Improving the information security system at the enterprise

Hardware security: locks, window bars, security alarms, surge protectors, CCTV cameras

The protective measures taken must be commensurate with the likelihood that a given type of threat occurs and with the potential damage if it materializes (taking into account the cost of defending against it).

It must also be borne in mind that many security measures consume substantial computing resources, which in turn noticeably slows information processing. The modern approach to this problem is therefore to apply the principles of situational management of the security of information resources in the automated control system. The essence of the approach is that the required level of information security is set according to the situation, which determines the relationship between the value of the information being processed, the costs needed to reach that level (reduced throughput of the automated control system, additional memory, etc.) and the possible total losses (material, reputational, etc.) from distortion and unauthorized use of the information.

The required characteristics of the protection of information resources are determined during situational planning, i.e. during the immediate preparation of the secure information processing workflow, taking the current situation into account, and to a lesser extent during processing itself. When choosing protective measures, one must account not only for the direct cost of purchasing equipment and software but also for the cost of deploying the new products and of training and retraining personnel. An important consideration is the compatibility of a new tool with the object's existing hardware and software.

Foreign experience in protecting intellectual property and domestic experience in protecting state secrets both show that only comprehensive protection is effective: protection that combines the legal, organizational and engineering-technical directions.

The legal direction provides for the formation of a body of legislative acts, legal documents, regulations, instructions and guidelines whose requirements are mandatory for everyone within the scope of the information security system.

The organizational direction is the regulation, on a legal basis, of production activities and of the relationships between those who perform them, so that disclosure, leakage and unauthorized access to confidential information become impossible or are substantially hampered by organizational measures.

According to experts, organizational measures play a major role in building a reliable information protection mechanism, because the possibility of unauthorized use of confidential information is determined largely not by technical factors but by the malicious actions, carelessness, negligence and inattention of users or security personnel.

Organizational activities include:

Activities carried out during the design, construction and equipment of office and industrial buildings and premises;

Activities carried out during personnel selection;

Organization and maintenance of reliable access control, security of premises and territory, control over visitors;

Organization of storage and use of documents and media of confidential information;

Organization of information security;

Organizing regular training for employees.

One of the main components of the organizational support of a company's information security is the Information Security Service (ISS), the body that manages the information security system. The effectiveness of information security measures depends heavily on the professional preparedness of the ISS staff and on the modern security management tools at their disposal. Its staffing structure, size and composition are determined by the real needs of the company, the degree of confidentiality of its information and the general state of security.

The main goal of the ISS, using organizational measures together with software and hardware, is to prevent, or at least minimize the possibility of, violations of the security policy and, failing that, to detect a violation and eliminate its consequences in time.

For the ISS to operate successfully, its rights and responsibilities must be defined, as well as the rules for its interaction with other departments on information security matters at the facility. The service's headcount must be sufficient to perform all the functions assigned to it. It is desirable that service staff have no duties connected with operating the protected object itself. The ISS must be provided with all the conditions necessary to perform its functions.

The core of the engineering-technical direction is the software and hardware means of information protection: mechanical, electromechanical, electronic, optical, laser, radio and radio-engineering, radar and other devices, systems and structures designed to ensure security and protect information.

Information security software is understood as a set of special programs that implement information protection functions and control the operating mode of the system.

The resulting set of legal, organizational and engineering-technical measures constitutes the security policy.

The security policy defines the shape of the information protection system as a set of legal norms, organizational (regulatory) measures, software and hardware tools and procedural decisions aimed at countering threats, so as to eliminate or minimize the possible consequences of attacks on information. After one or another variant of the security policy has been adopted, the security level of the information system must be assessed. Naturally, security is assessed on a set of indicators, the main ones being cost, effectiveness and feasibility.

Evaluating options for building an information security system is a rather complex task that calls for modern mathematical methods of multi-criteria evaluation, among them the analytic hierarchy process, expert methods, the method of successive concessions and a number of others.

Once the planned measures have been implemented, their effectiveness must be checked, that is, it must be confirmed that the residual risks have become acceptable. Only then can a date be set for the next reassessment. Otherwise the mistakes made must be analyzed and a second round of vulnerability analysis conducted, taking into account the changes in the protection system.
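The trade-off described above (value of the information against the cost of protecting it and the expected losses) and the residual-risk check in the previous paragraph are easier to see with numbers. The following is an added example, not code from the course project; it uses the standard quantitative risk formula ALE = SLE × ARO (annualized loss expectancy = single loss expectancy × annualized rate of occurrence), which the page does not state itself, and every threat, measure, cost, reduction factor and the acceptable-loss threshold below is a constructed assumption for illustration.

```python
"""Risk-based selection of protective measures and residual-risk check.

Added example, not code from the original course project. It models the
"value vs. cost vs. loss" trade-off with ALE = SLE * ARO, greedily picks the
measures that pay for themselves, and then checks whether the total residual
ALE is within the level management has declared acceptable. All threats,
measures, costs and reduction factors are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: loss per occurrence, in money units
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy before any countermeasure."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float   # purchase, deployment and training, per year
    reductions: dict     # threat name -> fraction of that threat's ARO removed


def residual_ale(threats, measures):
    """ALE per threat after applying `measures`. Reductions from several
    measures against the same threat combine multiplicatively, i.e. the
    controls are treated as independent."""
    result = {}
    for t in threats:
        remaining = 1.0
        for m in measures:
            remaining *= 1.0 - m.reductions.get(t.name, 0.0)
        result[t.name] = t.ale * remaining
    return result


def select_measures(threats, candidates, acceptable_total_ale):
    """Greedy selection: repeatedly add the candidate with the largest net
    benefit (ALE reduction minus annual cost) until the total residual ALE is
    acceptable or no remaining candidate pays for itself.
    Returns (chosen measures, residual ALE per threat, residual is acceptable)."""
    chosen, remaining = [], list(candidates)
    while True:
        current = residual_ale(threats, chosen)
        total = sum(current.values())
        if total <= acceptable_total_ale:
            break
        best, best_net = None, 0.0
        for m in remaining:
            after = sum(residual_ale(threats, chosen + [m]).values())
            net = (total - after) - m.annual_cost
            if net > best_net:
                best, best_net = m, net
        if best is None:  # nothing left that is worth its cost
            break
        chosen.append(best)
        remaining.remove(best)
    current = residual_ale(threats, chosen)
    return chosen, current, sum(current.values()) <= acceptable_total_ale


# Constructed inputs, loosely modelled on the situation described later on
# this page (no antivirus, removable media, unlocked cabinets). Not real data.
THREATS = [
    Threat("malware via removable media", sle=150_000, aro=2.0),
    Threat("theft of paper documents from unlocked cabinets", sle=400_000, aro=0.25),
    Threat("loss of accounting data without backups", sle=600_000, aro=0.5),
]
CANDIDATES = [
    Measure("antivirus on every PC", 40_000, {"malware via removable media": 0.8}),
    Measure("locked cabinets and access rules", 20_000,
            {"theft of paper documents from unlocked cabinets": 0.7}),
    Measure("daily backups to offline media", 30_000,
            {"loss of accounting data without backups": 0.9}),
    Measure("outsourced 24x7 monitoring", 900_000, {"malware via removable media": 0.3}),
]
ACCEPTABLE_TOTAL_ALE = 150_000  # declared by management; an assumption


def run_example():
    return select_measures(THREATS, CANDIDATES, ACCEPTABLE_TOTAL_ALE)


if __name__ == "__main__":
    chosen, residual, ok = run_example()
    print("ALE before measures:", sum(t.ale for t in THREATS))
    for m in chosen:
        print("adopt:", m.name, "annual cost", m.annual_cost)
    print("residual ALE:", residual, "acceptable:", ok)
```

With these numbers the three cheap measures are adopted in order of net benefit (backups, antivirus, locked cabinets) and the residual ALE drops from 700 000 to 120 000, below the 150 000 threshold; the expensive monitoring service is never chosen because its cost exceeds the loss it would avert, which is exactly the "cost of defending" caveat made earlier. If the loop exits with the residual still above the threshold, that is the signal in the text to revisit the vulnerability analysis rather than declare the plan finished.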

The constructed scenario of an intruder's actions must then be tested against the information security system. This kind of testing is called penetration testing. Its purpose is to make sure there are no easy ways for an unauthorized user to bypass the security mechanisms.

One possible way to certify a system's security is to invite hackers to break in without prior notice to the network staff. A group of two or three highly trained specialists is assigned; they are given access to the secured automated system and spend one to three months looking for vulnerabilities and developing test tools based on them to bypass the security mechanisms. The hired hackers submit a confidential report on their results, assessing how accessible the information turned out to be and recommending improvements to the protection.

Alongside this method, software testing tools are used.

At the stage of drawing up a protection plan, a plan for implementing the chosen security policy is developed. The protection plan is the document that puts the information security system into effect; it is approved by the head of the organization. Planning is concerned not only with making the best use of the company's capabilities, including the allocated resources, but also with preventing mistakes that could reduce the effectiveness of the information protection measures taken.

The site information security plan should include:

Description of the protected system (main characteristics of the protected object: its purpose, the list of tasks it solves, the configuration, characteristics and placement of hardware and software, the list of categories of information (packages, files, datasets and databases containing them) to be protected together with the access, confidentiality and integrity requirements for each category, the list of users and their access rights to system resources, etc.);

The purpose of protecting the system and ways to ensure the security of the automated system and the information circulating in it;

A list of significant threats to the security of the automated system from which protection is required, and the most likely ways of causing damage;

Information security policy;

Plan for the placement of protective equipment and a functional diagram of the information security system at the facility;

Specification of information security tools and cost estimates for their implementation;

Calendar plan for carrying out organizational and technical information protection measures, and the procedure for bringing protective tools into operation;

Basic rules regulating the activities of personnel on issues of ensuring the information security of an object (special responsibilities of officials servicing the automated system);

The procedure for revising the plan and modernizing protective equipment.

The protection plan is revised when the following components of the object change:

Information system architecture (connection of other local networks, change or modification of used computer equipment or software);

Geographical location of automated system components.

The protection plan must include a plan for personnel actions in critical situations, i.e. a plan for ensuring continuous operation and recovery of information. It covers:

The goal of ensuring continuous operation of the automated system and restoring its functionality, and the way to achieve it;

List and classification of possible crisis situations;

Requirements, measures and means for ensuring continuous operation and restoring information processing (the procedure for creating, storing and using backup copies of information; maintaining current, long-term and emergency archives; the composition of backup equipment and the procedure for its use, etc.);

Responsibilities and procedures for various categories of system personnel in crisis situations, when eliminating their consequences, minimizing the damage caused and when restoring the normal functioning of the system.

If the organization exchanges electronic documents with partners when fulfilling individual orders, the protection plan must include an agreement on the procedure for organizing the exchange of electronic documents, covering the following:

Delimitation of responsibilities of subjects participating in the processes of exchange of electronic documents;

Determination of the procedure for preparation, registration, transmission, reception, verification of authenticity and integrity of electronic documents;

The procedure for generating, certifying and distributing key material (keys, passwords, etc.);

The procedure for resolving disputes in the event of conflicts.

The information protection plan is a package of textual and graphic documents, therefore, along with the above components of this package, it may include:

Regulations on trade secrets, defining the list of information constituting a trade secret and the procedure for its determination, as well as the responsibilities of officials to protect trade secrets;

Regulations on information protection, regulating all areas of activity to implement the security policy, as well as a number of additional instructions, rules, provisions corresponding to the specifics of the object of protection.

Implementation of the protection plan (protection system management) involves developing the necessary documents, concluding contracts with suppliers, installing and configuring equipment, etc. After the formation of an information security system, the problem of its effective use, i.e., security management, is solved.

Management is a process of purposeful influence on an object, carried out to organize its functioning according to a given program.

Information security management should be:

Resistant to active interference by the intruder;

Continuous, providing constant impact on the protection process;

Hidden, not allowing the organization of information security management to be revealed;

Operational, providing the ability to promptly and adequately respond to the actions of attackers and implement management decisions by a given deadline.

In addition, information protection decisions must be justified by a comprehensive consideration of the conditions under which the task is performed, using various models, computational and information problems, expert systems, experience and any other data that increases the reliability of the initial information and of the decisions made.

An indicator of the effectiveness of information security management is the duration of the management cycle for a given quality of the decisions made. The management cycle includes collecting the information needed to assess the situation, making decisions, forming the corresponding commands and executing them. The response time of the information security system to a violation can serve as an efficiency criterion; it must not exceed the time in which the information loses its value.

As the development of real automated control systems shows, no single method (measure, tool or activity) of ensuring information security is absolutely reliable; the maximum effect is achieved by combining all of them into a coherent information security system. Only an optimal combination of organizational, technical and software measures, together with constant attention to and control over keeping the protection system up to date, makes it possible to solve this ongoing problem most effectively.

The methodological foundations for ensuring information security are fairly general recommendations based on global experience in creating such systems. The task of each information security specialist is to adapt abstract provisions to his specific subject area (organization, bank), which will always have its own peculiarities and subtleties.

Analysis of domestic and foreign experience convincingly demonstrates the need for a comprehensive company information security system that ties together operational, operational-technical and organizational protection measures. Moreover, the security system must be optimal in terms of the ratio of costs to the value of the protected resources, and it must be flexible and adaptable to rapidly changing environmental factors and to the organizational and social situation in the institution. This level of security cannot be reached without analyzing the existing threats and possible channels of information leakage, and without developing an information security policy for the enterprise. The result must be a protection plan that implements the principles laid down in the security policy.

There are, however, other difficulties and pitfalls that must be taken into account. These are problems identified in practice and hard to formalize: not technical or technological problems, which get solved one way or another, but problems of a social and political nature.

Problem 1. Lack of understanding among staff and middle and lower-ranking managers of the need to carry out work to improve the level of information security.

At this rung of the management ladder the strategic tasks facing the organization are, as a rule, not visible. Security issues may even cause irritation, since they create "unnecessary" difficulties.

The following arguments are often given against carrying out work and taking measures to ensure information security:

The emergence of additional restrictions for end users and department specialists, making it difficult for them to use the organization’s automated system;

The need for additional material costs both for carrying out such work and for expanding the staff of specialists dealing with the problem of information security.

This problem is one of the main ones; all the other problems are in one way or another its consequences. To overcome it, two tasks are important: first, to raise the qualifications of personnel in information security through special meetings and seminars; second, to raise staff awareness, in particular of the strategic challenges facing the organization.

Problem 2. Confrontation between the automation service and the security service of organizations.

This problem is determined by the type of activity, the sphere of influence and the responsibilities of these two structures within the enterprise. Implementing the security system is in the hands of technical specialists, while responsibility for security lies with the security service. Security specialists want to restrict all traffic with firewalls at any cost, while staff of the automation department do not want the extra work of maintaining specialized tools. Such disagreements do not have the best effect on the security of the organization as a whole.

Like most problems of this kind, it is solved by purely managerial means. First, the organizational structure of the company must contain a mechanism for resolving such disputes; for example, both services may report to a single manager who settles questions of their interaction. Second, technological and organizational documentation must clearly and competently divide the spheres of influence and responsibility between the departments.

Problem 3. Personal ambitions and relationships at the level of middle and senior managers.

Relationships between managers vary. Sometimes, when information security research is carried out, one official or another takes an excessive interest in its results: such research is a fairly powerful tool for solving their own problems and satisfying their ambitions, since the conclusions and recommendations recorded in the report become the action plan of one unit or another. A "free" interpretation of the report's conclusions is also possible, especially in combination with problem 5 described below. This is an extremely undesirable factor, because it distorts the meaning of the work; it must be identified and eliminated in time at the level of the enterprise's top management. The best option is a business relationship in which the interests of the organization, not personal ones, come first.

Problem 4. Low level of implementation of the planned action program to create an information security system.

This is a fairly common situation in which strategic goals and objectives are lost at the execution level. Everything may start perfectly: the general director decides that the information security system needs improvement; an independent consulting firm is hired to audit the existing system; on completion it produces a report with all the necessary recommendations on information protection, on improving the existing document flow in the field of information security, on implementing technical protection tools and organizational measures, and on further support of the system being created. The protection plan includes short-term and long-term measures. The recommendations are then handed to one of the departments for implementation, and here it is important that they do not drown in the swamp of bureaucracy, personal ambition, staff inertia and a dozen other causes. The contractor may be poorly informed, insufficiently competent or simply uninterested in doing the work. It is important that the general director monitor the implementation of the plan, so as not to lose the funds invested in security at the initial stage and not to incur losses from the absence of that security.

Problem 5. Low qualifications of information security specialists.

This aspect is not a serious obstacle in itself, provided it does not block the creation of the information security system: the protection plan, as a rule, includes raising the qualifications of the company's information security specialists, and seminars on the basics of information security can be held for specialists from other services. The real qualifications of the employees implementing the protection plan must be assessed correctly. Incorrect conclusions, or an inability to apply protection methods in practice, often lead to difficulties in implementing the recommended measures. Where there are signs of this, the most correct solution is to raise the qualifications of the information security specialists at training centers created specifically for this purpose.

Thus, practical work on raising economic and information security clearly shows that the creation of a genuinely functioning information security system depends heavily on solving the listed problems in time. Accumulated experience shows that all these issues are resolved successfully when the customer's representatives and the contractor work closely together. The main thing is to understand the importance of this work, identify existing threats promptly and apply adequate countermeasures, which are, as a rule, specific to each enterprise. The presence of the will and the means is a sufficient condition for fruitful work aimed at building a comprehensive security system for the organization.


Posted on http://www.allbest.ru/

COURSE PROJECT

In the discipline "Information Security"

On the topic

"Improving the information security system at LLC "Aries""

Introduction

When we speak of information security today we mean, strictly speaking, computer security. Information held on electronic media plays an ever larger role in the life of modern society. The vulnerability of such information is due to a number of factors: huge volumes, multiple points of access and possible anonymity of access, the possibility of "information sabotage", and so on. All this makes securing information in a computer environment a far more complex problem than, say, keeping traditional mail correspondence secret.

For information stored on traditional media (paper, photographic prints, etc.), safety is achieved by physical protection measures, i.e. protection against unauthorized entry into the storage area. The other aspects of protecting such information concern natural and man-made disasters. Thus the concept of "computer" information security is, on the whole, broader than information security for "traditional" media.

As for differences in the approaches to information security at different levels (state, regional, a single organization), there are none: the approach to securing the State Automated System "Elections" does not differ from the approach to securing the local network of a small company. The principles of information security are therefore examined in this work using the activities of a single organization as the example.

The goal of this course project is to improve the information security system of Aries LLC. The tasks of the project are to analyze Aries LLC, its resources, structure and existing information security system, and to search for ways to improve it.

At the first stage, the information security system is analyzed. Based on the results, at the second stage ways of improving information security are sought, if the system has weaknesses.

1. Analysis of the information security system at Aries LLC

1.1 Characteristics of the enterprise. Organizational and staffing structure of the enterprise. Service dealing with information resources and their protection

The full corporate name of the enterprise is Limited Liability Company "Aries" (in Russian, "Oven"); the abbreviated name is Oven LLC, hereinafter the Company. The Company has no branches or representative offices; its only site is in the Perm Territory, Suksunsky district, the village of Martyanovo.

The Company was founded in 1990 as a small farm with three founders. After the reorganization into a peasant (private) farm in 1998, only one founder remained. The most recent reorganization took place in April 2004: from April 1 the enterprise became the limited liability company "Aries".

The main activity of the Company is growing agricultural produce and seed material and selling agricultural produce. Today the Company ranks thirteenth among potato-growing enterprises in Russia and first in the Perm region.

Legal address: Russia, 617553, Perm region, Suksunsky, Martyanovo village.

Goals of the enterprise as a whole:

· Receiving profit from core activities.

· Increasing the competitiveness of products and expanding sales markets.

· Concentration of capital and increase in investment resources for the implementation of investment and other projects.

Mission of the company:

1. Continue to occupy a leading position in the market.

2. Creation of a seed farm.

Organizational structure of the enterprise.

The enterprise uses a linear-functional structure. In a linear-functional structure, a hierarchy of services is formed. In this structure, heads of functional departments have the right to give orders to the next level of management on functional issues.

The structure of the enterprise is shown in Figure 1.


Figure 1 - Organizational structure of Aries LLC

1.2 Analysis and characteristics of enterprise information resources

Today everyone is concerned about the security of corporate information; individual programs and entire suites designed to protect data are becoming ever more popular. Yet few people think about the fact that you can have the most reliable protection there is and still lose important information, because one of your employees considers it insignificant and puts it on public display. If you are sure you are protected from this, you are very much mistaken. At first glance such a situation looks somewhat unreal, like a joke; in fact it happens, and often. The technical personnel who in most cases deal with information security do not always understand which data must be hidden and which need not be. To understand this, all information must be divided into categories, usually called types, with clear boundaries between them.

In fact, all companies that supply comprehensive computer information security systems take the division of data into types into account, but one must be careful here. Western products follow international standards (in particular ISO 17799 and some others), under which all data is divided into three types: open, confidential and strictly confidential. In Russia, under current legislation, a slightly different division is used: open information, information for internal use and confidential information.

Open means any information that can be freely transmitted to other persons, as well as posted in the media. Most often, it is presented in the form of press releases, speeches at conferences, presentations and exhibitions, and individual (naturally, positive) elements of statistics. In addition, this classification includes all data obtained from open external sources. And, of course, information intended for a corporate website is also considered public.

At first glance open information seems to need no protection. But people forget that data can not only be stolen but also replaced, so maintaining the integrity of open information is an important task. Otherwise, instead of the prepared press release, something incomprehensible may be published, or the main page of the corporate website may be replaced with offensive inscriptions. So open information also needs protection.
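The protection open information needs is integrity rather than confidentiality, and a practitioner wants a concrete check for it. The following is an added example, not code from the course project: it keeps a manifest of SHA-256 hashes of the published files and authenticates the manifest with HMAC-SHA256 under a key that stays off the web server, so that an attacker who can overwrite the pages cannot also produce a matching manifest. The file names, page contents, the key and the two tampering scenarios are constructed for illustration.

```python
"""Integrity check for published ("open") content.

Added example, not part of the original text. A signed manifest of file
hashes lets the owner detect that a press release or the home page was
replaced, which plain hashes alone cannot do if the attacker can rewrite
the hash list too. Names, contents and the key are constructed.
"""
import hashlib
import hmac
import json


def _canonical(hashes: dict) -> bytes:
    # Deterministic encoding so the tag does not depend on dict ordering.
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """files: name -> bytes. Returns {"hashes": {...}, "tag": hex HMAC}."""
    hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    tag = hmac.new(key, _canonical(hashes), hashlib.sha256).hexdigest()
    return {"hashes": hashes, "tag": tag}


def verify_published(files: dict, manifest: dict, key: bytes) -> list:
    """Compare what is actually served (files) against the signed manifest.

    Returns a sorted list of findings; an empty list means everything is
    intact. If the manifest's own tag does not verify, nothing in it can be
    trusted, so that is reported as the only finding."""
    expected = hmac.new(key, _canonical(manifest["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest: HMAC tag mismatch"]
    findings = []
    for name, digest in manifest["hashes"].items():
        if name not in files:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            findings.append(f"modified: {name}")
    for name in files:
        if name not in manifest["hashes"]:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


# Constructed sample: the site as published, then two kinds of tampering.
MANIFEST_KEY = b"example-key-kept-off-the-web-server"  # assumption
PUBLISHED = {
    "index.html": b"<h1>Aries LLC</h1><p>Seed potatoes, Perm region</p>",
    "press/reorganization.html": b"<p>From April 1 the company is Aries LLC.</p>",
}
MANIFEST = build_manifest(PUBLISHED, MANIFEST_KEY)


def defaced_site() -> dict:
    """Attacker replaces the home page and drops an extra page."""
    site = dict(PUBLISHED)
    site["index.html"] = b"<h1>defaced</h1>"
    site["unexpected.html"] = b"<p>not ours</p>"
    return site


def forged_manifest() -> dict:
    """Attacker also rebuilds the manifest, but without the real key."""
    return build_manifest(defaced_site(), b"guessed-key")


if __name__ == "__main__":
    print("intact:", verify_published(PUBLISHED, MANIFEST, MANIFEST_KEY))
    print("defaced:", verify_published(defaced_site(), MANIFEST, MANIFEST_KEY))
    print("forged manifest:", verify_published(defaced_site(), forged_manifest(), MANIFEST_KEY))
```

The check is only as good as the secrecy of the key: if the key is stored next to the pages, the attacker rebuilds the manifest and the defaced site verifies cleanly, which is why the manifest should be generated and verified from a machine the web server cannot reach.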

Like any other enterprise, the company has open information, contained mainly in presentations shown to potential investors.

Information for internal use includes any data that employees use to carry out their professional duties, as well as all information exchanged between divisions or branches to keep them operating. The last kind of data in this category is information obtained from open sources and subjected to processing (structuring, editing, clarification).

In fact, this information, even if it falls into the hands of competitors or attackers, cannot cause serious harm to the company; but its theft may still cause some damage. Say employees collected news on a topic that interests their manager, selected the most important items and marked them. Such a digest is clearly information for internal use (obtained from open sources and processed). At first glance competitors who obtained it would gain nothing, but in fact they could guess which area of activity your company's management is interested in and, who knows, might even get ahead of you. Information for internal use must therefore be protected not only from substitution but also from unauthorized access. In most cases, however, it is enough to secure the local network, since spending large sums on this is not economically justified.

This type of information is also present at the enterprise, in various reports, lists, extracts, etc.

Confidential information is documented information, access to which is restricted in accordance with the legislation of the Russian Federation, which is not publicly available and whose disclosure could harm the rights and legally protected interests of the person who provided it. The list of data in this category is established by the state; at present it comprises: personal data; information constituting a commercial, official or professional secret; information that is a secret of an investigation or of official proceedings. In addition, data on the essence of an invention or scientific discovery has recently come to be treated as confidential until its official publication.

At the enterprise, confidential information includes: the development plan, research and development work, technical documentation, drawings, profit distribution, contracts, reports, resources, partners, negotiations, and management and planning information.

The enterprise has about twenty PCs. As for a local network, the company's PCs are not joined into a single network. All computers are equipped with a standard set of office and accounting programs. Three computers have Internet access via a WAN Miniport connection. However, not a single computer at the enterprise has an antivirus program installed. Information is exchanged via removable media: flash drives and floppy disks. All information on "traditional" (paper) media is kept in cabinets that are not locked. The most important documents are kept in a safe, the keys to which are held by the secretary.


1.3 Threats and means of protecting information in the enterprise

A threat to information security is a set of conditions and factors that create a potential or actual danger associated with information leakage and/or unauthorized and/or unintentional impacts on it.

According to the method of influencing information security objects, the threats relevant to the company fall into the following classes: informational, software, physical, and organizational and legal.

Information threats include:

· unauthorized access to information resources;

· theft of information from archives and databases;

· violation of information processing technology;

· illegal collection and use of information;

Software threats include:

· computer viruses and malware;

Physical threats include:

· destruction of or damage to information processing and communication facilities;

· theft of storage media;

· impact on personnel;

Organizational and legal threats include:

· procurement of imperfect or outdated information technology and information means;

Information security means are a set of engineering, electrical, electronic, optical and other devices and devices, devices and technical systems, as well as other material elements used to solve various problems of information protection, including preventing leaks and ensuring the security of protected information.

Let us look at the information security tools used at the enterprise. There are four kinds in total (hardware, software, mixed and organizational).

Hardware protection: locks, window bars, security alarms, surge protectors, CCTV cameras.

Software protection: operating system tools such as password protection and user accounts.

Organizational protection: preparation of the premises that house the computers.

2 Improving the information security system

2.1 Identified deficiencies in the information security system

The most vulnerable point in the company's information protection is computer security. Even a superficial analysis of the enterprise reveals the following shortcomings:

§ Backups are made rarely;

§ Insufficient level of software-based information protection;

§ Some employees have insufficient PC skills;

§ There is no supervision of employees. Employees often leave their workplace without turning off their PC and take a flash drive with official information with them.

§ Lack of regulatory documents on information security.

§ Not all computers use OS features such as passwords and accounts.

2.2 Goals and objectives of creating an information security system in an enterprise

The main goal of the information security system is to ensure the sustainable functioning of the facility, prevent threats to its security, protect the legitimate interests of the enterprise from illegal attacks, prevent the theft of financial resources, disclosure, loss, leakage, distortion and destruction of official information, ensuring the normal production activities of all departments of the facility. Another goal of the information security system is to improve the quality of services provided and guarantee the security of property rights and interests.

The objectives of forming an information security system in an organization are: integrity of information, reliability of information and its confidentiality. When completing the assigned tasks, the goal will be realized.

The creation of information security systems (ISS) in IS and IT is based on the following principles:

Systematic approach to the construction of a protection system, meaning the optimal combination of interrelated organizational, software, hardware, physical and other properties, confirmed by the practice of creating domestic and foreign systems protection and applied at all stages of the technological cycle of information processing.

The principle of continuous development of the system. This principle, one of the fundamental ones for computer information systems, is even more relevant for the ISS. Methods of carrying out information threats in IT are constantly being improved, so ensuring IS security cannot be a one-time act. It is a continuous process consisting of substantiating and implementing the most rational methods, techniques and means of improving the information security system, continuous monitoring, and identifying its bottlenecks and weaknesses, potential channels of information leakage and new methods of unauthorized access.

Separation and minimization of powers for access to processed information and processing procedures, i.e. providing both users and IS employees themselves with a minimum of strictly defined powers sufficient for them to perform their official duties.

Complete control and registration of unauthorized access attempts, i.e. the need to accurately establish the identity of each user and record his actions for a possible investigation, as well as the impossibility of performing any information processing operation in IT without its prior registration.

Ensuring the reliability of the protection system, i.e. the impossibility of a reduction in the level of reliability in the event of failures, faults, intentional actions of an intruder or unintentional errors of users and maintenance personnel.

Ensuring control over the functioning of the protection system, i.e. creation of means and methods for monitoring the performance of protection mechanisms.

Providing all kinds of anti-malware tools.

Ensuring the economic feasibility of using the protection system, which is expressed in the possible damage to the IS and IT from the realization of threats exceeding the cost of developing and operating the ISS.

2.3 Proposed measures to improve the organization’s information security system

Identified shortcomings at the enterprise require their elimination, therefore the following measures are proposed.

§ Regular backup of the database with the personal data of the company's employees, the accounting data and the other databases present at the enterprise. This will prevent data loss due to disk failures, power outages, viruses and other accidents. Careful planning and a regular backup procedure make it possible to restore data quickly if it is lost.

§ Using OS tools on each computer: create accounts for the specialists and change the passwords of these accounts regularly.

§ Training enterprise personnel to work with computers. This is a necessary condition for the proper operation of workstations and for preventing loss of and damage to information: the correct execution of work throughout the enterprise depends on the staff's PC skills.

§ Installing antivirus programs such as Avast, NOD, Doctor Web, etc. on the computers. This will prevent the computers from being infected with malicious programs (viruses), which is very important for this enterprise, since several PCs have Internet access and employees exchange information on flash drives.

§ Monitoring employees with video cameras. This will reduce careless handling of equipment and the risk of its theft and damage, and will also make it possible to control the "removal" of proprietary information from the company's premises.

§ Development of a regulatory document "Information protection measures at Oven LLC and liability for their violation", which would comply with the current legislation of the Russian Federation and define the risks, violations and liability for these violations (fines, penalties), as well as adding a clause to the company's employment contract stating that the employee is familiar with this document and undertakes to comply with its provisions.
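As an added illustration of the backup measure above (this code is not part of the course project and does not describe any product used at the enterprise), the following Python script archives a directory, records a SHA-256 digest of the archive and of every file in a manifest, and then proves that the backup restores intact by extracting it to a scratch directory and re-hashing. The file names and contents in demo() are constructed sample data, not the enterprise's own files.

```python
"""Backup with an integrity manifest and a restore check.

Added example: not code from the course project. Sample data below is constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, '/' separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, dest: Path) -> tuple[Path, Path]:
    """Write a timestamped tar.gz of src into dest plus a JSON manifest beside it."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    meta = {
        "created": stamp,
        "archive_sha256": sha256_file(archive),
        "files": build_manifest(src),
    }
    manifest.write_text(json.dumps(meta, indent=2))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> list[str]:
    """Return a list of problems; an empty list means the backup restores intact."""
    meta = json.loads(manifest.read_text())
    if sha256_file(archive) != meta["archive_sha256"]:
        # Do not extract an archive whose digest no longer matches the manifest.
        return ["archive digest mismatch"]
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restored, filter="data")  # refuses unsafe paths (Python 3.12+)
            except TypeError:  # older Python without extraction filters
                tar.extractall(restored)
        got = build_manifest(restored)
        for rel, digest in meta["files"].items():
            if rel not in got:
                problems.append(f"missing after restore: {rel}")
            elif got[rel] != digest:
                problems.append(f"content changed: {rel}")
        problems.extend(f"unexpected file: {rel}" for rel in got if rel not in meta["files"])
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: back up three files, verify, then corrupt the archive and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger.csv").write_text("2024-01-01;invoice;1000\n")
        (src / "staff.db").write_bytes(os.urandom(4096))
        (src / "notes.txt").write_text("internal use only\n")
        archive, manifest = create_backup(src, Path(tmp) / "backups")
        clean = verify_backup(archive, manifest)
        with open(archive, "ab") as f:  # simulate media corruption
            f.write(b"\x00")
        corrupted = verify_backup(archive, manifest)
    return clean, corrupted


if __name__ == "__main__":
    print(demo())  # ([], ['archive digest mismatch'])
```

The manifest is what makes a backup more than a copy: a scheduled job can run verify_backup on yesterday's archive and alert when it returns anything, so a silently corrupt or truncated backup is found before it is needed for recovery rather than after. Keeping the manifest and the archive on separate media (for example, the manifest on the server and the archive on removable media) also reveals tampering with either one.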

2.4 Effectiveness of the proposed measures

The proposed measures not only have positive aspects, such as eliminating the main information security problems at the enterprise, but will also require additional investment in personnel training and in developing regulatory documents on security policy. They will require additional labour costs and will not eliminate the risks completely: there will always be the human factor and force majeure. But if such measures are not taken, the cost of recovering information will exceed the cost of developing the security system.

Let's consider the results of the proposed measures:

1. Increasing the reliability of the organization’s information security system;

2. Increasing the level of PC proficiency of personnel;

3. Reduced risk of information loss;

4. Availability of a regulatory document defining the security policy.

5. A possible reduction of the risk of information being brought into or taken out of the enterprise.

3 Information security model

The presented information security model (Figure 2) is a set of objective external and internal factors and their influence on the state of information security at the facility and on the safety of material or information resources.

Figure 2 - Information security system model

This model complies with the special regulatory documents on ensuring information security adopted in the Russian Federation, the international standard ISO/IEC 15408 "Information technology - methods of protection - criteria for assessing information security" and the standard ISO/IEC 17799 "Information security management", and takes into account the development trends of the domestic regulatory framework (in particular, of the State Technical Commission of the Russian Federation) on information security issues.

Conclusions and suggestions

The Information Age has brought about dramatic changes in the way a large number of professions perform their duties. Now a mid-level non-technical person can do the work that was previously done by a highly skilled programmer. The employee has at his disposal as much accurate and timely information as he has never had before.

But the use of computers and automated technologies creates a number of problems for the management of an organization. Computers, often networked, can provide access to enormous amounts of diverse data. Therefore, people are concerned about information security and the risks associated with automation and providing much more access to confidential, personal or other critical data. The number of computer crimes is increasing, which can ultimately lead to economic disruption. And therefore it should be clear that information is a resource that must be protected.

And since automation has led to operations with computer equipment now being performed by ordinary employees of the organization rather than by specially trained technical personnel, end users must be aware of their responsibility for protecting information.

No single recipe exists that guarantees 100% data safety and reliable network operation. However, creating a comprehensive, well-thought-out security concept that takes into account the specific tasks of a particular organization will help reduce the risk of losing valuable information to a minimum. Computer protection is a constant struggle against the carelessness of users and the ingenuity of hackers.

In conclusion, I would like to say that information protection is not limited to technical methods. The problem is much broader. The main disadvantage of protection is people, and therefore the reliability of a security system depends mainly on the attitude of company employees towards it. In addition, protection must be constantly improved along with the development of the computer network. Do not forget that it is not the security system that hinders work, but its absence.

I would also like, summing up the results of this course project, to note that after analyzing the information security system of the Aries enterprise, five shortcomings were identified. After a search, solutions were found to eliminate them; these shortcomings can be corrected, which will improve the information security of the enterprise as a whole.

In the course of the above actions, practical and theoretical skills in studying the information security system were developed, therefore, the goal of the course project was achieved. Thanks to the solutions found, we can say that all project objectives were completed.


2. ESET NOD 32 antivirus system to protect against computer viruses.

The databases are updated and workstations are scanned irregularly.

3. Built-in Windows Backup for creating archives.

OS Backup Wizard is a program designed for quickly creating and restoring backup copies of Windows. It allows you to create a copy of the entire Windows system or only of individual files and folders.

4. Encryption with a 2048-bit key for the VPN channel (the connection to the office of the management company for mail and document flow).

Chapter 2. Improving the information security system

2.1 Weaknesses in the information security system

When analyzing issues related to information security, it is necessary to take into account the specifics of this aspect of security, namely that information security is an integral part of information technology, an area that is developing at an unprecedentedly high pace. What matters here is not so much individual solutions (laws, training courses, software and hardware products) that are at the current level, as mechanisms for generating new solutions that allow one to keep pace with technical progress.

Modern programming technologies do not allow error-free programs to be created, which does not help the rapid development of information security tools.

Having analyzed the information security of an enterprise, we can conclude that insufficient attention is paid to information security:

Lack of system access passwords;

No password is required when working in 1C:Enterprise, including when changing data;

There is no additional protection of files and information (there is no basic password request when opening or changing information in files, not to mention data encryption tools);

Irregular updating of antivirus program databases and scanning of workstations;

A large number of paper documents lie in folders (sometimes without them) on employees' desks, which allows attackers to easily use this kind of information for their own purposes;

There is no regular discussion of information security issues at the enterprise and emerging problems in this area;

Regular testing of the functionality of the enterprise’s information systems is not organized; debugging is carried out only when they fail;

Lack of information security policy;

Lack of system administrator.

All of the above are very important disadvantages of ensuring enterprise information security.

2.2 Purpose and objectives of the information security system

Information security is the state of security of information resources in computer networks and enterprise systems from unauthorized access, accidental or intentional interference in the normal functioning of systems, and attempts to destroy its components.

Information protection goals:

prevention of threats to enterprise security due to unauthorized actions of destruction, modification, distortion, copying, blocking of information or other forms of illegal interference in information resources and information systems;

preservation of trade secrets processed using computer technology;

protection of the constitutional rights of citizens to maintain personal secrets and confidentiality of personal data available in information systems.

To achieve protection goals, the following tasks must be effectively addressed:

· protection from interference in the functioning of the enterprise by unauthorized persons;

· protection from unauthorized actions with the enterprise’s information resources by unauthorized persons and employees who do not have the appropriate authority;

· ensuring the completeness, reliability and efficiency of information support for making management decisions by the management of the enterprise;

· ensuring the physical safety of the enterprise’s hardware and software and protecting them from man-made and natural sources of threats;

· registration of events affecting the security of information, ensuring full control and accountability of all operations performed at the enterprise;

· timely identification, assessment and forecasting of sources of threats to information security, causes and conditions that contribute to damage to the interests of subjects, disruption of the normal functioning and development of the enterprise;

· analysis of the risks of implementing threats to information security and assessment of possible damage, preventing unacceptable consequences of a violation of the security of enterprise information, creating conditions for minimizing and localizing the damage caused;

· ensuring the possibility of restoring the current state of the enterprise in the event of a violation of information security and eliminating the consequences of these violations;

· creation and formation of a targeted enterprise information security policy.

2.3 Measures and means to improve the information security system

To achieve the set goals and solve the tasks, measures must be carried out at each level of information security.

Administrative level of information security.

To form an information security system, it is necessary to develop and approve an information security policy.

Security policy is a set of laws, rules and norms of behavior aimed at protecting information and the resources associated with it.

It should be noted that the policy developed must be consistent with existing laws and regulations relevant to the organization, i.e. these laws and regulations need to be identified and taken into account when developing policies.

The more reliable the system is required to be, the stricter and more diverse the security policy should be.

Depending on the formulated policy, specific mechanisms can be selected to ensure system security.

Organizational level of information security.

Based on the shortcomings described in the previous section, the following measures can be proposed to improve information security:

Organization of work to train personnel in working with new software products with the participation of qualified specialists;

Development of necessary measures aimed at improving the system of economic, social and information security of the enterprise.

Conduct training so that each employee understands the importance and confidentiality of the information entrusted to him, since, as a rule, the cause of disclosure of confidential information is employees' insufficient knowledge of the rules for protecting trade secrets and their misunderstanding (or lack of understanding) of the need to comply with them carefully.

Strict monitoring of employee compliance with rules for working with confidential information;

Monitoring compliance with the rules for storing working documentation of enterprise employees;

Scheduled holding of meetings, seminars, discussions on enterprise information security issues;

Regular (scheduled) testing and maintenance of all information systems and information infrastructure for operability.

Appoint a system administrator on a permanent basis.

Software and hardware measures for information protection.

Software and hardware are one of the most important components in the implementation of information security of an enterprise, therefore, to increase the level of information security, it is necessary to introduce and apply the following measures:

Introducing user passwords;

To regulate user access to the enterprise's information resources, a list of users who will log into the system under their own login must be defined. Using the Windows Server 2003 Std OS installed on the server, you can create a list of users with corresponding passwords. Distribute the passwords to employees with appropriate instructions on their use. It is also necessary to set a password expiry date, after which the user will be prompted to change the password, and to limit the number of login attempts with an incorrect password (for example, to three).

Introducing a password request in 1C:Enterprise when working with the database and when changing data. This can be done with the software tools available on the PC.
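The account controls described in the paragraph above (a user list with passwords, password expiry, at most three failed attempts), and the "accounts per specialist with regular password change" measure from section 2.3 of the first part, can be modelled in a few dozen lines. The Python below is an added example, not code from the course project and not the behaviour of Windows Server 2003: it stores only salted PBKDF2 hashes, locks an account after three wrong passwords (the threshold the text suggests), forces a password change after an assumed 90-day maximum age (the text sets no period), and records every attempt in an audit list, which is what the "registration of unauthorized access attempts" principle asks for. The class names, constants and the user in demo() are assumptions.

```python
"""Account policy model: salted hashes, expiry, lockout after N failures, audit log.

Added example (not the course project's code). Constants and sample users are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 3                 # lock after three wrong passwords, as the text proposes
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed expiry period; the text gives none
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class UserDirectory:
    """Minimal stand-in for the server's user list; stores no plaintext passwords."""
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def _log(self, now: datetime, name: str, event: str) -> None:
        self.audit_log.append(f"{now.isoformat()} user={name} event={event}")

    def add_user(self, name: str, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, self._hash(password, salt), now)
        self._log(now, name, "ACCOUNT_CREATED")

    def set_password(self, name: str, new_password: str, now: datetime) -> None:
        """Password change (by the user or an administrator reset) also clears a lockout."""
        acct = self.accounts[name]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new_password, acct.salt)
        acct.password_set_at = now
        acct.failed_attempts = 0
        acct.locked = False
        self._log(now, name, "PASSWORD_CHANGED")

    def login(self, name: str, password: str, now: datetime) -> str:
        """Return 'ok', 'denied', 'locked' or 'must_change_password'; every outcome is logged."""
        acct = self.accounts.get(name)
        if acct is None:
            self._log(now, name, "UNKNOWN_USER")
            return "denied"
        if acct.locked:
            self._log(now, name, "LOCKED")
            return "locked"
        if not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log(now, name, "LOCKOUT")
                return "locked"
            self._log(now, name, "BAD_PASSWORD")
            return "denied"
        acct.failed_attempts = 0  # a successful login resets the failure counter
        if now - acct.password_set_at >= MAX_PASSWORD_AGE:
            self._log(now, name, "PASSWORD_EXPIRED")
            return "must_change_password"
        self._log(now, name, "LOGIN_OK")
        return "ok"


def demo() -> list[str]:
    """Constructed walk-through: good login, three failures, lockout, admin reset, expiry."""
    d = UserDirectory()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    d.add_user("ivanov", "Sp3cial1st!", t0)
    results = [d.login("ivanov", "Sp3cial1st!", t0)]
    for i in range(3):
        results.append(d.login("ivanov", "guess", t0 + timedelta(minutes=i)))
    results.append(d.login("ivanov", "Sp3cial1st!", t0 + timedelta(minutes=5)))  # still locked
    d.set_password("ivanov", "N3w-Passw0rd", t0 + timedelta(minutes=10))       # administrator reset
    results.append(d.login("ivanov", "N3w-Passw0rd", t0 + timedelta(days=91)))  # past the 90-day age
    return results


if __name__ == "__main__":
    print(demo())
    # ['ok', 'denied', 'denied', 'locked', 'locked', 'must_change_password']
```

Two design points carry over to the real server configuration: the lockout fires on the third wrong password and the correct password no longer helps until an administrator resets the account, so the LOCKOUT entries in the audit log are the events worth reviewing regularly; and the expiry check runs only after a successful password match, so an expired password still authenticates the user before forcing the change rather than silently denying access.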

Access control to files, directories, disks.

Access to files and directories will be restricted by the system administrator, who will grant each user access to the appropriate drives, folders and files individually.

Regular scanning of workstations and updating the anti-virus program databases.

This makes it possible to detect and neutralize malware and eliminate the causes of infection. Work must be done to install, configure and maintain the operation of anti-virus protection tools and systems.

To do this, you need to configure your antivirus program to regularly scan your PC and regularly update databases from the server.

Installation of the Agnitum Outpost FireWall firewall on the server computer, which blocks attacks from the Internet.

Advantages of using the Agnitum Outpost FireWall firewall:

· controls connections between the computer and other hosts, blocking intruders and preventing unauthorized external and internal access to the network.


IMPROVING THE INSTITUTIONAL MECHANISM FOR ENSURING THE INFORMATION SECURITY OF THE RUSSIAN FEDERATION

© Yuliya A. Koblova

Candidate of Economic Sciences (Cand.Sc., Economics), Associate Professor at the Department of Institutional Economics and Economic Security, Saratov Socio-Economic Institute (branch) of Plekhanov Russian University of Economics

e-mail: [email protected]

The article examines the institutional aspects of ensuring state information security. The essence and role of the institutional mechanism in ensuring the information security of the state is revealed. An assessment is made of the institutional provision of information security in Russia. Problems are identified and a system of measures is proposed to improve the institutional mechanism for ensuring the country's information security.

Keywords: institutions, institutional mechanism, information security, Internet space.


Ensuring the information security of the state is a fairly new function of the state, the scope and content of whose methods and means are not yet established. Its formation is due to the need to protect society and the state from information threats associated with the development of the latest information and communication technologies. The scale of the negative consequences of these threats for states, organizations and people has already been recognized by the world community; therefore the most important task of the state is to develop a system of measures to prevent and neutralize them. An important role in achieving the information security of the state is played by the institutional mechanism for ensuring it. The effectiveness of the institutional system that realizes public interests is the key to their harmonization for the sake of the highest state interests, including national and information security.

Let us recall that institutions are the rules of interaction (“rules of the game”) in society generated by human consciousness and experience, the restrictions and prerequisites for development in politics, the social sphere and the economy. The institutions that support long-term economic growth are laws and rules that create incentives and mechanisms. Institutions set a system of positive and negative incentives, reduce uncertainty and make the social environment more predictable. The institutions that guarantee information security are known: the rule of law, an independent and competent court, the absence of corruption, etc.

The institutional mechanism for ensuring information security is a special structural component of the economic mechanism, ensuring the creation of norms and rules governing the interaction of various economic entities in information sphere on preventing threats to information security. The institutional mechanism puts institutions into action (formal and informal), structures the interactions of subjects, and exercises control over compliance with established norms and rules.

The essence of the institutional mechanism is manifested through its functions. O.V. Inshakov and N.N. Lebedev believe that the institutional mechanism performs the following functions, which also apply to the mechanism for ensuring information security:

1) integration of agents into one institution in order to carry out joint activities within the framework of common statuses and norms;

2) differentiation of norms and statuses, as well as of the subjects and agents of different institutions, into requirements that separate and ignore them; regulation of the interaction between the institution and its agents in accordance with the established requirements;

3) translation of new requirements into real practice;

4) ensuring the reproduction of routine innovations;

5) subordination and coordination of relations between entities that belong to different institutions;

6) informing subjects about new norms and opportunistic behavior;

7) regulation of the activities of entities that share and reject the requirements determined by the institution;

8) monitoring the implementation of norms, rules and agreements.

Thus, the institutional mechanism for ensuring information security includes the legislative framework and the institutional structures that provide it. Improving this mechanism includes reorganizing the legislative framework for information security and institutional structures for countering threats to information security.

The institutional mechanism for ensuring information security includes: the adoption of new laws that would take into account the interests of all subjects of the information sphere; maintaining a balance between the creative and restrictive functions of laws in the information sphere; integration of Russia into the global legal space; taking into account the state of the sphere of domestic information technologies.

To date, a legislative framework in the field of information security has been formed in Russia, including:

1. Laws of the Russian Federation: the Constitution of the Russian Federation, "On Security", "On the bodies of the Federal Security Service in the Russian Federation", "On state secrets", "On foreign intelligence", "On participation in international information exchange", "On information, information technologies and information protection", "On electronic digital signature", etc.

2. Regulatory acts of the President of the Russian Federation: Doctrine of information security of the Russian Federation; National Security Strategy of the Russian Federation until 2020, “On the fundamentals of state policy in the field of informatization”, “On the list of information classified as state secrets”, etc.

3. Regulatory legal acts of the Government of the Russian Federation: “On the Certification of Information Protection Means”, “On Licensing the Activities of Enterprises, Institutions and Organizations to Carry Out Work Related to the Use of Information Constituting State Secrets, the Creation of Information Security Means, and the Implementation of Measures and (or) Provision of Services to Protect State Secrets”, “On Licensing of Certain Types of Activities”, etc.

4. Civil Code of the Russian Federation (part four).

5. Criminal Code of the Russian Federation.

In recent years, Russia has implemented a set of measures to improve its information security. Measures have been taken to ensure information security in federal government bodies, in government bodies of the constituent entities of the Russian Federation, and at enterprises, institutions and organizations regardless of their form of ownership. Work is underway to protect special information and telecommunication systems. The state system of information protection, the system for protecting state secrets and the certification system for information security means all contribute to an effective solution of the information security problems of the Russian Federation.

The State Technical Commission under the President of the Russian Federation pursues a unified technical policy and coordinates work in the field of information protection, heads the state system for protecting information from technical intelligence and from leakage through technical channels in Russia, and monitors the effectiveness of the protection measures taken.

State and public organizations play an important role in the country’s information security system: they exercise control over state and non-state media.

At the same time, the level of information security in Russia does not fully meet the needs of society and the state. In the information society, the contradiction is intensifying between the public need for expanded and free exchange of information, on the one hand, and the need to maintain certain regulated restrictions on its dissemination, on the other.

Currently, there is no institutional support for the rights of citizens in the information sphere that are enshrined in the Constitution of the Russian Federation (privacy, personal secrets, secrecy of correspondence, etc.). The protection of personal data collected by federal authorities also leaves much to be desired.

There is no clarity in the implementation of state policy in the sphere of formation of the information space of the Russian Federation, the media, international information exchange and integration of Russia into the global information space.

Improving the institutional mechanism of information security of the state, in our opinion, should be aimed at solving the following important problems.

1. The declarative nature of legislation in the information sphere.

The weak practical orientation of modern Russian legislation in the information sphere creates problems of a legal and methodological nature. Opinions are expressed that the Information Security Doctrine of the Russian Federation has no practical significance and contains many inaccuracies and methodological errors. Thus, the Doctrine names as objects of information security interests, the individual, society and the state, concepts that are not comparable with each other. Many scholars have drawn attention to the inadmissibility of taking the protection of interests, rather than of their carriers, as the object of information security.

The use in a legislative document of categories whose content is uncertain is hardly appropriate. For example, subjects of law are legal entities and natural persons, organizations, stateless persons and executive authorities. The category “state”, by contrast, includes the territory of the country, its population (nations), political power and the constitutional system.

The Information Security Doctrine of the Russian Federation recognizes the following as sources of threats to information security:

Activities of foreign structures;

Development of information warfare concepts by a number of states;

The desire of a number of countries to dominate, etc.

According to G. Atamanov, a source can be an object or subject that takes part in the information process or is capable of influencing it to one degree or another. For example, in American legislation the sources of threats to information infrastructure include: hackers opposed to the United States; terrorist groups; states against which an anti-terrorist operation may be directed; and hackers acting out of curiosity or self-affirmation.

The shortcomings and framework nature of the Doctrine reduce the effectiveness and limit the scope of its application, set the wrong direction for the development of legislation in the information sphere and increasingly confuse it.

To properly ensure information security, it is necessary to create an appropriate system of legal relations, which, in turn, is impossible without revising the categorical apparatus, the doctrinal and conceptual foundation of legislation in the information sphere.

2. The gap between legislation and practice in the information sphere.

A huge gap between legislation and practice in the information sphere objectively exists due to the speed and scale of development of information technology and the Internet, which instantly generate new threats. The legislative process, on the contrary, is long and thorny. Therefore, in modern conditions, mechanisms are needed to harmonize the development of laws with the realities of the development of information technology and the information society. It is important that the lag is not too large, as this is fraught with a decrease or loss of information security.

Bridging the gap between practice and legislation in the information sphere is necessary to reduce and neutralize threats to information security that arise due to the rapid development of information technology and the emergence of a vacuum in legislation.

3. Lack of supranational institutions guaranteeing information security.

It is impossible to combat crimes committed on the Internet with the help of one country. Prohibitory measures introduced at the national level will not be effective, since violators may be located abroad. To combat them, it is necessary to consolidate efforts at the international level and adopt international rules of conduct in the Internet space. Similar attempts have been made. Thus, the Budapest Convention of the Council of Europe allowed the prosecution of violators on the territory of another state without warning its authorities. That is why many countries found it unacceptable to ratify this document.

The Model Law “On the Fundamentals of Internet Regulation”, approved at the plenary meeting of the Interparliamentary Assembly of the CIS Member States, establishes the procedure for state support and regulation of the Internet, as well as the rules for determining the place and time of legally significant actions performed on the network. In addition, the law regulates the activities and responsibilities of service operators.

It is also worth noting the ratification of the document allowing the exchange of confidential information on the territory of Russia, Belarus and Kazakhstan. This protocol defines the procedure for providing confidential information for investigations preceding the introduction of special protective, anti-dumping and countervailing measures against third countries. It is an important agreement between the member states of the Customs Union, which allows them to develop and build protective, anti-dumping and countervailing measures jointly. Thus, a regulatory framework has been created that establishes a fundamentally new supranational body, authorized not only to conduct investigations and collect evidence, but also to protect that evidence from leaks by determining the procedure for providing it.

The formation of supranational institutions in the information sphere will help overcome the limitations of national legislation in the fight against information crimes.

4. Lack of institutions in the Internet space.

Currently, new institutions should appear in international law that regulate the interaction of subjects in the Internet space, such as “electronic border”, “electronic sovereignty”, “electronic taxation” and others. This will help overcome the latent nature of cybercrime, i.e. increasing the detection of cybercrimes.

5. Development of public-private partnership in the information sphere.

The desire of government organizations to publish reports on the state of their information security systems poses an interesting dilemma. On the one hand, such publications reflect the efforts of the state to maintain its cybersecurity system at the proper level, and it would seem that this should lead to a more efficient structure of cybersecurity spending. On the other hand, publishing information about the shortcomings of government organizations’ cybersecurity systems is more likely to make them vulnerable to attacks by hackers, which in turn requires more resources to repel and prevent those attacks.

Scientific and practical journal. ISSN 1995-5731

Gordon and Loeb consider the biggest challenge in ensuring cooperation and the sharing of security-related information between government agencies and corporations to be free-riding. Since the security of computer networks depends on the actions of every participant, such cooperation would seem to be the optimal way to increase the efficiency of funds spent on cybersecurity, and a successful exchange of information and experience could make it possible to coordinate such activities at the national and international levels. In reality, however, a company’s fear of losing competitive advantages by participating in such network cooperation and disclosing complete information about itself leads to avoidance of participation and a reluctance to provide complete information. The situation can only be changed by developing public-private partnerships based on sufficiently significant economic incentives.

Thus, the institutional mechanism for ensuring the information security of the state involves the formation of a legislative framework and institutional structures that ensure it. To improve the institutional mechanism and form a new architecture of economic security in the information economy, a system of measures has been proposed, including: overcoming the declarative nature of legislation and reducing the gap between legislation and practice in the information sphere, the formation of supranational legislation in the information sphere, the creation of new institutions that define the framework for interaction and rules of behavior in the Internet space.

Bibliography (References)

1. Inshakov O.V., Lebedeva N.N. Economic and institutional mechanisms: correlation and interaction in the conditions of the social-market transformation of the Russian economy // Vestnik of St. Petersburg State University. Ser. 5. 2008. Issue 4 (No. 16).

2. Dzliev M.I., Romanovich A.L., Ursul A.D. Security problems: theoretical and methodological aspects. Moscow, 2001.

3. Atamanov G.A. Information security in modern Russian society (social and philosophical aspect): Cand. Sci. (Philosophy) dissertation. Volgograd, 2006.

4. Kononov A.A., Smolyan G.L. Information society: a society of total risk or a society of guaranteed security? // Information Society. 2002. No. 1.

1. Inshakov O.V., Lebedeva N.N. (2008) Khozyaystvennyy i institutsional'nyy mekhanizmy: sootnosheniye i vzaimodeystviye v usloviyakh sotsial'no-rynochnoy transformatsii rossiyskoy ekonomiki // Vestnik S.-Peterb. gos. un-ta. Ser. 5. Vyp. 4 (No. 16).

2. Dzliyev M.I., Romanovich A.L., Ursul A.D. (2001) Problemy bezopasnosti: teoretiko-metodologicheskiye aspekty. M.

3. Atamanov G.A. (2006) Informatsionnaya bezopasnost' v sovremennom rossiyskom obshchestve (sotsial'no-filosofskiy aspekt). Volgograd.

4. Kononov A.A., Smolyan G.L. (2002) Informatsionnoye obshchestvo: obshchestvo total'nogo riska ili obshchestvo garantirovannoy bezopasnosti? // Informatsionnoye obshchestvo. No. 1.

Having analyzed the information security of the enterprise, we can conclude that insufficient attention is paid to the following points:

– the enterprise database is backed up irregularly;

– data on employees’ personal computers is not backed up at all;

– e-mail messages are stored on the servers of Internet mail services, outside the enterprise;

– some employees lack the skills to work with the automated systems;

– employees have access to their colleagues’ personal computers;

– some workstations have no anti-virus software;

– access rights to network resources are poorly differentiated;

– there are no security regulations.

All of the above are serious shortcomings in ensuring the enterprise’s information security.
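The first two findings (irregular backups, no backups of workstation data) are the ones an auditor can verify mechanically rather than by interview: is the newest backup within the policy window, and are the stored copies still intact? The following script is an added example, not part of the original enterprise analysis. It assumes backups are written as dated files into one directory alongside a SHA-256 manifest in `sha256sum` format; the 26-hour maximum age and the sample dump files are constructed for the demonstration.

```python
"""Backup freshness and integrity audit for the enterprise findings above.

Added example, not from the original analysis. Assumes dated backup files in a
single directory plus a SHA-256 manifest; policy values and sample data are
constructed here so the script runs offline.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import List, Optional

MANIFEST = "SHA256SUMS"
MAX_AGE = timedelta(hours=26)  # assumed policy: one backup per day, with two hours of slack


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a digest for every backup file in sha256sum's 'digest  name' format."""
    lines = [f"{sha256_of(p)}  {p.name}" for p in sorted(backup_dir.iterdir()) if p.name != MANIFEST]
    manifest = backup_dir / MANIFEST
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_manifest(backup_dir: Path) -> List[str]:
    """One problem string per missing or altered file; an empty list means the set is intact."""
    manifest = backup_dir / MANIFEST
    if not manifest.exists():
        return ["manifest missing"]
    problems = []
    for line in manifest.read_text().splitlines():
        digest, _, name = line.partition("  ")
        p = backup_dir / name
        if not p.exists():
            problems.append(f"{name}: missing")
        elif sha256_of(p) != digest:
            problems.append(f"{name}: digest mismatch")
    return problems


def newest_backup_age(backup_dir: Path, now: datetime) -> Optional[timedelta]:
    """Age of the most recent backup file by mtime; None when there are no backups at all."""
    files = [p for p in backup_dir.iterdir() if p.name != MANIFEST]
    if not files:
        return None
    newest = max(p.stat().st_mtime for p in files)
    return now - datetime.fromtimestamp(newest, tz=timezone.utc)


def audit(backup_dir: Path, now: datetime, max_age: timedelta = MAX_AGE) -> List[str]:
    """Combine the freshness and integrity checks into the findings an auditor would report."""
    findings = []
    age = newest_backup_age(backup_dir, now)
    if age is None:
        findings.append("no backups present")
    elif age > max_age:
        findings.append(
            f"newest backup is {age.total_seconds() / 3600:.0f}h old "
            f"(limit {max_age.total_seconds() / 3600:.0f}h)"
        )
    findings.extend(verify_manifest(backup_dir))
    return findings


def demo() -> List[str]:
    """Constructed scenario: two dumps, the older one silently truncated, audited three days later."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for i in (1, 2):
            (d / f"db-2024-03-0{i}.sql").write_bytes(b"-- dump %d\n" % i)
        write_manifest(d)
        (d / "db-2024-03-01.sql").write_bytes(b"")  # simulate corruption after the manifest was written
        last_run = datetime.fromtimestamp((d / "db-2024-03-02.sql").stat().st_mtime, tz=timezone.utc)
        return audit(d, last_run + timedelta(days=3))


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run against a real backup directory, `audit(Path("/backups/db"), datetime.now(timezone.utc))` would be the daily check; the manifest must be written by the backup job itself, immediately after the dump completes, or the integrity check only proves that the copy matches whatever state it was in when someone first hashed it.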

Risk analysis

The danger of a threat is determined by the risk in the event of its successful realization. Risk is the potential damage from a threat, and its significance depends on both the likelihood that the threat is realized and the size of the resulting damage. A risk is acceptable if the damage from a realized threat would not lead to serious negative consequences for the owner of the information. The organization has the following risks:

1. Irregular backup of the enterprise database.

Consequences: loss of data about the operation of the enterprise.

2. Data on employees’ personal computers is not backed up.

Consequences: when equipment fails, important data may be lost.

3. E-mail messages are stored on the servers of Internet mail services.

Consequences: business correspondence is held outside the enterprise’s control and may be disclosed.

4. Some employees lack the skills to work with the automated systems.

Consequences: incorrect data may be entered into and stored in the system.

5. Employees have access to their colleagues’ personal computers.

Consequences: data can be read or altered by someone other than its owner, and actions cannot be attributed to a specific employee.

6. Some workstations have no anti-virus software.

Consequences: viruses and other malicious software appear in the system.

7. Access rights to network resources are poorly differentiated.

Consequences: carelessness, or a single compromised account, can lead to the loss or leakage of data the employee did not need access to.

8. There are no security regulations.

Consequences: employees have no binding rules to follow, so none of the above shortcomings can be systematically corrected.

Purpose and objectives of the information security system

The main goal of an enterprise's security system is to prevent damage to its activities due to theft of material and technical means and documentation; destruction of property and valuables; disclosure, leakage and unauthorized access to sources of confidential information; disruption of the operation of technical means of supporting production activities, including information technology, as well as preventing damage to enterprise personnel.

The goals of the security system are:

· protection of the rights of the enterprise, its structural divisions and employees;

· preservation and efficient use of financial, material and information resources;

· enhancing the enterprise’s image and increasing its profit by ensuring the quality of services and the safety of customers.

The tasks of the enterprise security system are:

· timely identification and elimination of threats to personnel and resources, and of the causes and conditions conducive to financial, material and moral damage to the interests of the enterprise or to disruption of its normal functioning and development;

· classification of information into restricted-access categories, and of other resources by level of vulnerability (danger) and by the need to protect them;

· creation of a mechanism and conditions for prompt response to security threats and to negative trends in the functioning of the enterprise;

· effective suppression of attacks on resources and threats to personnel on the basis of an integrated approach to security.

The organization and operation of the security system must be based on the following principles:

Comprehensiveness. Ensuring the security of personnel, material and financial resources and information against all possible threats by all available legal means and methods, throughout the entire life cycle and in all modes of operation, as well as the ability of the system to develop and improve in the course of operation.

Reliability. Different security zones must be equally reliable relative to the likelihood of a threat occurring in each, so that no zone becomes the weak link through which the others are bypassed.

Timeliness. The ability of the system to be proactive in nature based on the analysis and forecasting of security threats and the development of effective measures to counter them.

Continuity. No interruptions in the operation of security systems caused by repairs, replacements, maintenance, etc.

Legality. Development of security systems based on existing legislation.

Reasonable sufficiency. Establishing an acceptable level of security at which the probability and size of possible damage will be combined with the maximum acceptable costs for the development and operation of the security system.

Centralization of management. Independent functioning of the security system according to uniform organizational, functional and methodological principles.

Competence. The security system must be created and managed by persons with professional training sufficient to correctly assess the situation and make adequate decisions, including in conditions of increased risk.
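The “reasonable sufficiency” principle above, like the definition of risk in the risk-analysis section, says that spending is justified only while the probability and size of the damage outweigh the cost of preventing it. The script below is an added worked example, not part of the original page, that puts numbers on that statement using the standard single-loss-expectancy / annualized-loss-expectancy method (ALE = ARO × SLE), which the page itself does not name. Every monetary value, occurrence rate, control cost and the acceptability threshold is a constructed assumption; the risks are taken from the enterprise findings above.

```python
"""Quantitative screening of the enterprise risks listed above.

Added example, not from the original page. Uses ALE = ARO x SLE to express the
"reasonable sufficiency" principle numerically. All figures are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: damage from one realized threat (assumed, currency units)
    aro: float  # annualized rate of occurrence: expected incidents per year (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # purchase, deployment, training and operation per year (assumed)
    aro_after: float    # residual rate of occurrence once the control is in place (assumed)


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected damage per year from this threat."""
    return sle * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs; positive means the spend is justified."""
    return ale(risk.sle, risk.aro) - ale(risk.sle, control.aro_after) - control.annual_cost


def is_acceptable(risk: Risk, threshold: float) -> bool:
    """A risk whose expected annual loss is within the owner's threshold is simply accepted."""
    return ale(risk.sle, risk.aro) <= threshold


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first; ties keep their input order."""
    return sorted(risks, key=lambda r: ale(r.sle, r.aro), reverse=True)


# Constructed figures for five of the findings above.
RISKS = [
    Risk("irregular backup of the enterprise database", sle=200_000, aro=0.5),
    Risk("no backup on employees' PCs", sle=5_000, aro=4.0),
    Risk("no anti-virus on some workstations", sle=30_000, aro=2.0),
    Risk("poor differentiation of access rights", sle=80_000, aro=0.25),
    Risk("insufficient skills with automated systems", sle=1_000, aro=6.0),
]

# Candidate controls, keyed by risk name (all assumed). No control is proposed for the last risk.
CONTROLS: Dict[str, Control] = {
    "irregular backup of the enterprise database": Control("scheduled, verified backups", 15_000, 0.05),
    "no backup on employees' PCs": Control("full image backup of every PC", 22_000, 0.5),
    "no anti-virus on some workstations": Control("managed endpoint protection", 12_000, 0.4),
    "poor differentiation of access rights": Control("role-based share permissions", 5_000, 0.05),
}

ACCEPTABLE_ALE = 10_000  # assumed threshold set by the information owner


def decide(risks: List[Risk] = RISKS,
           controls: Dict[str, Control] = CONTROLS,
           threshold: float = ACCEPTABLE_ALE) -> List[Tuple[str, float, str]]:
    """Return (risk name, ALE, decision) for each risk, highest ALE first."""
    out = []
    for r in rank_by_ale(risks):
        loss = ale(r.sle, r.aro)
        if is_acceptable(r, threshold):
            out.append((r.name, loss, "accept"))
            continue
        c: Optional[Control] = controls.get(r.name)
        if c is None:
            verdict = "unacceptable, no control proposed"
        elif net_benefit(r, c) > 0:
            verdict = "mitigate"
        else:
            verdict = "control too expensive: transfer or accept"
        out.append((r.name, loss, verdict))
    return out


if __name__ == "__main__":
    for name, loss, verdict in decide():
        print(f"{loss:>10,.0f}/yr  {verdict:<42} {name}")
```

In these constructed figures the database backup, anti-virus and access-rights controls pay for themselves, the skills risk falls under the threshold and is accepted, and a full per-PC imaging product costs more per year than the loss it would avoid, so the principle argues for a cheaper control (or for accepting that risk) rather than for the most thorough one. The same arithmetic is what the HEAD’s “situational management” approach performs when it trades processing overhead against the value of the information being protected.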
