems is provided.
SearchInform DLP consists of ready-made software modules, each of which monitors a specific data transmission channel. The customer only needs to choose which channels to control and on how many PCs.
Information security principles
Information protection measures should not be ad hoc. This is complex, systematic work that is carefully planned and implemented on the basis of a well-thought-out strategy. It rests on the following principles.
Ensuring security means applying a systematic approach in all areas, from the selection and professional training of employees to the regulation of office routines. Even seemingly insignificant details, such as the prohibition on leaving any document on a desk face up, matter. Call handling and the process of identifying callers and visitors require detailed regulation. This is as important as systematizing work with the network, personal devices and equipment.
The principle of information noise
Possessing information always carries the risk of its leakage or disclosure, so one can never consider it fully protected. Cabinets, media and storage facilities should not be treated as reliable hiding places: they often become accessible to third parties, so any confidential information must be presented in such a way that no uninitiated person can understand it.
"Divide and rule"
Complete information should be available to only one person, the head of the organization. Cybercriminals then have to collect the information piece by piece from different sources, which makes a leak much harder.
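The "divide and rule" principle, and the organizational measure described earlier of dividing information into parts kept at different points, can be given a concrete technical form. The following is an added illustration, not code from the article or from any product it mentions: an n-of-n XOR split in which every custodian's share is required to rebuild the secret, and any smaller set of shares looks like random bytes. The sample secret and the three-custodian setup are constructed for the example.

```python
# Added illustration, not code from the article: the "divide and rule" measure
# in its simplest cryptographic form, an n-of-n XOR split. All shares are needed
# to rebuild the secret; any subset of fewer shares is indistinguishable from
# random bytes, so an attacker must obtain every piece from every custodian.
import hashlib
import hmac
import os
from typing import List

def split_secret(secret: bytes, n: int) -> List[bytes]:
    """Return n shares of equal length whose XOR equals `secret`."""
    if n < 2:
        raise ValueError("at least two shares are needed")
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for share in shares:  # mask the secret with every random share
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares

def combine_shares(shares: List[bytes]) -> bytes:
    """XOR all shares together; with any share missing the result is garbage."""
    result = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(result):
            raise ValueError("share length mismatch")
        result = bytes(a ^ b for a, b in zip(result, share))
    return result

def fingerprint(secret: bytes) -> str:
    """Hash recorded alongside the shares so a rebuild can be checked
    without keeping the secret itself anywhere."""
    return hashlib.sha256(secret).hexdigest()

def verify_reconstruction(shares: List[bytes], expected: str) -> bool:
    """True only if the combined shares hash to the recorded fingerprint."""
    return hmac.compare_digest(fingerprint(combine_shares(shares)), expected)

if __name__ == "__main__":
    # Constructed sample: an archive passphrase held by three custodians.
    secret = b"constructed sample: archive passphrase 2024"
    shares = split_secret(secret, 3)
    fp = fingerprint(secret)
    print("all three shares:", verify_reconstruction(shares, fp))   # True
    print("only two shares:", verify_reconstruction(shares[:2], fp))  # False
```

Each share and the fingerprint can be stored with a different person or in a different location, so that no single custodian, backup or storage site holds the complete information.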
The principle of different baskets
Store and transfer data at different times and through different channels. For example, a login and a password should not be delivered together: the password can be sent by corporate mail and the login by phone or SMS.
The principle of healthy paranoia
This principle works well for information security as long as the paranoia stays within reasonable limits. A manager should not trust everyone; on the contrary, everyone should be treated with suspicion. Even the latest technologies cannot preserve data completely; it can easily fall into the wrong hands. If suspicions arise, it is recommended to stage a controlled provocation of theft and monitor employees' behavior in order to identify the intruder.
Information security is a set of comprehensive measures to protect personal, government, commercial and other information. Neglecting this area can result in confidential information falling into the hands of fraudsters, which almost always brings many problems and negative consequences.