Organization of storage of confidential information
Companies often face the task of storing the organization's sensitive information. Such information may reside on the company's local networks, on paper and other physical media, or in cloud storage. A separate issue is the circulation of highly classified data within the organization.
How confidential information is defined by law
Confidentiality is the restriction of access to information of a certain status. The term comes from the Latin word confidentia, meaning trust: only trusted employees may access confidential information. Access control solutions are implemented at the organizational and software level.
In various areas of social and economic life, in different countries, separate models are adopted for regulating the degree of confidentiality of information.
In Russia, under the law "On Information" (149-FZ), the general principle for classifying data as confidential is that the need is stated in some other federal law, for example, in the Family Code in the article on protecting the secrecy of adoption.
The regulation defines the following categories of confidential information:
- state secret;
- official information of limited distribution, stored in the information systems of public authorities;
- trade secret;
- official secret;
- professional secrecy;
- personal data of citizens.
The procedure for handling various categories of information, including those not named directly in the law, such as bank secrets and attorney secrets, is regulated by separate federal laws. For most categories of confidential information, the laws and regulations developed in accordance with them establish separate rules for ensuring its security.
The European Union has developed a number of directives and agreements describing the procedure for accessing confidential information; many of their provisions have been incorporated into national legislation practically without revision.
The European Convention on Cybercrime (ETS No. 185) recommends that national legislation define the following as criminal offences:
- illegal access to information protected in accordance with the requirements of the law;
- illegal interception of data;
- interference with data in order to destroy or alter it;
- interference with information systems.
These violations were included as crimes in the Criminal Code of the Russian Federation, and their presence deters potential attackers from attempting to steal or damage confidential data. But not every offender can be caught, so the regulators that define data protection mechanisms (the Government of the Russian Federation, FSTEC, Roskomnadzor, the FSB, the Central Bank) adopt regulations establishing special rules for storing data sets protected by law.
An even more detailed list of confidential information is provided by presidential decree No. 188:
- personal data;
- secrecy of investigation and legal proceedings, data related to the protection of judges and witnesses;
- official information of government agencies;
- information related to professional activities, namely, medical, notarial, attorney's secrets, secrecy of correspondence, telephone conversations, mailings, telegraph or other messages;
- trade secret;
- data on the essence of the invention, utility model or industrial design, before a patent is filed or officially published.
Some items in the list overlap, so there is no need to provide a different storage regime for each. It is sufficient to comply with the general principles of information security, except for data for which the regulator prescribes separate organizational, technical or software measures.
Basic principles of protecting confidential information
An organization, regardless of the category of information confidentiality, should use uniform data storage models that provide basic security. They are described in Art. 10 of the Law "On Trade Secrets" and are available to any company:
- determine the list of confidential information and the degree of its confidentiality;
- establish restrictions on the procedure for accessing data and adopt standardized rules for granting access rights and changing their volume;
- keep a record of persons who have received the right to access information for any reason, for example, within the framework of an employment or contractual relationship;
- establish, in employment contracts with employees, the rules for handling and protecting data together with the liability measures for leaks, and do the same for counterparties (customers, suppliers, service providers) in civil-law agreements;
- label physical media (documents, floppy disks, USB drives) containing valuable information, indicating who owns the information.
Software and technical measures to ensure the safety of data are taken based on the requirements of the regulator or based on the preferences of the company's management.
Measures, according to the logic of the law, will be sufficient if the following is ensured:
- complete impossibility of access to data constituting a trade secret for any person without the express consent of its owner;
- the trade secret regime does not interfere with the use of its constituent data in business processes.
When designing a system for protecting confidential information, it should be borne in mind that modern business processes rely on virtualization and cloud technologies: some solutions apply when data is protected in the company's own information networks, and others when it is placed in the cloud.
In enterprise information systems
When processing information in local networks, the greatest attention should be paid to its structure. The organization's administration must clearly understand which information sets are classified as confidential, in which files and folders they are located, and how access is differentiated.
When working with documents
There are two types of documents in the company:
- paper version, original or copy;
- electronic version uploaded to the information system.
For the first type, established practice provides standard methods of protection:
- transfer paper data carriers only against signature, indicating the date and purpose of the transfer;
- affix secrecy stamps on documents;
- make copies only with the permission of management;
- if necessary, introduce subtle, unique changes into each copy so that a leaked copy can be traced to the employee who received it;
- provide physical protection for tangible media.
Compliance with these requirements is sufficient to protect classified information. Documents that are no longer used in current work but contain data of a high degree of secrecy (court cases, employees' personal files) are sometimes transferred to archive companies that rent out safe-deposit boxes. The documents are kept highly secure, while the company's office space is freed up. But if the documents contain personal data, then when transferring them for storage it is necessary to establish liability for their safety and to comply with all technical requirements for the storage facility: registration of visitors, locks, secured windows, and the complete exclusion of any possibility of unauthorized access to the data.
In local networks and cloud storage
The storage of electronic documents or files containing confidential data in information networks is accompanied by the mandatory use of a set of measures that completely exclude unauthorized access:
- the use of software tools that allow you to assign confidentiality labels;
- application of programs for monitoring information security incidents;
- maintaining logs for recording user actions, recording all operations with protected documents;
- processing and transmission of information in encrypted form;
- creation of structured databases that allow documents of different degrees of confidentiality and different purposes to be stored in separate compartments.
The person responsible for organizing the system for storing confidential information must at any time know where and what document is located and who has access to it. To avoid the risk of data loss due to system damage or disaster, you need to provide backups that will allow you to restore lost or distorted information as soon as possible.
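As an added illustration (not code from the original article or from SearchInform), a small Python model of the measures listed above: documents carry confidentiality labels, a register records who has been granted access and on what basis, access is denied by default, and every operation is written to an audit log so the responsible person can answer at any time where a document is and who can access it. The label set, the store class and all sample values are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Confidentiality categories named on the page (decree No. 188); constructed subset.
LABELS = {"personal data", "trade secret", "official secret", "professional secrecy"}


@dataclass
class Document:
    doc_id: str
    label: str      # confidentiality label assigned when the document is registered
    location: str   # where the file lives, so the responsible person can always answer "where"
    owner: str      # whose consent is required for access


@dataclass
class ConfidentialStore:
    documents: dict = field(default_factory=dict)
    register: dict = field(default_factory=dict)   # (person, label) -> basis for the grant
    audit_log: list = field(default_factory=list)  # every operation on a protected document

    def add_document(self, doc: Document) -> None:
        if doc.label not in LABELS:
            raise ValueError(f"unknown confidentiality label: {doc.label}")
        self.documents[doc.doc_id] = doc

    def grant(self, person: str, label: str, basis: str) -> None:
        # Record who received access and on what grounds (employment or civil-law contract).
        self.register[(person, label)] = basis

    def revoke(self, person: str, label: str) -> None:
        self.register.pop((person, label), None)

    def access(self, person: str, doc_id: str, operation: str) -> bool:
        # Deny by default: access exists only if the register holds a grant for this label.
        doc = self.documents[doc_id]
        allowed = person == doc.owner or (person, doc.label) in self.register
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "person": person, "doc": doc_id, "label": doc.label,
            "operation": operation, "result": "allowed" if allowed else "denied",
        })
        return allowed

    def who_can_access(self, doc_id: str) -> set:
        doc = self.documents[doc_id]
        return {doc.owner} | {p for (p, lbl) in self.register if lbl == doc.label}

    def denied_attempts(self) -> list:
        return [e for e in self.audit_log if e["result"] == "denied"]
```

The denied-attempt list is what the security service would feed into incident review; revoking a grant takes effect immediately because every check consults the register rather than a cached decision.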
When processing confidential information to protect it from the main threats - leaks, loss of integrity, distortion, reduced availability - organizations use a number of software tools:
- antivirus programs. Modern malware is capable of encrypting or completely destroying files and stealing data; antivirus software can protect against these threats;
- network health monitoring tools, which identify failures of nodes and programs that can lead to a loss of integrity or availability of information;
- trusted boot tools, which allow only users with a certain level of privileges to log on to the system;
- two-factor authentication methods, sometimes using hardware tokens;
- SIEM systems, which identify information security incidents and notify the security service about them;
- DLP systems, which exclude all data leaks caused by insiders.
If personal data are processed in information systems, the requirements for technical and software protection means are established by the regulator. Difficult situations arise when a company that transfers databases for storage to third-party cloud servers doubts whether it is thereby violating the requirements of the legislation on the protection of personal data.
In this case, you should adhere to the following safety rules:
- make sure that cloud servers are located in the Russian Federation;
- establish that the cloud storage security system meets the requirements of the FSTEC of Russia. Some providers certify their information systems, which improves the quality of their cloud storage services;
- conclude an agreement in which to describe all the measures of responsibility that will be applied to the provider if confidential information is lost through his fault.
Most professional companies offering hosting of confidential information on cloud servers accommodate the client's requirements, and their information security systems are more reliable than those of small and medium-sized businesses.
The decision on the storage method, in the company's own system or with a service provider, is made by the organization's administration. But it should not forget that responsibility for a personal data leak will lie with the organization, not with the provider.