Personal data in the banking sector. Thesis on the topic: Development of a personal data protection system in the enterprise PJSC Citibank. How can you transfer personal data


Marina Prokhorova, editor of the magazine "Personal Data"

Natalya Samoilova, lawyer of the company "InfoTechnoProject"

The regulatory framework that has developed to date in the field of personal data processing, the documents that have yet to be adopted for more effective organization of personal data protection in organizations, and the technical aspects of preparing the information systems of personal data operators: these are the topics that have lately been touched upon in many newspaper and magazine publications devoted to personal data. In this article I would like to dwell on one aspect of organizing the work of banking and credit institutions, namely the "non-technical" protection of the personal data processed in these organizations.

Let's start with a specific example

We are talking about a judicial review of a case on the protection of personal data, initiated against Sberbank in June 2008. The essence of the trial was as follows. A guarantee agreement was concluded between the citizen and the bank, according to which the citizen accepted the obligation to answer to the bank for the borrower’s fulfillment of obligations under the loan agreement. The latter did not fulfill his obligations within the period established by the loan agreement; information about the guarantor as an unreliable client was entered into the bank's automated information system "Stop List", which, in turn, was the basis for refusing to provide him with a loan. Moreover, the bank did not even notify the citizen about the borrower’s improper fulfillment of his obligations under the loan agreement. In addition, the guarantee agreement did not indicate that in the event of improper fulfillment by the borrower of its obligations, the bank has the right to enter information about the guarantor into the Stop List information system. Thus, the bank processed the citizen’s personal data by including information about him in the Stop List information system without his consent, which violates the requirements of Part 1 of Art. 9 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, according to which the subject of personal data decides to provide his personal data and consents to their processing of his own will and in his own interest. In addition, in the manner provided for in Part 1 of Art. 14 of the same law, a citizen contacted the bank with a demand to provide him with the opportunity to familiarize himself with the information entered about him in the Stop List information system, as well as to block this information and destroy it. The bank refused to satisfy the citizen's demands.

Based on the results of the consideration of the case, the Leninsky District Court of Vladivostok satisfied the claims of the Office of Roskomnadzor for the Primorsky Territory against Sberbank of Russia to protect the violated rights of a citizen and ordered the bank to destroy information about the citizen from the Stop List information system.

How is this example significant? Banks, which store the personal data of a significant number of their clients, move that data from one database to another without hesitation, and most often without informing the subject of the personal data about it, let alone obtaining his consent to such actions. Of course, banking activity has a number of features, and clients' personal data is often used not only to fulfill the agreements concluded by the bank but also to monitor the client's fulfillment of his obligations to the bank; but this means that any manipulation of personal data already requires the consent of its subject.

Difficulties in interpreting provisions

Why not make every operation with personal data lawful? Of course, this will most likely require the involvement of third-party specialists, since even the lawyers in the legal departments of large banks are first-class professionals only in a certain area, and they have to become familiar with the specifics of working in the field of personal data almost from scratch. So the best way out is to involve companies specializing in the provision of services for organizing work with personal data, including those able to conduct an audit of whether the non-technical protection measures you are taking comply with the requirements of the legislator.

The results of analytical studies allow us to conclude which provisions of Federal Law No. 152-FZ "On Personal Data" cause the greatest difficulties in interpretation.

In accordance with Part 1 of Article 22 of this regulatory document, the operator is obliged to notify the authorized body about the processing of personal data. Among the exceptions is the case when the processed personal data was received in connection with the conclusion of an agreement to which the subject of personal data is a party... and is used by the operator solely for the execution of the said agreement, on the basis of clause 2 of part 2 of Article 22 of Federal Law No. 152-FZ "On Personal Data." Relying on precisely this provision, some banks do not submit a notification about the processing of personal data, and many do not consider themselves operators at all, which is fundamentally wrong.

Another common mistake of banks as personal data operators, also related to the contract, is the following. According to Art. 6 of the above law, the processing of personal data may be carried out by the operator with the consent of the subjects of personal data, with exceptions that include processing for the purpose of fulfilling a contract to which the subject of personal data is a party. Therefore, many banking institutions explain the absence of consent from the subject of personal data precisely by the fact that such an agreement has been concluded.

But let's think about it, doesn't the bank, being an operator, use the personal data of the subject received when concluding an agreement, for example, to send out notifications about new services, to maintain “Stop lists”? This means that the processing of personal data is carried out not only for the purpose of fulfilling the contract, but also for other purposes, the achievement of which is of commercial interest to banks, therefore:

  • banks are required to submit a notification about the processing of personal data to the authorized body;
  • banks must process personal data only with the consent of the subject.

This means that banks must organize a system for working with the personal data of their clients, that is, ensure non-technical protection of such data.

Written consent to the processing of personal data

As for the consent of the subject of personal data to the processing of personal data, Federal Law No. 152-FZ “On Personal Data” obliges operators to obtain written consent to process personal data only in cases specified by law. At the same time, in accordance with Part 3 of Art. 9, the obligation to prove receipt of the subject’s consent to the processing of his personal data rests with the operator. In order not to waste time collecting such evidence if necessary (for example, searching for witnesses), in our opinion, it is better in any case to obtain consent from the subjects in writing.

Let us give one more argument for obtaining consent to the processing of personal data in written form. Often, the activities of banks involve the transfer of data (including personal data) to the territory of a foreign state. On this occasion, Part 1 of Art. 12 of Federal Law No. 152-FZ "On Personal Data" states that before the start of a cross-border transfer of personal data, the operator is obliged to ensure that the foreign state to whose territory the personal data is transferred provides adequate protection of the rights of personal data subjects. If such protection is not provided, cross-border transfer of personal data is possible only with the written consent of the subject of personal data. It can be assumed that it is easier for a bank employee to obtain the client's written consent to process personal data than to establish the degree of adequacy of their protection in a foreign country.

Please note that the information that must be contained in the written consent is listed in Part 4 of Art. 9 of the above-mentioned Federal Law, and this list is exhaustive. And a signature under the phrase, for example, in a loan agreement: “I agree to the use of my personal data,” according to Federal Law No. 152-FZ “On Personal Data,” is not consent to their processing!

It would seem that there are only a few points of law, but how many complications, even litigation, can be caused by their incorrect interpretation. Moreover, today, when personal data of subjects often becomes a commodity in the competition of various structures, successful resolution of issues of their protection, ensuring the security of information systems of banking and credit institutions becomes the key to maintaining the reputation and good name of any organization.

Every day, citizens' awareness of the possible negative consequences of the dissemination of their personal data is increasing, which is facilitated by the emergence of specialized publications. There are also the information resources of various companies. Some of them cover the entire wide range of issues related to the concept of "information security", others are devoted to reviews of measures and means of technical protection, while others, on the contrary, focus on the problems associated with non-technical protection. In other words, information on personal data protection is becoming more accessible, which means citizens will be more savvy in protecting their rights.

REGULATION

on the protection of the personal data of Clients (subscribers)

at Ortes-Finance LLC

1. Terms and Definitions

1.1. Personal data - any information relating to an individual identified or identifiable on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, email address, phone number, family, social and property status, education, profession, income, and other information.

1.2. Processing of personal data— actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking.

1.3. Confidentiality of personal data— a mandatory requirement for the designated responsible person who has gained access to personal data to not allow their dissemination without the consent of the subject or other legal basis.

1.4. Dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including the publication of personal data in the media, posting in information and telecommunication networks, or providing access to personal data in any other way.

1.5. Use of personal data— actions (operations) with personal data performed for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subjects of personal data or otherwise affect their rights and freedoms or the rights and freedoms of other persons.

1.6. Blocking personal data— temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer.

1.7. Destruction of personal data— actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed.

1.8. Depersonalization of personal data - actions as a result of which it is impossible, without the use of additional information, to determine that personal data belongs to a specific subject.

1.9. Publicly available personal data - personal data to which an unlimited number of persons are given access with the consent of the subject, or which, in accordance with federal laws, are not subject to confidentiality requirements.

1.10. Information - information (messages, data) regardless of the form of its presentation.

1.11. Client (subject of personal data) - an individual consumer of the services of Ortes-Finance LLC, hereinafter referred to as the "Organization".

1.12. Operator - a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data. Within the framework of these Regulations, the Operator is the Limited Liability Company "Ortes-Finance".

2. General provisions.

2.1. This Regulation on the processing of personal data (hereinafter referred to as the Regulations) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, Information Technologies and Information Protection", Federal Law 152-FZ "On Personal Data", and other federal laws.

2.2. The purpose of developing the Regulations is to determine the procedure for processing and protecting personal data of all Clients of the Organization, whose data is subject to processing, based on the authority of the operator; ensuring the protection of the rights and freedoms of a person and citizen during the processing of his personal data, including the protection of the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials with access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data.

2.3. The procedure for putting into effect and changing the Regulations.

2.3.1. This Regulation comes into force from the moment of its approval by the Director General of the Organization and is valid indefinitely until it is replaced by a new Regulation.

2.3.2. Changes to the Regulations are made on the basis of Orders of the General Director of the Organization.

3. Composition of personal data.

3.1. Clients’ personal data includes, among other things:

3.1.1. Full Name.

3.1.2. Year of birth.

3.1.3. Month of birth.

3.1.4. Date of Birth.

3.1.5. Place of Birth.

3.1.6. Passport details

3.1.7. E-mail address.

3.1.8. Phone number (home, cell).

3.2. The following documents and information containing data about Clients can be created (collected) and stored in the Organization, including in electronic form:

3.2.1. Application for a survey on the possibility of connecting an individual.

3.2.2. Agreement (public offer).

3.2.3. Confirmation of accession to the agreement.

3.2.5. Copies of identification documents, as well as other documents provided by the Client and containing personal data.

3.2.6. Data on payments for orders (goods/services), containing payment and other details of the Client.

4. Purpose of processing personal data.

4.1. The purpose of processing personal data is to carry out a set of actions aimed at achieving the goal, including:

4.1.1. Providing consulting and information services.

4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.

4.1.3. In order to comply with the requirements of the legislation of the Russian Federation.

4.2. The condition for termination of the processing of personal data is the liquidation of the Organization, as well as the corresponding request of the Client.

5. Collection, processing and protection of personal data.

5.1. Procedure for obtaining (collecting) personal data:

5.1.1. All personal data of the Client should be obtained from him personally with his written consent, except for the cases specified in clauses 5.1.4 and 5.1.6 of these Regulations and other cases provided for by the laws of the Russian Federation.

5.1.2. The Client’s consent to the use of his personal data is stored by the Organization in paper and/or electronic form.

5.1.3. The subject’s consent to the processing of personal data is valid for the entire duration of the agreement, as well as within 5 years from the date of termination of the Client’s contractual relationship with the Organization. After the expiration of the specified period, the consent is considered extended for every next five years in the absence of information about its revocation.

5.1.4. If the Client’s personal data can only be obtained from a third party, the Client must be notified of this in advance and written consent must be obtained from him. A third party providing the Client’s personal data must have the subject’s consent to transfer personal data to the Organization. The organization is obliged to obtain confirmation from the third party transferring the Client’s personal data that personal data is transferred with his consent. The organization is obliged, when interacting with third parties, to enter into an agreement with them on the confidentiality of information regarding the personal data of Clients.

5.1.5. The Organization is obliged to inform the Client about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be received, and the consequences of the Client's refusal to give written consent to its receipt.

5.1.6. Processing of Clients’ personal data without their consent is carried out in the following cases:

5.1.6.1. Personal data is publicly available.

5.1.6.2. At the request of authorized state bodies in cases provided for by federal law.

5.1.6.3. The processing of personal data is carried out on the basis of a federal law that establishes its purpose, the conditions for obtaining personal data and the range of subjects whose personal data is subject to processing, as well as defining the powers of the operator.

5.1.6.4. The processing of personal data is carried out for the purpose of concluding and executing an agreement, one of the parties to which is the subject of personal data - the Client.

5.1.6.5. The processing of personal data is carried out for statistical purposes, subject to the mandatory anonymization of personal data.

5.1.6.6. In other cases provided by law.

5.1.7. The organization does not have the right to receive and process the Client’s personal data about his race, nationality, political views, religious or philosophical beliefs, state of health, intimate life.

5.2. Procedure for processing personal data:

5.2.1. The subject of personal data provides the Organization with reliable information about himself.

5.2.2. Only employees of the Organization who are authorized to work with the Client’s personal data and who have signed a Non-Disclosure Agreement for the Client’s personal data may have access to the processing of Clients’ personal data.

5.2.3. The following have the right to access the Client’s personal data in the Organization:

  • General Director of the Organization;
  • Employees responsible for maintaining financial accounts (manager, accountant);
  • Employees of the Customer Relations Department (head of sales department, manager);
  • IT workers (technical director, system administrator);
  • The Client as a subject of personal data.

5.2.3.1. The list of names of the Organization’s employees who have access to Clients’ personal data is determined by order of the General Director of the Organization.

5.2.4. The processing of the Client’s personal data may be carried out solely for the purposes established by the Regulations and compliance with laws and other regulatory legal acts of the Russian Federation.

5.2.5. When determining the volume and content of personal data processed, the Organization shall be guided by the Constitution of the Russian Federation, the law on personal data, and other federal laws.

5.3. Protection of personal information:

5.3.1. The protection of the Client’s personal data is understood as a set of measures (organizational, administrative, technical, legal) aimed at preventing unauthorized or accidental access to it, destruction, modification, blocking, copying, distribution of personal data of subjects, as well as other unlawful actions.

5.3.2. The protection of the Client’s personal data is carried out at the expense of the Organization in the manner established by the federal law of the Russian Federation.

5.3.3. When protecting Clients’ personal data, the Organization takes all necessary organizational, administrative, legal and technical measures, including:

  • Anti-virus protection.
  • Security analysis.
  • Intrusion detection and prevention.
  • Access control.
  • Registration and accounting.
  • Ensuring integrity.
  • Adoption of normative and methodological local acts regulating the protection of personal data.

5.3.4. The general organization of the protection of personal data of Clients is carried out by the General Director of the Organization.

5.3.5. Employees of the Organization who need personal data in connection with the performance of their job duties have access to the Client’s personal data.

5.3.6. All employees associated with the receipt, processing and protection of Clients’ personal data are required to sign an Agreement on non-disclosure of Clients’ personal data.

5.3.7. The procedure for obtaining access to the Client’s personal data includes:

  • Familiarization of the employee, against signature, with these Regulations. If there are other regulatory acts (orders, instructions, directives, etc.) governing the processing and protection of the Client's personal data, the employee is also familiarized with these acts against signature.
  • Requesting from the employee (with the exception of the General Director) a written commitment to maintain the confidentiality of Clients' personal data and to comply with the rules for their processing in accordance with the Organization's internal local regulations governing the security of confidential information.

5.3.8. An employee of the Organization who has access to personal data of Clients in connection with the performance of work duties:

  • Ensures the storage of information containing the Client's personal data in a way that excludes access to it by third parties.
  • In the absence of the employee, no documents containing Clients' personal data may remain at his workplace.
  • When going on vacation, on a business trip, or in other cases of long-term absence from the workplace, the employee is obliged to transfer documents and other media containing Clients' personal data to the person who, by a local act of the Company (order, decree), is entrusted with performing his job duties.
  • If no such person is appointed, documents and other media containing Clients' personal data are transferred to another employee who has access to Clients' personal data, as directed by the General Director of the Organization.
  • Upon dismissal of an employee who has access to Clients' personal data, documents and other media containing Clients' personal data are transferred to another employee who has access to Clients' personal data, on the instructions of the General Director.
  • In order to fulfill an assigned task, and on the basis of a memo with a positive resolution of the General Director, access to the Client's personal data may be provided to another employee. Access to the Client's personal data by other employees of the Organization who do not have properly authorized access is prohibited.

5.3.9. The HR Manager provides:

  • Familiarization of employees with these Regulations against signature.
  • Requesting from employees a written commitment to maintain the confidentiality of the Client's personal data (Non-Disclosure Agreement) and to comply with the rules for their processing.
  • General control over employees' compliance with measures to protect the Client's personal data.

5.3.10. Protection of Clients’ personal data stored in the Organization’s electronic databases from unauthorized access, distortion and destruction of information, as well as from other unlawful actions, is ensured by the System Administrator.

5.4. Storage of personal data:

5.4.1. Personal data of Clients on paper is stored in safes.

5.4.2. Personal data of Clients is stored electronically on the Organization's local computer network, in electronic folders and files on the personal computers of the General Director and of employees authorized to process Clients' personal data.

5.4.3. Documents containing personal data of Clients are stored in locked cabinets (safes) that provide protection from unauthorized access. At the end of the working day, all documents containing personal data of Clients are placed in cabinets (safes) that provide protection from unauthorized access.

5.4.4. Protection of access to electronic databases containing personal data of Clients is ensured by:

  • Using licensed anti-virus and anti-hacker programs that do not allow unauthorized entry into the Organization's local network.
  • Differentiation of access rights using individual accounts.
  • A two-level password system: at the local computer network level and at the database level. Passwords are set by the Organization's System Administrator and are communicated individually to employees who have access to Clients' personal data.

5.4.4.1. Unauthorized entry into PCs containing Clients’ personal data is blocked by a password, which is set by the System Administrator and is not subject to disclosure.

5.4.4.2. All electronic folders and files containing personal data of Clients are protected by a password, which is set by the Organization employee responsible for the PC and reported to the System Administrator.

5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.

5.4.5. Copying and making extracts of the Client’s personal data is permitted solely for official purposes with the written permission of the General Director of the Organization.

5.4.6. Responses to written requests from other organizations and institutions about Clients’ personal data are given only with the written consent of the Client himself, unless otherwise provided by law. Responses are provided in writing, on the Organization’s letterhead, and to the extent that allows not to disclose an excessive amount of the Client’s personal data.

6. Blocking, depersonalization, destruction of personal data

6.1. The procedure for blocking and unblocking personal data:

6.1.1. Blocking of Clients’ personal data is carried out with a written application from the Client.

6.1.2. Blocking personal data implies:

6.1.2.2. Prohibition of dissemination of personal data by any means (e-mail, cellular, material media).

6.1.2.4. Removal of paper documents relating to the Client and containing his personal data from the Organization’s internal document flow and prohibition of their use.

6.1.3. The blocking of the Client’s personal data can be temporarily lifted if this is required to comply with the legislation of the Russian Federation.

6.1.4. Unblocking the Client’s personal data is carried out with his written consent (if there is a need to obtain consent) or the Client’s application.

6.1.5. Repeated consent of the Client to the processing of his personal data (if it is necessary to obtain it) entails the unblocking of his personal data.

6.2. Procedure for depersonalization and destruction of personal data:

6.2.1. Depersonalization of the Client’s personal data occurs upon a written application from the Client, provided that all contractual relations have been completed and at least 5 years have passed from the date of expiration of the last contract.

6.2.2. When depersonalizing, personal data in information systems is replaced by a set of characters, which makes it impossible to determine whether personal data belongs to a specific Client.

6.2.3. When personal data is depersonalized, paper document carriers are destroyed.

6.2.4. The organization is obliged to ensure confidentiality with respect to personal data if it is necessary to test information systems on the developer’s territory and to depersonalize personal data in information systems transferred to the developer.

6.2.5. Destruction of the Client’s personal data implies termination of any access to the Client’s personal data.

6.2.6. If the Client’s personal data is destroyed, the Organization’s employees cannot access the subject’s personal data in information systems.

6.2.7. When personal data is destroyed, paper document carriers are destroyed, and personal data in information systems is anonymized. Personal data cannot be restored.

6.2.8. The operation of destroying personal data is irreversible.

6.2.9. The period after which the destruction of the Client’s personal data is possible is determined by the end of the period specified in clause 7.3 of these Regulations.

7. Transfer and storage of personal data

7.1. Transfer of personal data:

7.1.1. The transfer of personal data of a subject means the dissemination of information through communication channels and on tangible media.

7.1.2. When transferring personal data, employees of the Organization must comply with the following requirements:

7.1.2.1. Do not disclose the Client’s personal data for commercial purposes.

7.1.2.2. Do not disclose the Client’s personal data to a third party without the Client’s written consent, except in cases established by the federal law of the Russian Federation.

7.1.2.3. Warn persons receiving the Client's personal data that this data can only be used for the purposes for which it was communicated, and require confirmation from these persons that this rule is complied with.

7.1.2.4. Allow access to Clients’ personal data only to specially authorized persons, and these persons must have the right to receive only those Clients’ personal data that are necessary to perform specific functions.

7.1.2.5. Transfer the Client’s personal data within the Organization in accordance with these Regulations, regulatory and technological documentation and job descriptions.

7.1.2.6. Provide the Client with access to his personal data when contacting or upon receiving the Client’s request. The organization is obliged to inform the Client about the availability of personal data about him, as well as provide the opportunity to familiarize himself with it within ten working days from the date of application.

7.1.2.7. Transfer the Client’s personal data to the Client’s representatives in the manner prescribed by law and regulatory and technological documentation and limit this information only to those personal data of the subject that are necessary for the said representatives to perform their functions.

7.2. Storage and use of personal data:

7.2.1. The storage of personal data refers to the existence of records in information systems and on tangible media.

7.2.2. Personal data of Clients is processed and stored in information systems, as well as on paper in the Organization. Clients’ personal data is also stored electronically: on the Organization’s local computer network, in electronic folders and files on the PC of the General Director and employees authorized to process Clients’ personal data.

7.2.3. The Client’s personal data can be stored no longer than required for the purposes of processing, unless otherwise provided by federal laws of the Russian Federation.

7.3. Periods for storing personal data:

7.3.1. The storage period for civil contracts containing personal data of Clients, as well as documents accompanying their conclusion and execution is 5 years from the date of expiration of the contracts.

7.3.2. During the storage period, personal data cannot be anonymized or destroyed.

7.3.3. Upon expiration of the storage period, personal data can be anonymized in information systems and destroyed on paper in the manner established in these Regulations and the current legislation of the Russian Federation (Appendix: Act on Destruction of Personal Data).

8. Rights of the personal data operator

The organization has the right:

8.1. Defend its interests in court.

8.2. Provide Clients’ personal data to third parties if required by current legislation (tax, law enforcement agencies, etc.).

8.3. Refuse to provide personal data in cases provided for by law.

8.4. Use the Client’s personal data without his consent, in cases provided for by the legislation of the Russian Federation.

9. Client's rights

The client has the right:

9.1. Require clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing, and also take measures provided by law to protect his rights;

9.2. Require a list of processed personal data available in the Organization and the source of its receipt.

9.3. Receive information about the terms of processing of personal data, including the periods of their storage.

9.4. Require notification of all persons who were previously provided with incorrect or incomplete personal data about all exceptions, corrections or additions made to them.

9.5. Appeal to the authorized body for the protection of the rights of personal data subjects or in court against unlawful actions or inactions during the processing of his personal data.

10. Responsibility for violation of the rules governing the processing and protection of personal data

10.1. Employees of the Organization who are guilty of violating the rules governing the receipt, processing and protection of personal data bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and internal local acts of the Organization.

control over the implementation of the necessary rules.

Khlestova Daria Robertovna

Email: [email protected]

FEATURES OF PERSONAL DATA PROTECTION IN THE BANKING SECTOR

Abstract

This article discusses the features of protecting client personal data in the banking industry. A number of regulatory and legal acts are listed, on the basis of which the system for processing and protecting personal data in the bank should be built. A list of measures has been highlighted for organizing data security in banking institutions.

Keywords

Personal data, security in banks, information security, protection of personal information

The protection of personal data in the age of information technology has become especially relevant. There are more and more cases where attackers gain access to any confidential information by attacking the information systems of organizations. Undoubtedly, attacks do not bypass the banking sector. Since banking systems contain a large number of personal data of clients, their security should be under the close attention of the state and the owners of financial institutions themselves.

First, it is worth understanding what personal data of a person may become available to the bank if he becomes its client. The following are required: last name, first name and patronymic; date and place of birth; citizenship; place of registration and actual residence; all passport data (series, number, when and by whom the document was issued); mobile and home phone numbers; place of work and position held. In most cases, institutions ask a person for additional information, but even without it, the list of data that a person entrusts to the bank turns out to be impressive. Of course, the client hopes that his personal data will be reliably protected during processing and storage.

In order for financial institutions to be able to efficiently organize a system for processing and protecting personal data, it is necessary to outline a list of regulatory and legal acts on which the bank should rely when working with clients’ personal data: the Constitution of the Russian Federation, the most important document of the country; the Labor Code of the Russian Federation; the Civil Code and Criminal Code of the Russian Federation; Federal Law No. 152 “On Personal Data”; Federal Law No. 149 “On information, information technologies and information protection”; Federal Law No. 395-1 “On Banks and Banking Activities”. In addition, when creating a system for processing and storing personal data, banks create a number of local documents that provide additional control over work with data.

When a banking organization receives personal data from a client, it assumes the obligation to carry out all organizational and technical measures to protect the information entrusted to it from unauthorized access (accidental or intentional), blocking, modification, destruction and other illegal actions. It is worth highlighting a number of measures for the high-quality organization of processing and protection of personal data in banks: appointment of those responsible for processing and ensuring the security of data in the bank’s information system; implementation of control measures and familiarization of employees with the relevant regulatory framework and internal documents on which the bank’s data security system is based; identification of threats during the processing of personal data in the bank and measures to counter them; assessment of the effectiveness of the applied organizational and technical measures to ensure data protection, before putting the protection system into operation; accounting of all computer storage media of personal data; establishing rules for access to the processing and security system for employees; if unauthorized access to protected data is detected, measures are taken to eliminate the threat and restore lost data. And a mandatory measure for banks with an existing system for storing and protecting client personal data is constant monitoring and improvement of the security system.

Thus, it is worth noting that the processing, storage and protection of personal data in banks should be carried out on the basis of the conditions defined by the regulatory framework of the Russian Federation. Each financial institution must: observe the principle of legality when organizing the protection of personal data of its clients; carry out a full range of measures for organizational and technical data protection; when creating local documents related to information security, rely on the best Russian and international practices in this area; comply with all requirements of regulatory authorities (FSTEK, Roskomnadzor, FSB) to ensure the protection of the client’s personal data.


©Khlestova D.R., Popov K.G., 2016

Khlestova Daria Robertovna

2nd year student of IUPP BashSU, Ufa, Russian Federation

E-mail: [email protected]

Popov Kirill Gennadievich

Ph.D., Associate Professor, Department of Information Security, Bashkir State University, Ufa, Russian Federation

Email: [email protected]

BUSINESS INTELLIGENCE AS THE MOST LEGAL WAY OF OBTAINING INFORMATION

Abstract

The article discusses business intelligence methods. It also explains why business intelligence is a legal activity in business. The highlighted basic principles to adhere to are:


1. THEORETICAL FOUNDATIONS OF PERSONAL DATA SECURITY

1.1 Legislative framework for the protection of personal data in the Russian Federation

1.3.1 General characteristics of sources of threats of unauthorized access in the personal data information system

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

1.3.3 General characteristics of threats to the security of personal data implemented using internetworking protocols

1.4 Characteristics of the Bank and its activities

1.5 Personal data databases

1.5.1 Information system of personal data of employees of the organization

1.5.2 Personal data information system of access control and management system

1.5.3 Personal data information system of the automated banking system

1.6 Structure of and threats to the Bank’s local computer network

1.7 Information security measures

2.2 Software and hardware protection

2.3 Basic security policy

2.3.1 System for raising employee awareness of information security issues

2.3.4 Procedure for employees to use email

2.3.5 Password policy of the Bank

3. ECONOMIC JUSTIFICATION OF THE PROJECT

CONCLUSION


Appendices

INTRODUCTION

Widespread computerization, which began at the end of the 20th century, continues to this day. Automation of processes in enterprises increases worker productivity. Users of information systems can quickly obtain the data necessary to perform their job duties. At the same time, along with easier access to data come problems with the safety of this data. Having access to various information systems, attackers can use them for personal gain: collecting data for sale on the black market, stealing money from the organization’s clients, and stealing the organization’s trade secrets.

Therefore, the problem of protecting critically important information is very acute for organizations. Increasingly, the media report various techniques and methods for stealing funds by hacking the information systems of financial organizations. Having gained access to personal data information systems, an attacker can steal data about the clients of financial organizations and distribute information about their financial transactions, causing both financial and reputational harm to the bank client. In addition, having learned information about the client, fraudsters can call the client directly, posing as bank employees, and fraudulently, using social engineering techniques, find out passwords for remote banking systems and withdraw money from the client’s account.

In our country, the problem of theft and illegal distribution of personal data is very acute. There are a large number of resources on the Internet that contain stolen personal data databases, with the help of which, for example, by mobile phone number, one can find very detailed information on a person, including his passport details, residential addresses, photographs and much more.

In this thesis project, I explore the process of creating a personal data protection system at PJSC Citibank.

1. BASICS OF PERSONAL DATA SECURITY

1.1 Legislative framework for the protection of personal data

Today in Russia there is state regulation in the field of ensuring the security of personal data. The main legal acts regulating the system of personal data protection in the Russian Federation are the Constitution of the Russian Federation and the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ. These two main legal acts establish the main theses about personal data in the Russian Federation:

Every citizen has the right to privacy, personal and family secrets, protection of his honor and good name;

Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraph and other messages. Restriction of this right is permitted only on the basis of a court decision;

Collection, storage, use and dissemination of information about the private life of a person without his consent is not permitted;

The processing of personal data must be carried out on a lawful and fair basis;

The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.

It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.

Only personal data that meets the purposes of their processing are subject to processing.

When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing personal data must be ensured. The operator must take the necessary measures or ensure that they are taken to delete or clarify incomplete or inaccurate data.

The storage of personal data must be carried out in a form that makes it possible to identify the subject of personal data, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.

Other regulations that have a legal impact in the field of personal data protection in organizations in the banking sector of the Russian Federation are:

Federal Law of the Russian Federation dated July 27, 2006 No. 149-FZ “On information, information technologies and information protection”;

Labor Code of the Russian Federation (Chapter 14);

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;

Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.”

Let's consider the main definitions used in legislation.

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

Personal data operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

Processing of personal data - any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Automated processing of personal data - processing of personal data using computer technology tools;

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite number of persons;

Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data - temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed;

Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without the use of additional information;

Information system of personal data - a set of personal data contained in databases and information technologies that ensure their processing and technical means;

Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which one can establish his identity (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data.

Security of personal data is the state of protection of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data when processed in personal data information systems.
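The storage-period rule of the Regulations (section 7.3: five years from contract expiry, no anonymization before the period runs out, anonymization in the information system afterwards) and the definitions of destruction versus depersonalization above can be turned into a checkable routine. The following is an added example, not code from the thesis or from the Bank; the record layout, the five-year calendar rule, the link key and the sample records are constructed assumptions. It depersonalizes a record with a keyed pseudonym so that the subject can be determined only with the separately held key, which is exactly the "additional information" in the definition.

```python
"""Retention check and depersonalization of client records (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

RETENTION_YEARS = 5  # Regulations 7.3.1: five years from contract expiry (assumed calendar rule)


@dataclass(frozen=True)
class ClientRecord:
    record_id: str
    full_name: str            # direct identifier
    passport: str             # direct identifier (series and number)
    phone: str                # direct identifier
    contract_expired_on: date
    pseudonym: str = ""       # filled in once the record is depersonalized


def retention_end(contract_expired_on: date) -> date:
    """Last day of the storage period for a contract that expired on the given date."""
    target_year = contract_expired_on.year + RETENTION_YEARS
    try:
        return contract_expired_on.replace(year=target_year)
    except ValueError:  # 29 February, target year is not a leap year
        return contract_expired_on.replace(year=target_year, day=28)


def retention_expired(record: ClientRecord, today: date) -> bool:
    """True only after the storage period has run out (Regulations 7.3.2 forbids earlier anonymization)."""
    return today > retention_end(record.contract_expired_on)


def pseudonymize(link_key: bytes, passport: str) -> str:
    """Keyed one-way token over the passport number; useless without link_key."""
    return hmac.new(link_key, passport.encode("utf-8"), hashlib.sha256).hexdigest()


def depersonalize(record: ClientRecord, link_key: bytes) -> ClientRecord:
    """Strip direct identifiers and keep only a keyed pseudonym.

    Unlike destruction, the operator holding link_key can still answer
    "does this record concern subject X?"; anyone without the key cannot.
    """
    return replace(
        record,
        full_name="",
        passport="",
        phone="",
        pseudonym=pseudonymize(link_key, record.passport),
    )


def belongs_to(record: ClientRecord, link_key: bytes, passport: str) -> bool:
    """Check whether a (possibly depersonalized) record concerns the holder of `passport`."""
    if not record.pseudonym:
        return record.passport == passport
    return hmac.compare_digest(record.pseudonym, pseudonymize(link_key, passport))


def apply_retention(records, today: date, link_key: bytes):
    """Return (records kept as-is, records depersonalized, ids for the paper destruction act)."""
    kept, done = [], []
    for rec in records:
        if not rec.pseudonym and retention_expired(rec, today):
            done.append(depersonalize(rec, link_key))
        else:
            kept.append(rec)
    return kept, done, [rec.record_id for rec in done]


# Constructed sample data; the key would live in a separate, access-controlled store.
LINK_KEY = b"placeholder-link-key-kept-apart-from-the-database"
SAMPLE_RECORDS = [
    ClientRecord("A-001", "Ivanov I.I.", "4501 123456", "+7-900-000-00-01", date(2010, 3, 1)),
    ClientRecord("B-002", "Petrova P.P.", "4502 654321", "+7-900-000-00-02", date(2012, 6, 30)),
]

if __name__ == "__main__":
    kept, done, act_ids = apply_retention(SAMPLE_RECORDS, date(2016, 5, 5), LINK_KEY)
    print("still within storage period:", [r.record_id for r in kept])
    print("depersonalized, paper copies to destroy:", act_ids)
```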

1.2 Classification of threats to information security of personal data.

An information security threat is understood as a threat of violation of information security properties - the availability, integrity or confidentiality of an organization's information assets.

The list of threats, an assessment of the likelihood of their implementation, as well as the model of the intruder serve as the basis for analyzing the risk of the threat’s implementation and formulating requirements for the automated system’s protection system. In addition to identifying possible threats, it is necessary to analyze the identified threats based on their classification according to a number of characteristics. Threats corresponding to each classification attribute allow us to detail the requirement reflected by this attribute.

Since the information stored and processed in modern automated systems is exposed to an extremely large number of factors, it becomes impossible to formalize the task of describing the complete set of threats. Therefore, for the protected system, not a list of threats is usually determined, but a list of threat classes.

The classification of possible threats to the information security of an automated system (AS) can be carried out according to the following basic criteria:

By nature of occurrence:

Natural threats caused by the impact on the AS of objective physical processes or natural phenomena;

Artificial threats to AS security caused by human activity.

According to the degree of intentionality of manifestation:

Threats caused by errors or negligence of personnel, for example, incorrect use of protective equipment, negligence when working with data;

Threats of deliberate action, for example, hacking of an automated system by attackers, destruction of data by employees of an organization for the purpose of revenge on the employer.

By direct source of threats:

Natural hazards, such as natural disasters and man-made disasters;

Human threats, for example: destruction of information, disclosure of confidential data;

Authorized hardware and software, for example physical hardware failure, software errors, software conflicts;

Unauthorized hardware and software, for example the introduction of hardware implants or software implants (backdoors).

By position of the threat source:

Outside the controlled area, for example, interception of data transmitted via communication channels;

Within the controlled area, for example, unauthorized copying of information, unauthorized access to the protected area;

Directly in an automated system, for example, incorrect use of AS resources.

According to the degree of dependence on AS activity:

Regardless of the activity of the AS, for example, physical theft of storage media;

Only during data processing, such as malware infection.

According to the degree of impact on the AS:

Passive threats that, when implemented, do not change anything in the structure and content of the AS, for example, the threat of copying secret data;

Active threats that, when exposed, make changes to the structure and content of the AS, for example, deleting data or modifying them.

By stages of user or program access to resources:

Threats that appear at the stage of access to AS resources, for example: threats of unauthorized access to AS;

Threats that appear after permission to access AS resources, for example, incorrect use of AS resources.

By method of accessing AS resources:

Threats carried out using the standard access path to AS resources

Threats carried out using a hidden non-standard path to access AS resources, for example: unauthorized access to AS resources by using undocumented capabilities of installed software.

According to the current location of information stored and processed in the AS:

Threats to access information located on external storage devices, for example: copying confidential information from storage media;

Threats to access information located in random access memory, for example: reading residual information from RAM, access to the system area of ​​RAM from application programs;

Threats of access to information circulating in communication lines, for example: illegal connection to communication lines for the purpose of removing information, sending modified data;

Dangerous impacts on an automated system are divided into accidental and intentional.

The causes of accidental impacts during AS operation may be:

Emergency situations due to natural disasters and power outages;

Service failures;

Software errors;

Errors in the work of maintenance personnel and users;

Interference in communication lines due to environmental influences.

Exploiting software errors is the most common way to violate the information security of information systems. The number of errors grows with the complexity of the software. Attackers can find these vulnerabilities and through them gain access to an organization’s information system. To minimize these threats, it is necessary to keep software versions constantly up to date.

Intentional threats involve targeted actions by attackers. Attackers are divided into two types: internal attacker and external attacker. An internal attacker commits illegal actions while being within the controlled area of ​​the automated system and can use official authority for authorized access to the automated system. An external attacker does not have access to the controlled area, but can act simultaneously with an internal attacker to achieve his goals.

There are three main threats to information security aimed directly at protected information:

Violation of confidentiality - confidential information is not changed, but becomes available to third parties who are not authorized to have access to this information. If this threat is implemented, there is a high probability that the attacker will disclose stolen information, which may result in financial or reputational damage. Violation of the integrity of protected information - distortion, modification or destruction of information. The integrity of information may be violated not intentionally, but as a result of the incompetence or negligence of an enterprise employee. Integrity can also be violated by an attacker to achieve his own goals. For example, changing account details in an automated banking system in order to transfer funds to an attacker’s account or replacing the personal data of an organization’s client in order to obtain information about the client’s cooperation with the organization.

Violation of the availability of protected information or denial of service - actions in which an authorized user cannot access protected information due to reasons such as: failure of hardware, software, failure of the local computer network.

Having considered threats to automated systems, we can move on to analyzing the threats to the personal data information system.

Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Personal data information systems are a set of information, software and hardware elements, as well as information technologies used in the processing of personal data.

The main elements of ISPD are:

Personal data contained in databases;

Information technologies used in the processing of personal data;

Technical means that process personal data (computer equipment, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data, means and systems for sound recording, sound amplification and sound reproduction, means for producing and replicating documents, and other technical means for processing speech, graphic, video and alphanumeric information);

Software (operating systems, database management systems, etc.);

ISPD information security tools;

Auxiliary technical means and systems - technical means and systems, their communications, not intended for processing personal data, but located in the premises in which the ISPD is located.

Threats to the security of personal data - a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in destruction, modification, blocking, copying, distribution of personal data, as well as other unauthorized actions during their processing in information personal data system.

The characteristics of the personal data information system that determine the emergence of UBPDn include the category and volume of personal data processed in the ISPDn, the structure of the ISPDn, the presence of ISPDn connections to public communication networks and (or) international information exchange networks, the characteristics of the security subsystem for personal data processed in the ISPDn, the modes of processing personal data, the modes for delimiting access rights of ISPDn users, and the location and placement conditions of ISPDn technical means.

The properties of the distribution medium of informative signals containing protected information are characterized by the type of physical environment in which the PD is distributed and are determined when assessing the possibility of implementing UBPD. The capabilities of UBPD sources are determined by a combination of methods of unauthorized and (or) accidental access to personal data, which may result in a violation of confidentiality (copying, unauthorized distribution), integrity (destruction, modification) and availability (blocking) of personal data.

A threat to the security of personal data is realized as a result of the formation of a UBPD implementation channel between the source of the threat and the carrier (source) of PD, which creates conditions for a violation of PD security.

The main elements of the UBPDn implementation channel (Figure 1) are:

Source UBPDn - subject, material object or physical phenomenon creating UBPDn;

The environment for the distribution of personal data or impacts, in which a physical field, signal, data or programs can spread and affect the protected properties of personal data;

Personal data carrier - an individual or a material object, including a physical field in which personal data are reflected in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.

Figure 1. Generalized diagram of the channel for implementing threats to the security of personal data

PD media may contain information presented in the following forms:

Acoustic (speech) information contained directly in the spoken speech of the ISPD user when he performs the function of voice input of PD into the personal data information system, or reproduced by acoustic means of the ISPD (if such functions are provided for by the PD processing technology), as well as contained in the electromagnetic fields and electrical signals that arise from transformations of acoustic information;

Visual information (VI), presented in the form of text and images on the various devices that display information from the computer equipment, information and computing systems, and technical means for processing graphic, video and alphanumeric information included in the ISPD;

Information processed (circulating) in the ISPD in the form of electrical, electromagnetic, optical signals;

Information processed in ISPD, presented in the form of bits, bytes, files and other logical structures.

In order to form a systematized list of UBPDn when processing them in ISPD and developing private models based on them in relation to a specific type of ISPD, threats are classified in accordance with the following criteria (Figure 2):

According to the type of information containing PD protected from UBPD;

By types of possible sources of UBPDn;

By type of ISPD, which the implementation of UBPD is aimed at;

According to the method of implementation of UBPD;

By the type of information property being violated (type of unauthorized actions carried out with personal data);

By vulnerability used;

By object of influence.

According to the types of possible sources of UBPDn, the following are distinguished:

Threat classes:

Threats associated with intentional or unintentional actions of persons with access to the ISPD, including users of the personal data information system who implement threats directly in the ISPD (internal violator);

Threats associated with intentional or unintentional actions of persons who do not have access to ISPD, implementing threats from external public communication networks and (or) international information exchange networks (external intruder).

In addition, threats can arise as a result of the introduction of hardware implants and malicious software.

Based on the type of ISPD that the implementation of UBPD is aimed at, the following classes of threats are distinguished:

UBPDn processed in ISPDn based on an autonomous automated workstation (AWS);

UBPDn processed in ISPDn based on an automated workplace connected to the public network (to the international information exchange network);

UBPDn processed in ISPDn on the basis of local information systems without connection to the public network (to the international information exchange network);

UBPDn processed in ISPDn based on local information systems with a connection to the public network (to the international information exchange network);

UBPDn processed in ISPDn based on distributed information systems without connecting to a public network (international information exchange network);

UBPDn processed in ISPDn based on distributed information systems with a connection to a public network (to an international information exchange network).

Based on the methods of implementing UBPD, the following classes of threats are distinguished:

Threats associated with unauthorized access to personal data (including threats of introducing malware);

Threats of personal data leakage through technical channels of information leakage;

Threats of special influences on ISPD.

Based on the type of unauthorized actions carried out with personal data, the following classes of threats are distinguished:

Threats leading to violation of confidentiality of personal data (copying or unauthorized distribution), the implementation of which does not directly affect the content of information;

Threats leading to unauthorized, including accidental, influence on the content of information, as a result of which PD is changed or destroyed;

Threats leading to unauthorized, including accidental, impact on software or hardware and software elements of the information system, resulting in blocking of personal information.

Based on the vulnerability used, the following threat classes are distinguished:

Threats implemented using system software vulnerabilities;

Threats implemented using application software vulnerabilities;

Threats arising from the exploitation of a vulnerability caused by the presence of a hardware bug in the system;

Threats implemented using vulnerabilities in network communication protocols and data transmission channels;

Threats arising from the exploitation of vulnerabilities caused by shortcomings in the organization of technical protection of information against unauthorized access;

Threats implemented using vulnerabilities that create technical channels for information leakage;

Threats implemented using information security vulnerabilities.

The following classes of threats are distinguished by the object of influence:

Threats to the security of personal data processed on automated workstations;

Threats to the security of personal data processed in dedicated processing tools (printers, plotters, remote monitors, video projectors, sound reproduction equipment, etc.);

Threats to the security of personal data transmitted over communication networks;

Threats to application programs that process personal data;

Threats to the system software that ensures the functioning of the ISPD.

The implementation of one of the UBPDs of the listed classes or their combination can lead to the following types of consequences for PD subjects:

Significant negative consequences for personal data subjects;

Negative consequences for personal data subjects;

Minor negative consequences for personal data subjects.

Threats of personal data leakage through technical channels are unambiguously described by the characteristics of the source of information, the distribution medium and the receiver of the information signal, that is, they are determined by the characteristics of the technical channel of personal data leakage.

Threats associated with unauthorized access are presented as a set of generalized classes of possible sources of unauthorized-access threats, vulnerabilities of ISPD software and hardware, methods of implementing threats, objects of influence (media of protected information, directories, catalogues, files with PD, or the PD themselves) and possible destructive actions. This representation is described by the formalized notation shown in Fig. 2.

1.3 General characteristics of sources of threats in personal data information systems

Threats of unauthorized access in an ISPD using software and hardware are implemented when unauthorized, including accidental, access is carried out, resulting in a violation of the confidentiality, integrity and availability of personal data. They include:

Threats of unauthorized access to the computer operating environment using standard software (operating system tools or general application programs);

Threats of creating abnormal operating modes of software (hardware and software) due to deliberate changes in service data, ignoring the restrictions on the composition and characteristics of the processed information provided for in standard conditions, distortion (modification) of the data themselves, etc.;

Threats of introduction of malicious programs (software and mathematical influence).

Figure 2 Classification of UBPD processed in personal data information systems

The composition of the elements used to describe threats of unauthorized access to information in the ISPD is shown in Figure 3.

In addition, combined threats are possible, representing a combination of these threats. For example, through the introduction of malicious programs, conditions can be created for unauthorized access into the computer operating environment, including through the formation of non-traditional information access channels.

Threats of unauthorized access to the ISPD operating environment using standard software are divided into threats of direct and remote access. Direct access threats are carried out using computer software and hardware input/output tools. Remote access threats are implemented using network communication protocols.

Such threats are realized in relation to ISPD both on the basis of an automated workstation that is not included in the public communication network, and in relation to all ISPD that are connected to public communication networks and international information exchange networks.

Figure 3 Classification of UBPD processed in personal data information systems


1.3.1 General characteristics of sources of threats of unauthorized access in the personal data information system.

Sources of threats in the personal data information system can be:

Intruder;

Malicious program carrier;

Hardware implant (hardware backdoor).

Threats to the security of personal data associated with the use of hardware implants are determined in accordance with the regulatory documents of the Federal Security Service of the Russian Federation in the manner established by it.

Based on the right of permanent or one-time access to the controlled area of the ISPD, violators are divided into two types:

Violators who do not have access to ISPD and implement threats from external public communication networks and (or) international information exchange networks are external violators;

Violators who have access to the ISPD, including ISPD users who implement threats directly in the ISPD, are internal violators.

External intruders can be:

Competing organizations;

Unfair partners;

External entities (individuals).

An external intruder has the following capabilities:

Carry out unauthorized access to communication channels outside the premises;

Carry out unauthorized access through automated workstations connected to public communication networks and (or) international information exchange networks;

Carry out unauthorized access to information by means of special software actions: software viruses, malware, algorithmic or software implants;

Carry out unauthorized access through elements of the information infrastructure of the personal data information system which, in the course of their life cycle (upgrades, maintenance, repairs, disposal), end up outside the controlled area;

Carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to the ISPD.

Internal potential violators are divided into eight categories depending on the method of access and access authority to personal data.

The first category includes persons who have authorized access to the ISPD but do not have access to PD. This type of violator includes officials who ensure the normal functioning of the ISPD. A person in this category may:

Have access to fragments of information containing personal data and distributed through internal communication channels of the ISPD;

Have fragments of information about the topology of the ISPD and the communication protocols used and their services;

Know the names and be able to identify the passwords of registered users;

Change the configuration of ISPD technical means, add hardware and software implants to it, and retrieve information through a direct connection to ISPD technical means.

The second category includes registered ISPD users with limited access to PD resources from a workstation. A person in this category:

Has all the capabilities of persons of the first category;

Knows at least one legal access name;

Has all the necessary attributes that provide access to a certain subset of personal data;

Has confidential data to which he has access.

The access, authentication and rights of such a person to a certain subset of personal data must be governed by the appropriate access control rules.

The third category includes registered ISPD users with remote access to PD through a local and (or) distributed information system. A person in this category:

Has all the capabilities of persons of the first and second categories;

Has information about the topology of the ISPD based on the local and (or) distributed information system through which access is provided, and about the composition of the technical means of the ISPD;

Has the ability to direct (physical) access to fragments of ISPD technical means.

The fourth category includes registered ISPD users with the powers of security administrator of an ISPD segment (fragment). A person in this category:

Has complete information about the system and application software used in the ISPD segment (fragment);

Has complete information about the technical means and configuration of the ISPD segment (fragment);

Has access to information security and logging tools, as well as to individual elements used in a segment (fragment) of an ISPD;

Has access to all technical means of the segment (fragment) of the ISPD;

Has the rights to configure and administratively set up a certain subset of technical means of a segment (fragment) of an ISPD.

The fifth category includes registered users with the powers of the ISPD system administrator. A person in this category:

Has all the capabilities of persons of the previous categories;

Has complete information about the system and application software of ISPD;

Has complete information about the technical means and configuration of ISPD;

Has access to all technical means of information processing and ISPD data;

Has the rights to configure and administratively set up ISPD technical means.

The system administrator configures and manages software and hardware, including equipment responsible for the security of the protected object: cryptographic information protection tools, monitoring, logging, archiving and protection against unauthorized access.

The sixth category includes registered users with the powers of the ISPD security administrator. A person in this category:

Has all the capabilities of persons of the previous categories;

Has complete information about ISPD;

Has access to information security and logging tools and to some of the key elements of the ISPD;

Does not have access rights to configure network technical equipment with the exception of control (inspection) ones.

The seventh category includes programmers who develop (supply) application software and persons who support it at the protected facility. A person in this category:

Has information about the algorithms and programs for processing information in the ISPD;

Has the ability to introduce errors, undeclared capabilities, software implants and malware into ISPD software at the stage of its development, implementation and maintenance;

May have any pieces of information about the topology of the ISPD and the technical means of processing and protecting the PD processed in the ISPD.

The eighth category includes developers and persons who supply, maintain and repair technical means of the ISPD. A person in this category:

Has the ability to add implants to ISPD technical means at the stage of their development, implementation and maintenance;

May have any pieces of information about the topology of the ISPD and the technical means of processing and protecting information in the ISPD.

The malware carrier can be a computer hardware element or a software container. If the malicious program is not associated with any application program, then the following are considered as its carrier:

Removable media, i.e. floppy disks, optical disks, flash memory;

Built-in storage media (hard disks, RAM chips, the processor, motherboard chips, chips of devices built into the system unit such as the video adapter, network card, sound card, modem, magnetic hard disk and optical disk input/output devices, power supply, etc.; direct memory access chips, data buses, input/output ports);

Microcircuits of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If a malicious program is associated with any application program, with files with certain extensions or other attributes, with messages transmitted over the network, then its carriers are:

Packets of messages transmitted over a computer network;

Files (text, graphic, executable, etc.).

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

Threats of unauthorized access to the computer operating environment and to personal data are associated with access:

To information and commands stored in the basic input/output system (BIOS) of the ISPD, with the ability to intercept control of operating system loading and obtain the rights of a trusted user;

To the operating environment, that is, the environment of the local operating system of a separate ISPD technical means, with the ability to perform unauthorized access by calling standard operating system programs or launching specially developed programs that implement such actions;

To the operating environment of application programs (for example, to a local database management system);

Directly to user information (files, text, audio and graphic information, fields and records in electronic databases); these threats stem from the possibility of violating its confidentiality, integrity and availability.

These threats can be realized if physical access to the ISPD is obtained, or at least to the means of entering information into the ISPD. They can be combined according to the conditions of implementation into three groups.

The first group includes threats that are implemented while the operating system is loading. These threats are aimed at intercepting passwords or identifiers, modifying the software of the basic input/output system, or intercepting control of the boot process and altering the technological information needed to gain unauthorized access to the ISPD operating environment. Most often, such threats are implemented using removable media.

The second group consists of threats that are implemented after the operating environment is loaded, regardless of which application program is launched by the user. These threats are usually aimed at directly unauthorized access to information. When gaining access to the operating environment, the intruder can use both standard functions of the operating system or any public application program (for example, a database management system), and programs specially created to perform unauthorized access, for example:

Programs for viewing and modifying the registry;

Programs for keyword search in text files and for copying them;

Special programs for viewing and copying records in databases;

Programs for quickly viewing graphic files, editing or copying them;

Programs to support the ability to reconfigure the software environment (ISPD settings in the interests of the offender).

Finally, the third group includes threats, the implementation of which is determined by which of the application programs is launched by the user, or the fact of launching any of the application programs. Most of these threats are malware threats.

1.3.3 General characteristics of threats to the security of personal data implemented using internetworking protocols

If an ISPD is implemented on the basis of a local or distributed information system, then threats to information security can be implemented in it through the use of internetworking protocols. In this case, unauthorized access to PD can be obtained or a denial-of-service threat can be realized. Threats are especially dangerous when the ISPD is a distributed information system connected to public networks and (or) international information exchange networks. The classification scheme of threats implemented over the network is shown in Figure 4. It is based on the following seven primary classification criteria.

Figure 4 Classification scheme of threats using internetworking protocols

1. Nature of the threat. According to this criterion, threats can be passive or active. A passive threat is one whose implementation does not directly affect the operation of the information system but may violate the established rules for restricting access to personal data or network resources. An example is the "Network Traffic Analysis" threat, aimed at listening to communication channels and intercepting transmitted information. An active threat is one associated with an impact on ISPD resources, whose implementation has a direct effect on the operation of the system (configuration changes, disruption, etc.) and violates the established rules for restricting access to PD or network resources. An example is the Denial of Service threat, implemented as a "TCP request storm".

2. The purpose of implementing the threat. According to this criterion, threats can be aimed at violating the confidentiality, integrity and availability of information (including disrupting the functionality of the ISPD or its elements).

3. Condition for starting the process of implementing the threat. Based on this feature, a threat can be realized:

Upon request from the object against which the threat is being implemented. In this case, the intruder expects the transmission of a request of a certain type, which will be the condition for the initiation of unauthorized access;

Upon the occurrence of an expected event at the facility in relation to which the threat is being implemented. In this case, the intruder constantly monitors the state of the ISPD operating system and, when a certain event occurs in this system, begins unauthorized access;

Unconditional impact. In this case, the beginning of unauthorized access is unconditional in relation to the purpose of access, that is, the threat is realized immediately and regardless of the state of the system.

4. Presence of feedback with the ISPD. According to this criterion, the process of implementing a threat can be with or without feedback. A threat implemented with feedback from the personal data information system is characterized by the fact that the offender needs to receive a response to some requests transmitted to the ISPD. Consequently, there is feedback between the violator and the personal data information system, which allows the violator to respond adequately to all changes occurring in the ISPD. Unlike threats implemented with feedback, threats implemented without feedback do not require a response to any changes occurring in the information system.

5. The location of the offender relative to the ISPD. In accordance with this feature, the threat is implemented both intrasegmentally and intersegmentally.

A network segment is a physical association of hosts (ISPD hardware or communication elements with a network address). For example, a personal data information system segment forms a set of hosts connected to the server using a “common bus” scheme. In the case where there is an intra-segment threat, the intruder has physical access to the hardware elements of the ISPD. If there is an inter-segment threat, then the intruder is located outside the ISPD, implementing the threat from another network or from another segment with a personal data information system.

6. Level of the Open Systems Interconnection reference model (ISO/OSI) at which the threat is implemented. According to this criterion, the threat can be implemented at the physical, data link, network, transport, session, presentation or application level of the ISO/OSI model.

7. The ratio of the number of violators and ISPD elements against which the threat is realized. Based on this criterion, the threat can be classified as a threat implemented by one violator against one ISPD technical means (a “one-to-one” threat), against several ISPD technical means at once (a “one-to-many” threat), or by several violators with different computers regarding one or more technical means of ISPD (distributed or combined threats).

Taking into account the classification carried out, we will highlight the main types of attacks on the personal data information system:

1. Network traffic analysis.

This threat is implemented using special packet sniffer software that intercepts all packets transmitted over a network segment and identifies among them those that contain a user ID and password. During the implementation of the threat, the intruder studies the logic of the network - that is, he strives to obtain a one-to-one correspondence between the events occurring in the system and the commands sent by the hosts at the moment these events occur. In the future, this allows an attacker, based on the assignment of appropriate commands, to obtain privileged rights to act in the system or expand their powers in it, to intercept the flow of transmitted data exchanged between components of a network operating system in order to extract confidential or identification information, its substitution and modification.

2. Network scanning.

The essence of this threat is the transmission of requests to the network services of ISPD hosts and analysis of their responses. The goal is to identify the protocols used, the available ports of network services, the rules for forming connection identifiers, the active network services, and user identifiers and passwords.

3. Threat of password revelation.

The goal of the threat is to obtain unauthorized access by overcoming password protection. An attacker can implement the threat using a number of methods, such as simple brute force, dictionary-based guessing, installing malicious software to intercept passwords, spoofing a trusted network object, and packet interception. Such threats are mostly implemented using special programs that try to gain access to the host by sequentially guessing passwords. If successful, the attacker can create an entry point for future access that will remain valid even if the access password on the host is changed.

4. Substitution of a trusted network object and transmission of messages via communication channels on its behalf with the assignment of its access rights.

This threat is effectively implemented in systems that use weak algorithms for identifying and authenticating hosts and users. A trusted object is a network object (computer, firewall, router, etc.) legitimately connected to the server. Two variants of this threat can be distinguished: with and without establishing a virtual connection. The variant with establishment of a virtual connection consists of assuming the rights of a trusted subject of interaction, which allows an intruder to conduct a session with a network object on behalf of the trusted subject. Implementing a threat of this type requires overcoming the system of identification and authentication of messages. The variant without establishing a virtual connection can take place in networks that identify transmitted messages only by the sender's network address. Its essence is the transmission of service messages on behalf of network control devices (for example, routers) about changes in routing and address data.

As a result of the threat being implemented, the intruder receives the access rights set by the user for the trusted subscriber to the ISPD technical tool.

5. Imposing a false network route.

This threat is realized in one of two ways: through intra-segment or inter-segment imposition. The possibility of imposing a false route is due to shortcomings inherent in routing algorithms (in particular, the problem of identifying network control devices), as a result of which traffic can be directed, for example, to the host or network of an attacker, from which the operating environment of a technical means within the ISPD can be entered. The threat is implemented through unauthorized use of routing and network management protocols to make changes to routing tables. In this case, the attacker needs to send a control message on behalf of a network control device (for example, a router).

6. Introduction of a false network object.

This threat is based on exploiting flaws in remote search algorithms. If network objects initially do not have address information about each other, various remote search protocols are used, which consist of transmitting special requests over the network and receiving responses with the required information. In this case, an intruder may intercept the search query and issue a false response to it, the use of which leads to the required change in the routing and address data. Thereafter, the entire flow of information associated with the victim object passes through the false network object.

7. Denial of service.

These threats are based on shortcomings and vulnerabilities of network software that allow an attacker to create conditions in which the operating system is unable to process incoming packets. Several types of such threats can be distinguished:

Hidden denial of service, caused by the use of part of the ISPD resources to process packets transmitted by an attacker, resulting in reduced bandwidth of communication channels, reduced performance of network devices, and violation of request processing time requirements. Examples of this kind of threat include a directed storm of ICMP echo requests, a storm of TCP connection establishment requests, and a storm of requests to an FTP server;

Obvious denial of service, caused by exhaustion of ISPD resources when processing packets transmitted by an attacker (occupation of the entire bandwidth of communication channels, overflow of service request queues), in which legitimate requests cannot be transmitted through the network due to unavailability of the transmission medium, or are refused service due to overflow of request queues, disk space, etc. Examples of this type of threat include a storm of broadcast ICMP echo requests, a directed storm, and a storm of messages to a mail server;

Explicit denial of service, caused by a violation of logical connectivity between ISPD technical means when the offender transmits control messages on behalf of network devices, leading to changes in routing and address data or in identification and authentication information;

Explicit denial of service, caused by an attacker transmitting packets with non-standard attributes or with a length exceeding the maximum permissible size, which can lead to failure of the network devices involved in processing requests if there are errors in the programs that implement network exchange protocols. The result of this threat may be disruption of the service that provides remote access to personal data in the ISPD, or the transmission from one address of more connection requests to an ISPD technical means than it can process, which overflows the request queue and causes the failure of one of the network services or a complete halt of the computer, because the system can do nothing other than process requests.

8. Remote launch of applications.

The threat consists in the attempt to run various pre-installed malicious software on an ISPD host: implant programs, viruses, "network spies", whose main purpose is to violate the confidentiality, integrity and availability of information and to take complete control over the operation of the host. In addition, unauthorized launch of user application programs is possible for unauthorized acquisition of data needed by the intruder, for launching processes controlled by the application program, etc. There are three subclasses of these threats:

Distribution of files containing unauthorized executable code;

Remote application launch by buffer overflow of application servers;

Remote application launch using remote system control capabilities provided by hidden software and hardware implants or by standard tools.

Typical threats of the first subclass are based on the activation of distributed files when they are accidentally opened. Examples of such files include: files containing executable code in the form of macro commands (Microsoft Word and Excel documents); HTML documents containing executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, JavaScript malware); and files containing executable program code.

Email, file transfer, and network file system services can be used to distribute files.

Threats of the second subclass exploit shortcomings in programs that implement network services (in particular, the lack of buffer overflow control). By manipulating processor registers, it is sometimes possible, after an interrupt caused by a buffer overflow, to make the processor execute code located outside the buffer boundary.

For threats of the third subclass, the attacker uses remote system control capabilities provided by hidden components or by standard tools for managing and administering computer networks. As a result of their use, remote control over a station on the network can be achieved. Schematically, the main stages of operation of these programs are as follows: installation in memory; waiting for a request from the remote host on which the client program is running and exchanging readiness messages with it; transferring intercepted information to the client or giving it control over the attacked computer. Possible consequences of implementing threats of the various classes are shown in Table 1.

Table 1. Possible consequences of the implementation of threats of various classes

No. | Attack type | Possible consequences
1 | Network traffic analysis | Study of network traffic characteristics, interception of transmitted data, including user IDs and passwords
2 | Network scanning | Determination of protocols, available network service ports, rules for forming connection identifiers, active network services, user IDs and passwords
3 | "Password" attack | Performing any destructive action related to gaining unauthorized access
4 | Substitution of a trusted network object | Changing the route of messages, unauthorized change of routing and address data. Unauthorized access to network resources, imposition of false information
5 | Imposing a false route | Unauthorized change of routing and address data, analysis and modification of transmitted data, imposition of false messages
6 | Introduction of a false network object | Interception and viewing of traffic. Unauthorized access to network resources, imposition of false information
7 | Denial of service: partial exhaustion of resources | Reduced communication channel capacity and network device performance. Reduced performance of server applications.
  | Denial of service: complete exhaustion of resources | Inability to transmit messages due to lack of access to the transmission medium, refusal to establish a connection. Refusal to provide service.
  | Denial of service: violation of logical connectivity between attributes, data, objects | Inability to transmit messages due to lack of correct routing and address data. Inability to receive services due to unauthorized modification of identifiers, passwords, etc.
  | Denial of service: exploitation of errors in programs | Malfunction of network devices.
8 | Remote application launch: by sending files containing destructive executable code | Virus infection. Violation of confidentiality, integrity and availability of information.
  | Remote application launch: by overflowing the buffer of a server application | Violation of confidentiality, integrity and availability of information.
  | Remote application launch: by using remote system control capabilities provided by hidden software and hardware implants or by standard tools | Hidden control of the system.
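To show how the attack types and consequences of Table 1 translate into defensive detection rules, here is an added Python example; it is not part of the thesis or of any Citibank or FSTEC material. It assumes a hypothetical key=value firewall/authentication log format and illustrative thresholds, and the sample log lines are constructed.

```python
"""Detect three Table 1 attack types (network scanning, TCP connection request
storm, password attack) in constructed firewall/authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune them to the real ISPD)
SCAN_MIN_PORTS = 10                  # distinct destination ports from one source
STORM_MIN_SYN = 20                   # SYNs to one dst:port from one source ...
STORM_WINDOW = timedelta(seconds=2)  # ... within this interval
GUESS_MIN_FAILS = 5                  # failed logins from one source

# Consequences as stated in Table 1 for the attack types detected here
CONSEQUENCE = {
    "network scanning": "determination of protocols, open ports and active services",
    "TCP connection request storm": "denial of service through exhaustion of resources",
    "password attack": "unauthorized access and any destructive action based on it",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def build_sample_log():
    """Constructed sample log (hypothetical format: ISO timestamp, key=value pairs)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 12 SYNs from one source to 12 different ports within 3 seconds: a scan
    ports = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080]
    for i, port in enumerate(ports):
        t = t0 + timedelta(seconds=i // 4)
        lines.append(f"{t.isoformat()} type=conn src=203.0.113.5 dst=192.0.2.10 dport={port} flags=S")
    # 40 SYNs from one source to one port in under 2 seconds: a request storm
    for i in range(40):
        t = t0 + timedelta(seconds=5, milliseconds=50 * i)
        lines.append(f"{t.isoformat()} type=conn src=198.51.100.7 dst=192.0.2.10 dport=443 flags=S")
    # 6 failed logins to one account from one source: password guessing
    for i in range(6):
        t = t0 + timedelta(seconds=10 + i)
        lines.append(f"{t.isoformat()} type=auth src=198.51.100.9 user=admin result=fail")
    # Benign traffic from an internal workstation
    t = t0 + timedelta(seconds=20)
    lines.append(f"{t.isoformat()} type=conn src=192.0.2.44 dst=192.0.2.10 dport=443 flags=S")
    lines.append(f"{t.isoformat()} type=auth src=192.0.2.44 user=ivanov result=ok")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_line(line):
    """Split one log line into a dict of fields; 'ts' becomes a datetime."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def _finding(src, threat, evidence):
    return {"src": src, "threat": threat, "evidence": evidence, "consequence": CONSEQUENCE[threat]}


def detect(log_text):
    """Return findings naming the source, the Table 1 attack type, the evidence
    behind the verdict and the consequence to expect."""
    ports_by_src = defaultdict(set)   # scan: distinct ports per source
    syn_times = defaultdict(list)     # storm: SYN timestamps per (src, dst, dport)
    fails_by_src = defaultdict(int)   # password attack: failed logins per source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["type"] == "conn" and ev.get("flags") == "S":
            ports_by_src[ev["src"]].add(ev["dport"])
            syn_times[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])
        elif ev["type"] == "auth" and ev.get("result") == "fail":
            fails_by_src[ev["src"]] += 1

    findings = []
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_MIN_PORTS:
            findings.append(_finding(src, "network scanning", f"{len(ports)} distinct destination ports"))
    for (src, dst, dport), times in syn_times.items():
        n = max_events_in_window(times, STORM_WINDOW)
        if n >= STORM_MIN_SYN:
            findings.append(_finding(src, "TCP connection request storm",
                                     f"{n} SYN to {dst}:{dport} within {STORM_WINDOW.seconds}s"))
    for src, n in fails_by_src.items():
        if n >= GUESS_MIN_FAILS:
            findings.append(_finding(src, "password attack", f"{n} failed logins"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['src']}: {f['threat']} ({f['evidence']}) -> {f['consequence']}")
```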

The threat implementation process generally consists of four stages:

Collection of information;

Intrusion (penetration into the operating environment);

Implementation of unauthorized access;

Eliminating traces of unauthorized access.

At the stage of collecting information, the offender may be interested in various information about the ISPD, including:

About the topology of the network in which the system operates. In this case, the area around the network can be examined (for example, the attacker may be interested in the addresses of trusted but less secure hosts). There are utilities that determine host availability in parallel and can scan a large area of the address space for live hosts in a short time;

About the type of operating system (OS) in the ISPD. A simple method of determining the OS type is a request to establish a connection using the Telnet remote access protocol; from the form of the response, the type of the host OS can be determined. The presence of certain services can also serve as an additional sign for determining the host OS type;

About services running on hosts. Determining the services running on a host is based on a method of identifying “open ports” aimed at collecting information about the availability of the host.

At the invasion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. Successful exploitation of vulnerabilities typically results in the attacker process gaining privileged execution mode (access to the processor's privileged execution mode), introducing an illegal user account into the system, obtaining a password file, or disrupting the functionality of the attacked host.

This stage of threat development is usually multiphase. The phases of the threat implementation process may include, for example: establishing communication with the host against which the threat is being implemented; vulnerability identification; introduction of a malicious program in the interests of expanding rights, etc.

Threats implemented at the intrusion stage are divided according to the levels of the TCP/IP protocol stack, since they are formed at the network, transport or application level depending on the intrusion mechanism used. Typical threats implemented at the network and transport levels include the following:

A threat aimed at replacing a trusted object;

A threat aimed at creating a false route in the network;

Threats aimed at creating a false object using shortcomings of remote search algorithms;

Denial of service threats.

Typical threats implemented at the application level include threats aimed at the unauthorized launch of applications, threats whose implementation involves the introduction of software implants (“bookmarks”) or the discovery of access passwords to the network or to a specific host, etc. If the implementation of a threat does not give the intruder the highest access rights in the system, attempts may be made to expand these rights to the highest possible level. For this purpose, vulnerabilities not only of network services but also of the system software of ISPD hosts can be used.

At the stage of implementing unauthorized access, the goal of implementing the threat is achieved:

Violation of confidentiality (copying, unauthorized distribution);

Violation of integrity (destruction, change);

Availability violation (blocking).

At the same stage, after these actions, a so-called “backdoor” is usually created in the form of a service that listens on a certain port and executes the intruder's commands. The backdoor is left in the system to ensure: the ability to gain access to the host even if the administrator eliminates the vulnerability used to implement the threat; the ability to gain access to the host as covertly as possible; and the ability to gain access to the host quickly (without repeating the whole process of implementing the threat). A backdoor allows an attacker to introduce a malicious program into the network or onto a specific host, for example a “password analyzer” (a program that extracts user IDs and passwords from network traffic carrying application-layer protocols). Targets of malware injection can be authentication and identification programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of eliminating traces of the threat, an attempt is made to destroy traces of the intruder’s actions. In this case, the corresponding entries are deleted from all possible audit logs, including entries about the fact of collecting information.
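The first and last stages described above leave traces that a defender can look for: the information-collection stage shows up as one source touching many hosts or many ports in a short time, and the trace-elimination stage shows up as the built-in events Windows writes when an event log is cleared. The following detector is an added example, not part of the thesis or of any product it names; the flow records and event records are constructed, and the thresholds (60-second window, 10 hosts, 15 ports) are assumptions to be tuned per network.

```python
"""Added example: indicators for the information-collection and trace-elimination
stages, computed over constructed log records (not the Bank's real logs)."""
from collections import Counter, defaultdict

# --- Constructed flow records: (epoch seconds, source IP, destination IP, destination port)
CONN_LOG = []
# Host sweep: one source touches 12 different hosts on port 445 within 12 seconds.
CONN_LOG += [(1000 + i, "10.0.5.23", f"10.0.5.{100 + i}", 445) for i in range(12)]
# Port sweep: one source tries 20 different ports on a single host within 20 seconds.
CONN_LOG += [(2000 + i, "10.0.5.40", "10.0.5.10", 20 + i) for i in range(20)]
# Benign: another host also reaches 12 hosts, but spread over two hours (one every 10 minutes).
CONN_LOG += [(4000 + 600 * i, "10.0.5.60", f"10.0.5.{200 + i}", 443) for i in range(12)]


def _max_distinct_in_window(events, window_s):
    """Largest number of distinct keys seen within any span of window_s seconds.
    events: list of (timestamp, key). Sliding window over the sorted timestamps."""
    events = sorted(events)
    counts = Counter()
    left = best = 0
    for ts, key in events:
        counts[key] += 1
        while events[left][0] < ts - window_s:      # drop records that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(records, window_s=60, min_hosts=10, min_ports=15):
    """Return (horizontal, vertical):
    horizontal: source IP -> peak number of distinct destination hosts in one window
    vertical:   (source, destination) -> peak number of distinct destination ports in one window
    Only sources/pairs that reach the thresholds are reported."""
    per_source = defaultdict(list)
    per_pair = defaultdict(list)
    for ts, src, dst, port in records:
        per_source[src].append((ts, dst))
        per_pair[(src, dst)].append((ts, port))
    horizontal = {}
    for src, ev in per_source.items():
        n = _max_distinct_in_window(ev, window_s)
        if n >= min_hosts:
            horizontal[src] = n
    vertical = {}
    for pair, ev in per_pair.items():
        n = _max_distinct_in_window(ev, window_s)
        if n >= min_ports:
            vertical[pair] = n
    return horizontal, vertical


# --- Constructed Windows event records. Event 1102 in the Security log ("The audit log was
# cleared") and event 104 in the System log ("log file was cleared") are the events Windows
# itself writes when an event log is cleared, so their presence is the indicator to alert on.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
WIN_EVENTS = [
    {"host": "WS-0117", "log": "Security", "event_id": 4624, "user": "ivanov"},
    {"host": "WS-0117", "log": "Security", "event_id": 1102, "user": "ivanov"},
    {"host": "SRV-FILE01", "log": "System", "event_id": 104, "user": "svc_backup"},
    {"host": "SRV-FILE01", "log": "Application", "event_id": 1000, "user": "SYSTEM"},
]


def detect_log_clearing(events):
    """Return (host, log, user) for every log-cleared event; forwarding logs to a central
    collector in real time is what keeps this record even if the local log is wiped."""
    return [(e["host"], e["log"], e["user"])
            for e in events if (e["log"], e["event_id"]) in LOG_CLEARED]


if __name__ == "__main__":
    print(detect_scans(CONN_LOG))
    print(detect_log_clearing(WIN_EVENTS))
```

The benign source that reaches the same number of hosts over two hours is not reported, which is why the counting is done per sliding window rather than per day; the log-clearing check only works if events are shipped off the host before the intruder reaches the last stage.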

1.4 Characteristics of the Bank and its activities

PJSC Citibank is a financial and credit organization of the Banking system of the Russian Federation, carrying out financial transactions with money and securities. The bank provides financial services to individuals and legal entities.

Main areas of activity: lending to legal entities and individuals, servicing of corporate client accounts, attracting deposits from the population, transactions on the foreign exchange and interbank markets, and investments in bonds and bills.

The Bank has been carrying out its financial activities since August 1, 1990, on the basis of the General License of the Bank of Russia for banking activities No. 356.

The Bank has three personal data information systems:

Information system for personal data of Bank employees - allows you to identify 243 subjects of personal data;

Information system of personal data of the access control and management system - allows you to identify 243 subjects of personal data;

Personal data information system of the automated banking system - allows you to identify 9681 personal data subjects.

1.5 Personal data databases

The Bank needs to protect several personal data information systems at once, namely:

Information system of personal data of Bank employees;

Personal data information system, access control and management system;

Information system of personal data of the automated banking system.

1.5.1 Information system of personal data of employees of the organization

The ISPD of Bank employees is used to pay salaries to Bank employees, automate the work of the HR department and of the Bank's accounting staff, and resolve other personnel and accounting issues. It consists of the 1C “Salary and Personnel Management” database, located on a separate automated workstation that can be connected to over the network. The workstation is located in the HR department office and runs Microsoft Windows XP. The workstation has no connection to the Internet.

The following personal data is stored in the ISPD:

Full Name;

Date of Birth;

Passport series and number;

Phone number;

The following have the right to work with 1C “Salary and Personnel Management” software and the personal data database:

Chief Accountant;

Chief accountant's assistant;

Head of HR Department;

An employee responsible for calculating wages for Bank employees.

Manual data modification;

1.5.2 Personal data information system of access control and management system

The personal data information system of the access control and management system is used to store the personal data of employees and visitors of the Bank who have access to various premises of the Bank. The access control and management system ISPD is used by the Bank's security department. The ISPD database is installed on an automated workstation located in the security room of the security department. The ISPD workstation runs Microsoft Windows 7, and Microsoft SQL Server 2012 is used as the database management system. The ISPD workstation has no access to the local network and no access to the Internet.

The following personal data is stored in the ISPD:

Full Name;

Employee photo.

The following have the right to work with ISPD access control and management systems:

Head of the Bank's Security Department;

Deputy Head of the Bank's Security Department;

Employees of the Bank's security department.

Access to the automated workstation of the access control and management system is available to:

System administrators, for administering the automated workstation and 1C software “Salary and Personnel Management” and the personal data database;

Employees of the department responsible for information security of the Bank to administer the automated workplace information security system.

In the ISPD of bank employees the following functions can be performed:

Automated deletion of personal data;

Manual deletion of personal data;

Manual data modification;

Manual addition of personal data;

Automated search of personal data.

The personal data information system stores data that allows the identification of 243 Bank employees.

After achieving the goals of processing the employee’s personal data, his personal data is deleted from the ISPD.

1.5.3 Personal data information system of the automated banking system

The personal data information system of the automated banking system is designed to automate the work of the majority of bank employees. It allows you to increase employee productivity. The complex of software products “CFT-Bank”, produced by the group of companies “Center for Financial Technologies”, is used as an automated banking system. Oracle software is used as a database management system. The ISPD is deployed on the Bank's server, the operating system installed on the server is Microsoft Windows Server 2008 R2. The ISPD of the automated banking system is connected to the bank's local computer network, but does not have access to the Internet. Users are connected to the ISPD database using CFT-Bank software products from dedicated virtual terminals. Each user has his own login and password in the ISPD.

Personal data processed in the ISPD:

Full Name;

Date of Birth;

Passport series and number;

Phone number;

The following have the right to work with the CFT-Bank software and the personal data database:

Accounting staff;

Credit department employees;

Risk management department employees;

Collateral Department employees;

Personal managers;

Client managers;

Security department staff.

Access to the automated workstation is available to:

System administrators, for administering the server, personal data database and CFT-Bank software;

Employees of the department responsible for information security of the Bank for administering the server, personal data database and CFT-Bank software.

In the ISPD of bank employees the following functions can be performed:

Automated deletion of personal data;

Manual deletion of personal data;

Manually adding personal data;

Manual data modification;

Automated search of personal data.

The personal data information system stores data that allows the identification of 243 Bank employees and 9,438 Bank clients.

After achieving the goals of processing the employee’s personal data, his personal data is deleted from the ISPD.

1.6 Design and threats of the Bank’s local computer network

The Bank has deployed a client-server network. The domain containing user workstations is named vitabank.ru. In total, the Bank has 243 automated user workstations, as well as 10 virtual servers and 15 virtual workstations. The system administration department monitors the operation of the network. The network is built primarily on Cisco equipment. Communication with additional offices is maintained over VPN channels across the Internet, using the primary and backup channels of the Internet provider. Information exchange with the Central Bank takes place over a dedicated channel as well as over regular communication channels.

All users have access to the Internet on local workstations, but work with documents and information systems of the Bank is carried out only using virtual workstations, where Internet access is limited and only local Bank resources are loaded.

Access to the Internet from local workstations is delimited by access groups:

Minimum access - access only to the resources of federal services and to the website of the Bank of Russia;

Regular access - all resources are allowed except entertainment sites and social networks; viewing videos and downloading files are prohibited;

Full access - all resources and file downloads are allowed.

Filtering of resources by access groups is implemented by a proxy server.

Below is a diagram of the network of PJSC Citibank (Fig. 5).

1.7 Information security measures

Information security means are a set of engineering, electrical, electronic, optical and other devices, instruments and technical systems, as well as other elements used to solve various information protection problems, including preventing leaks and ensuring the security of protected information.

Information security measures in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:

Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) that solve information security problems in hardware. They prevent access to information, including by masking it. Hardware includes noise generators, surge protectors, scanning radios and many other devices that “block” potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors and high resistance to modification. Their weaknesses are insufficient flexibility, relatively large volume and weight, and high cost.

Figure 5 Network diagram of PJSC Citibank

Software tools include programs for user identification, access control, information encryption, removal of residual (working) information such as temporary files, test control of the security system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, ability to modify and develop. Disadvantages - limited network functionality, use of part of the resources of the file server and workstations, high sensitivity to accidental or intentional changes, possible dependence on the types of computers (their hardware).

Mixed hardware and software implement the same functions as hardware and software separately, and have intermediate properties.

All office premises of the Bank are controlled by the security service using an access control and management system as well as a video surveillance system. Entry to the Bank's office premises requires the appropriate permissions in the access control and management system. An employee, when hired, or a visitor to the Bank who needs access to the Bank's office premises, is issued a contactless Proximity card on which a user identifier is recorded; when an attempt is made to enter office premises, this identifier is transmitted to the access control and management system. The system compares the list of premises the card holder is allowed to enter with the premises he wants to enter, and allows or denies entry.

Kaspersky Endpoint Security 10 antivirus software is installed on the Bank's workstations; it has FSTEC of Russia certificate of conformity No. 3025, valid until November 25, 2019. The virus signature database is updated centrally from the server component of the antivirus, installed on a server located in the Bank.

To organize electronic document flow with the Central Bank, a dedicated communication line has been established in the Bank.

To organize electronic document flow with federal services (Federal Tax Service, Pension Fund of Russia, Financial Monitoring Service, etc.), an electronic signature is used. To work with the electronic signature, specialized software is installed on the local workstations of the employees responsible for document flow with federal services:

Crypto-Pro CSP;

Crypto-ARM;

CIPF Verba-OW;

CIPF Validata;

Signal-COM CSP.

The use of certain software by the contractor depends on the requirements of a certain Federal authority.

At the border of the local network the Bank has a Cisco ASA 5512 firewall, manufactured by Cisco. In addition, critical banking systems (the Bank of Russia Client Workstation, SWIFT, the Bank's ISPDs) are additionally separated from the Bank's local network by Cisco firewalls. VPN tunnels for communication with additional offices are set up using Cisco firewalls.

1.8 Organizational protection measures

According to a study conducted in 2014 by the British audit and consulting company Ernst & Young, 69 percent of the companies that participated in the study consider company employees to be the main source of information security threats.

Company employees may, out of ignorance or their incompetence in the field of information security, disclose critical information necessary to carry out targeted attacks on the organization. Attackers also send phishing messages with embedded malicious software, which allows attackers to gain control of an employee’s workplace and from this workplace launch an attack on the Bank’s information systems.

Therefore, in the Bank, the information security department is obliged to carry out work to train Bank employees in the fundamental principles of information security, monitor compliance with security requirements when working in the workplace, and inform Bank employees about new information security threats that they may encounter.

At PJSC Citibank, all employees undergo induction training upon employment. New employees and employees transferred from other structural divisions also undergo initial training in the information security department, during which they are taught the basic information security rules for working with the Bank's information systems, the security rules for working on the Internet and with the Bank's e-mail, and the Bank's password policy.

Employees of the Bank's information security department participate in the development and implementation of new information systems of the Bank at all levels of system development.

At the stage of system design and drawing up technical specifications for the development of an information system, the information security department sets security requirements for the system.

At the information system development stage, information security department employees study current documentation and test the software for possible vulnerabilities in the program code.

At the stage of testing and commissioning of an information system, the information security department actively participates in testing the information system, conducts penetration tests into the information system and denial of service tests, and also distributes access rights to the information system.

At the stage of operation of an information system that has already been put into operation, the information security department conducts monitoring and identifies suspicious activity.

At the stage of finalizing the information system, the information security department, based on the data obtained during the operation of the information system, builds new requirements for the information system.

The Information Security Department at PJSC Citibank coordinates all requests for access to resources on the Internet, as well as to the Bank’s internal resources.

1.9 Personal data processing cycle

Personal data stored in the Bank is obtained only legally.

The received personal data of a Bank employee is processed only for the Bank to fulfill its obligations under the agreement concluded with the employee. Personal data of the Bank employee was obtained from the employee himself. All Bank employees are familiarized, against signature, with the Bank documents establishing the procedure for processing personal data of Bank employees, as well as their rights and obligations in this area.

Personal data of bank employees stored in the access control and management system ISPD are intended for the employee’s access to workplace.

Personal data of the Bank's clients stored in the information system of the automated banking system is processed there only for the Bank to fulfill its obligations under the agreement concluded with the Bank's client. Also, the ISPD of the automated banking system processes personal data of persons who have not entered into an agreement with the Bank, but obtained legally, for example, personal data received and processed at the request of Federal Law No. 115-FZ of August 7, 2001 “On Combating the Legalization (Laundering) of Income obtained by criminal means and the financing of terrorism.”

After achieving the purposes of processing personal data, they are destroyed or anonymized.

2. DEVELOPMENT OF MEASURES FOR PROTECTING PERSONAL DATA IN THE BANK

At PJSC Citibank, the personal data protection system is regulated both by state-level laws and local regulations (for example, “Rules for remote banking legal entities and individual entrepreneurs in PJSC "CITIBANK" in Appendix 1).

PJSC Citibank’s personal data protection system is sufficiently developed to avoid simple attacks such as phishing and infection of workstations with ransomware viruses, but it is not able to withstand targeted attacks aimed at stealing personal data.

I carried out work to rebuild and modernize the personal data protection system.

2.1 Measures to protect the bank’s local computer network and personal data information system

The network of PJSC Citibank has pronounced weaknesses, using which attackers can gain full access to the bank’s network and seize control over it, after which they can easily steal, change or delete the personal data of clients or Bank employees.

Since the Bank's network is one single segment, in order to minimize the risk of intruders penetrating the Bank's network it must be divided into several segments using virtual network (VLAN) technology.

The concept of virtual network (VLAN) technology is that the network administrator can create logical groups of users in the network regardless of which part of the network they are connected to. Users can be combined into logical working groups, for example on the basis of common work being performed or a task being solved jointly. Groups of users can interact with each other or be completely invisible to each other. Group membership can be changed, and a user can be a member of several logical groups. Virtual networks form logical broadcast domains, restricting the passage of broadcast packets across the network in much the same way as routers isolate broadcast traffic between network segments. In this way a virtual network prevents broadcast storms, because broadcast messages are limited to the members of that virtual network and cannot be received by members of other virtual networks. Virtual networks may allow access to members of another virtual network where this is necessary to reach shared resources, such as file servers or application servers, or where a common task requires the interaction of different services, such as the credit and payment departments. Virtual networks can be built on the basis of switch ports, the physical addresses of devices in the network, or the logical addresses of OSI layer 3 protocols. The advantage of virtual networks is the high speed of switch operation, since modern switches contain a specialized set of integrated circuits designed specifically for switching at layer 2 of the OSI model.
Layer 3 virtual networks are the simplest to install, as no reconfiguration of network clients is required, but the most difficult to administer, because any action with a network client requires reconfiguration of either the client itself or the router, and the least flexible, since routing is required to connect the virtual networks, which increases the cost of the system and reduces its performance.

Thus, the creation of virtual networks in the Bank will prevent ARP-spoofing attacks. Attackers will not be able to intercept information passing between the server and client. When infiltrating the network, attackers will not be able to scan the entire Bank network, but only the network segment to which they gained access.
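Segmentation confines ARP-level attacks to one broadcast domain, and the indicators of such an attack are visible per VLAN in the ARP traffic of that segment: a trusted address (the gateway) being announced by an unexpected MAC, an IP whose MAC changes, or one MAC claiming several IPs. The detector below is an added example and not part of the thesis or of any Cisco feature; the trusted bindings and the ARP reply capture are constructed.

```python
"""Added example: indicators of ARP spoofing inside one broadcast domain, evaluated
per VLAN over a constructed capture of ARP replies (not traffic from the Bank's network)."""
from collections import defaultdict

# Constructed trusted bindings: (IP, VLAN) -> MAC of the real gateway or critical host.
TRUSTED = {
    ("10.10.20.1", 20): "00:11:22:33:44:01",   # default gateway of VLAN 20
}

# Constructed ARP replies: (epoch seconds, VLAN, sender IP, sender MAC)
ARP_REPLIES = [
    (100, 20, "10.10.20.1", "00:11:22:33:44:01"),    # genuine gateway reply
    (101, 20, "10.10.20.55", "aa:bb:cc:dd:ee:55"),   # ordinary workstation
    (102, 20, "10.10.20.1", "aa:bb:cc:dd:ee:99"),    # gateway IP announced by another MAC
    (103, 20, "10.10.20.55", "aa:bb:cc:dd:ee:99"),   # the same MAC now also claims the workstation
    (104, 30, "10.10.30.7", "aa:bb:cc:dd:ee:07"),    # unrelated segment, nothing unusual
]


def analyse_arp(replies, trusted):
    """Return a list of alert tuples; the VLAN is always the second element so that
    an alert can be attributed to a single segment."""
    macs_for_ip = defaultdict(set)   # (ip, vlan) -> MACs that have announced this IP
    ips_for_mac = defaultdict(set)   # (mac, vlan) -> IPs this MAC has claimed
    alerts = []
    for ts, vlan, ip, mac in replies:
        mac = mac.lower()
        key = (ip, vlan)
        if trusted.get(key, mac) != mac:
            # Highest priority: a protected address is being impersonated.
            alerts.append(("trusted_ip_spoofed", vlan, ip, mac))
        elif macs_for_ip[key] and mac not in macs_for_ip[key]:
            # An already-seen IP suddenly resolves to a different MAC.
            alerts.append(("ip_mac_changed", vlan, ip, mac))
        macs_for_ip[key].add(mac)
        ips_for_mac[(mac, vlan)].add(ip)
        if len(ips_for_mac[(mac, vlan)]) > 1:
            # One interface answering for several IPs is the man-in-the-middle pattern.
            alerts.append(("mac_claims_multiple_ips", vlan, mac,
                           tuple(sorted(ips_for_mac[(mac, vlan)]))))
    return alerts


def affected_vlans(alerts):
    """Segments in which any indicator fired; with segmentation this should be a small set."""
    return {a[1] for a in alerts}


if __name__ == "__main__":
    for alert in analyse_arp(ARP_REPLIES, TRUSTED):
        print(alert)
    print("affected VLANs:", affected_vlans(analyse_arp(ARP_REPLIES, TRUSTED)))
```

The "one MAC, many IPs" indicator needs an exception list in practice, since a router or a proxy-ARP device legitimately answers for many addresses; the trusted-binding check is the one that can be acted on without tuning.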

When infiltrating the Bank's network, attackers will first scan the network to find critical network nodes. These nodes are:

Domain controller;

Proxy server;

Mail server;

File server;

Applications server.

Since the Bank's local network will be organized using virtual network technology, attackers will not be able to detect these nodes without additional actions. In order to make it difficult for attackers to find critical nodes of the local network and confuse them, and in the future to study the strategy of attackers when carrying out an attack on the network, it is necessary to use false objects that will attract attackers. These objects are called Honeypots.

The task of a Honeypot is to be subject to an attack or unauthorized research, which will subsequently make it possible to study the strategy of attackers and determine a list of means by which attacks can be made on real-life security objects. A Honeypot implementation can be either a special dedicated server or a single network service whose task is to attract the attention of hackers.

A honeypot is a resource that does nothing unless acted upon. A honeypot collects a small amount of information, the analysis of which yields statistics on the methods used by hackers and reveals any new techniques, which are subsequently used in the fight against them.

For example, a web server that has no name and is virtually unknown to anyone should therefore not have guests accessing it, so all people who try to break into it are potential attackers. Honeypot collects information about the behavior of these attackers and their methods of influencing the server. After that, information security department specialists collect information about the attack by attackers on the resource and develop strategies to repel attacks in the future.
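The unadvertised web server of the paragraph above can be built as a low-interaction honeypot: a listener that accepts any connection, records the source and the first bytes sent, answers with a decoy banner, and turns the records into per-source statistics for the information security department. The code below is an added example, not the thesis's own or any product's; the decoy banner, the tactic labels and the loopback addresses are assumptions, and the client function exists only to exercise it locally.

```python
"""Added example: a minimal low-interaction TCP honeypot. It records every connection,
replies with a decoy banner and summarises observed behaviour per source."""
import socket
import socketserver
import threading
import time

PROBES = []  # every connection ends up here; this list is the honeypot's only product

# Decoy reply resembling an unadvertised intranet web server (constructed).
DECOY_BANNER = (b"HTTP/1.0 401 Unauthorized\r\n"
                b"WWW-Authenticate: Basic realm=\"intranet\"\r\n"
                b"Content-Length: 0\r\n\r\n")


class ProbeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(4096)      # b"" if the peer connected and left silently
        except (socket.timeout, OSError):
            data = b""
        PROBES.append({
            "time": time.time(),
            "source": self.client_address[0],
            "source_port": self.client_address[1],
            "first_bytes": data[:200],
        })
        try:
            self.request.sendall(DECOY_BANNER)
        except OSError:
            pass  # peer already gone; the record above is what matters


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_honeypot(host="127.0.0.1", port=0):
    """Start listening in a background thread; port 0 lets the OS choose a free port."""
    server = Honeypot((host, port), ProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def classify(first_bytes):
    """Rough tactic label for the statistics (assumed categories)."""
    if not first_bytes:
        return "silent-connect"              # typical of port scanners and banner grabbers
    word = first_bytes.split(b" ", 1)[0]
    if word in {b"GET", b"POST", b"HEAD", b"OPTIONS", b"PUT"}:
        return "http-" + word.decode("ascii").lower()
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client-banner"
    return "other"


def probe_summary(probes):
    """Per-source connection count and the set of tactics observed."""
    summary = {}
    for p in probes:
        entry = summary.setdefault(p["source"], {"connections": 0, "tactics": set()})
        entry["connections"] += 1
        entry["tactics"].add(classify(p["first_bytes"]))
    return summary


def wait_for_probes(n, timeout=3.0):
    """Block until at least n probes are recorded (handlers run in their own threads)."""
    deadline = time.time() + timeout
    while len(PROBES) < n and time.time() < deadline:
        time.sleep(0.02)
    return len(PROBES) >= n


def send_probe(port, payload=b"", host="127.0.0.1"):
    """Local client used only to exercise the honeypot; returns the decoy reply."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if not payload:
            return b""
        c.sendall(payload)
        return c.recv(4096)


if __name__ == "__main__":
    server, port = start_honeypot()
    print("decoy reply:", send_probe(port, b"GET /admin HTTP/1.0\r\n\r\n")[:30])
    send_probe(port)
    wait_for_probes(2)
    print(probe_summary(PROBES))
    server.shutdown()
    server.server_close()
```

Because the host has no legitimate users, every record in PROBES is worth a look; in a deployment the records would be forwarded to the same collector as the other security logs rather than kept in memory.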

To control information incoming from the Internet and detect threats to information security at the stage of their transmission over the network, as well as detect the activity of intruders who have penetrated the Bank’s local network, it is necessary to install an intrusion prevention system at the edge of the network.

An intrusion prevention system is a software or hardware network and computer security system that detects intrusions or security breaches and automatically protects against them.

Intrusion Prevention Systems can be considered an extension of Intrusion Detection Systems, since the task of tracking attacks remains the same. However, they differ in that the intrusion prevention system monitors activity in real time and quickly implements actions to prevent attacks.

Intrusion detection and prevention systems are divided into:

Network intrusion prevention systems - analyze traffic directed to the organization’s network, passing through the network itself or directed to a specific computer. Intrusion detection and prevention systems can be implemented by software or hardware-software methods, installed on the perimeter of the corporate network and sometimes inside it.

Personal intrusion prevention systems are software that is installed on workstations or servers and allows you to monitor application activity, as well as monitor network activity for possible attacks.

A network intrusion prevention system was selected for deployment in the Bank's network.

Network intrusion prevention systems from IBM, Check Point, Fortinet and Palo Alto were considered, since the functionality declared by the manufacturers of these systems met the requirements of the Bank's information security department.

After deploying test benches and testing the intrusion prevention systems, the Check Point system was chosen, as it showed the best performance, the best subsystem for detecting malicious software transmitted over the local network, the best tools for logging important events, and its purchase price.

IBM's intrusion prevention system was rejected because the cost of the devices exceeded the information security department's budget for purchasing the intrusion prevention system.

Fortinet's intrusion prevention system was rejected due to incomplete response when information security department employees performed tests to transfer infected files and insufficiently informative tools for logging important events.

Palo Alto's intrusion prevention system was rejected because it lacked meaningful event logging, was too complex to use, and acted more like a router.

The Check Point intrusion prevention system was chosen for implementation into the local network. This system has demonstrated a high level of detection of information security threats, flexible settings, the ability to expand functionality by purchasing additional software modules, and has powerful system logging of important events and powerful tools for providing incident reports, with the help of which you can much more easily investigate information security incidents that have occurred.

A diagram of the Citibank PJSC network with a modified architecture is presented in Figure 6.

2.2 Software and hardware protection

The security of personal data cannot be ensured by network protection alone, since attackers, despite all the measures taken to protect the network, may still gain access to the Bank's network.

Figure 6 Network diagram of Citibank PJSC with additional protection systems

To make the protection more resistant to attacks, the devices protecting the network must be supplemented with software and hardware for protecting local workstations, virtual workstations, and virtual and physical servers.

It is well known that antivirus programs do not provide complete protection against malicious software, since they work on the principle of signature analysis. An antivirus software company employs experts who monitor virus activity on the Internet, study the behaviour of malicious software on test stations and create signatures, which are then delivered to users' computers by updating the antivirus signature databases. Having received an updated signature database, the antivirus checks the files on the user's workstation for signs of malicious software; if such signs are detected during the scan, the antivirus reports this and acts in accordance with the settings made by the user or the antivirus administrator. Thus, if a piece of malicious software has not yet been detected and analysed by the antivirus company's experts, the antivirus will not detect it and will take no action, considering the scanned file safe. Therefore, to reduce the likelihood of malicious software getting into the network and being launched, the Bank installed a second circuit of antivirus protection. Since antivirus companies mostly work independently of each other, malicious software not yet detected by one company may already have been detected by another, with signatures already created for the threat.

To implement this scheme, a virtual workstation was deployed on which the Dr.Web Enterprise Security Suite antivirus was installed; it has FSTEC of Russia certificate of conformity No. 2446, valid until September 20, 2017. All files that Bank employees download in the course of their work go to this station and are scanned by the antivirus. If malicious software is detected, the antivirus sends an e-mail to the information security department employees with the name of the threat and the path where the infected file is stored, and the department's employees take measures to remove the malicious software. If a file downloaded by a user passes the antivirus scan, the user who downloaded it submits a request to the information security department, and the department's employees pass the downloaded file on to the user.

Also, a large amount of malicious software is sent to Bank employees by email. These can be regular encryption viruses or malicious software that allows attackers to penetrate the infected computer of a Bank employee using a remote connection.

To minimize the risks of such threats, ClamAV antivirus software, designed to protect mail servers, was installed on the Bank's mail server.

To protect against unauthorized access by internal attackers who somehow learned the password of a user of a local station that has access to personal data information systems, it is necessary to install an information protection system against unauthorized access on the local workstations of users working with personal data information systems.


Training of Bank employees is carried out by a specialist from the information security department.

An employee of the information security department conducts training in a designated division of the Bank. After the training, department employees pass tests in which they confirm the knowledge acquired during the training.

The basic security policy regulates training in each department at least four times a year.

Also, in parallel with employee training, employees of the information security department are required to send information letters to all Bank employees at least once a month, which describe the basic security rules and new threats to the Bank’s information security, if any are detected.

2.3.2 Procedure for employee access to Internet resources

The Bank has created three Internet access groups, but this division of access is ineffective: an employee may need, in order to perform his job duties, information from a network resource that belongs to the full-access group, and then he has to be given full access to the Internet, which is unsafe.

Group 6: downloading archives - the group does not provide any access to Internet resources;

Group 7: downloading executable files - the group does not provide any access to Internet resources;

Group 8: full access to the Internet - full access to Internet resources, downloading any files.

To gain access to Internet resources, an employee creates a request through the ServiceDesk system; after approval by the head of his division or department and by an employee of the information security department, the employee is granted access to Internet resources according to the requested group.

2.3.3 Procedure for employees’ access to internal bank resources

The main documents related to an employee's work are located at his local workstation or in the automated system in which he works. In addition, each division of the Bank has a section on the Bank's file server in which information is stored that is needed by several employees of the division and that is too large to be sent by email within the Bank.

When a new employee gets a job at the Bank, his direct supervisor sends an application through the ServiceDesk system to the system administration department for access to an internal bank resource, and after approval of the application by an employee of the information security department, the employee of the system administration department gives the new employee access to the requested resource.

Situations often arise in which the work of several divisions of the Bank intersects, and in order to exchange information these divisions need a separate section on the Bank's file server.

To create this section, the project manager (the head of one of the departments involved in the project) creates a request through the ServiceDesk system for the creation of a shared resource and for access to this resource for specific employees of his department working on the joint project and for the head of the department with which he collaborates within the project. After approval by the Information Department employee, the System Administration Department employee creates the requested resource and grants access to it to the requested employees. Each head of a department participating in the project requests access only for those employees who are subordinate to him.

2.3.4 Procedure for employees to use email

Previously, before the basic security policy was created, each employee himself judged how dangerous the letters and files received by e-mail from external mail servers were.

After the basic security policy was created, each user is required to send every file received by email from external mail servers to the information security department to be checked for malicious software; the employee still assesses the danger of the letters themselves independently. If a Bank employee suspects that an incoming message contains spam or phishing, he is obliged to forward the letter in full, that is, with all the service information about the sender (his mailbox and IP address), to the information security department. After analysing the suspicious letter and confirming that it is a threat, the information security department passes the sender's address to the system administration department, and an employee of the system administration department adds the sender's address to the blacklist.
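The reason the policy insists on forwarding the letter "in full" is that the sender's mailbox and the originating IP address live in the service headers, which a plain forward strips. The example below is added for illustration and is not code from the thesis or the Bank: it parses a constructed report (example domains and documentation-range IP addresses), extracts the facts an analyst needs, and maintains the blacklist that the system administration department keeps once the threat is confirmed.

```python
"""Handling a phishing report forwarded with full headers.

Constructed example: the sample letters, addresses and IP addresses are
assumptions for the illustration, not data from the Bank.
"""
import email
import re
from email import policy
from email.utils import parseaddr

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed suspicious letter as the employee must forward it: with all
# service headers intact (example domains, TEST-NET addresses).
CONSTRUCTED_REPORT = b"""\
Return-Path: <bounce@mail.example.net>
Received: from relay.bank.example ([10.0.0.5]) by mx.bank.example with ESMTP; Mon, 1 Jan 2018 10:00:00 +0000
Received: from host.example.net ([192.0.2.77]) by relay.bank.example with ESMTP; Mon, 1 Jan 2018 09:59:58 +0000
From: "Bank Support" <support@bank-login.example.net>
To: employee@bank.example
Subject: Urgent: confirm your account
Content-Type: text/plain; charset="utf-8"

Please confirm your account at the link below.
"""

# Constructed ordinary letter from a partner, used to show a non-match.
CONSTRUCTED_CLEAN = b"""\
Return-Path: <partner@partner.example>
Received: from mail.partner.example ([198.51.100.9]) by mx.bank.example with ESMTP; Mon, 1 Jan 2018 11:00:00 +0000
From: partner@partner.example
To: employee@bank.example
Subject: Meeting minutes
Content-Type: text/plain; charset="utf-8"

Minutes attached in the next letter.
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def parse_report(raw):
    """Extract the facts the security department needs from a forwarded letter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    # Received headers are prepended at each hop, so the earliest hop (the one
    # closest to the sender) is the last header in the list.
    origin_ip = None
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hdr))
        if m:
            origin_ip = m.group(1)
            break
    return {
        "from": from_addr,
        "return_path": return_path,
        "origin_ip": origin_ip,
        # A visible From that differs from the envelope sender is a common
        # sign of a forged sender and is worth flagging to the analyst.
        "envelope_mismatch": _domain(from_addr) != _domain(return_path),
    }


class SenderBlocklist:
    """Blacklist maintained by the system administration department."""

    def __init__(self):
        self.addresses = set()
        self.ips = set()

    def add_from_report(self, report):
        """Called only after the security department has confirmed the threat."""
        self.addresses.add(report["from"].lower())
        if report["origin_ip"]:
            self.ips.add(report["origin_ip"])

    def is_blocked(self, raw):
        """Decide whether a new inbound letter matches a blacklisted sender."""
        r = parse_report(raw)
        return r["from"].lower() in self.addresses or r["origin_ip"] in self.ips
```

Blocking both the address and the originating IP is deliberate: the From address is trivial for a sender to change, while the first-hop IP is what the mail server actually connected from. The envelope-mismatch flag is only a hint for the analyst, not grounds for automatic blocking, which is why the blacklist is updated by a separate call made after confirmation.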

Always lock the workstation when leaving it.

2.3.6 Rules for employee access to personal data

According to Article 89 of Chapter 14 of the Labor Code of the Russian Federation, a Bank employee has the right to access his personal data, but is allowed to process the personal data of other Bank employees or Bank clients only to perform his official duties.

To ensure control over access to personal data information systems, the bank has established the following rules for access to personal data information systems:

Only employees whose job responsibilities include processing personal data have access to the ISPD;

Access to the ISPD is permitted only from the local workplace of the employee working with personal data;

The Bank has created a document that identifies by name the employees who are allowed access to the personal data of the Bank's employees and clients, indicating for each the personal data information system and the list of personal data the employee is permitted to process.
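Taken together, the three rules above and the right of an employee to his own data under Article 89 of the Labour Code form a small access policy that can be checked mechanically at the ISPD boundary. The example below is added for illustration and is not the Bank's document or software: the employee names, workstation names, ISPD names and field names are constructed assumptions, and the ordering of the rules is a design choice of the example.

```python
"""Access check for a personal data information system (ISPD).

Constructed example: the register entries, workstation names and field
names are assumptions for the illustration, not the Bank's actual document.
"""
from dataclasses import dataclass

# The named-access document: employee -> ISPD -> fields permitted for processing.
ACCESS_REGISTER = {
    "ivanov": {"hr_ispd": {"full_name", "position", "salary"}},
    "petrova": {"client_ispd": {"full_name", "passport", "account_number"}},
}

# Each employee's own workstation; ISPD access is allowed only from it.
WORKSTATIONS = {"ivanov": "ws-hr-01", "petrova": "ws-ops-07", "sidorov": "ws-it-03"}


@dataclass
class Request:
    employee: str
    ispd: str
    fields: set
    source_host: str
    subject: str            # whose record is being accessed
    operation: str = "read"


@dataclass
class AuditEntry:
    request: Request
    allowed: bool
    reason: str


AUDIT_LOG: list = []   # every decision is recorded, allowed or not


def authorize(req: Request) -> AuditEntry:
    """Apply the access rules in order; the first failing rule decides."""
    permitted = ACCESS_REGISTER.get(req.employee, {}).get(req.ispd)
    if WORKSTATIONS.get(req.employee) != req.source_host:
        # Rule: access only from the employee's own local workstation.
        entry = AuditEntry(req, False, "access only from own workstation")
    elif req.subject == req.employee and req.operation == "read":
        # Rule: an employee may read his own personal data (Labour Code, Art. 89).
        entry = AuditEntry(req, True, "own data")
    elif permitted is None:
        # Rule: only employees named in the document for this ISPD.
        entry = AuditEntry(req, False, "not in named-access document for this ISPD")
    elif not req.fields <= permitted:
        # Rule: only the fields listed for this employee.
        extra = sorted(req.fields - permitted)
        entry = AuditEntry(req, False, f"fields not permitted: {extra}")
    else:
        entry = AuditEntry(req, True, "permitted by named-access document")
    AUDIT_LOG.append(entry)
    return entry


if __name__ == "__main__":
    e = authorize(Request("ivanov", "hr_ispd", {"full_name", "salary"}, "ws-hr-01", "smirnov"))
    print(e.allowed, e.reason)
```

The check is deny-by-default: an employee absent from the register, a field outside his list, or a request from any host other than his own workstation is refused, and every refusal is written to the audit log with its reason, which is what an information security department needs when reviewing who tried to reach personal data and why it was blocked.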

3. ECONOMIC JUSTIFICATION OF THE PROJECT

To implement a personal data protection system, it is necessary to purchase:

Equipment to protect the Bank's network;

Hardware information security;

Information security software.

To rebuild the organisation's network, three Cisco Catalyst 2960 switches must be purchased. One switch is required at the core level of the Bank's network, the other two at the distribution level. The network hardware that was in use at the Bank before the network restructuring will also continue to be used.

Cost table (the column layout was lost in extraction; the rows are reproduced as extracted): "Total cost (RUB) 9389159 613"; "Doctor WEB Enterprise Security Suite 155005500"; "Total cost 1,371,615".

CONCLUSION

In my graduation project, I reviewed the legal framework for the protection of personal data. I reviewed the main sources of threats to the security of personal data.

Based on the considered threats to personal data, I analyzed the existing personal data protection system at PJSC Citibank and came to the conclusion that it needs serious improvement.

During the thesis project, weaknesses were discovered in the Bank's local network. Taking into account the detected weak points in the Bank's local network, measures have been determined to minimize the risks of information security of the Bank's network.

Devices and software were also reviewed and selected to protect local workplaces of employees processing personal data of Bank employees and clients.

With my participation, a system was created to increase employee awareness of information security issues.

The procedure for Bank employees' access to the Internet has been thoroughly revised, and the Internet access groups have been redesigned. The new Internet access groups significantly reduce information security risks by limiting users' ability to download files and to reach untrusted resources.

Calculations of the cost of rebuilding the network and creating a viable personal data protection system capable of repelling most information security threats are provided.

LIST OF REFERENCES USED

1. “Constitution of the Russian Federation” (adopted by popular vote on December 12, 1993) (taking into account the amendments introduced by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation dated December 30, 2008 N 6-FKZ, dated December 30, 2008 N 7-FKZ, dated February 5, 2014 N 2-FKZ, dated 07/21/2014 N 11-FKZ) // The official text of the Constitution of the Russian Federation as amended on 07/21/2014 was published on the Official Internet portal of legal information http://www.pravo.gov.ru, 08/01/2014

2. “Basic model of threats to the security of personal data during their processing in personal data information systems” (Extract) (approved by the FSTEC of the Russian Federation on February 15, 2008)

3. Federal Law of July 27, 2006 N 149-FZ (as amended on July 6, 2016) “On information, information technologies and information protection” // The document was not published in this form. The original text of the document was published in Rossiyskaya Gazeta, No. 165, 07.29.2006

4. “Labor Code of the Russian Federation” dated December 30, 2001 N 197-FZ (as amended on July 3, 2016) (with amendments and additions entered into force on October 3, 2016) // The document was not published in this form; the original text of the document was published in Rossiyskaya Gazeta, N 256, 12/31/2001

5. Decree of the Government of the Russian Federation of November 1, 2012 N 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems” // “Rossiyskaya Gazeta”, N 256, 11/07/2012

6. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered with the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

7. Standard of the Bank of Russia “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions” STO BR IBBS-1.0-2014 (adopted and put into effect by Order of the Bank of Russia dated May 17, 2014 N R-399) // Bulletin of the Bank of Russia, N 48-49, 05/30/2014

8. “Regulations on the requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring the protection of information when making money transfers” (approved by the Bank of Russia on 06/09/2012 N 382-P) (as amended dated 08/14/2014) (Registered with the Ministry of Justice of Russia on 06/14/2012 N 24575) // The document was not published in this form, the original text of the document was published in “Bulletin of the Bank of Russia”, N 32, 06/22/2012

9. “Regulations on the procedure for credit institutions to submit to the authorized body the information provided for by the Federal Law “On Combating the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism”” (approved by the Bank of Russia on August 29, 2008 N 321-P) (as amended on 10/15/2015) (together with the “Procedure for ensuring information security during the transmission and reception of ECO” and the “Rules for the formation of ECO and filling out individual fields of ECO records”) (Registered with the Ministry of Justice of Russia on September 16, 2008 N 12296) // The document was not published in this form; the original text of the document was published in Bulletin of the Bank of Russia, N 54, 09/26/2008

10. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered with the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

11. Averchenkov V.I., Rytov M.Yu., Gainulin T.R. Protection of personal data in organizations. M.: Flinta, 2018

12. Agapov A. B. Fundamentals of public administration in the field of informatization in the Russian Federation. M.: Yurist, 2012

13. Kostin A. A., Kostina A. A., Latyshev D. M., Moldovyan A. A. “AURA” series software systems for protecting personal data information systems // Izvestiya Vuzov. Priborostroenie (Journal of Instrument Engineering). 2012. Vol. 55, No. 11

14. Moldovyan A. A. Cryptography for protecting computer information (part 1) // Integral. 2014. No. 4 (18)

15. Romanov O.A., Babin S.A., Zhdanov S.G. Organizational support of information security. M.: Academy, 2016

16. Shultz V.L., Rudchenko A.D., Yurchenko A.V. Business safety. M.: Publishing house "Urayt", 2017
