Procedure for processing confidential information
In the work of the company, situations arise when confidential information in paper and electronic form is used in standard business processes. It is necessary to regulate the work with such data to avoid leaks. This task is solved by building a paper and electronic document management system based on the company's internal regulations.
The procedure for recognizing information as confidential
In order for information to be recognized as confidential and to receive a protection status in this regard, certain conditions must exist:
- assigning it to the category protected by law (state secret, personal data);
- recognition of confidential information as a commercial secret within the framework of the company's internal documents.
For the first category of confidential information, the procedure for working with data is largely determined by the requirements of the regulators (FSB, FSTEC). For the second group of confidential data, firms have the right to build the protection system themselves, often on the basis of already established procedures. There is no approved procedure for processing documents that contain commercial information. Most often GOST standards are used; they descend from Soviet-era methods and set out in detail how to organize work with paper carriers of commercial secrets and other categories of confidential information. In electronic document management (EDM) systems, how security issues are solved when working with confidential information is determined by the set of functions built into the software product.
The basis of the regulation of work is a set of procedures that ensure the introduction of a commercial secret regime regarding confidential information:
- drawing up a list of information that the company considers confidential. Its status must be differentiated according to the different degrees of employee access. For this, various secrecy labels are usually used: "Secret", "Top Secret", "Special Importance". In EDM systems, confidentiality stamps are replaced by labels assigned to the files and directories that contain restricted information;
- adoption of a provision regulating the rules for working with commercial secrets, the procedure for accessing it, responsibility for its disclosure;
- introduction of a clause in employment contracts obliging the employee to ensure the safety of trade secrets.
After these measures are implemented, the information receives protected status, and in the event of its leakage the company can not only impose disciplinary liability on an employee but also oblige him, under civil law, to compensate for the damage caused by the disclosure.
Regulation of work with paper media
The document management standards adopted by most companies larger than small businesses are based on the concept of confidential document execution. This term means the following sequence of actions:
- creating or receiving a confidential document;
- its registration in the company's workflow database with the assignment of identifying signs and a confidentiality stamp;
- development by the head of the organization of an order arising from the essence of the document, taking into account the degree of confidentiality of information;
- appointment of a responsible executor or executors;
- execution of the order;
- control over the implementation and quality of confidentiality of information.
The execution and processing of confidential documents differ from work with documents that carry no confidentiality stamp. When working with paper or electronic media, or processing files that contain confidential information, the following threats are identified, associated with incorrect actions of executors, of those organizing the execution process, or of the security service:
- loss of confidential information if it was documented on paper or electronic media that is not included in the control perimeter of the organization's security service;
- creation within the company of a document (order, regulation, instructions), which is publicly available to all employees, but contains information of limited access;
- inclusion of superfluous confidential information in a document intended for external distribution (business proposal, press release, protocol of agreements). Under the law, this is equivalent to disclosure of trade secrets;
- accidental or deliberate assignment to a document of a lower information confidentiality label than provided for by the regulations;
- preparation of a document containing confidential information in a situation in which it is impossible to ensure the security mode (in the cloud service, on a mobile device, at home, when working together using public Wi-Fi networks);
- accidental loss of the original, a copy or a draft of a document, or of an electronic storage medium, with the employee concealing the fact and attempting to cover it up by substitution;
- leakage of confidential information through communication channels, both unintentional and as a result of hacker actions;
- erroneous actions by the person responsible for the safety of confidential information, related to incorrect settings of the security system, both technical and documentary.
Threats should be monitored by the security service and the IT department at all stages of working with confidential information.
Features of the creation and execution of confidential documents
Based on the listed risks, the process of execution of confidential documents will differ from the execution of ordinary ones; additional stages and procedures will appear in it:
- setting the level of confidentiality for a document at the time of generating an idea for its creation. This will make it possible to accurately determine the level of information to be included, the list of performers and coordinators, and the familiarization list;
- a description of all categories of information carriers where the created document will be located, the rules for their distribution, storage and other features of the procedure for processing confidential information;
- preparation of a confidential document, taking into account the determination of the level of admission of all performers, determination of the subtleties of collaboration, the organization of a protected area for work both on the territory of the organization and in the virtual space, especially when working in a project group on remote access, determining the number of paper copies of the document;
- approval of a confidential document, taking into account the level of admission of persons who take part in this process: director, members of the board of directors, secretariat, department for documentation support.
Each stage should be strictly regulated by internal instructions, and the executors of the instructions should not make mistakes due to their ignorance. The human factor should not cause the loss of restricted data. Knowledge of the procedure for handling confidential information should be regularly checked by the security service and supported by trainings.
How to deal with threats to confidentiality of information
Recording restricted-access data on a physical medium is itself a factor that creates the threat of leakage. To ensure that work with a document proceeds under information security conditions, the future confidentiality stamp must be determined already at the stage of the document's generation. When compiling the list of information constituting a commercial secret, it is necessary to focus on three levels of secrecy, each of which determines the circle of persons allowed to work with the data.
The list of information and the level of its label are determined by the following factors:
- a list of company information of commercial value;
- the requirements of partners to protect their trade secrets transferred in the framework of business relationships;
- legal norms.
A security label is assigned, and its level determined, based on the value of the information and how much damage its loss would cause the company. In a commercial organization, three levels of labels are usually used, expressed as marks on paper or as tags on electronic resources:
- the first level, at which employees of any rank are allowed to process confidential information provided that their employment contracts contain a nondisclosure clause, corresponds to the "Confidential Information" stamp;
- the second level, at which only employees on a limited list can access the data. The "Strictly Confidential" stamp is assigned by the head of the company, and only he can change or cancel it. The head of the company organizes the process of determining how data of this level is stored; sometimes a separate unit is created for this purpose to handle the workflow of restricted data;
- documents intended for official use are marked with the "DSP" stamp.
The confidentiality label on paper should be affixed so as to leave no doubt about its wording. It is placed on the first sheet. If an electronic copy of the document is in use, the stamp is affixed on every page in order to avoid copying. The copy given to each employee may carry additional tags invisible to the eye, which make it possible to determine where a leak originated.
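As an added illustration (not part of the original article), the following Python models the three stamps and the access and relabelling rules described above, including the threat of assigning a lower label than the regulations require; the category catalogue, the employee names and the ordering of DSP relative to the other stamps are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Label(IntEnum):
    """Stamps named in the text; the numeric order (higher = narrower access) is an assumption."""
    DSP = 1                     # "for official use"
    CONFIDENTIAL = 2            # "Confidential Information", first level
    STRICTLY_CONFIDENTIAL = 3   # "Strictly Confidential", second level

# Constructed catalogue: the minimum stamp the internal regulations require per category.
REQUIRED_LABEL = {
    "internal_memo": Label.DSP,
    "price_list": Label.CONFIDENTIAL,
    "merger_plan": Label.STRICTLY_CONFIDENTIAL,
}

@dataclass(frozen=True)
class Employee:
    name: str
    nda_clause: bool        # nondisclosure clause present in the employment contract
    is_head: bool = False   # head of the company

@dataclass
class Document:
    title: str
    category: str
    label: Label
    access_list: frozenset  # limited list of named employees for the second level

def can_access(emp: Employee, doc: Document) -> bool:
    """First level: any employee whose contract has the NDA clause.
    Second level: NDA clause plus a place on the limited list (the head is always allowed).
    DSP is treated like the first level here; the text does not state its access rule."""
    if not emp.nda_clause:
        return False
    if doc.label is Label.STRICTLY_CONFIDENTIAL:
        return emp.is_head or emp.name in doc.access_list
    return True

def check_relabel(actor: Employee, doc: Document, new_label: Label):
    """Return None if the stamp change is allowed, otherwise the rule it would break."""
    if new_label < REQUIRED_LABEL[doc.category]:   # label lower than the regulations provide
        return f"{doc.category} requires at least {REQUIRED_LABEL[doc.category].name}"
    if Label.STRICTLY_CONFIDENTIAL in (doc.label, new_label) and not actor.is_head:
        return "only the head of the company may assign, change or cancel Strictly Confidential"
    return None
```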
Features of processing confidential information in EDM systems
Most companies have electronic document management systems that greatly facilitate office work. The documents in them are in the form of electronic copies.
There are the following types of EDM systems:
- programs created by the company's programmers, taking into account its specifics;
- modules in standard business programs and CRM systems;
- specialized programs designed exclusively for document flow;
- modules in global information systems of large corporations built on one software platform.
Working with documents containing restricted access data in EDM systems requires building separate routes for the movement of such documents when they are signed, excluding access to them by unauthorized persons. Similar security measures must be implemented when uploading these documents to software and production modules. In most software products on the market, such a solution is difficult to implement. The task becomes especially difficult if data storage is performed on cloud servers. When choosing a software product, these features must be taken into account and risks must be avoided.
The processing of confidential data requires increased attention from all involved persons and departments. Particular attention must be paid to document management, security and IT departments, but ultimately the responsibility for the safety of trade secrets lies with the head of the organization.