Security of personal data in the bank
What is personal data?
According to the definition from federal law, personal data is any information relating to an individual identified or determined on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information.
Where is personal data located?
Personal data (PD) in the bank is located in the following systems:
Automated banking system (ABS);
Client-Bank systems;
Instant money transfer systems;
Accounting systems;
Personnel accounting systems;
Corporate information system;
Internal web portal.
PD may be present on paper documents (agreements, forms, orders, instructions, questionnaires, agreements, etc.).
What documents establish the requirements for the protection of personal data?
Federal laws
Federal Law No. 149-FZ of July 27, 2006 “On information, information technologies and information protection”;
Government Decrees
Government Decree Russian Federation No. 781 of November 17, 2007 “On approval of the regulations on ensuring the security of personal data during their processing in information systems personal data";
Decree of the Government of the Russian Federation No. 957 of December 29, 2007 “On approval of regulations on licensing of certain types of activities related to encryption (cryptographic) means”;
Decree of the Government of the Russian Federation No. 687 of September 15, 2008 “On approval of the regulations on the specifics of processing personal data carried out without the use of automation tools.”
FSTEC of Russia
Joint order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008 No. 55/86/20 “On approval of the procedure for classifying personal data information systems”;
Guiding document of the FSTEC of Russia “Basic model of threats to the security of personal data during their processing in personal data information systems”;
Guiding document of the FSTEC of Russia “Methodology for determining current threats to the security of personal data during their processing in personal data information systems”;
Order of the FSTEC of Russia dated February 5, 2010 No. 58 “On approval of the regulations on methods and means of protecting information in personal information data.”
FSB of Russia
FAPSI Order No. 152 dated June 13, 2001 “On approval of instructions on organizing and ensuring the security of storage, processing and transmission via communication channels using means cryptographic protection information with limited access that does not contain information constituting a state secret”;
Order of the FSB of the Russian Federation dated February 9, 2005 No. 66 “On approval of the regulations on the development, production, sale and operation of encryption (cryptographic) information security means (regulations PKZ-2005)”;
Guiding document of the FSB of Russia dated February 21, 2008 No. 149/54-144 “Methodological recommendations for ensuring the security of personal data using crypto-means when processing them in personal data information systems using automation tools”;
Guiding document of the FSB of Russia dated February 21, 2008 No. 149/6/6-622 “Standard requirements for organizing and ensuring the functioning of encryption (cryptographic) means intended to protect information that does not contain information constituting state secrets, if they are used for ensuring the security of personal data during their processing in personal data information systems”;
Bank of Russia standard
STO BR IBBS-1.0-2010 “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions";
STO BR IBBS-1.1-2007 “Ensuring information security of organizations of the banking system of the Russian Federation. Information security audit";
STO BR IBBS-1.2-2010 “Ensuring information security of organizations of the banking system of the Russian Federation. Methodology for assessing the compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0-20xx";
RS BR IBBS-2.0-2007 “Ensuring information security of organizations of the banking system of the Russian Federation. Guidelines for documentation in the field of information security in accordance with the requirements of STO BR IBBS-1.0";
RS BR IBBS-2.1-2007 “Ensuring information security of organizations of the banking system of the Russian Federation. Guidelines for self-assessment of compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0";
RS BR IBBS-2.3-2010 “Providing information security to organizations of the banking system of the Russian Federation. Requirements for ensuring the security of personal data in personal data information systems of organizations of the banking system of the Russian Federation";
RS BR IBBS-2.4-2010 “Providing information security to organizations of the banking system of the Russian Federation. Industry-specific model of threats to the security of personal data during their processing in information systems of PD of organizations of banks of the banking system of the Russian Federation";
Methodological recommendations for meeting legal requirements when processing personal data in RF BS organizations, developed jointly by the Bank of Russia, the ARB and the Association of Regional Banks of Russia (the Rossiya Association).
How should personal data be protected?
According to the requirements of methodological documents for PD protection, the following subsystems are common to all types of ISPD:
Access control subsystem;
Registration and accounting subsystem;
Integrity subsystem;
Firewall security subsystem.
If the ISPD is connected to the Internet, then it is necessary to additionally use the following subsystems:
Anti-virus security subsystem;
Intrusion detection subsystem;
Security analysis subsystem.
It is also necessary to use electronic locks and/or electronic keys for reliable identification and authentication of users.
If the PDIS is distributed additionally to prevent unauthorized access by separating protected information from publicly available information, it is necessary to use cryptography when transmitting PD over unsecured communication channels, as well as digital signature to confirm the authenticity of the data.
This breakdown into subsystems and the formation on their basis of a list of products for protecting personal data is generally accepted and is used in most cases.
What is it necessary to protect personal data from?
If the task is to ensure only the confidentiality of personal data, it is necessary to implement measures and/or use technical means aimed at preventing unauthorized access, then such an information system becomes standard.
If additional requirements are imposed to ensure other properties of information security, such as ensuring integrity, availability, as well as their derivatives (non-repudiation, accountability, adequacy, reliability, etc.), then such an ISPD becomes special. In most cases, any ISPD will be special, that is, in addition to classes of PD, to determine protection mechanisms, you need to be guided by the threat model created for this purpose.
How to reduce the PD class?
In order to reduce and simplify measures to protect personal data, Banks use various tricks. Below I present the most typical ways to reduce the cost of protective equipment. However, such a “redrawing” of the Bank’s information systems in itself is a rather complex and time-consuming task.
Reducing the number of sites
As was shown above, if the ISPD is distributed, then increased requirements are imposed on its protection; in order to reduce them, you need to try to move away from distributed ISPD.
With a distributed ISPD, PD are located at various sites, PD is transmitted through communication channels uncontrolled by the Bank, and in general this means that PD exits or leaves the controlled area. Then, first of all, it is necessary to localize the PD, reducing the number of sites on which they will be located. In some cases this is possible, but if we consider ABS, then most likely this will not be possible.
Reducing the number of servers
If the PDIS is local, that is, it operates within the Bank’s local network, then the easiest way to reduce the cost of protection costs would be to reduce the number of server equipment on which PD is present and/or processed.
Reducing the number of workstations and personnel
With any type of ISPD (in the form of an automated workplace, local, distributed), the final processing of PD is usually carried out by Bank personnel. If you do not use terminal access, which will be discussed below, it makes sense to reduce the number of Bank personnel involved in processing personal data or having access to them.
IC separation using firewall
In order to reduce the amount of personal data, and therefore reduce the cost of protective equipment, in a good way is the division information networks into segments in which PD is processed. To do this, it is necessary to install and use firewalls, to the ports of which segments with PD should be connected. Often all server equipment is located in a demilitarized zone, that is, in segments separated from public and banking networks by firewalls. This method also requires a significant “redrawing” of information networks. There is a method based on the so-called “linear encryption”, that is, encryption of the client-client, client-server, server-server channel. Such encryption of network traffic can be implemented both using special security tools and using standard IPSec technology, however, it is not certified by the FSB of Russia, which is its significant disadvantage.
Another way to share ISPD throughout the entire network could be technology virtual networks– VLAN, but in fact VLAN is just an identifier in one of the fields of the network packet, which allows us to talk about this technology as “IT”. Therefore, dividing networks using VLANs does not exempt you from using information security technologies.
Dividing databases into parts
Let's assume that there is a database consisting of thousands of records: Full name. and the deposit amount.
Let's create two other databases. Let's enter an additional unique identifier. Let's divide the table into two parts, in the first we will place the fields Full Name and ID, in the other the ID and deposit amount.
Thus, if each employee can process only one of these new databases, then personal data protection is greatly simplified, if not nullified. Obviously, the value of such a database is significantly lower than the original one. Both databases will be located on the most secure server. In reality, there are many more fields in the database, however this principle can work in almost every case, because the number of fields that are significant from a personal data security point of view is not so large, but rather quite limited. In extreme cases, you can store key matches on a PC that is not part of the local network or even not use automated processing.
Depersonalization of personal data
According to the definition from 152-FZ, depersonalization of personal data is actions as a result of which it is impossible to determine whether personal data belongs to a specific personal data subject. From this definition follows a series of methods by which it is possible to obtain PD, by which it is impossible to determine the identity of the PD. For example, if the exact data of certain fields is not important for processing purposes, you can either not display them, or display only the ranges in which they fall. For example, age 20-30, 30-40, etc. The address can be “rounded” to a district, district or city: Tsaritsyno, Yuzhny, Moscow. Depending on the need, the process of depersonalization of personal data can be reversible or irreversible. Irreversible includes the above methods of “rounding”, and reversible, for example, encryption. From my point of view, encryption (encoding) can be a way of depersonalizing data and should be used for these purposes.
Thin clients and terminal access
The use of “thin client” technologies and the corresponding terminal access technology on servers can significantly reduce the requirements for personal data protection. The fact is that when using “thin clients” and terminal access on the Bank employees’ PCs, there is no need to install specialized software, such as client parts of databases, client parts of core banking systems, etc. Moreover, there is no need to install any special protection tools on the Bank employees’ PCs. These technologies allow you to display information from databases stored on servers at your workplace and manage the processing of personal data. These technologies are a priori safe, because Terminal policies can easily limit the ability of end clients (Bank staff) to copy and therefore distribute personal data. The communication channel between servers and a PC with a “thin client” is easily encrypted, that is in simple ways Confidentiality of transmitted data can be ensured.
The speed of potential data leaks will be limited only by the visual channel, which is determined by the speed of the camera or video camera, however, with the introduction of special organizational measures, such copying becomes very difficult.
How can you protect personal data?
In a broad sense, ensuring protection against unauthorized access is understood as a set of organizational and technical measures. These activities are based on an understanding of mechanisms to prevent unauthorized access at a variety of levels:
Identification and authentication (also two-factor or strong). This could be (operating system, infrastructure software, application software, hardware such as dongles);
Registration and accounting. This can be logging (logging, logging) of events in all of the above systems, software and tools);
Ensuring integrity. This may include calculating checksums of controlled files, ensuring the integrity of software components, using a closed software environment, as well as ensuring trusted loading of the OS);
Firewall, both gateway and local;
Anti-virus security (up to three levels of defense are used, the so-called layered or multi-vendor approach);
Cryptography (functionally applied at different levels of the OSI model (network, transport and higher), and provides various security functionality).
There are a few complex products, having developed NSD functionality. They all differ in application types, hardware support, software and implementation topology.
When ISPD is distributed or connected to a public network (Internet, Rostelecom, etc.), security analysis products are used (MaxPatrol from Positive Technologies, which has no direct competitors in the Russian Federation), as well as intrusion detection and prevention (IDS/IPS) - as in at the gateway level and at the end node level.
How can you transfer personal data?
If the PDIS is distributed, this means the need to transmit PD over unsecured communication channels. By the way, the “air” channel also refers to the unprotected channel. To protect personal data in communication channels, various methods can be used:
Encryption of the communication channel. Can be provided in any way, such as VPN between gateways, VPN between servers, VPN between workstations (InfoTecs ViPNet Custom, Informzashchita APKSh Kontinent, etc.);
MPLS packet switching. Packets are transmitted along various paths in accordance with labels assigned by network equipment. For example, Rostelecom's MPLS network has a certificate of compliance of the packet switching network with the information security requirements of FSTEC of Russia, which is a guarantee of high security of the services provided on its basis;
Encryption of documents. Can be used in various ways software for encrypting data files, as well as container files (ViPNet SafeDisk, InfoWatch CryptoStorage, True Crypt, etc.);
Encryption of archives. Various archivers can be used that allow you to archive and encrypt files using cryptographic algorithms such as AES. (WinRAR, WinZIP, 7-ZIP, etc.).
Do I need to use certified protective equipment?
Today, there is only one requirement of the FSTEC of Russia regarding the certification of personal data protection means. The requirement concerns the provision of level 4 undeclared capabilities, so on the last issue I will give only three theses:
The certification system for protective equipment is voluntary;
It is enough to comply with legal requirements;
There is no need to certify the personal data information system as a whole.
Shauro Evgeniy
Dzhabrail Matiev, head of personal data protection for the commercial part of the companyReignVox
Constant work with huge amounts of client data requires a bank of any format permanent job in the field of protecting this data.
That is why the topic of information security, and with it the topic of trust, is especially relevant in the financial sector. Moreover, the requirement to protect any personal data included in the structure of the information system of a modern financial company is also legally justified - Federal Law No. 152 “On Personal Data” clearly obliges every company processing this data to protect it within a strictly defined time frame. Both new and existing information systems processing personal data must be brought into compliance with legal requirements by January 1, 2011. With such strict time frames, organizations processing such information have less and less time to comply with legal requirements.
Where should you start working to protect personal data? What time frame can you expect for work? Who should be entrusted with the work? What is the average cost of a project and how to minimize costs? All these questions are relevant today for any company doing business in the financial sector. ReignVox's extensive experience in the field of personal data protection in financial institutions allows us to provide expert answers to them.
Life is in countdown mode
Federal Law No. 152 “On Personal Data” comes into full force on January 1, 2011 - more than six months ahead of the deadline set by legislators. But don’t give in to the misleading impression of having too much time.
Firstly, the implementation of a project aimed at meeting the requirements for the protection of personal data requires from four to six months, depending on its complexity. But this figure is not final either - terms may increase to six to eight months due to the period that the bank will spend selecting a worthy integrator for developing and maintaining the project. Carrying out this type of work on its own is fraught for the bank with a loss of objectivity at the stage of examination and analysis, the means of protection existing in it, as well as the need to find separate labor resources for this work. In this case, you should also remember such factors as the availability of specialists trained in the field of personal data protection, the required amount of regulatory and methodological support, and free resources for the very task of protecting personal data. Practice shows that usually it is third-party integrators who fully meet all these requirements.
Secondly, returning to the topic of the deadlines set by the Law “On Personal Data” for data operators (and the fact that banks are precisely such operators is no longer an issue in principle), no matter what they say about their “transfer ", the first regulatory checks are already taking place. The conclusion is quite logical: the relevance of the problem has not only remained, it has increased significantly, and its solution is becoming an urgent need.
“And the casket just opened...”
The task of bringing the ISPD into compliance with the provisions of the Law “On Personal Data” has recently been the subject of active discussions, the result of which basically boils down to one thing: solving this problem is very problematic due to the combination of its organizational and legal features. This conclusion is not entirely correct: the practice of applying requirements for the protection of personal data, which appeared during the first quarter of 2010 (including in banking sector), confirms the understandability and interpretability of the requirements for ISPD. Their formulation, implementation and documentary confirmation of the latter with a minimal risk of any errors is not so much difficult in its implementation as it is important from the point of view of the security of the banking business. The task is further simplified by the ability to delegate it to a third-party integrator, whose specialists will complete the project to protect personal data as quickly and professionally as possible, taking into account the individual characteristics of the banking business.
Thus, the first priority becomes the choice of an integrator company, which will be entrusted with the management of the project.
"Standard" = "Exclusive"?
Such an equal sign between these mutually exclusive concepts has a right to exist. This statement is supported by the practical experience of successful personal data protection projects already completed by ReignVox.
On the one hand, each such project includes a standard number of stages: the stage of surveying personal data information systems, the stage of designing a personal data protection system, the stage of implementing the PDSDN, the stage of assessing the compliance of the PDSDN with the requirements of the law, and the stage of supporting the created system. Moreover, the assessment of compliance with ISPD, as a stage, is optional and is carried out at the discretion of the customer company. As well as the stage of supporting the created system.
Typicality usually ends at the first stage (the stage of surveying information systems), since it is this stage that makes it possible to identify and describe those requirements that will be presented in the future to systems. And these parameters are already individual and focused on each specific customer, optimized in accordance with his needs.
During this survey, information resources are analyzed, standard solutions, used in the construction of IT infrastructure, information flows of personal data, existing systems and means of information protection.
At the same stage, a model of threats and a PD security violator is developed, and the need to ensure PD security in the ISPD using crypto-techniques is assessed.
The classic scheme for the second stage includes an audit of the regulatory framework and assessment of its compliance with regulatory requirements. Its result is the development of the missing internal documents, as well as the development of technical specifications for the development of the SPD. At the same stage, the integrator begins the direct development of a set of measures to protect information.
At the end of this stage, the bank is quite capable of successfully passing inspection by one of the regulators.
The essence of the third stage comes down to the implementation of systems and configuration of existing security measures. After testing, if necessary, the complex of technical and software.
At each of the described stages, ReignVox, as an integrator, faces various additional tasks, determined by the specifics of the business conducted by the customer company, its size, infrastructure, activity of business processes and many other points. And from many such components each time a new, individually adapted project concept for the protection of personal data is formed.
“...and the sheep are safe”
Minimizing expenses, optimizing the budget, saving - no matter what phrase you choose, the essence will remain the same - a rational approach to the use of monetary resources - this is the second cornerstone of the success of a financial structure (after trust, of course). Therefore, the desire to reduce costs as much as possible without compromising information security is natural and quite achievable.
The cost of an average standard project to create a personal data protection system for a banking structure is about 1.5 million rubles. When calculating this amount, a number of principles are taken into account, following which allows one to reduce the budget for creating a personal data protection system.
First of all, we strive to preserve as much as possible the IT infrastructure already existing in the organization. Usually they talk about two polar scenarios for personal data protection. The first is a radical reworking of all ISPD, and the second is formal, consisting only of issuing internal regulatory documents, without making any changes to the ISPD. We consider the third option to be optimal, which consists precisely in maintaining the current IT infrastructure of the bank, accompanied by modifying some of its elements and adding new ones necessary to ensure compliance with the law.
In this case we are talking about the first principle, based on maximum use of existing information security tools when designing information security systems. Protection means in any company are used regardless of the need to protect personal data, these include anti-virus protection systems and built-in access control tools operating system, and firewalls and many other tools. Therefore, the maximum number of requirements is covered by existing security measures. And only if some requirements are not met by current means of protection, it is necessary to purchase and implement additional ones.
The second principle is the principle economical logical structuring of information systems personal data. Following this principle, as part of the implementation of a project to protect personal data in a bank, it becomes economically feasible to combine several systems located in the same room into one, in combination with downgrading non-critical segments. Thus, an ISPD “Data Processing Center” is created, in which protection is provided along the perimeter. This allows you to significantly minimize the cost of separating streams within different systems.
Principle three - protect only from current threats. At the same time, the updating of threats is described in a document required for special systems, called the “Threat Model”. When updating threats, those whose probability is low and the damage upon implementation is small are discarded.
Provided that already proven methods are used, the task of bringing the ISPD of any bank into compliance with the requirements of the law by January 1, 2011 is fully achievable. For maximum success in implementing such technologies in the banking sector, it is still necessary to remember an integrated approach to working on the project. In this case, we mean the organization of joint work of specialists from various departments - specialists in IT technologies, information security and project management, financiers, lawyers - guaranteeing compliance with the necessary balance of the overall approach to protecting critical data within the financial structure.
Reference: ReignVox is a Russian company specializing in innovative projects and developments in the field of information technology and ensuring their information security.
The purpose of creating the company is to provide services to ensure the protection of personal data in accordance with the requirements of the Law “On Personal Data” Federal Law No. 152 of July 27, 2006 and to build comprehensive information security systems.
ReignVox is a member of the interregional public organization “Association for Information Security” (IPO “AZI”), an associated member of the “Infocommunication Union”, and also a member of the Association of Regional Banks of Russia.
ReignVox has significant experience in successfully implementing personal data protection projects in large commercial banks. Among its clients are NOTA-Bank, Vnesheconombank, CentroCredit, Tempbank, Alta-Bank, etc.
Estimate:
INTRODUCTION
Relevance. IN modern world information becomes a strategic resource, one of the main wealth of an economically developed state. The rapid improvement of informatization in Russia, its penetration into all spheres of vital interests of the individual, society and state, has caused, in addition to undoubted advantages, the emergence of a number of significant problems. One of them was the need to protect information. Considering that currently the economic potential is increasingly determined by the level of development of the information structure, the potential vulnerability of the economy from information influences is growing proportionally.
Spreading computer systems, combining them into communication networks enhances the possibilities of electronic penetration into them. The problem of computer crime in all countries of the world, regardless of their geographical location, necessitates attracting more and more public attention and efforts to organize the fight against this type of crime. Crimes in automated banking systems and e-commerce have become especially widespread. According to foreign data, bank losses as a result of computer crimes annually amount to many billions of dollars. Although the level of implementation of the latest information technologies into practice in Russia is not so significant, computer crimes are making themselves felt more and more every day, and protecting the state and society from them has become a super task for the competent authorities.
No one doubts the relevance of the issue of personal data protection. This is primarily due to the deadline set for bringing personal data information systems (PDIS) into compliance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data.” This deadline is inexorably approaching, and at the same time the obvious difficulty of fulfilling the requirements of regulatory guidance documents provokes a lot of controversy and ambiguous interpretations. At the same time, the secrecy of some governing documents, their uncertain legal status, as well as a number of other issues, do not contribute to solving the problem. All this creates a situation where the regulatory framework has not been finalized, and it is necessary to comply with legal requirements now.
May 2009 the first meeting was held working group on the issue of personal data in the ARB. At the event, during an open discussion, problem areas of concern to the banking community were quite clearly identified. Basically they concerned technical protection personal data and future interaction between financial institutions and FSTEC. Representatives of the Bank of Russia announced in their speech developments in organizing the implementation of the law “On Personal Data”. The attempts of the Bank of Russia to find a compromise with regulators regarding the formulation of technical requirements for the banking community can be called fundamentally new and important. I would especially like to note the activity of the Central Bank of the Russian Federation in working with the FSTEC of Russia. Taking into account the huge number of difficulties in fulfilling the requirements of the governing documents of the FSTEC, the Bank of Russia decided to prepare its own documents (draft documents), which are currently consistent with the FSTEC. It can be assumed that there is a high probability of the emergence of a new industry standard for financial institutions on personal data.
The purpose of the course work is to study ways to protect personal data in online banking systems.
To achieve the goal, the following tasks were solved:
studying approaches and basic principles of ensuring security;
determination of methods and means of ensuring security;
identifying features of ensuring the security of personal data in online banking systems;
development of measures to ensure the security of personal data in online banking systems.
The object of study is banking information systems.
The subject of the study is the security of personal information in online banking systems.
The theoretical and methodological basis of the study was based on theoretical principles, the work of scientists, and research by specialists on information provision issues.
The methodological basis of the course work was a systematic approach to the study of security problems.
Logical, comparative legal, and systemic analysis were used. In addition, the method of structural analysis used allows us to study with the necessary care the individual components of the phenomenon under study and analyze the relationship of these elements with each other, as well as with the overall whole.
1. Theoretical aspects of personal data protection in online banking systems
1.1 Approaches, principles of security
Ensuring the security of information systems means measures that protect an information system from accidental or intentional interference in its operating modes.
There are two fundamental approaches to ensuring computer security.
The first of them is fragmented, within its framework there is a focus on countering strictly defined threats under certain conditions (for example, specialized anti-virus tools, stand-alone encryption tools, etc.). The approach has both advantages - suggesting a high level of selectivity in relation to a strictly defined problem, and disadvantages - suggesting fragmentation of protection - i.e. strictly defined elements.
The information security management process includes the components shown in Fig. 1.
The second approach is systemic, its peculiarity is that within its framework information protection is treated on a larger scale - a secure environment for processing, storing and transmitting information is created that combines heterogeneous methods and means of countering threats: software and hardware, legal, organizational and economic. Through the specified secure environment, a certain level of security of the automated information system can be guaranteed.
A systematic approach to information protection is based on the following methodological principles:
final goal - the absolute priority of the final (global) goal;
unity - joint consideration of the system as a whole" and as a collection of parts (elements);
connectivity - consideration of any part of the system together with its connections with the environment;
modular construction - identifying modules in the system and considering it as a set of modules;
hierarchy - introducing a hierarchy of parts (elements) and their ranking;
functionality - joint consideration of structure and function with priority of function over structure;
development - taking into account the variability of the system, its ability to develop, expand, replace parts, accumulate information;
decentralization - combinations of centralization and decentralization in decisions made and management;
uncertainty - taking into account uncertainties and contingencies in the system.
Modern researchers identify the following methodological ones:
organizational and implementation principles of information (including computer) security.
The principle of legality. Consists of following current legislation in the field of information security.
The principle of uncertainty. Arises due to the ambiguity of the subject’s behavior, i.e. who, when, where and how can violate the security of the protected object.
The principle of the impossibility of creating an ideal protection system. It follows from the principle of uncertainty and limited resources of these funds.
The principles of minimal risk and minimal damage stem from the impossibility of creating an ideal protection system. In accordance with it, it is necessary to take into account the specific conditions of existence of the object of protection for any moment in time.
The principle of safe time. It involves taking into account absolute time, i.e. during which it is necessary to preserve the objects of protection; and relative time, i.e. the period of time from the moment malicious actions are detected until the attacker achieves his goal.
The principle of “protecting everyone from everyone.” It involves the organization of protective measures against all forms of threats to the objects of protection, which is a consequence of the principle of uncertainty.
Principles of personal responsibility. Assumes the personal responsibility of each employee of an enterprise, institution and organization for compliance with the security regime within the framework of their powers, functional responsibilities and current instructions.
The principle of limitation of powers. It involves limiting the powers of a subject to familiarize himself with information to which access is not required for the normal performance of his functional duties, as well as the introduction of a ban on access to objects and areas in which stay is not required by the nature of his activity.
The principle of interaction and cooperation. Internally, it involves cultivating trusting relationships between employees responsible for security (including information security) and personnel. In external manifestation - establishing cooperation with all interested organizations and individuals (for example, law enforcement agencies).
The principle of complexity and individuality. It implies the impossibility of ensuring the security of the object of protection by any one measure, but only by a set of complex, interconnected and overlapping measures, implemented with individual reference to specific conditions.
The principle of successive safety lines. Involves the earliest possible notification of an encroachment on the safety of a particular protected object or other adverse incident in order to increase the likelihood that an early alarm signal of protective equipment will provide employees responsible for safety with the opportunity to timely determine the cause of the alarm and organize effective countermeasures.
Principles of equal strength and equal power of protection lines. Equal strength implies the absence of unprotected areas within the protection lines. Equivalence presupposes a relatively equal amount of protection of the protection lines in accordance with the degree of threats to the protected object.
Methods for ensuring information security at an enterprise are the following:
An obstacle is a method of physically blocking an attacker’s path to protected information (equipment, storage media, etc.).
Access control is a method of protecting information by regulating the use of all resources of an enterprise's automated information system. Access control includes the following security features:
identification of users, personnel and resources of the information system (assigning a personal identifier to each object);
authentication (establishing the authenticity) of an object or subject using the identifier presented by it;
verification of authority (checking compliance of the day of the week, time of day, requested resources and procedures with the established regulations);
registration of requests to protected resources;
response (alarm, shutdown, delay of work, refusal of a request when attempting unauthorized actions).
Masking is a method of protecting information in an enterprise's automated information system by cryptographicly closing it.
Regulation is a method of information protection that creates conditions for automated processing, storage and transmission of information under which the possibility of unauthorized access to it would be minimized.
Coercion is a method of protecting information in which users and system personnel are forced to comply with the rules for the processing, transfer and use of protected information under the threat of material, administrative and criminal liability.
Incentive is a method of information security that encourages users and system personnel not to violate established rules by complying with established moral and ethical standards.
The above methods of ensuring information security are implemented using the following basic means: physical, hardware, software, hardware-software, cryptographic, organizational, legislative and moral and ethical.
Physical means of protection are intended for external protection of the territory of objects, protection of components of an automated information system of an enterprise and are implemented in the form of autonomous devices and systems.
Hardware protection means are electronic, electromechanical and other devices directly built into blocks of an automated information system or designed as independent devices and interfaced with these blocks. They are designed for internal protection of structural elements of facilities and systems computer technology: terminals, processors, peripheral equipment, communication lines, etc.
Software protection tools are designed to perform logical and intellectual protection functions and are included either in the software of an automated information system, or in the composition of tools, complexes and control equipment systems.
Information security software is the most common type of protection, having the following positive properties: versatility, flexibility, ease of implementation, possibility of change and development. This circumstance makes them at the same time the most vulnerable elements of protecting an enterprise’s information system.
Hardware-software protection means are means in which the software (firmware) and hardware parts are completely interconnected and inseparable.
Cryptographic means are means of protection by transforming information (encryption).
Organizational means - organizational, technical and organizational and legal measures to regulate the behavior of personnel.
Legislative means are legal acts of the country that regulate the rules for the use, processing and transmission of restricted access information and that establish penalties for violating these rules.
Moral and ethical means - norms, traditions in society, for example: Code of Professional Conduct for Members of the Computer Users Association in the USA.
1.2 Security methods and means
Various encryption mechanisms are used to implement security measures. What are these methods used for? Initially, when sending data (text, speech or drawing), it is unprotected, or, as experts call it, open. Open data can easily be intercepted by other users (intentionally or not). If there is a goal to prevent certain information from reaching third parties, such data is encrypted. The user to whom the specified information is intended then decrypts it using the inverse transformation of the cryptogram, receiving the data in the form he needs.
Encryption can be symmetric (one secret key is used for encryption) and asymmetric (one public key is used for encryption, and another for decryption, not interrelated - i.e., if you know one of them, you cannot determine the other).
Security mechanisms include:
) Digital mechanisms electronic signature are based on asymmetric encryption algorithms and include two procedures: the formation of a signature by the sender and its recognition by the recipient. Formation of a signature by the sender ensures that the data block is encrypted or supplemented with a cryptographic checksum, and in both cases the sender's secret key is used. A public key is used for identification.
) Access control mechanisms check the authority of programs and users to access network resources. When a resource is accessed over a connection, control is performed at both the origination point and intermediate points, as well as at the end point.
) Data integrity mechanisms apply to the individual block and to the data stream. The sender completes the transmitted block with a cryptographic amount, and the recipient compares it with the cryptographic value corresponding to the received block. A discrepancy indicates distortion of information in the block.
) Mechanisms for setting up traffic. They are based on the generation of blocks by AIS objects, their encryption and organization of transmission over network channels. This neutralizes the possibility of obtaining information by observing the external characteristics of flows circulating through communication channels.
) Routing control mechanisms ensure the selection of routes for the movement of information along communication network in such a way as to prevent the transmission of sensitive information through unsafe, physically unreliable channels.
) Arbitration mechanisms provide confirmation of the characteristics of data transferred between entities by a third party. To do this, the information sent or received by objects passes through the arbiter, which allows him to subsequently confirm the mentioned characteristics.
The main disadvantages of the security system of economic facilities are:
-a narrow, unsystematic understanding of the problem of facility safety; -neglecting the prevention of threats, working according to the principle “If a threat has appeared, we begin to eliminate it”; -incompetence in the economics of security, inability to compare costs and results; -“technocratism” of management and security specialists, interpretation of all tasks in the language of an area familiar to them. As a conclusion from the first chapter of the work, we determine the following. Ensuring the security of information systems refers to certain measures by which an information system is protected from accidental or intentional interference in its operating modes. To ensure security, there are two main approaches: 1) fragmented, within which certain threats are countered under certain conditions; and 2) systemic, within which a secure environment for processing, storing and transmitting information is created, combining various types of methods and means of countering threats. Various means and mechanisms are used to protect information. The means include: encryption, digital electronic recording, access control, traffic staging, etc. bank online system safety 2. Features of ensuring the security of personal data in online banking systems 2.1. General conditions for ensuring the security of personal data in online banking systems Protection of personal information is the state of security of information and its supporting infrastructure (computers, communication lines, power systems, etc.) from accidental or intentional impacts that could cause damage to the owners or users of this information. Information security of credentials also means: ensured reliability of the computer; safety of valuable credentials; protection of personal information from changes to it by unauthorized persons; preservation of documented credentials in electronic communications. Objects of information security in accounting are information resources containing information classified as a trade secret and confidential information; as well as information technology tools and systems. The owner of information resources, information systems, technologies and means of supporting them is the entity that exercises ownership and use of these objects and exercises the powers of disposal within the limits established by law. An information user is a subject who turns to an information system or intermediary to obtain the information he needs and uses it. Information resources are individual documents and individual arrays of documents, documents and arrays of documents in information systems. An information security threat is a potential action that, through its impact on the components of a personal system, can lead to damage to the owners of information resources or users of the system. The legal regime of information resources is determined by the rules establishing: procedure for documenting information; ownership of individual documents and individual files documents, documents and arrays of documents in information systems; category of information according to the level of access to it; procedure for legal protection of information. The main principle violated when implementing an information threat in accounting is the principle of documenting information. An accounting document received from an automated accounting information system acquires legal force after it is signed by an official in the manner established by the legislation of the Russian Federation. All set potential threats in accounting, according to the nature of their occurrence, they can be divided into two classes: natural (objective) and artificial. Natural threats are caused by objective reasons, usually beyond the control of the accountant, leading to the complete or partial destruction of the accounting department along with its components. Such natural phenomena include: earthquakes, lightning strikes, fires, etc. Man-made threats are related to human activities. They can be divided into unintentional (unintentional), caused by the ability of employees to make any mistakes due to inattention, or fatigue, illness, etc. For example, an accountant, when entering information into a computer, may press the wrong key, make unintentional errors in the program, introduce a virus, or accidentally disclose passwords. Intentional (intentional) threats are associated with the selfish aspirations of people - attackers who deliberately create false documents. Security threats in terms of their focus can be divided into the following groups: threats of penetration and reading of data from credential databases and computer programs for processing them; threats to the safety of credentials, leading to either their destruction or modification, including falsification of payment documents (payment requests, orders, etc.); data availability threats that occur when a user cannot access credentials; Threat of refusal to carry out operations, when one user transmits a message to another and then does not confirm the transmitted data. Information processes are the processes of collecting, processing, accumulating, storing, searching and distributing information. Information system is an organizationally ordered set of documents (arrays of documents and information technologies, including the use of computer technology and communications, implementing information processes). Documentation of information is carried out in the manner established by government bodies responsible for organizing office work, standardizing documents and their arrays, and security of the Russian Federation. Depending on the source of threats, they can be divided into internal and external. The source of internal threats is the activities of the organization’s personnel. External threats come from outside from employees of other organizations, from hackers and other individuals. External threats can be divided into: local, which involve the intruder entering the organization’s territory and gaining access to a separate computer or local network; remote threats are typical for systems connected to global networks (Internet, SWIFT international banking system, etc.). Such dangers arise most often in the electronic payment system when making payments between suppliers and buyers, and using Internet networks in payments. The sources of such information attacks can be located thousands of kilometers away. Moreover, not only computers are affected, but also accounting information. Intentional and unintentional errors in accounting leading to an increase in accounting risk are the following: errors in recording accounting data; incorrect codes; unauthorized accounting transactions; violation of control limits; missed Accounts; errors in data processing or output; errors in the formation or correction of directories; incomplete accounts; incorrect assignment of records to periods; data falsification; violation of regulatory requirements; violation of personal policy principles; discrepancy between the quality of services and user needs. Particularly dangerous are information that constitutes a trade secret and relates to personal and reporting information (data about partners, clients, banks, analytical information about market activities). In order for this and similar information to be protected, it is necessary to draw up agreements with employees of accounting, financial services and other economic departments indicating a list of information that is not subject to public disclosure. Information protection in automated accounting systems is based on the following basic principles. Ensuring physical separation of areas intended for processing classified and unclassified information. Ensuring cryptographic protection of information. Ensuring authentication of subscribers and subscriber installations. Ensuring differentiation of access of subjects and their processes to information. Ensuring the establishment of the authenticity and integrity of documentary messages when they are transmitted over communication channels. Ensuring the protection of equipment and technical means of the system, the premises where they are located, from leakage of confidential information through technical channels. Ensuring the protection of encryption technology, equipment, hardware and software from information leakage through hardware and software bookmarks. Ensuring control of the integrity of the software and information part of the automated system. Using only domestic ones as protection mechanisms State information resources of the Russian Federation are open and publicly available. The exception is documented information classified by law as restricted access. Documented information with limited access, according to the terms of its legal regime, is divided into information classified as state secret and confidential. The list of confidential information, in particular information related to commercial activities, is established by Decree of the President of the Russian Federation of March 6, 1997 No. 188 (Appendix No.) developments. Ensuring organizational and regime protection measures. It is advisable to use additional measures to ensure communication security in the system. Organizing the protection of information about the intensity, duration and traffic of information exchange. Using channels and methods to transmit and process information that make interception difficult. Protecting information from unauthorized access is aimed at forming three main properties of the protected information: confidentiality (classified information should be accessible only to those for whom it is intended); integrity (information on the basis of which important decisions are made must be reliable, accurate and fully protected from possible unintentional and malicious distortions); readiness (information and related information services must be available, ready to serve stakeholders whenever they are needed). Methods for ensuring the protection of personal information are: obstacles; access control, camouflage, regulation, coercion, inducement. An obstacle should be considered a method of physically blocking an attacker’s path to protected personal information. This method is implemented by the enterprise’s access system, including the presence of security at the entrance to it, blocking the path of unauthorized persons to the accounting department, cash desk, etc. Access control is a method of protecting personal and reporting information, implemented through: authentication - establishing the authenticity of an object or subject by the identifier presented by them (carried out by comparing the entered identifier with the one stored in the computer memory); authority checks - checking the compliance of the requested resources and the operations performed according to the allocated resources and permitted procedures; registration of requests to protected resources; informing and responding to attempts of unauthorized actions. (Cryptography is a method of protection by transforming information (encryption)). In the BEST-4 complex, access to information is restricted at the level of individual subsystems and is ensured by setting separate access passwords. At initial setup or at any time while working with the program, the system administrator can set or change one or more passwords. The password is requested each time you log into the subsystem. In addition, some modules have their own system for restricting access to information. It provides the ability to protect each menu item with special passwords. Passwords can also protect access to individual subsets of primary documents: for example, in the automated workplace “Inventory accounting in a warehouse” and “Accounting for goods and products” it is possible to set access passwords to each warehouse separately, in the automated workplace “Cash transactions accounting” - access passwords for each cash register, in the automated workplace “Accounting for settlements with the bank” - access passwords to each bank account. Particularly noteworthy is the fact that in order to effectively restrict access to information, it is necessary, first of all, to protect with passwords the very modes for determining passwords for access to certain blocks. 1C.Enterprise, version 7.7 has its own information protection - access rights. In order to integrate and separate user access to information when working with the 1C.Enterprise system on the network personal computers, the system configurator allows you to set the rights for each user to work with information processed by the system. Rights can be set within a fairly wide range - from the ability to only view certain types of documents to full set rights to enter, view, correct and delete any types of data. Assigning access rights to a user is carried out in 2 stages. At the first stage, standard sets of rights to work with information are created, differing, as a rule, in the breadth of access capabilities provided. At the second stage, the user is assigned one of these standard sets of rights. All work on creating standard sets of rights is done on the “Rights” tab of the “Configuration” window. This window is called up by selecting the “open configuration” item from the “Configuration” menu of the program’s main menu 2.2 A set of measures to ensure the security of personal data in online banking systems Justification of a set of measures to ensure the security of personal data in the ISPD is carried out taking into account the results of assessing the danger of threats and determining the class of ISPD based on the “Basic measures for organizing and technical support security of personal data processed in personal data information systems.” In this case, measures should be determined for: identifying and closing technical channels of personal data leakage in the information system; protection of personal data from unauthorized access and unlawful actions; installation, configuration and use of protective equipment. Measures to identify and close technical channels of personal data leakage in the information system are formulated based on the analysis and assessment of threats to personal data security. Measures to protect personal data during their processing in ISPD from unauthorized access and unlawful actions include: access control; registration and accounting; ensuring integrity; control of the absence of undeclared capabilities; antivirus protection; ensuring secure internetwork interaction of ISPD; security analysis; intrusion detection. It is recommended to implement the access control, registration and accounting subsystem on the basis of software tools for blocking unauthorized actions, signaling and registration. These are special software and hardware and software that are not included in the core of any operating system for protecting the operating systems themselves, electronic personal data databases and application programs. They perform protection functions independently or in combination with other means of protection and are aimed at eliminating or complicating the execution of actions of a user or violator that are dangerous for the ISPD. These include special utilities and software protection systems that implement diagnostic, registration, destruction, alarm and simulation functions. Diagnostic tools carry out testing of the file system and personal data databases, constantly collecting information about the functioning of the elements of the information security subsystem. Destruction tools are designed to destroy residual data and may provide for emergency data destruction in the event of an unauthorized access threat that cannot be blocked by the system. Signaling means are designed to warn operators when they access protected PD and to warn the administrator when detecting the fact of unauthorized access to PD and other facts of violation of the normal operating mode of the ISPD. Simulation tools simulate working with violators when an attempt to tamper with protected personal data or software is detected. Imitation allows you to increase the time to determine the location and nature of unauthorized data, which is especially important in geographically distributed networks, and to misinform the offender about the location of the protected personal data. The integrity subsystem is implemented primarily by operating systems and database management systems. Means for increasing reliability and ensuring the integrity of transmitted data and transaction reliability, built into operating systems and database management systems, are based on the calculation of checksums, notification of failure in the transmission of a message package, and retransmission of an unaccepted package. The subsystem for monitoring the absence of undeclared capabilities is implemented in most cases on the basis of database management systems, information security tools, and anti-virus information security tools. To ensure the security of PD and the software and hardware environment of the ISPD that processes this information, it is recommended to use special anti-virus protection tools that perform: detection and (or) blocking of destructive viral effects on system-wide and application software that processes personal data, as well as on personal data; detection and removal of unknown viruses; ensuring self-monitoring (prevention of infection) of this antivirus product when it is launched. When choosing antivirus protection tools, it is advisable to consider the following factors: compatibility of these tools with standard ISPD software; the degree of decrease in the performance of the ISPD for its main purpose; availability of means for centralized management of the functioning of anti-virus protection tools from the information security administrator’s workplace in the ISPD; the ability to promptly notify the information security administrator in the ISPD about all events and facts of manifestation of software and mathematical influences (PMI); availability of detailed documentation on the operation of the anti-virus protection tool; the ability to periodically test or self-test the anti-virus protection tool; the ability to expand the composition of means of protection against WWII with new additional means without significant restrictions on the performance of ISPD and “conflict” with other types of means of protection. A description of the procedure for installing, configuring, configuring and administering anti-virus protection tools, as well as the procedure for action in case of detection of a virus attack or other violations of the requirements for protection against program-mathematical influences should be included in the information security administrator’s manual in the ISPD. To restrict access to ISDN resources during internetwork interaction, firewalling is used, which is implemented by software and hardware-software firewalls (FW). A firewall is installed between the protected network, called the internal network, and the external network. The firewall is part of the protected network. For it, through settings, rules are separately set that restrict access from the internal network to the external one and vice versa. To ensure secure internetworking in class 3 and 4 ISPD, it is recommended to use ME at least the fifth security level. To ensure secure internetworking in Class 2 ISPD, it is recommended to use ME at least the fourth security level. To ensure secure internetworking in Class 1 ISPD, it is recommended to use ME at least the third level of security. The security analysis subsystem is implemented based on the use of testing (security analysis) and information security control (audit) tools. Security analysis tools are used to monitor the security settings of operating systems on workstations and servers and allow assessing the possibility of attackers carrying out attacks on network equipment and monitoring software security. To do this, they examine the network topology, looking for unprotected or unauthorized network connections, check the firewall settings. Such analysis is carried out based on detailed descriptions of vulnerabilities in security settings (for example, switches, routers, firewalls) or vulnerabilities in operating systems or application software. The result of the security analysis tool is a report that summarizes information about detected vulnerabilities. Vulnerability detection tools can operate on network level(in this case they are called “network-based”), operating system level (“host-based”) and application level (“application-based”). Using scanning software, you can quickly create a map of all available ISDN nodes, identify the services and protocols used on each of them, determine their basic settings and make assumptions regarding the likelihood of implementing the NSD. Based on the scanning results, the systems develop recommendations and measures to eliminate the identified deficiencies. In the interests of identifying NSD threats through internetworking, intrusion detection systems are used. Such systems are built taking into account the specifics of the implementation of attacks, the stages of their development, and are based on a number of attack detection methods. There are three groups of attack detection methods: signature methods; anomaly detection methods; combined methods (using together algorithms defined in signature methods and anomaly detection methods). To detect intrusions into class 3 and 4 ISPDs, it is recommended to use network attack detection systems that use signature analysis methods. To detect intrusions into class 1 and class 2 ISPDs, it is recommended to use network attack detection systems that use anomaly detection methods along with signature analysis methods. To protect personal data from leakage through technical channels, organizational and technical measures are used aimed at eliminating the leakage of acoustic (speech), type information, as well as information leakage due to side effects. electromagnetic radiation and tips. As a conclusion to the second chapter of the work, we draw the following conclusions. Protection of personal information is the state of security of information and its supporting infrastructure from accidental or intentional impacts of a natural or artificial nature, fraught with damage to the owners or users of this information. The objects of information security in accounting are defined as: information resources containing information classified as trade secrets and tools and systems informatization. The main methods used within the framework of information protection are: detecting and directly protecting. CONCLUSION The problem of information security of economic objects is multifaceted and needs further study. In the modern world, informatization is becoming a strategic national resource, one of the main assets of an economically developed state. The rapid improvement of informatization in Russia, its penetration into all spheres of vital interests of the individual, society and the state, have entailed, in addition to undoubted advantages, the emergence of a number of significant problems. One of them was the need to protect information. Considering that currently the economic potential is increasingly determined by the level of development of the information infrastructure, the potential vulnerability of the economy in relation to information influences is growing proportionally. The implementation of information security threats consists of violating the confidentiality, integrity and availability of information. From the standpoint of a systematic approach to information protection, it is necessary to use the entire arsenal of available security means in all structural elements of an economic entity and at all stages of the technological cycle of information processing. Methods and means of protection must reliably block possible ways of unauthorized access to protected secrets. The effectiveness of information security means that the costs of its implementation should not be greater than the possible losses from implementation information threats. Information security planning is carried out by each department developing detailed information security plans. There is a need for clarity in the exercise of powers and rights of users to access certain types of information, in ensuring control over security measures and immediate response to their failure. BIBLIOGRAPHY 1.Automated information technologies in banking / ed. prof. G.A. Titorenko. - M.: Finstatinform, 2007 2.Automated information technologies in economics / Ed. prof. G.A. Titorenko. - M.: UNITY, 2010 .Ageev A. S. Organization and modern methods of information protection. - M.: Concern "Bank. Business Center", 2009 .Adzhiev, V. Myths about software security: lessons from famous disasters. - Open systems, 199. №6
.Alekseev, V.I. Information Security municipalities. - Voronezh: VSTU Publishing House, 2008. .Alekseev, V.M. International criteria for assessing the security of information technologies and their practical use: Textbook. - Penza: Penz Publishing House. state University, 2002 .Alekseev, V.M. Regulatory provision of information protection from unauthorized access. - Penza: Penz Publishing House. state University, 2007 .Alekseev, V.M. Ensuring information security during software development. - Penza: Penz Publishing House. state University, 2008 .Aleshin, L.I. Information protection and information security: Course of lectures L. I. Aleshin; Moscow state University of Culture. - M.: Moscow. state University of Culture, 2010 .Akhramenka, N.F. etc. Crime and punishment in the payment system with electronic documents// Information Security Management, 1998 .Banks and banking operations. Textbook / Ed. E.F. Zhukova. - M.: Banks and exchanges, UNITY, 2008 .Barsukov, V.S. Security: technologies, tools, services. - M.: Kudits - Image, 2007 .Baturin, Yu.M. Problems of computer law. - M.: Legal. lit., 1991 .Baturin, Yu.M. Computer crime and computer security. M.: Yur.lit., 2009 .Bezrukov, N.N. Introduction to computer virology. General principles of operation, classification and catalog of the most common viruses in M5-005. K., 2005 .Bykov, V.A. Electronic business and security / V. A. Bykov. - M.: Radio and communication, 2000 .Varfolomeev, A.A. Information Security. Mathematical foundations of cryptology. Part 1. - M.: MEPhI, 1995 .Vekhov, V.B. Computer crimes: Methods of commission and detection. - M.: Law and Law, 1996 .Volobuev, S.V. Introduction to information security. - Obninsk: Obn. Institute of Atomic Energy, 2001 .Volobuev, S.V. Information security of automated systems. - Obninsk: Obn. Institute of Atomic Energy, 2001 .All-Russian Scientific and Practical Conference "Information Security in the System high school", November 28-29, 2000, NSTU, Novosibirsk, Russia: IBVSh 2000. - Novosibirsk, 2001 23.Galatenko, V.A. Information security: a practical approach V. A. Galatenko; Ed. V. B. Betelina; Ross. acad. Sciences, Research Institute of Systems. research - M.: Science, 1998 .Galatenko, V.A.. Fundamentals of information security: A course of lectures. - M.: Internet University of Information. technologies, 2003 .Gennadieva, E.G. Theoretical foundations of computer science and information security. - M.: Radio and communication, 2000 .Ghika, Sebastian Narchis. Hiding information in graphic files of the VMR format Dis. ...cand. tech. Sciences: 05.13.19 - St. Petersburg, 2001 .Ghika, S.N. Hiding information in graphic files of the BMP format: Author's abstract. dis. ...cand. tech. Sciences: 05.13.19 St. Petersburg. state int. point mechanics and optics. - St. Petersburg, 2001 .Golubev, V.V. Security management. - St. Petersburg: Peter, 2004 .Gorbatov, V.S. Information Security. Fundamentals of legal protection. - M.: MEPhI (TU), 1995 .Gorlova, I.I., ed. Information freedom and information security: Materials of the international. scientific Conf., Krasnodar, October 30-31. 2001 - Krasnodar, 2001 .Greensberg, A.S. and others. Protection of information resources of public administration. - M.: UNITY, 2003 .Information security of Russia in a global context information society"INFOFORUM-5": Sat. materials 5th All-Russian. Conf., Moscow, February 4-5. 2003 - M.: LLC Ed. magazine Business and Security of Russia, 2003 .Information security: Sat. method. materials Ministry of Education Russian Federation. Federation [and others]. - M.: TSNIIATOMINFORM, 2003 34.Information Technology// Economics and life. No. 25, 2001 35.Information technologies in marketing: Textbook for universities. - M.: 2003 .Information technologies in economics and management: Textbook / Kozyrev A.A. - M.: Publishing house Mikhailov V.A., 2005 .Lopatin, V.N. Information security of Russia Dis. ... Doctor of Law. Sciences: 12.00.01 .Lukashin, V.I. Information Security. - M.: Moscow. state University of Economics, Statistics and Informatics .Luchin, I.N., Zheldakov A.A., Kuznetsov N.A. Hacking password protection // Informatization of law enforcement systems. M., 1996 .McClure, Stuart. Hacking on the Web. Attacks and defense Stuart McClar, Saumil Shah, Sriraj Shah. - M.: Williams, 2003 .Malyuk, A.A. Theoretical foundations for formalizing predictive assessment of the level of information security in data processing systems. - M.: MEPhI, 1998SPb., 2000 .Economic efficiency of information security systems. Chebotar P.P. - Moldavian Economic Academy, 2003 .Yakovlev, V.V. Information security and information protection in corporate networks railway transport. - M., 2002 .Yarochkin, V.I. Information Security. - M.: Mir, 2003 .Yarochkin, V.I. Information Security. - M.: Foundation "Mir", 2003: Acad. Project .Yasenev, V.N. Automated information systems in the economy and ensuring their security: Tutorial. - N. Novgorod, 2002Similar works to - Personal data protection in online banking systems
It has become especially popular for Russian divisions of foreign companies due to the addition of Part 5 of Article 18 to 152-FZ “On Personal Data”: “... the operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, changing), retrieval personal data citizens of the Russian Federation using databases located on the territory of the Russian Federation" . There are a number of exceptions in the law, but you must admit that in case of inspection by the regulator, you want to have stronger trump cards than “but this does not concern us.”
The penalties for violators are very serious. Online stores, social media, information sites, other businesses related to Internet when claims from supervisory authorities may actually be closed. It is possible that during the first inspection the regulator will be given time to eliminate the shortcomings, but the period is usually limited. If the problem is not resolved very quickly (which without preliminary preparation difficult to do), losses cannot be compensated in any way. Blocking sites not only leads to a pause in sales, it means a loss of market share.
The appearance of violators of the personal data law on the “black list” for offline companies is less dramatic. But this entails reputational risks, which is a significant factor for foreign companies. In addition, there are now almost no types of activity left that are not at all affected by the protection of personal data. Banks, trade, even manufacturing - all maintain client databases, which means they are subject to the relevant laws.
It is important to understand here that the issue cannot be considered in isolation within companies either. Personal data protection cannot be limited to installing certified security measures on servers and locking paper cards in safes. Personal data has many entry points into the company - sales departments, HR, customer service, sometimes also training centers, purchasing commissions and other units. Managing personal data protection is a complex process that affects IT, document flow, regulations, legal registration.
Let's look at what it would take to run and maintain such a process.
What data is considered personal
Strictly speaking, any information that relates directly or indirectly to a specific individual is his personal data. Please note that we are talking about people, not legal entities. It turns out that it is enough to indicate your full name and residential address to initiate the protection of this (as well as related) data. However, receiving email with someone’s personal data in the form of a signature and phone number this is not a reason to defend them. Key term: “The concept of collecting personal data.” To clarify the context, I would like to highlight several articles of the Law “On Personal Data”.
Article 5. Principles for processing personal data. There should be clear objectives that make it clear why the information is being collected. Otherwise, even with full compliance with all other rules and regulations, sanctions are likely.
Article 10. Special categories of personal data. For example, the HR department may record restrictions on business travel, including pregnancy of employees. Of course, such additional information are also protected. This greatly expands the understanding of personal data, as well as the list of departments and information repositories of the company in which attention needs to be paid to protection.
Article 12. Cross-border transfer of personal data. If an information system with data on citizens of the Russian Federation is located in a country that has not ratified the Convention on the Protection of Personal Data (for example, in Israel), the provisions of Russian legislation should be adhered to.
Article 22. Notification about the processing of personal data. A prerequisite in order not to attract undue attention from the regulator. If you are conducting business activities related to personal data, report it yourself without waiting for inspections.
Where personal data may be located
Technically, PD can be located anywhere, from printed media (paper files) to machine media ( hard disks, flash drives, CDs, etc.). That is, the focus of attention any data storage that fall under the definition of ISPD (personal data information systems).
Geography of location is a separate big issue. On the one hand, personal data of Russians ( individuals who are citizens of the Russian Federation) must be stored on the territory of the Russian Federation. On the other hand, at the moment this is more a vector of development of the situation than a fait accompli. Many international and export companies, various holdings, and joint ventures have historically had a distributed infrastructure - and this will not change overnight. In contrast to methods of storing and protecting personal data, which must be adjusted almost now, immediately.
Minimum list of departments involved in recording, systematization, accumulation, storage, clarification (updating, changing), retrieving personal data:
- Personnel service.
- Sales department.
- Legal department.
Since there is rarely perfect order, in reality, the most unpredictable units can often be added to this “expected” list. For example, a warehouse may record personalized information about suppliers, or a security service may keep its own detailed records of everyone entering the premises. Thus, by the way, the composition of personal data for employees can be supplemented with data on clients, partners, contractors, as well as random and even other people’s visitors - whose personal data becomes a “crime” when photographed for a pass, scanning an ID card, and in some other cases. ACS (access control and management systems) can easily become a source of problems in the context of personal data protection. Therefore, the answer to the question “Where?” from the point of view of compliance with the Law, it sounds like this: everywhere in the reporting territory. A more precise answer can only be given by conducting an appropriate audit. This is the first stage project on the protection of personal data. Full list its key phases:
1) Audit of the current situation in the company.
2) Design of a technical solution.
3) Preparation of the process for the protection of personal data.
4) Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations.
5) Implementation of a technical solution.
6) Launching the process to protect personal data.
1. Audit of the current situation in the company
First of all, check with the HR department and other departments that use paper media with personal data:
- Are there consent forms for the processing of personal data? Are they filled out and signed?
- Is the “Regulation on the specifics of the processing of personal data carried out without the use of automation tools” dated September 15, 2008 No. 687 observed?
Determine the geographic location of the ISPD:
- In what countries are they located?
- On what basis?
- Are there agreements for their use?
- What technological protection used to prevent data leakage ?
- What organizational measures are taken to protect personal data?
Ideally, an information system with personal data of Russians should comply with all the requirements of Law 152-FZ “On Personal Data”, even if it is located abroad.
Finally, pay attention to the impressive list of documents that are required in case of verification (this is not all, just the main list):
- Notification about PD processing.
- A document identifying the person responsible for organizing the processing of personal data.
- List of employees authorized to process personal data.
- A document defining the storage location of PD.
- Certificate on the processing of special and biometric categories of personal data.
- Certificate of cross-border transfer of personal data.
- Standard forms of documents with personal data.
- Standard form of consent for personal data processing.
- Procedure for transferring PD to third parties.
- The procedure for recording requests from PD subjects.
- List of personal data information systems (ISPD).
- Documents regulating data backup in ISPD.
- List of information security tools used.
- The procedure for destroying personal data.
- Access matrix.
- Threat model.
- Logbook for recording machine media PDn.
- A document defining the security levels for each ISPD in accordance with PP-1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”
2. Design of technical solution
A description of the organizational and technical measures that must be taken to protect personal data is given in Chapter 4. “Responsibilities of the operator” of Law 152-FZ “On Personal Data”. The technical solution must be based on the provisions of Article 2 of Law 242-FZ of July 21, 2014.
But how to comply with the law and process the personal data of citizens of the Russian Federation on the territory of Russia in the case when the data source is still located abroad? There are several options here:
- Physical transfer information system and database on the territory of the Russian Federation. If it is technically feasible, this will be the easiest.
- We leave the PD data abroad, but in Russia we create a copy of it and set up one-way replication of the PD data of Russian citizens from the Russian copy to the foreign one. At the same time, in a foreign system, it is necessary to exclude the possibility of modifying the personal data of citizens of the Russian Federation; all changes must be made only through the Russian ISPD.
- There are several ISPDs and they are all abroad. The transfer can be expensive or technically infeasible (for example, it is impossible to select part of the database with personal data of citizens of the Russian Federation and move it to Russia). In this case, the solution may be to create a new ISPD on any available platform on a server in Russia, from where one-way replication will be carried out to each foreign ISPD. I note that the choice of platform remains with the company.
If the PDn is not completely and exclusively transferred to Russia, do not forget to indicate in the certificate of cross-border data transfer to whom and what specific set of PD is sent. The processing notice must indicate the purpose of the transfer of personal data. Again, this goal must be legitimate and clearly justified.
3. Preparation of the process for the protection of personal data
The personal data protection process should determine at least the following points:
- List of those responsible for processing personal data in the company.
- The procedure for providing access to ISPD. Ideally, this is an access matrix with an access level for each position or specific employee (read/read-write/modify). Or a list of available personal data for each position. It all depends on the implementation of the IP and the requirements of the company.
- Audit of access to personal data and analysis of access attempts in violation of access levels.
- Analysis of the reasons for the unavailability of personal data.
- The procedure for responding to requests from PD subjects regarding their PD.
- Revision of the list of personal data that is transferred outside the company.
- Review of recipients of personal data, including abroad.
- Periodic review of the threat model for personal data, as well as changes in the level of protection of personal data in connection with changes in the threat model.
- Keeping company documents up to date (the list is above, and it can be supplemented if necessary).
Here you can detail each point, but I would like to pay special attention to the level of security. It is determined based on the following documents (read sequentially):
1. “Methodology for identifying current threats security personal data when processed in personal data information systems" (FSTEC RF February 14, 2008).
2. Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”
3. FSTEC Order No. 21 of February 18, 2013 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.”
Also, do not forget to consider the need to have such expense categories as:
- Organization project team and project management.
- Developers for each of the ISPDn platforms.
- Server capacity (own or rented in a data center).
By the end of the second and third stages of the project you should have:
- Cost calculation.
- Quality requirements.
- Project deadlines and schedule.
- Technical and organizational risks of the project.
4. Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations
Short in wording, but important stage, within which you need to make sure that all planned actions do not contradict the legislation of the Russian Federation and company rules (for example, security policies). If this is not done, a bomb will be placed in the foundation of the project, which can “explode” in the future, destroying the benefits of the results achieved.
5. Implementation of a technical solution
Everything here is more or less obvious. The specifics depend on the initial situation and decisions. But in general the picture should look something like this:
- Server capacity has been allocated.
- Network engineers have provided sufficient channel capacity between the PDn receiver and transmitter.
- The developers have established replication between ISPDn databases.
- Administrators prevented changes to ISPDs located abroad.
The person responsible for protecting personal data or the “process owner” may be the same person or different. The very fact is that the “process owner” must prepare all the documentation and organize the entire process of protecting personal data. To do this, all interested parties must be notified, employees must be instructed, and the IT service must facilitate the implementation of technical measures to protect data.
6. Launching the process to protect personal data
This is an important step, and in a sense the goal of the entire project is to bring control to the flow. Besides technical solutions and regulatory documentation, the role of the process owner is critical here. He must monitor changes not only in legislation, but also in IT infrastructure. This means that appropriate skills and competencies are required.
In addition, what is critically important in conditions real work, the owner of the process for protecting personal data needs all the necessary powers and administrative support from the company’s management. Otherwise, he will be an eternal “supplicant” to whom no one pays attention, and after some time the project can be restarted, starting again with the audit.
Nuances
A few points that are easy to overlook:
- If you work with a data center, you need a service agreement for the provision of server capacity, according to which your company stores data legally and controls it.
- You need licenses for the software that is used to collect, store and process personal data, or lease agreements.
- If the ISPD is located abroad, an agreement is required with the company that owns the system there - to guarantee compliance with the legislation of the Russian Federation in relation to the personal data of Russians.
- If personal data is transferred to a contractor of your company (for example, an IT outsourcing partner), then in the event of a personal data leak from the outsourcer, you will be liable for claims. In turn, your company may file claims against the outsourcer. Perhaps this factor may influence the very fact of outsourcing work.
And once again, the most important thing is that the protection of personal data cannot be simply ensured. It's a process. An ongoing iterative process that will be highly dependent on further changes in legislation, as well as on the format and rigor of applying these rules in practice.
