Organization of protection of confidential information
The protection of sensitive information that is not subject to disclosure has to pay great attention to both individuals and many companies. Leaked confidential information translates into loss of customers and reduced income. Attackers can get hold of valuable information, damage the reputation of citizens, gain access to bank accounts, private and government secret documents. To protect confidential information, to prevent its use for illegal or criminal purposes, technical means are used.
Information security and its features
Personal data of citizens, secrets of commercial activities of firms, official and state secrets, materials of legal proceedings are considered confidential information.
Protection of confidential information implies the implementation of measures for the physical and technical protection of classified materials. Security is achieved by limiting access to secret data, maintaining their reliability and integrity while working with sensitive information.
There are several possible channels for the leakage of valuable information. Direct channels of information leakage are direct copying of important documents or violation of trade secrets.
Indirect ones include:
- loss or theft of media devices;
- improper disposal of data to be destroyed;
- remote listening or photographing documents with classified information;
- radio interception of messages.
Social networks are often the culprits for the disclosure of personal information. Often, materials with information about the personal life, family secrets of citizens find themselves on the Internet. Fraudsters can gain access to e-wallets. To protect yourself, you have to use complex passwords and take other security measures.
There are various methods of stealing information: acoustic (eavesdropping), optical (video filming). Electromagnetic, electronic and other devices can be used to intercept data.
For companies that need to protect valuable information, special systems for protecting information of the DLP (Data Loss Prevention) class have been developed. With their help, you can find out who worked with classified information and where it was transferred. The degree of information security and the risk of leakage are assessed.
How security is ensured
To keep confidential information from disclosure, the following techniques are used:
1. Data certification. When developing measures to protect information, the requirements of regulatory documents are taken into account. They regulate the means to ensure the confidentiality of data. Certification is the verification of the compliance of protective measures with established standards for working with classified information.
2. Licensing - the issuance of a permit for a certain type of activity or use of an invention. If the case concerns information that is not subject to disclosure, control over compliance with the conditions and confidentiality requirements specified in the license is carried out.
3. Categorization - division of objects into categories of secrecy and taking into account the danger of data leakage when working with classified information.
4. Attestation - checking the premises in which confidential materials are stored for compliance with security requirements and the availability of the necessary technical means.
The heads of companies that own classified information must have a list of information that is not subject to disclosure, as well as a list of names of persons who have access to such materials. When hiring new employees, they are warned about the inadmissibility of disclosing official information and about impending liability.
If the matter does not concern state secrets, the heads of enterprises themselves establish the degree of confidentiality of information, as well as choose the methods and means of its protection. In doing so, management takes responsibility for the mishandling of valuable information and identifies possible consequences. All information protection measures are carried out in accordance with federal law and decrees of the President of the Russian Federation.
Information security elements
For the effective protection of information, a complex of legal, organizational, software and hardware, engineering and technical and cryptographic measures is carried out.
Compliance with legal standards of information security is monitored, legal relations are established between the company that owns valuable information and the state. With the help of official checks, facts of disclosure of information by personnel are revealed.
The availability of documents related to the conclusion of labor agreements, contracts, instructions for working with classified information is checked.
Work is underway with the staff regarding responsibility for unauthorized destruction of documents with important information, transfer of false information, disclosure of official secrets.
New employees are explained the specifics of information security and confidentiality requirements. When signing the contract, a written consent is taken to comply with the restrictions and rules for handling proprietary information.
They include actions aimed at ensuring a safe operating mode of a company using classified information:
- Creation of a security service. Appointment of a specific person responsible for issuing materials to employees using confidential information. Providing security services with the necessary information security programs;
- Compilation of a list of especially important paper and electronic documents, as well as a list of materials with valuable information;
- Introduction of a permitting system for employees' access to materials of varying degrees of secrecy, implementation of control checks on handling classified information;
- Development of methods for selecting personnel to work with secrets, familiarizing employees with instructions for the use and protection of classified information;
- Prevention of the possibility of accidental or deliberate violation by employees of the established procedure for working with confidential information;
- Development of a system for protecting important information during meetings, events for the exchange of information with representatives of another organization, meetings with the media, etc.;
- Verification of premises intended for work requiring the exchange of classified information, licensing of means that ensure confidentiality, certification of means for processing confidential data;
- The introduction of access control, the introduction of methods for identifying employees and visitors. Ensuring the protection of the territory, equipment and personnel possessing valuable information;
- Creation of instructions for the protection of classified materials in the event of extreme situations;
- Organization of effective protection of computers, local networks, as well as management of the entire information security system and assessment of the effectiveness of the measures taken.
Engineering and technical activities
The protection of confidential information is carried out using expensive technical means and special equipment. This helps prevent unlawful theft and declassification of information by hackers. Organizations possessing important information are equipped with tracking and listening devices.
Engineering and technical safety measures include:
- Installation of fences, gratings, steel doors with combination locks, as well as the use of identification cards, equipping safes;
- Alarm device (including fire alarm). Installation of electronic means of warning about the penetration of unauthorized persons into the object and an attempt to take possession of classified information;
- The use of equipment for the detection of eavesdropping devices, hidden video cameras and other reconnaissance devices;
- Installation of devices that ensure the protection of important documents and materials when trying to take them out of the territory of the enterprise;
- The use of software and hardware methods for protecting information stored in computers and other electronic devices. At the same time, identification, authentication, audit programs and special methods of information transfer (tunneling, encryption) are used. The programs allow only those employees who have special codes and passwords to enter the information system. Biometric identification is carried out. The time of entering the system and using secret information is recorded. If unauthorized entry into the information system is detected, the program automatically blocks access to the materials.
Secret codes and passwords for access to the information system of enterprises dealing with especially valuable information are being developed. When transferring information, a special cryptographic key is used. It is a sequence of characters that are used to encrypt and decrypt digital signatures, secret messages and codes.
To keep confidential information transmitted in an open way (by mail, fax, unsecured Internet channels), conditions of mutual trust are developed.
When exchanging service information, the password for entering the information system is transmitted using special cryptographic methods and programs. This technique can also be used when communicating information by telephone or radio.
Cryptographic information security measures also include:
- Creation of identification magnetic cards or biometric identification devices for employees who have permission to familiarize themselves with classified information;
- Development of methods for confirming the authenticity of identification data (authentication) through the use of pin codes, smart cards, personal digital signatures;
- Implementation of message escaping methods. Of the entire volume of classified information, employees are given access only to certain information, and the rest are "screened";
- Development of a system for limiting the attendance of premises in which documents with classified information are located. Code locks are installed, personal magnetic cards are used.
Choice of techniques
The scope of measures taken to safeguard confidential information depends on the characteristics of the organization, the size of the business, the degree of importance and secrecy of the information it owns.
In a small company, to prevent leakage of confidential information, it is enough to establish the procedure for their processing and storage, as well as to restrict personnel access to the protected information. It is necessary to properly organize work with personnel, conduct instructions on handling important information. It is important to analyze and control organizational actions aimed at preventing the leakage of confidential information.
Large organizations use a complex multi-level system for classifying materials. The methods and tools used are periodically updated to prevent attackers from recognizing them.
The list of employees who have access to classified materials does not include persons who develop the security system and the corresponding computer programs.
Secure communication channels are used to transmit classified commercial information over the Internet. Data is transferred encrypted or disguised.
Information security procedure
When protecting classified information, the following procedure is followed:
- A list of trade secrets and information not subject to disclosure is compiled. This takes into account the need for security measures in a related organization that has access to such information;
- Methods for storing information are being developed (using electronic media, paper documents, technical processing facilities). Premises and equipment for storing documents with valuable information are allocated, a list of responsible persons is drawn up;
- The effectiveness of the measures taken is checked.
Increasing information security requires complex measures using complex technical devices. It is necessary to correctly assess the risk of information leakage and take adequate measures to prevent theft of information that can be used for illegal and criminal purposes. It is important to constantly analyze the effectiveness of information protection and improve the methodology for its implementation.