Information security tools in business. The concept and types of threats to business information security. Trade secret security

Before talking about what information security risks can await you at work, I want to introduce myself: my name is Kamila Iosipova. I am a senior information security manager at the IT company ICL Services, where I have been working for 5 years. I am also a CISA (Certified Information Systems Auditor, an ISACA certification).

In 2018, the volume of data leaks in companies grew by 5%. The human factor is one of the main causes of information security incidents. Carelessness, negligence, motive, intent: these are the reasons why employees of your companies can, intentionally or unintentionally, sink the business. How to protect yourself and your customers, what to do to develop a culture of working with data among employees, and what methods to apply: I will tell you about this below.

Plan for establishing work in the field of information security

Looking at the big picture, a pattern can be traced in the field of information security: how much attention is paid to information security largely depends on what the company does. For example, in government or the banking sector the requirements are more stringent, so more attention is paid to training employees, which means the culture of working with data is more developed. Today, however, everyone should pay attention to this problem.

So, here are a few practical steps that will help you set up your work in the field of information security:

Step 1. Develop and implement a general information security policy that sets out the company's basic principles, goals and objectives in the field of information security management.

Step 2. Introduce a classification policy and confidentiality levels.

In this case, it is not enough to write a document that the employee has access to 24/7; you also need to hold various training events and talk about the changes being made. Stick to the rule: forewarned is forearmed. Let the company constantly work in this direction.

Step 3. Develop a proactive approach.

It is like prevention in medicine: you will agree that it is much cheaper and easier to undergo a preventive examination than to treat a neglected disease. For example, in our company the proactive approach works like this: for working with information in commercial projects, we have developed a Standard for Information Security Management in Projects, which contains the minimum information security requirements needed to ensure a certain level of maturity of information security processes in a commercial project. It describes what needs to be done to maintain that level of maturity in the security management process. We have implemented this standard in our projects and now conduct internal audits annually: we check how well projects meet these requirements and identify information security risks as well as best practices that can help other project managers.

Apart from audits, knowledge sharing works well. If "thunder has struck" in one of the projects, it is good for the rest to learn about it and have time to take the necessary measures.

Step 4. Make all documents that explain the rules structured, understandable and concise.

As practice shows, no one reads long multi-page texts. The document must be written in understandable language. It must also be aligned with business goals and sanctioned by top management; this gives employees a more powerful argument for why these rules should be followed.

Step 5. Conduct trainings, conversations, business games and the like.

Very often people do not understand how a given rule relates to their specific work, so you need to give examples, explain, and show how they can apply it. Here it is important to show the consequences, up to the loss of the business, and what specific consequences await the employee, up to criminal liability.

Implementing all of the above in a company requires resources, both material and human. This is why the position of Chief Information Security Officer (CISO) has begun to appear in many companies. Thanks to this position, it is possible to convey to business leaders the importance of pushing through decisions, allocating funds, and so on. The CISO is able to promote information security in a company at all levels.

The tasks this person undertakes are extensive: communication with top management, justification of particular decisions, communication with process owners to implement security in all areas. From the point of view of cyber threats, the CISO is the point of contact; at the same time, the CISO exercises control, defines strategies for responding to cyber threats and coordinates the response to attacks.

Employee training: difficult, time-consuming, but necessary

However, before teaching people certain rules, one thing must be understood: you cannot stop at the human factor, since something else may be behind it, such as a lack of resources, knowledge or technology. The most effective method here is to analyze the true causes and get to the root cause.

When working with people, it is necessary to find a key to literally everyone. All people are different, and accordingly the methods need to be applied differently. In one interview with an employee, a specialist told me: I will do something only if I know what I will get for not fulfilling the requirement. Conversely, for some people only positive motivation works, such as a good assessment of the quality of their work or rewards for the successful completion of trainings.

There is an opinion that information security specialists often act as a brake on innovation, especially when they restrict the use of new technologies and business models. This may indeed be the case; however, it is important to remember the following: "Security is like brakes on your car. Their function is to slow you down. But their purpose is to allow you to go fast" (Dr. Gary Hinson). It is important to understand that without these rules it is impossible to go further, because at some point you simply will not be able to develop your business if you do not defend against cyber threats and manage information security risks. In order to strike a balance, our company uses a risk-based approach, which is the basis of the ISO 27001 standard. This approach allows us to select the requirements and security measures that apply to us and that are necessary to protect against the threats relevant to us. Using this approach, we can also decide from a financial point of view how expedient a particular measure is. For example, we could put a biometric scanner at every meeting room, but to what extent do we need it, what value does it bring, what risks does it reduce? The answer is not always obvious.

We at ICL Services understand that the confidentiality of the information we work with is important to us, so we encrypt laptops: even if a laptop is lost, the information will not fall into the hands of intruders. This is critical, and we are ready to spend money on it.

I believe this is the only way to strike a balance between security and value for the business: choose, keep up with innovations and always assess risks (how the cost of a risk materializing compares with the cost of purchasing a particular security solution).

An integrated approach is the perfect recipe for information security

In my opinion, an integrated approach to security is the most effective, because information security is a matter of people's awareness and behavior and of the correct organization of business processes with security requirements taken into account. Incidents most often happen because of employees: people make mistakes, get tired, press the wrong button. So half of the success here is technical restrictions that guard against accidental, unintentional incidents, and the other half is the security culture of each employee.

Therefore, it is important to conduct preventive talks and trainings. In the modern world, cyber threats are designed for people: if you receive a phishing email, it is harmless until you reach for the link and click it. Our company focuses on the conscientiousness of the staff, on working with people, on awareness. The third point is organizational: people must know the rules, the rules must be spelled out, and there must be a policy that everyone follows.

Remember: cyber threats are very widespread in the world, and the consequences of attacks are very serious, up to the complete loss of the business and bankruptcy. Naturally, the issue is on the agenda. Security today simply must be part of the corporate culture, and top management is the first stakeholder in this, since it manages the business and, when risks materialize, will bear responsibility first.

Here are some tips to help your employees avoid information security incidents:

  1. Do not follow unverified links;
  2. Do not distribute confidential information;
  3. Do not write down passwords on a piece of paper or a sticky note;
  4. Do not use USB drives you are not sure about (an attacker can leave an infected physical device in a place where the victim is sure to find it);
  5. When registering on websites and entering your phone number and mailing address, look carefully at what this information is needed for; you may be subscribing to a paid mailing list.

I hope that over time security will become a key element of the corporate culture in every company.


Companies often neglect cybersecurity issues and suffer multi-million dollar losses as a result. In a new special project, the site's experts tell you how to prevent attacks by malicious actors without encroaching on the freedom of employees.


15:33 15.07.2019

Many Russian companies forget about basic cybersecurity measures for their industrial assets and are forced to spend huge sums to cope with the consequences of attacks, although there are simpler solutions.

A year ago, many Russian and foreign companies became victims of the large-scale WannaCry and ExPetr cyberattacks. Since then there have been no such cases: does this mean that business has become more responsible about cybersecurity, or has the situation changed in some other way? The head of Kaspersky Industrial CyberSecurity talked about this.

It is important to understand that these attacks did not target industry but "hooked" it. Typically, high-profile cyberattacks occur due to a combination of several factors. In this case, the public disclosure of a vulnerability in very common Windows operating systems and the reluctance of users to quickly patch it across the entire enterprise played a role. The absence of such cases now has nothing to do with companies having become more responsible about their security.

Those enterprises that were affected by WannaCry, or in which we investigated incidents and made recommendations for strengthening protection, took certain measures. With a high degree of probability, we can say that the same attack will not happen to them again.

But in most companies, nothing has changed, although they are well aware of the risks, and there have been enough incidents.

Good news for Russian enterprises is the appearance of Federal Law No. 187-FZ "On the Security of Critical Information Infrastructure". It also applies to industrial process automation systems. In Russia, this law is the most powerful driver in building real protection systems. It entered into force at the beginning of 2018, and in 2019–2021 we will already see an increase in security.

What are the key threats now?

The most common cause of infections in industrial infrastructures is ordinary malware. Basically, these are Trojans that get there by accident. You don't have to be a target to be a victim.

Obviously, there is a contradiction: when laws are passed and cybersecurity is discussed in general, people mainly worry about attacks by motivated and qualified attackers; they are afraid of targeted attacks. But the current maturity of industrial cybersecurity is such that companies allow commonplace infections with mass malware.

Could you give examples of such notable attacks?

Malicious software is written by people, and not always of high quality - it contains bugs.

Incidents in industrial networks most often occur due to accidental infection: a contractor connected a laptop with a virus to a secure network, an employee was given remote access... A virus can cause a denial of service, equipment failures or a halt of technological processes, although this does not happen intentionally...

For example, one of the three versions of WannaCry could not encrypt but was very poorly compatible with Windows XP, as a result of which the system crashed to a blue screen of death. In a number of cases it was precisely this, and not the encryption, that had to be dealt with in the industrial network.

What precautions can be taken to minimize the likelihood of such occurrences?

The more employees are aware of a particular type of cyberattack, the easier it is to avoid them.

8-10 years ago, when most industrial specialists were getting their education, industrial systems were attacked less often: as a rule, they were isolated from the outside world. But in recent years, industrial networks have been integrated with corporate networks at the request of the business, for example for order management and supply chain management. Contractors gain access to technological networks in order to provide services to industrial enterprises quickly. Networks are becoming exposed to a wide range of cyber threats.

These threats are being successfully dealt with in the corporate segment, but engineers and metrologists have never encountered them before.

It is worth telling them about the basics: what a fake letter or a virus on a USB flash drive looks like, why you must not charge a mobile phone from the machine control panel, why you need to call a "security officer" when giving remote access to a contractor...

If employees knew about the potential vectors of penetration and their consequences, they simply would not do such things. This is one of the first-priority, quick and very cheap measures.

At Kaspersky Lab, we see our mission not only in developing products that help prevent or detect attacks, but also in professional education. To this end, we initiate partnerships with training centers and universities that “speak” the language of engineers. In Russia, our partner is Abiroy, which has been professionally engaged in training in the industrial environment for many years, and now also in the field of cybersecurity. In Europe, a few months ago, we announced a partnership with the Fraunhofer IOSB institute, now our cyber security courses are available in their portfolio, and they give us an even deeper understanding of the specifics of the industry.

Finally, don't forget about basic technical measures. Antiviruses, means of organizing remote access, network segmentation are very effective in protection.

How much effort and money does dealing with cyber risks in industry take?

Design difficulties are really a problem. Imagine an industrial network built eight years ago that is connected to a corporate network for remote access or data transfer. Potentially, one can penetrate it, reach the level of programmable logic controllers, change the process control logic and disable them. But often industrial networks at the lower level are built on unmanaged network equipment, which cannot mirror traffic so that an intrusion detection system can be connected. As a result, it is possible to penetrate such a network, but it is very difficult to detect such attacks.

In many cases, the entire network will need to be redesigned to implement all of the protections. But the industrial world has its own rules: "if it works, don't touch it."

It has its own modernization cycle, and a network can be rebuilt according to new, protected rules in 5-10, or even 15, years. It is extremely difficult to protect old infrastructure with modern means: in order to deliver a $50 thousand intrusion detection tool, you need to carry out a $500 thousand network modernization project.

The second difficulty is qualified personnel. There are not many ICS information security specialists in the world, and even fewer in the Russian regions where industrial enterprises are mainly located. Modern cybersecurity systems are difficult to use and require an understanding of how threats will evolve.

Of course, there are financial issues as well. The first projects to protect a large number of already built infrastructures are costly: services, inspection, design, implementation, new personnel ... There are many companies with state capital in Russia that cannot easily raise prices for their services and goods. For example, in the energy sector, overinvestment in cybersecurity can ultimately affect our electricity bills.

But I am sure that we will overcome this and move to a new level of security. The main thing is to constantly maintain the proper level of cybersecurity as your systems develop.

In Europe, the number of computers that undergo accidental infection attempts is much smaller than in Russia. In developed countries, companies use a service model for servicing industrial infrastructures: an automation system supplier or integrator constantly maintains these systems, step by step, including introducing cybersecurity measures. Thus, Western companies have a more secure infrastructure without shock costs, spreading them over several years. In our country, companies themselves are responsible for their industrial infrastructure and operate according to the principle "if the system works, there is no need to modernize it." So the backlog accumulates, and it is quite "painful" to eliminate it.

As a rule, are ready-made solutions suitable for customers, or do they need individual projects because of non-standard parameters?

Customers need individual projects assembled from "building blocks" of ready-made solutions. Integration work, inspection and design of the protection system are very important, but there is no point in redesigning the industrial protection for each system.

Now the industry is unifying: standardized data transfer protocols, the same operating systems... Yes, sometimes very unusual industrial networks are encountered, but, as a rule, it turns out that they will be modernized in the coming years.

If you need to protect a unique infrastructure, then after a comprehensive analysis it becomes clear that it will be cheaper and more correct to do this in two years, together with its modernization, and to take some compensatory measures in the meantime.

Few leaders realize that the employee is the "entry point" into the company. How can we take business cybersecurity to the next level so that employees do not consider it a restriction of freedom?

One of the key business information security problems is the lack of risk awareness among employees. How can it be increased in simple ways?

The head of the regional corporate sales department at Kaspersky Lab shares key knowledge on this topic:

People who know little about threats still have to master the basics of cybersecurity in order to feel protected. After all, you should understand which letters do not need to be opened, which links do not need to be clicked on, which programs do not need to be downloaded.

At the same time, few leaders realize that the employee is the "entry point" into the company, especially if he has access to documents and client databases. People are always the weakest link.

Traditional cybersecurity training looks like this: a person listens to a training that lasts from one to three days, signs a document confirming completion and goes to work. At best, 10% of the knowledge gained stays in their head if it is not applied and practiced.

This is not quite the right approach. Every employee must be aware of and follow the cybersecurity rules. Our approach relies on online learning, as today the easiest way to learn is on the Internet. We have developed an online course that can be downloaded for free if you have fewer than five employees and licensed if you have more. You can track progress in a single control center.

The course contains 32 modules in total. In the "Mail" module, the employee sees a sample letter containing information about potential threats and cybersecurity measures (for example, you must not give out a PIN or CVV code, even if the bank requests them). After the person reads the letter, they are offered a test in a game format. If the employee chooses the correct answer, they are encouraged; if the wrong one, it is explained what they did wrong and why.

Such practical tasks require 15 minutes a week and hardly distract the employee from his main duties.

After the employee completes a training module, a message arrives at the control center and a check is scheduled in a couple of weeks. If the person does not click on malicious links or download questionable programs, then they have learned their lesson.

If the employee makes the same mistakes, then a signal is sent to the control center that the employee needs to repeat the lesson and take the test again. Such training takes place throughout the year, it is very affordable and convenient.

What is the proportion of staff who need to learn the basics, and what is the proportion of those who successfully master the material the first time in the learning process?

According to our statistics, 85% of employees learn everything the first time. I think this program will be useful to everyone. The course was tested on employees of Kaspersky Lab. I have never passed any module 100% correctly, although I have been working in the information security market for 12 years. Some questions only seem easy and simple.

Opening suspicious links is the simplest example. It's no secret that everyone uses social media during working hours. Imagine that a person receives a link to an interesting video from a friend: 99% of people will open it on their work computer, and not at all in safe mode. Nobody knows what will be downloaded along with the video.

About 30% of small businesses outsource cybersecurity issues to non-specialists. What tools should you use to increase your security?

It's already good if such a company has bought a licensed antivirus. Until now, not everyone even uses this. And small businesses need at least a full-time system administrator who would keep all computers running and protect them from viruses and possible attacks.

Antivirus is often viewed as a panacea: since it is there, you don't really need to think about security; supposedly it will do everything by itself.

Unfortunately, this is not so. Antivirus can be compared to a bulletproof iron door. There are keys to it, and if you have lost them or given them to someone, the protection will not work. For companies that are truly concerned about the security of their information, there are higher-level solutions for protecting against targeted attacks. When an attacker purposefully wants to break through the protection, he usually does not use loud methods but works very quietly: he secretly gets to the place where he can obtain the necessary information. It is not profitable for him to be discovered until he has achieved his goal. A very similar situation is observed in cyberspace. In large companies, attackers can wait for months.

Are there more often intentional or unintentional attacks?

We assume that high-quality attacks account for 1% of all threats. But they are very significant: for example, the ExPetr virus was targeted at certain companies and simultaneously hooked thousands of other companies. The world is saturated with information technologies, and people from different structures communicate and interact with each other.

What other measures can be effective when dealing with intentional interference? Is it always realistic to detect this process, or does it happen that they learn about it months and years later?

The process is feasible if you actually do it. There are special services for checking the corporate network. On average, a highly skilled attack takes six months: first the attacker infiltrates the company and looks around, and a few months later, for example, encrypts all computers and simultaneously withdraws money from the accounts.

To protect against targeted attacks, our specialists, if the client wishes, view traffic online, report suspicious activities and ask what to do with them: you can block the actions of the attacker, or you can create an imitation of the infrastructure inside the system to find out the intentions of the attacker. In parallel, experts are investigating and looking for the source of the attack.

Are small or large companies more likely to be the target of such attacks?

Both happen. But to attack a large company, you need to attract professionals, whose work is expensive. And big business has a whole cybersecurity system. For small businesses, the limit of protection is often antivirus. Sometimes, in order to get to a large organization, attackers attack their suppliers.

Often, attacks, not necessarily high-profile ones, come from resentful former employees or possibly contractors. Possibly even unintentionally.

If the company has built a security system, such incidents can be minimized. But in practice there are examples where a dismissed sysadmin's access was not blocked. For example, in a large logistics center a former employee blocked all printers: for almost a day the center could not send or receive goods, since it could not print a single document.

The security measures must stipulate that when an employee is fired, his access to the system is blocked and the passwords of important systems are changed.

There are unique cases: at one financial enterprise the password had to be changed once a month. For ordinary employees this is an unnecessary gesture, and 95% of people entered a password according to the "month and year" scheme. This allowed a former employee to take advantage of the loophole and penetrate the company's internal network.

By the way, one of the modules of Kaspersky Lab's online course is about not setting passwords like "12345", as many people still do.
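The two weak-password patterns just described (the "month and year" scheme bred by forced monthly rotation, and sequences like "12345") can be caught by a policy check at password-change time. The checker below is an added example, not Kaspersky's course material or any product's logic; its function names and the sample passwords are constructed.

```python
"""Flags the predictable password patterns described above: "month and
year" passwords bred by forced monthly rotation, and trivial sequences
such as "12345". Added example with assumed names; the sample
passwords at the bottom are constructed, not real ones."""
import re
from typing import Dict, List, Optional

# Month names an employee is likely to type (English and Russian);
# three-letter forms are derived so "Jul2019" and "July2019" both match.
MONTH_NAMES = [
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "январь", "февраль", "март", "апрель", "май", "июнь", "июль",
    "август", "сентябрь", "октябрь", "ноябрь", "декабрь",
]
MONTH_TOKENS = sorted(set(MONTH_NAMES) | {m[:3] for m in MONTH_NAMES},
                      key=len, reverse=True)  # longest first: "march" before "mar"
MONTH_ALT = "|".join(re.escape(m) for m in MONTH_TOKENS)
YEAR = r"(?:19|20)?\d{2}"   # "19" or "2019"
SEP = r"[\W_]*"             # optional "-", "_", "." between month and year

# "July2019", "july_19", "Июль2019", "2019.july"
NAMED_MONTH_YEAR = re.compile(
    rf"^(?:(?:{MONTH_ALT}){SEP}{YEAR}|{YEAR}{SEP}(?:{MONTH_ALT}))$", re.IGNORECASE)
# "072019", "07.2019", "7-19", "2019.07"
NUMERIC_MONTH = r"(?:0?[1-9]|1[0-2])"
NUMERIC_MONTH_YEAR = re.compile(
    rf"^(?:{NUMERIC_MONTH}{SEP}{YEAR}|{YEAR}{SEP}{NUMERIC_MONTH})$")
DIGITS = "0123456789"


def _is_digit_run(s: str) -> bool:
    """True for consecutive digit runs in either direction: "12345", "98765"."""
    return len(s) >= 4 and (s in DIGITS or s in DIGITS[::-1])


def predictable_reason(password: str) -> Optional[str]:
    """Return why the password is predictable, or None if no known pattern matches."""
    p = password.strip()
    if not p:
        return "empty"
    if len(p) >= 3 and len(set(p)) == 1:
        return "repeated character"
    if _is_digit_run(p):
        return "digit sequence"
    if NAMED_MONTH_YEAR.match(p) or NUMERIC_MONTH_YEAR.match(p):
        return "month-and-year rotation scheme"
    return None


def audit(passwords: List[str]) -> Dict[str, Optional[str]]:
    """Map each candidate password to its finding, for a policy review or a reset check."""
    return {pw: predictable_reason(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed samples: what a monthly-rotation policy tends to produce.
    for pw, why in audit(["July2019", "Июль2019", "07.2019", "12345", "Tr0ub4dor&3"]).items():
        print(f"{pw!r}: {why or 'no known pattern'}")
```

Rejecting these at change time matters more than the rotation interval itself: a policy that forces monthly changes without such a check is what produced the "month and year" passwords in the story above.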

It is necessary to remember the basics of cybersecurity: do not use social networks from a work computer if they are not required for work. Change passwords. Perhaps restrict Internet access for those employees who do not need it directly. Prohibit the use of flash drives and other removable devices.

But ordinary office staff perceive all these measures as a restriction of personal freedom. On the one hand, these measures are correct; on the other, information technology is developing so rapidly that we will never be able to control everything completely. You cannot lock the entire enterprise in a box, because then nothing will work. Even in defense enterprises, where there are closed networks and you cannot use Wi-Fi, Bluetooth or flash drives, there are people who monitor the system and the compliance of all parameters. They get bored of sitting for 12 hours and manage to play a movie or surf the Internet.

A person will always find how to get around restrictions, so the best option is to improve computer literacy.

Business is under constant cyberattacks by cybercriminals aimed at emptying company accounts or stealing customer data. Companies, especially small ones, often save on information security (IS), and half of information security directors are sure that this will be paid for with financial losses.

How can attacks be prevented, and what should you look out for to protect your business? The head of the sales department for small and medium-sized businesses at Kaspersky Lab explains.

Cybersecurity leaders often understand the inevitability of threats but face a lack of budget. How big is the problem, and how can businesses deal with it?

Unfortunately, cybersecurity in Russia is indeed underfunded.

This is likely due to the fact that many business leaders and owners underestimate the scale of losses that cyber incidents can cause.

It is important to soberly assess what losses the company will incur if it is idle for several days, that is, if the website or all corporate computers stop working. Of course, for a flower seller doing bookkeeping in a notebook, a two-day computer outage will not be a serious problem. But access to data is critical for a travel agency, an insurance company, or a retailer that does bookkeeping electronically, delivers goods on credit, and records future payments and debts. These are all real cases from our practice.

The volume of upcoming payments and funds that have not yet arrived in the company's accounts can be 20-30% of the annual turnover.

When an entrepreneur realizes how much he can lose, he has a rough idea of how much he is ready to invest in smooth operation and in preserving the company's intellectual property and reputation, that is, in ensuring cyber and IT security. On the one hand, these calculations are a bit ephemeral: how do you estimate the value of a reputation? On the other hand, they are quite obvious. For example, if an airline cannot sell tickets online, customers won't wait long and will simply buy tickets from another carrier.

Loss of data will lead to difficulties, at least with access to 20-30% of the company's annual turnover

Typically, the cybersecurity and information security budget is 10-15% of the total IT budget. The cost of mobile devices, computers, cartridges and the Internet is on average 30-50 thousand rubles per employee per year. And high-quality protection of one workplace in small and medium-sized businesses costs from 1,000 to 3,500 rubles.

Therefore, saving on IT security is like saving on matches. Office spending on coffee, toilet paper and stationery can be higher.

It is important to understand that protecting your information is a critical cost that should not be neglected.

Small and medium businesses are now under the scrutiny of cybercriminals - in some cases, cyberattacks have even led to bankruptcy of enterprises.

Cybercriminals are looking for ways to infiltrate the organization. Most often, letters are sent to the accounting department for this purpose, and then to the legal, HR and marketing departments.

The emails may contain malware or suggest that you go to a phishing page. After infection, the attackers begin to collect various data: they track keystrokes and mouse movements, study the correspondence, contacts and positions of the senders of letters, and so on.

After examining the processes in the company, attackers can compose a targeted phishing email aimed at a specific employee.

For example, they write to an HR employee asking them to consider a resume, attaching a file in Word format.

Employees use such documents every day, but they may contain an executable script that will launch a virus and begin to encrypt data within the company at every location this employee has access to. Conventional antivirus programs that work only with the signature method cannot catch such ransomware.

Cryptographers are the scourge of the current time. Their activity increases in the fourth quarter of the year, when the most active sales are taking place, and from the end of March to June, when companies file tax reports for the past period. What threats from the competent authorities can there be if you do not file your tax return on time?

Now imagine that all the data on the servers was encrypted, and there is simply no access to accounting and accounting programs.

The company is forced to pay cybercriminals, or inform the tax authorities that it cannot submit reports. Therefore, the ransom amount increases during peak periods.

- Are there statistics on what share of attacked companies agree to pay, and what share tries to decrypt the data and fight the intruders?

It is impossible to recover data without the encryption key after an attack by modern ransomware. Whereas previously there was one universal key for all affected computers, modern malware generates keys for each individual machine.

Protection against ransomware means using not ordinary antivirus but a multilayered cybersecurity system. It should include monitoring of program and user activity, heuristic behavioral analysis, and the ability to completely prevent the launch of the ransomware.

If incoming messages are checked on the mail servers, attachments with malicious files will not even reach the employee's computer.

The second line of defense is at the employee's workstation: application launch control checks every file that is run. The third barrier is web control: the network administrator creates allowlists ("white" lists) of sites in which the permitted resources are listed, and everything else is considered prohibited.

Maximum attention in cybersecurity should be paid to protecting the workstations of the accountant, the lawyer, the CFO and the CEO: the people who have access to the company's money. They are most often the targets of targeted attacks by cybercriminals.

The next level of protection against ransomware is the anti-cryptor, or system monitoring. The anti-cryptor monitors user behavior: if a user suddenly starts encrypting data, which they have never done before, the suspicious activity is suspended and the computer is cut off from the rest of the network. Part of the data is placed in a backup for later recovery. This is how we prevent the development of ransomware attacks on our customers.
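The anti-cryptor described above can be reduced to a small piece of detection logic. The following is an added example written for this page, not Kaspersky's code: it simulates a file-write sensor whose events (process name, path, rename target, bytes written) are an assumed telemetry shape, scores each write on entropy plus an extension change, and suspends a process that rewrites several distinct files that way inside a sliding window. The sample events, including the process names, are constructed.

```python
"""Added example: behaviour-based ransomware ("anti-cryptor") detector.

Illustrative code, not Kaspersky's implementation. Every file write is scored for
high entropy plus an extension change; a process that rewrites too many files that
way inside a short window is suspended and the host isolated. All events are
constructed sample data with an assumed field layout.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

ENTROPY_THRESHOLD = 7.0   # bits/byte; encrypted or compressed data sits near 8.0
MIN_FILES = 5             # distinct files rewritten suspiciously before we act
WINDOW_SECONDS = 60.0     # sliding window per process


@dataclass
class WriteEvent:
    ts: float                 # seconds since sensor start
    process: str              # image name of the writing process (assumed field)
    path: str                 # file being overwritten
    new_path: Optional[str]   # set when the write also renames the file
    data: bytes               # bytes written (the first few KiB is enough in practice)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a uniform buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(ev: WriteEvent) -> bool:
    if ev.new_path is None:
        return False
    return os.path.splitext(ev.path)[1].lower() != os.path.splitext(ev.new_path)[1].lower()


def looks_like_encryption(ev: WriteEvent) -> bool:
    # Entropy alone is a weak signal: .docx/.xlsx/.pdf/.zip are compressed and already
    # near 8 bits/byte, so a rename to a new extension is required as a second signal.
    return extension_changed(ev) and shannon_entropy(ev.data) >= ENTROPY_THRESHOLD


class AntiCryptor:
    def __init__(self) -> None:
        self._recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.suspended: set = set()

    def observe(self, ev: WriteEvent) -> Optional[dict]:
        """Feed one event; return an alert dict when a process crosses the threshold."""
        if ev.process in self.suspended or not looks_like_encryption(ev):
            return None
        window = self._recent[ev.process]
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        touched = sorted({p for _, p in window})
        if len(touched) < MIN_FILES:
            return None
        self.suspended.add(ev.process)   # stop the process, cut the host off
        return {
            "process": ev.process,
            "first_ts": window[0][0],
            "files": touched,            # candidates for restore from backup
            "action": "suspend process; isolate host from network",
        }


def detect(events: List[WriteEvent]) -> List[dict]:
    sensor = AntiCryptor()
    return [a for a in (sensor.observe(e) for e in sorted(events, key=lambda e: e.ts)) if a]


def pseudo_random_bytes(seed: str, n: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return bytes(out[:n])


def make_events() -> List[WriteEvent]:
    """Constructed sample telemetry: normal editing, one archive, one ransomware burst."""
    text = b"Quarterly sales report, Q4. Region North: 1 250 000 RUB. " * 80
    evs = [
        # Word saving a document: high entropy (OOXML is a zip) but no rename -> benign
        WriteEvent(1.0, "WINWORD.EXE", r"C:\Share\report.docx", None, pseudo_random_bytes("docx")),
        WriteEvent(2.0, "notepad.exe", r"C:\Share\notes.txt", None, text),
        # A user zipping one file: entropy plus rename, but a single file -> below threshold
        WriteEvent(3.0, "7z.exe", r"C:\Share\big.csv", r"C:\Share\big.7z", pseudo_random_bytes("7z")),
    ]
    for i in range(6):   # the ransomware burst on a shared folder
        src = rf"C:\Share\Finance\invoice_{i}.xlsx"
        evs.append(WriteEvent(10.0 + i * 0.3, "crypt.exe", src, src + ".locked",
                              pseudo_random_bytes(f"locked{i}")))
    return evs


if __name__ == "__main__":
    for alert in detect(make_events()):
        print(alert)
```

Run it and the burst from `crypt.exe` is reported on its fifth file, while Word saving a `.docx` (already high-entropy because OOXML is a zip) and a single `7z.exe` archive operation stay below the bar; the alert lists the files rewritten so far so they can be restored from backup. Tune `MIN_FILES`, `ENTROPY_THRESHOLD` and `WINDOW_SECONDS` against your own file-server traffic, and remember that the rename requirement will miss ransomware that encrypts in place, which is why the text pairs this layer with application launch control and backups.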

- One of the most notorious pieces of malware is Buhtrap. How can you deal with it?

Buhtrap is a malicious program that gives access to electronic banking and the ability to conduct financial transactions on behalf of a company.

Attackers' attempts to find the people who can carry out such operations are becoming more sophisticated. They infect the sites of specialized media most often visited by accountants and CFOs, and sites visited by company executives and business owners.

In some cases, hackers even create sites with interesting content to attract more specialized users.

- What are the consequences of a Buhtrap infection?

The damage to Russian companies from such malicious programs last year alone is estimated at tens of millions of dollars. Buhtrap can be dealt with, but you need to fight not the consequences of the attack but its original source.

Qualified solutions, such as those from Kaspersky Lab, can detect the malicious news resources through which Buhtrap reaches workstations and block them completely, along with the malware.

- Sometimes cybersecurity in small and medium-sized companies is handled by non-specialists. How can a business leader grasp the importance of this task and hand it over to the right hands?

Specialized solutions for small and medium-sized businesses, for example Kaspersky Small Office Security, protect companies with fewer than 25 workstations. The product includes protection of financial transactions, a password manager, and protection of mobile devices, servers and workstations. It uses technologies that were developed, among other things, for protecting large companies.

The larger segment will be interested in the Kaspersky Security Cloud solution, which is suitable for companies with up to 250 employees.

At the same time, protection can be managed not only from the workplace but from anywhere in the world with Internet access.

That is, an employee can go on vacation to Bali and monitor the company's cybersecurity from there. The console is intuitive and adapted for non-specialists; even the chief accountant or the business owner can work out the settings.

- Can a business rely on free solutions to protect against financial threats?

Like home solutions, they are not suitable for corporate users because they are not designed to protect organizations, while attackers keep improving their methods. Free versions generally include only basic protection against malware: they cannot secure online financial transactions, do not block fraudulent links, do not help control the use of resources and programs, and so on.


How can small businesses protect themselves from malicious attacks and prevent the spread of malware before it becomes a problem?

"We are too small to be a target," many small business leaders say. According to Kaspersky Lab statistics, 58% of the victims of cybercriminals are small businesses, and the average damage from a successful attack on a company in the SMB segment is 4.3 million rubles.

How can small and medium-sized businesses protect their employees from malicious attacks? What protective tools should they use? These questions are answered by a senior product marketing manager at Kaspersky Lab.

- When does the management of an enterprise realize that it needs to take protective measures?

In most cases, after the first incident. Unfortunately, in a small business the priority of IT security becomes very high only after the company has been attacked by ransomware for the first time. A business owner who is not an advanced user will postpone additional costs for as long as he can.

The cost of a mistake is very high. A large organization can reallocate its infrastructure and move on. But if the entire network of a small business goes down from a malware attack, it simply stops providing services: the company's work stops entirely. And competition is very high: according to statistics, half of the small businesses that fall victim to an attack leave the market within six months because they could not restore their resources in time.

In my practice there was a very difficult case. The cybercriminals knew about the gap in the enterprise's cybersecurity, tailored the malware to steal the organization's data and gradually took its clients away. Most likely, they were acting on a tip-off. But the company had some smart people who were able to recognize the targeted attack and save the company; that is extremely rare.

In most cases, attacks are mass attacks, and employees are always the weak link. They look for information on work computers, download the programs they need for work, and may make mistakes. If there is no specialist monitoring this, then no one controls the situation in the company.

Minimal protection for a small business helps to avoid the negative consequences of precisely such mistakes. Imagine you are faced with a phishing attack. If you have 50-100 people in the organization, it does not matter how many of them clicked the link: even one click is enough to infect the network. Small business solutions are designed to stop the spread of malware before it becomes a problem.

- Large companies typically train employees to recognize files and links from cybercriminals in e-mail. Do small companies shield their employees from such threats?

Small businesses spend a lot of time and effort on their core business. Funds are always invested in the areas that can potentially increase the company's revenue. Minimal resources are left for supporting processes, so financing IT and IT security is not a priority, and when choosing these services, ease of use and automatic operation matter. That is, the solutions should require a minimum of attention.

In addition, in small business, staffing issues are always acute. A small firm often has a visiting system administrator rather than a full-time employee. In slightly larger companies, one specialist may be responsible for both IT and information security.

Small and midsize business leaders focus on IT security based on bad experience in this area. If they have a general picture of the spectrum of threats, have encountered such incidents before, or realize the need to protect the company after massive cyberattacks, they will look for protection that works automatically.

Kaspersky Lab offers just such solutions: Kaspersky Endpoint Security for Business. We call these products "install and forget". They provide maximum automatic protection, since small businesses often have no dedicated staff to configure the program.

Protection against phishing e-mails should also be automatic, so that such mailings do not reach users at all.
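The mail-server check mentioned earlier (malicious attachments stopped before they reach the employee's computer) and the automatic phishing protection called for here can be illustrated with a small gateway-side attachment inspector. The code below is an added example for this page, not Kaspersky's product logic: it flags executable and double extensions, a declared type that contradicts the file magic, OOXML documents that carry a VBA project (the "executable script inside a Word file" from the HR example), and archives that hide any of these one level down. The sample attachments are constructed in memory; the "macro" is a placeholder byte string, not real VBA.

```python
"""Added example: structural inspection of e-mail attachments at the gateway.

Not Kaspersky's code. Findings are produced before delivery; a non-empty list
means the message is held. All sample attachments are constructed in memory.
"""
import io
import zipfile
from typing import Dict, List

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".jar"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ZIP_MAGIC = b"PK\x03\x04"
MAGIC = {".pdf": b"%PDF", ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".zip": ZIP_MAGIC}


def _extensions(name: str) -> List[str]:
    """'cv.pdf.exe' -> ['.pdf', '.exe']: every suffix, so double extensions show up."""
    return ["." + part for part in name.lower().split(".")[1:]]


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return human-readable findings; an empty list means deliver."""
    findings: List[str] = []
    exts = _extensions(name)
    final = exts[-1] if exts else ""

    if final in EXEC_EXT:
        findings.append(f"{name}: executable/script extension {final}")
        if len(exts) > 1:
            findings.append(f"{name}: double extension, masquerades as {exts[0]}")
    if final in MACRO_EXT:
        findings.append(f"{name}: macro-enabled Office format {final}")

    expected = MAGIC.get(final)
    if expected and not data.startswith(expected):
        findings.append(f"{name}: content does not match declared type {final}")
    if data.startswith(b"MZ") and final not in EXEC_EXT:
        findings.append(f"{name}: PE executable disguised as {final or 'no extension'}")

    if data.startswith(ZIP_MAGIC):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append(f"{name}: corrupt zip container")
            return findings
        with zf:
            names = zf.namelist()
            # OOXML: a vbaProject.bin part means VBA macros, whatever the extension says
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                findings.append(f"{name}: Office document contains a VBA project (vbaProject.bin)")
            is_office = any(n.startswith(("word/", "xl/", "ppt/")) for n in names)
            if not is_office and depth == 0:          # plain archive: look one level down
                for n in names:
                    if not n.endswith("/"):
                        findings += [f"inside {name}: {f}"
                                     for f in inspect_attachment(n, zf.read(n), depth + 1)]
    return findings


def verdict(name: str, data: bytes) -> str:
    return "quarantine" if inspect_attachment(name, data) else "deliver"


def build_docx(with_macro: bool) -> bytes:
    """Minimal OOXML-shaped zip (constructed stand-in, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder for a VBA project stream")
    return buf.getvalue()


def build_zip(inner_name: str, inner_data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()


SAMPLES: Dict[str, bytes] = {                  # constructed attachments
    "resume.docx": build_docx(False),
    "resume_macro.docx": build_docx(True),      # .docx name, but carries VBA
    "brochure.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "scan.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE renamed to .pdf
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "documents.zip": build_zip("resume.js", b"/* placeholder script */"),
}


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    return {name: verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(verdict(name, data).ljust(10), name, inspect_attachment(name, data))
```

A production gateway would also enforce size limits and a recursion cap before opening archives (zip bombs), treat password-protected archives as a finding in themselves, and handle legacy OLE `.doc`/`.xls` binaries, which have no `vbaProject.bin` entry to look for; signature and sandbox scanning then run on whatever survives these structural checks.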

- Are employees in small companies more likely to receive such letters than in large businesses?

There is a dangerous misconception among small business leaders that they are not a target for cybercriminals, not a tidbit for them. But according to statistics, small and medium-sized companies are the victims of organized criminal groups in 50% of cases. In global indiscriminate attacks like WannaCry, everyone gets hit: corporations, small firms and private users.

Targeted attacks are more relevant to large enterprises, where attackers understand the size of their potential prey. But I remember cases when such attacks were carried out against online stores and medium-sized wholesale companies.

The chance of an attack increases if attackers somehow find out that the company does not engage in information and cyber security, which is often what they count on with small businesses.

- Do these entrepreneurs leave IT security to visiting contractors or a single employee, or is the role of automatic protection growing?

In a microbusiness, IT is often handled by the most tech-savvy person, whose main job is something else, sometimes even logistics or sales. If it turns out that a person understands information systems, then he takes on, among other things, the protection of computers and cybersecurity. The minimum he needs to do is install antivirus software. And he needs business solutions, not home protection.

These are solutions that the average user would not understand, but an advanced level of IT literacy is enough to set up this protection.

In a larger company, where there is a visiting or even in-house admin, there is also a requirement for control. That is, the enterprise realizes that it needs to implement minimum security policies in order to understand what is happening and to reduce the range of risks and threats. We are ready to offer more and more advanced solutions as the company matures.

- Is it more profitable to use cloud protection than the services of a regular visiting specialist?

An IT specialist still needs tools: this solution does not replace him but becomes the means by which he protects the organization. Kaspersky Small Office is a do-it-yourself solution. With it, an organization can protect itself from current threats without yet resorting to the help of a professional.

- What is the key difference of Endpoint Security Cloud, and what are the benefits of a cloud solution?

Non-cloud protection is installed on a server, and this requires a narrow-profile specialist. You need to be technically competent to deploy an endpoint solution on a server, install the agents, connect all of this, set up a security policy, and so on. A cloud solution gets you protection quickly: you do not need to buy a server and maintain it, so there are no costs for maintaining hardware. You save staff time and money.

The cloud solution is downloaded and installed in a few minutes; the whole task takes no more than an hour. The main advantage of this method is speed: the protection takes effect within minutes.

Our solutions for small businesses are simplified as much as possible from the management point of view. Small Office Security does not require you to go to the web console at all. In Kaspersky Endpoint Security Cloud the console is greatly simplified: all settings are applied automatically to new devices connected to protection, although the admin can add something manually if desired. Moreover, both solutions are cloud-based and require no hardware or server.

- As a rule, do more advanced organizations turn to such solutions, or not necessarily?

The maturity of the organization, of the leader and of the IT specialist, if there is one, matters here. In general, the level of IT competence in Russia is quite high. An organization as a whole may strive for a modern infrastructure: some companies are abandoning their own hardware in order to be more flexible and dynamic.

Cloud solutions are very easy to scale. If you open a new point of sale or a new office, you can protect it with Kaspersky Endpoint Security Cloud in a matter of minutes. The speed at which your business scales and grows is not tied to your own infrastructure. Offices can be scattered across the country, and you do everything remotely because all the solutions are in the cloud. Companies that are geared toward growth and understand the issues of scaling choose the cloud from the start, because traditional solutions will not let them change so quickly.

- What other important trend do you see in small business security?

Another trend is work on mobile devices. Large organizations have corporate mobility programs: they buy devices centrally and install collaboration tools, security tools and so on on them. All of this is controlled by the security officer, and it is, in principle, impossible to connect anything else to the company's infrastructure.

In a small business, no one knows whether a device is personal or not. A person chooses the most convenient gadget to do his work faster and more efficiently. We are ready to support such enterprises and provide protection for mobile devices as well. If the company is not yet using cloud protection, it can be connected later. And it does not matter where the person is: all the protection can be installed remotely.

"The mobile device is becoming a surveillance tool, and that surveillance is essentially legalized by the company." How do employees' personal smartphones and laptops create a breach in business security?

Small companies cannot always afford to purchase all the gadgets their employees need, such as work smartphones and laptops. At the same time, the use of personal devices for work is encouraged so that the employee is always in touch.

This is how the trend called BYOD (bring your own device) arose, and it is spreading more and more in small and medium-sized businesses.

"Thanks to BYOD, the company saves a lot of money on purchasing and maintaining hardware and eliminates the risk of loss of and damage to mobile devices. And this is significant money," comments Viktor Chebyshev, antivirus expert at Kaspersky Lab.

However, the BYOD concept itself is controversial. Access of an employee's personal device to the company's internal perimeter is convenient for the employee but creates risks of data leakage and uncontrolled access to information.

In this case, the BYOD approach is a complicating factor and can become an entry point into the company for cybercriminals. Therefore, the organization needs to configure access and control entry in a way that will not always be convenient for the user.

To mitigate the risks of BYOD, many data protection measures have to be taken. Personal gadgets of staff are, as a rule, less protected than corporate ones and more susceptible to cyber threats and loss. According to a Kaspersky Lab study, 35% of SME companies (with 1 to 249 employees) have encountered malware infections of gadgets that their employees used, among other things, for work. Employees of 28% of organizations lost personal devices and media containing corporate information: smartphones, laptops, external hard drives, flash drives. And the average damage from a successful attack on a company in the small and medium-sized business segment was estimated at 4.3 million rubles.

Personal devices of employees in business: what is the danger?

The severity of the threats depends on how the company's IT department monitors the security of employees' mobile devices. Several solutions can be used here:

1. MDM profiles. Mobile Device Management is a set of services and technologies that provide control and protection of the gadgets of the company and its employees. One part of MDM is installed on the employee's gadget, and the other is a "control center" for remote device management.

2. Restriction policies. Not all employees need access to every resource. For example, why would an accountant go to social networks from a work device? This can be dangerous if the gadget contains confidential documents and the employee accidentally clicks a malicious link. Therefore, flexible configuration of access rights to social networks and other programs and resources is a very important and necessary decision.

3. Antivirus with centralized management that protects against malware. Such solutions let you immediately cut an infected device off from the company's infrastructure and investigate the incident.

If none of these methods are practiced, the company faces significant cybersecurity risks, warns Viktor Chebyshev. According to him, when a mobile device is infected, several scenarios are possible:

1. The malware collects all the data from the mobile device; in effect, it spies. It can intercept important files in the device's memory, record conversations with the built-in microphone, take pictures with the cameras, and so on. The mobile device becomes a surveillance tool, and this surveillance is essentially legalized by the company.

2. The malware establishes a so-called tunnel. A mobile phone has two network interfaces: Wi-Fi and 3G/4G/LTE. An attacker from anywhere in the world can gain access to the company's internal infrastructure through these interfaces, since the phone is constantly online and the company's internal Wi-Fi networks are open to BYOD devices. The consequences of such an infection can be arbitrarily grave.

Controlling data on laptops is a separate conversation. Unprotected information on a personal computer that can be lost at the airport or forgotten in a coffee shop is a typical IT nightmare.

To avoid this threat, a number of companies allow employees to work only on office computers with severely limited data transfer capabilities and USB ports disabled for flash drives. But this approach will not work in a BYOD-oriented company, warns Viktor Chebyshev. Protection implies restrictions that not every user will accept.

How can entrepreneurs secure corporate information on personal gadgets?

There are several basic data protection techniques that should be applied under the BYOD concept. "You should not neglect them: the price of negligence can be incomparable with the price of even a complete set of protection," says Viktor Chebyshev.

In no case should you neglect the protection of mobile gadgets (in addition to the main working devices, the computers). Protect computers, file servers, tablets and smartphones from Internet attacks, online financial fraud, ransomware and data loss with comprehensive protection. Such protection is provided, for example, by Kaspersky Small Office Security, designed specifically for small companies with up to 25 employees, or by Kaspersky Endpoint Security Cloud, which helps protect small businesses without putting additional strain on IT resources, time and finances.

Activate the special Anti-Theft module for Android devices as part of comprehensive protection. It lets you remotely lock a lost device, erase the data on it or locate it on a map.

Use full or partial encryption of corporate data. Then, even if a laptop or USB drive is lost or stolen, the information on it cannot be accessed without the password.

Backup technology will save your business. With a backup you will always have a spare copy of the most up-to-date version of valuable working information in the event of, for example, a successful ransomware attack.

System administrators should always know which devices employees use for work and have a remote "kill switch" (remote control) for the corporate data on such devices in case a device is lost or stolen or its owner leaves the company.

But in general, you should not let secret documents leak outside the company's perimeter at all, even to cloud storage such as Yandex.Disk and Google Drive; then nothing will have to be destroyed.

To secure correspondence on corporate topics in personal messengers, a few recommendations can be given. First, the latest version of the operating system must be installed on the mobile device. Second, always use a security solution; otherwise, the device must not be allowed into the company's perimeter.

Countermeasures include solutions from the Kaspersky Security for Business line and Kaspersky Small Office Security. They include equally effective protection for corporate and personal computers and for mobile devices, which is especially important for small businesses. Kaspersky Small Office Security lets owners focus on running their business, because it is easy to use and requires no specialized IT administration knowledge to secure a company's network.

Will using employees' personal devices become more secure for the company?

The technical side of cybersecurity under the BYOD concept will improve, and more and more companies will refuse to purchase devices, Viktor Chebyshev is sure. Most likely, only companies that use specific mobile devices, such as shockproof and waterproof ones, will follow the old approach.

"The logic of device profiles on mobile operating systems is likely to become more complex. That is, the mobile device itself will decide that the owner is at work at the moment and block activities that carry a risk of infection, or the device's access to places that are prohibited for it. At the same time, the mechanisms for controlling personal devices on the enterprise network are evolving, and in the foreseeable future machine learning solutions will be introduced that detect anomalies from BYOD devices. Such systems are the future," concludes the Kaspersky Lab antivirus expert.

2019

Information security priorities of SMB

Companies in the SMB segment are drawn to the cloud, to a service consumption model based on the MSSP (Managed Security Service Provider) model. This helps them significantly reduce operating costs in information security.

Now some vendors offer their clients cloud information security services on a subscription model. In my opinion, medium and small businesses will move to precisely this service model of information security, notes Dmitry Livshits, General Director of Digital Design.

The service model of information security consumption is becoming more and more in demand among small and medium-sized businesses, since these companies cannot afford a large staff of security specialists.

According to Vladimir Balanin, Head of the Information Security Department at I-Teco Group, the SMB segment is becoming the main consumer of service providers that deliver their services together with integrated information security services: there are no costs for administering, monitoring and maintaining one's own infrastructure, and the risks of regulatory requirements are borne by the service provider itself.

At the same time, the Russian market currently has a very limited supply of information security offerings for SMEs. According to Andrey Yankin, Director of the Information Security Center at Jet Infosystems, almost all services are aimed at large customers. Standardized and inexpensive, yet not primitive, information security services for SMB practically do not exist, he says, although in a number of other countries this market is well developed.

At the same time, with the development of the managed information security services segment and the prospects for a cyber risk insurance market, this category of customers will receive measures adequate to modern threats.

In the meantime, SMB companies implement basic IT security and rarely rise to the level of business processes.

According to Dmitry Pudov, Deputy General Director for Technologies and Development at Angara Technologies Group, SMB representatives, given their budgets, have practically no access to high-tech or complex solutions. This is due not so much to the cost of the solutions as to the OPEX they carry.

The main solutions that SMB customers purchase are antivirus and software firewalls, says Yakov Grodzensky, head of information security at System Soft. In addition, companies in this segment are actively interested in information security audits and penetration testing, because such organizations do not always employ a dedicated information security specialist, let alone pentesters.

Vyacheslav Medvedev, leading analyst at Doctor Web, adds that surveys of medium-sized businesses have shown that such companies have no funds for security solutions beyond the basic ones.

Cybersecurity priorities of large business

It is always important for shareholders, owners and top management to have an objective picture of information security and of the technological processes within the organization, so the overall level of information security maturity in companies grows every year. However, some large organizations still lack elementary order in the business processes that support the operation of their information systems, which can lead to chaos in information security. Therefore, the main priority for large companies is to solve these problems, says Nikolay Zabusov, Director of the Information and Network Security Department at Step Logic.

In addition, big business focuses on meeting the requirements of regulators and internal standards, trying to create a more or less uniformly protected infrastructure. Industry standards in information security are being developed and implemented in many corporations.

Large commercial companies have in fact faced a choice: to follow the path of digital transformation, or to work without changing their business paradigm. But in the second case, sooner or later they will have to cede their market positions to competitors who have shown greater flexibility.

Among the priorities for the enterprise segment, I would point out, on the one hand, increasing the efficiency of using classic information security solutions and, on the other, introducing new types of threat protection tools as part of digitalization projects. The latter is very important, since security restrictions are often one of the main reasons for slow progress along the path of digital transformation, notes Oleg Shaburov, Head of the Information Security Department at Softline.

From the point of view of practical security, the vector is increasingly shifting from preventing attacks to detecting and responding to them, says Andrey Zaikin, head of information security at Krok. As a result, relatively young classes of solutions are becoming more popular and in demand: EDR and IRP. Automated response systems have various sets of playbooks and scripts and can block attempts to spread threats.

Cybersecurity services

SMB companies that understand how critical information security is for their business are following the path of service models.

Introduction

Business leaders must understand the importance of information security and learn to predict and manage trends in this area.

Today's business cannot exist without information technology. It is known that about 70% of the world's total gross product depends in one way or another on information stored in information systems. The widespread introduction of computers has created not only well-known conveniences but also problems, the most serious of which is information security.

Along with controls for computers and computer networks, the standard pays great attention to the development of a security policy, work with personnel (hiring, training, dismissal), ensuring the continuity of the production process, and legal requirements.

Undoubtedly, the topic of this term paper is very relevant in modern conditions.

The object of the term paper: the information security of the organization's professional activity.

Research subject: information security.

In the term paper, it is planned to create a draft management decision on organizing information security on the basis of a real organization.

Chapter 1. Information security of professional activity

Information security is a relatively new field of professional activity. Its main goals are:

Ensuring protection from external and internal threats in the formation, distribution and use of information resources;

Prevention of violations of the rights of citizens and organizations to maintain confidentiality and secrecy of information;

Providing conditions that prevent deliberate distortion or concealment of information in the absence of legal grounds for this.

The customers of specialists in this field are:

Federal bodies of state power and administration of the Russian Federation;

State authorities of the constituent entities of the Russian Federation;

Government agencies, organizations and enterprises;

Defense industry;

Local government bodies;

Non-governmental institutions, organizations and enterprises of all forms of ownership.

The appearance in the free, albeit illegal sale of the company's customer database cellular MTS again and again forces us to address the problem of computer security. It looks like this topic is inexhaustible. Its relevance is the more, the higher the level of computerization of commercial firms and non-commercial organizations. High technologies, playing a revolutionary role in the development of business and practically all other aspects of modern society, make their users very vulnerable from the point of view of information and, ultimately, economic security.

This is a problem not only in Russia, but in most countries of the world, primarily Western ones, although there are laws that restrict access to personal information and impose strict requirements for its storage. The markets offer various systems for protecting computer networks. But how to protect yourself from your own “fifth column” - unscrupulous, disloyal, or simply careless employees who have access to classified information? The scandalous leak of the MTS client database could not have happened, apparently, without collusion or criminal negligence of the company's employees.

It seems that many, if not most, entrepreneurs simply do not understand the seriousness of the problem. Even in countries with developed market economies, according to some studies, 80% of companies do not have a well-thought-out, planned system for protecting storage and operational databases. What can we say about us, who are accustomed to relying on the famous "maybe".

Therefore, it is worth turning to the topic of the dangers of leaks of confidential information and talking about measures to reduce such risks. A publication in the Legal Times (October 21, 2002), a periodical devoted to legal issues (Mark M. Martin, Evan Wagner, "Vulnerability and Information Security"), will help us in this. The authors list the most typical types and methods of information threats. Which ones?

Declassification and theft of trade secrets. Everything is more or less clear here. Classic economic espionage dating back to ancient history. Whereas previously secrets were kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases, often containing very sensitive information, for example, the same customer data.

Dissemination of compromising materials. Here the authors mean the intentional or accidental use by employees, in electronic correspondence, of information that tarnishes the company's reputation. For example, the company's name appears in the e-mail domain of a correspondent who allows himself defamation, insults and, in short, anything that can compromise the organization, in his letters.

Infringement of Intellectual Property. It is important not to forget that any intellectual product produced in an organization belongs to the organization and cannot be used by employees (including generators and authors of intellectual values) except in the interests of the organization. Meanwhile, in Russia on this occasion, conflicts often arise between organizations and employees, claiming the intellectual product they have created and using it in their personal interests, to the detriment of the organization. This often happens due to the vague legal situation at the enterprise, when the labor contract does not contain clearly defined rules and regulations outlining the rights and obligations of employees.

Dissemination (often unintentional) of inside information that is not secret, but could be useful to competitors. For example, about new vacancies in connection with the expansion of the business, about business trips and negotiations.

Visits to competitors' sites. Now more and more companies use programs on their open sites (in particular, designed for CRM), which allow you to recognize visitors and track their routes in detail, record the time and duration of their viewing of the site pages. It is clear that if your visit to a competitor's website is known in detail to its operator, then it is not difficult for the latter to conclude what exactly interests you. This is not a call to abandon a critical channel of competitive information. Competitor websites have been and remain a valuable source for analysis and forecasting. But when visiting sites, you must remember that you leave traces and you are also being watched.

Abuse of office communications for personal purposes (listening to and watching music and other content not related to work, loading down an office computer) does not pose a direct threat to information security, but it creates additional load on the corporate network, reduces efficiency, and interferes with the work of colleagues.

And finally, external threats - unauthorized intrusions, etc. This is a topic for another serious conversation.

How can you protect yourself from internal threats? A 100% guarantee against damage that may be caused by one's own employees simply does not exist. This is the human factor, which does not lend itself to complete and unconditional control. At the same time, the authors mentioned above give useful advice: develop and implement a clearly formulated communication (or information) policy within the company. Such a policy should draw a clear line between what is and is not permissible in the use of office communications. Crossing that line leads to punishment. There should be a system for monitoring who uses the computer networks and how. The rules adopted in the company must comply with both national and internationally recognized standards for the protection of state and commercial secrets and of personal, private information.


Chapter 2. Information security of professional activity in LLC "Laspi"

2.1. A brief description of LLC "Laspi"

LLC "Laspi" was established in 1995 as a representative office of a Czech company in Russia. The company is engaged in the supply of Czech equipment and Supplies for the production of various concrete products (from paving slabs and ending with fences, flowerpots, etc.). The equipment is of high quality and reasonable cost. Customers contacting the Samara office are organizations from various cities of Russia and the CIS (Kazan, Ufa, Izhevsk, Moscow, Nizhny Novgorod, etc.). Naturally, such a large-scale activity requires special attention to information security within the company.

Information security today leaves much to be desired. Various documentation (technical, economic) is in the public domain, which allows almost any employee of the company (from the founder to the driver) to familiarize himself with it without hindrance.

Critical records are kept in the safe. Only the director and his secretary have the keys to the safe. But here the so-called human factor plays an essential role. Often, the keys are forgotten in the office on the table and the safe can be opened even by a cleaning lady.

Economic documents (reports, invoices, etc.) are arranged in folders on the shelves of a cabinet that cannot be locked.

When hired, employees do not sign any non-disclosure agreement covering information that constitutes a trade secret, so nothing prohibits them from distributing such information.

The recruitment of employees is carried out through an interview consisting of two stages: 1. communication with the immediate supervisor (at which the skills and abilities of the potential employee are revealed); 2. communication with the founder (more personal in nature; the conclusion of such a dialogue is either "we will work together" or "we will not work together").

All this requires closer attention from the management and a competent program to ensure the information security of the company, because today Laspi LLC has a lot of competitors who are unlikely to miss the opportunity to take advantage of, for example, the company's client base or supplier base.

2.2. Project of a management solution to ensure information security of professional activities of Laspi LLC.

An important place in the system of organizational, administrative, legal and other measures that make it possible to solve the problems of information support for scientific, industrial and commercial activities, the physical safety of material carriers of classified information, the prevention of their leakage and the preservation of commercial secrets is occupied by an authorization (permit) system governing the access of performers to classified documents and information.

Taking into account the Law of the RSFSR "On enterprises and entrepreneurial activity", the head of an enterprise (firm), regardless of its form of ownership, may establish special rules of access to information constituting a commercial secret and to its carriers, thereby ensuring their safety.

In the system of security measures, the optimal distribution of production, commercial and financial-credit information constituting the secret of the enterprise among the specific performers of the relevant work and documents is of essential importance. When distributing information, on the one hand, it is necessary to ensure that a specific employee is provided with the full amount of data needed for high-quality and timely performance of the work entrusted to him, and on the other hand, to exclude the performer's acquaintance with classified information that he does not need for his work.

In order to ensure lawful and reasonable access of performers to information constituting a commercial secret of the company, it is recommended to develop and implement an appropriate authorization system at enterprises.

Access is understood as obtaining written permission from the head of the company (or, with his approval, from other executives) to issue specific classified information (or all of it) to an employee, taking into account his official duties (official powers).

Access to commercial secrets (CT) can be formalized in accordance with a Regulation on the authorization system of access, approved by the director, in which the powers of the company's officials to distribute and use information are legally fixed. The head of the organization may authorize the use of any protected information by any employee of the enterprise, or by a person who has come to the facility from another organization to resolve some issue, provided that this information is not subject to restrictions on familiarization imposed by production and commercial partners in joint work, etc. So, in LLC "Laspi" it is recommended to restrict access to information constituting a commercial secret (contracts with suppliers and customers, final reports on transactions) to the following employees:

1. founder of the company.

2. director of the company.

3. secretary to the director.

Only the founder and director of the firm can authorize access to information to other employees.

All of the above employees and managers who conduct these transactions should have access to information about current transactions with clients.

Initial information on the purchase prices of equipment should be similarly limited. Only the founder and the director of the company have access to it; they provide the rest of the employees only with the already worked-out prices (with various "markups"). The secretary, who maintains the entire document flow in the organization, also has access.

Effective work of the permitting system is possible only if certain rules are observed:

1. The authorization system, as a mandatory rule, includes a differentiated approach to authorizing access, taking into account the importance of classified information in relation to which the issue of access is being decided.

2. A documentary reflection of the issued permission for the right to use one or another protected information is required. This means that the manager who has given permission for the right to use must obligatorily record it in writing on the corresponding document or in the accounting form in force at the enterprise. Any verbal instructions and requests for access from anyone (with the exception of the head of the enterprise) are not legally binding. This requirement also applies to managers at all levels working with classified information and its carriers. Thus, only the written permission of the head (within the limits of authority) is a permission for the issuance of protected information to a particular person.

3. The principle of control should be strictly observed. Each permit must have the date of its registration and issue.

A traditional and widespread form of permission is the head's resolution written on the classified document itself. Such a resolution must contain the names of the employees who are obliged to familiarize themselves with the document or execute it, the deadline for execution, other instructions, the signature of the manager and the date. The manager can, if necessary, restrict the access of specific employees to certain information.

The resolution, as a type of permission, is used mainly for the prompt delivery to interested parties of classified information contained in documents and products received from outside and created at the enterprise.

The head of the enterprise may grant access in administrative documents: orders, directives and instructions for the enterprise. These must contain the names and positions of the persons and the specific classified documents and products to which they may be admitted (with which they may be familiarized).

Another type of permit is the name list (list by surname) of persons entitled to familiarize themselves with classified documents and products and to perform actions with them. Name lists are approved by the director of the enterprise or, in accordance with the current authorization system, by managers who, as a rule, hold positions not lower than heads of the relevant departments.

Name lists can be used when organizing access to classified documents and products of particular importance to the enterprise, when registering access to restricted areas, and for various kinds of closed events (conferences, meetings, exhibitions, meetings of scientific and technical councils, etc.). A name list may identify specific managers whom the head admits to all closed documents and products without separate written permissions. The list indicates the full name of the performer of the work, the department, the position held, and the categories of documents and products to which the person is admitted. In practice, job lists are also used; these indicate the position of the performer and the volume (categories) of documents and the types of products that employees holding the listed position must use. It should be noted that for enterprises with a small volume of classified documents and products, it may be sufficient to use such types of permission as the head's resolution on the document itself, name lists and job lists.

Organizationally, name lists should be prepared by the interested heads of structural units. The list of employees included is endorsed by the head of the security service and approved by the head of the enterprise, who may delegate approval rights to other members of management.

The permitting system must meet the following requirements:

· Apply to all types of classified documents and products available at the enterprise, regardless of their location and creation;

· Determine the access procedure for all categories of employees who have received the right to work with commercial secrets (CT), as well as for specialists who have temporarily arrived at the enterprise in connection with joint closed orders;

· Establish a simple and reliable procedure for issuing permits for access to protected documents and products, which allows you to immediately respond to changes in the field of information at the enterprise;

· Clearly delineate the rights of managers of various job levels in the design of access for the relevant categories of performers;

· Exclude the possibility of uncontrolled and unauthorized issuance of documents and products to anyone;

· Not allow persons working with classified information and products to make changes to the accounting (registration) data or to replace accounting documents.
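The permit rules above (written permission only, dated, granted only by the founder or director, differentiated by the importance of the information, and a register that those working with the information cannot alter) can be checked mechanically. The following is an added example, not text or code from the term paper: a small Python model of such a permit register. The staff names, document categories, importance levels and the mapping of permit forms (resolution, order, name list, job list) to levels are constructed for illustration.

```python
"""Model of a written-permit (authorization) register for trade-secret documents.

Added example; the staff directory, categories and levels are constructed.
Rules encoded: only the founder and director may grant; every permit is a
dated written record citing the document it is fixed in (verbal permission is
refused); permit forms are differentiated by importance level; the register is
append-only, so revocation is a new record and nothing is edited in place.
"""
from dataclasses import dataclass
from datetime import date

STAFF = {  # constructed: name -> role
    "A. Ivanov": "founder",
    "B. Petrov": "director",
    "V. Sidorova": "secretary",
    "G. Kuznetsov": "manager",
}
GRANTING_ROLES = {"founder", "director"}

CATEGORY_LEVELS = {          # differentiated approach: importance level per category
    "purchase_prices": 3,    # initial supplier prices, the most sensitive
    "contracts": 2,          # contracts with suppliers and customers
    "final_reports": 2,      # final reports on transactions
    "current_deals": 1,      # current transactions with clients
}
PERMIT_FORM_MAX_LEVEL = {    # highest level each permit form may cover (assumption)
    "resolution": 3,         # head's resolution on the document itself
    "order": 3,              # administrative order or directive
    "name_list": 3,          # approved list of named persons
    "job_list": 1,           # list by position: lowest level only
}


@dataclass(frozen=True)
class Record:
    grantor: str
    grantee: str
    category: str
    form: str
    document_ref: str        # the written document the permission is fixed in
    on: date                 # date of registration and issue
    revoked: bool = False    # a revocation is a new record, never an edit


class PermitRegister:
    """Append-only register; existing records are never modified or deleted."""

    def __init__(self) -> None:
        self._records: list[Record] = []

    def grant(self, grantor, grantee, category, form, document_ref, on) -> Record:
        if STAFF.get(grantor) not in GRANTING_ROLES:
            raise PermissionError(f"{grantor} is not entitled to authorize access")
        if not document_ref:
            raise ValueError("permission must be fixed in a written document")
        level = CATEGORY_LEVELS[category]
        if PERMIT_FORM_MAX_LEVEL[form] < level:
            raise ValueError(f"a {form} cannot cover level-{level} information")
        rec = Record(grantor, grantee, category, form, document_ref, on)
        self._records.append(rec)
        return rec

    def revoke(self, grantor, grantee, category, document_ref, on) -> Record:
        if STAFF.get(grantor) not in GRANTING_ROLES:
            raise PermissionError(f"{grantor} is not entitled to revoke access")
        rec = Record(grantor, grantee, category, "order", document_ref, on, revoked=True)
        self._records.append(rec)
        return rec

    def may_issue(self, grantee, category, on) -> bool:
        """Is there a written, non-revoked permit covering grantee/category on this date?"""
        active = False
        for rec in self._records:  # insertion order is chronological
            if rec.grantee != grantee or rec.category != category or rec.on > on:
                continue
            active = not rec.revoked
        return active

    def records(self) -> list:
        return list(self._records)


def try_grant(register, *args) -> str:
    """Return 'granted' or the refusal reason, so refusals can be inspected."""
    try:
        register.grant(*args)
        return "granted"
    except (PermissionError, ValueError) as exc:
        return str(exc)


def demo() -> dict:
    """Walk through the cases from the text on constructed data."""
    reg, out = PermitRegister(), {}
    out["secretary_contracts"] = try_grant(reg, "B. Petrov", "V. Sidorova", "contracts",
        "resolution", "resolution on contract No. 12 (constructed)", date(2024, 1, 10))
    out["manager_grants"] = try_grant(reg, "G. Kuznetsov", "V. Sidorova", "current_deals",
        "order", "order No. 3 (constructed)", date(2024, 1, 11))   # not a granting role
    out["verbal"] = try_grant(reg, "B. Petrov", "G. Kuznetsov", "current_deals",
        "order", "", date(2024, 1, 11))                             # no written document
    out["job_list_prices"] = try_grant(reg, "A. Ivanov", "G. Kuznetsov", "purchase_prices",
        "job_list", "job list for managers (constructed)", date(2024, 1, 12))
    out["before_permit"] = reg.may_issue("V. Sidorova", "contracts", date(2024, 1, 9))
    out["after_permit"] = reg.may_issue("V. Sidorova", "contracts", date(2024, 2, 1))
    reg.revoke("B. Petrov", "V. Sidorova", "contracts", "order No. 5 (constructed)", date(2024, 3, 1))
    out["before_revocation"] = reg.may_issue("V. Sidorova", "contracts", date(2024, 2, 15))
    out["after_revocation"] = reg.may_issue("V. Sidorova", "contracts", date(2024, 3, 2))
    out["record_count"] = len(reg.records())
    return out
```

Refused grants leave no trace in the register, while a revocation does: this is what makes the register usable as the accounting document the text requires, and why `may_issue` is evaluated against a date rather than against a mutable flag.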

When developing a permitting system, special attention should be paid to highlighting the main information that is especially valuable for the enterprise, which will ensure strictly limited access to them. In the presence of joint work with other enterprises (organizations), foreign firms or their individual representatives, it is necessary to provide for the procedure for access of these categories to the commercial secrets of the enterprise. It is advisable to determine the order of interaction with representatives of service government organizations: technical supervision, sanitary and epidemiological station, etc.

In the Regulation on the authorization system of the company, it is necessary to indicate that the transfer of classified documents and products from one performer to another is possible only within a structural unit and with the permission of its head. The transfer and return of such documents and products is carried out according to the procedure established by the company and only during the working hours of the given day.

All classified documentation and products received and developed by the enterprise are accepted and taken into account by the middle management and the secretary. After registration, the documentation is submitted for consideration to the head of the enterprise against receipt.

In the Regulation on the authorization system of the company, it is necessary to indicate that closed meetings on business matters are held only with the permission of the head of the company or his deputies. Special requirements may apply to meetings of academic councils, meetings to review the results of R&D and of financial and commercial activities, etc. For such events, it is recommended to draw up permit lists without fail and to include in them only those employees of the enterprise who are directly related to the planned events and whose participation is required by official necessity.

As noted above, employees of other firms may take part in closed meetings only with the personal permission of the firm's management. As a rule, the lists are prepared by the person responsible for organizing the meeting, in contact with the interested heads of structural units. The list is the basis for controlling admission to the meeting. Before the meeting begins, those present are warned that the information discussed is classified and may not be disseminated beyond the circle established by the company, and are instructed on how to keep notes.

It is important to emphasize that the establishment at a company of a certain procedure for handling classified information and products significantly increases the reliability of protection of trade secrets, reduces the likelihood of disclosure, loss of carriers of this information.

To ensure the safety of the documents, it is proposed to purchase the appropriate furniture, which allows the documents to be securely locked. It is also necessary to seal the cabinets every day, before leaving.

Keys to the safe and cabinets must be handed over to the security service against signature. It is also recommended to purchase a special key box for storing the keys and to seal it in the same way.

Particular attention should be paid to the security of computer information. In LLC "Laspi" today several databases have been created: clients of the company (indicating not only their work addresses and phone numbers, but also home, as well as personal information); a database containing prices and characteristics of the supplied equipment; database of employees of the organization. The computer also stores various contracts, agreements, etc.

In any case, it is highly undesirable for this information to fall into the hands of competitors. To prevent this, it is recommended to set passwords for access to each database (the software tools allow this). When booting a computer, it is also recommended to set up two-level protection: a password at BIOS level and a password at the level of the Windows 2000 operating system, which, unlike previous versions of this operating system, does not allow passwordless access to the contents of the hard drive. Naturally, passwords should be known only to those company employees who directly work with these databases (the secretary, managers, programmers).

If any problem arises with a computer that requires calling in a third party, the equipment repair process must be fully supervised. It is precisely at such a moment, when all passwords are removed and the outside programmer has free and unimpeded access to the contents of the hard disk, that he can extract information and later use it for various purposes.

It is necessary to constantly update antivirus software in order to prevent the entry and spread of viruses in computers.

Particular attention should be paid to the issues of hiring new employees. Today, many organizations practice a toughened approach to this process, which is associated with the desire to preserve information within the company and not allow it to go beyond it due to the "human factor".

Whereas recruitment is currently carried out in two stages (summarized above), four stages are proposed here.

1. Conversation with the head of the personnel department. The head of the personnel department gets acquainted with the candidate, his resume, asks questions about his professional activities, making preliminary notes. This stage is professional in nature. Then the head of the personnel department analyzes the information received from the candidates and passes it on to the head.

2. Conversation with the manager. The manager gets acquainted with the candidates' resumes and the notes about them made by the head of the personnel department, chooses the most suitable ones and invites them for an interview. The interview is personal in nature and involves non-standard questions (for example, what the person likes to eat, what his hobby is, etc.). In this way the manager obtains information for deciding how suitable this person is for him and predicts the possible problems he may encounter when communicating with this candidate.

3. Testing. Here the level of intelligence of the employee is already determined, his psychological portrait is drawn up on the basis of various tests. But first, you need to determine how the manager and colleagues want to see the new employee.

4. Security service. This involves two stages: a) checking the candidate with various bodies (whether he has been prosecuted, served time in places of detention, is registered at a drug treatment clinic, and whether the information he gave about previous jobs is true); b) checking on special equipment, most often called a "lie detector". At the second stage, it is determined how loyal the employee is to the company and how he reacts to provocative questions (for example, what he would do if he found out that one of his colleagues takes documents home), etc.

And only after the candidate has passed all these four stages, it is possible to make a decision - whether to hire him or not.

After a positive decision is made, a probationary period is set for the employee (according to the legislation of the Russian Federation, it can vary from 1 month to three, but it is recommended not less than 2 months, and preferably 3). During probationary period management and security service should keep an eye on the new employee, observe his activities.

In addition, immediately upon hiring, it is necessary, along with the conclusion of an employment contract, the signing of an agreement on non-disclosure of commercial secrets. Recommended clauses of this agreement:

This is not a complete list of what may be included in the agreement.


Conclusion

Today, the issue of organizing information security is of concern to organizations of any level - from large corporations to entrepreneurs without a legal entity. Competition in modern market relations is far from perfect and is often not conducted in the most legal ways. Industrial espionage is flourishing. But there are also cases of inadvertent dissemination of information related to the trade secret of an organization. As a rule, the negligence of employees, their lack of understanding of the situation, in other words, the "human factor", plays a role here.

The term paper presents a project of a management solution for organizing information security in Laspi LLC. The project covers three main areas: 1. documentation (access to materials on paper media, with differentiation of this access); 2. computer security; 3. security in recruiting new employees.

It should be borne in mind that although this project was developed for a specific organization, its provisions can be used for organizing security in other firms belonging to the category of medium-sized ones.

Ministry of Education and Science of the Russian Federation

federal state budgetary educational institution

higher professional education

"PERM NATIONAL RESEARCH

POLYTECHNIC UNIVERSITY"


Test

by discipline

INFORMATION SECURITY OF THE ENTERPRISE

Topic: "Information security in business on the example of OJSC "Alfa-Bank""


Completed by a student

group FK-11B:

Smyshlyaeva Maria Sergeevna

Checked by the teacher:

Shaburov Andrey Sergeevich


Perm - 2013



Introduction


The information resources of most companies are among the most valuable resources. For this reason, commercial, confidential information and personal data must be reliably protected from unauthorized use, but at the same time easily accessible to the subjects participating in the processing of this information or using it in the process of performing assigned tasks. The use of special tools for this contributes to the stability of the company's business and its viability.

As practice shows, the issue of organizing business protection in modern conditions has become the most urgent. Online stores are being “opened” and customers' credit cards are emptied, casinos and sweepstakes are blackmailed, corporate networks are under external control, computers are “brainwashed” and included in botnets, and fraudulent use of stolen personal data is becoming a national disaster.

Therefore, company leaders must understand the importance of information security, learn to predict and manage trends in this area.

The purpose of this work is to identify the advantages and disadvantages of a business information security system using the example of Alfa-Bank.

Characteristics of the activities of OJSC "Alfa-Bank"


Alfa-Bank was founded in 1990. Alfa-Bank is a universal bank that carries out all the main types of banking operations on the financial services market, including servicing private and corporate clients, investment banking, trade finance and asset management.

The head office of Alfa-Bank is located in Moscow; in total, 444 branches and offices of the bank have been opened in the regions of Russia and abroad, including a subsidiary bank in the Netherlands and financial subsidiaries in the USA, UK and Cyprus. Alfa-Bank employs about 17 thousand people.

Alfa-Bank is the largest Russian private bank in terms of total assets, total capital and deposits. The bank has a large client base of both corporate clients and individuals. Alfa-Bank is developing as a universal bank in the main areas: corporate and investment business (including small and medium-sized businesses (SME), trade and structured finance, leasing and factoring) and retail business (including a network of bank branches, car loans and mortgages). Special attention is paid to the development of banking products for corporate business in the mass and SME segments, as well as to the development of remote self-service channels and Internet acquiring. Alfa-Bank's strategic priorities are maintaining the status of a leading private bank in Russia, strengthening stability, increasing profitability, and setting industry standards for technological sophistication, efficiency, quality of customer service and teamwork.

Alfa-Bank is one of the most active Russian banks in the world capital markets. Leading international rating agencies assign Alfa-Bank some of the highest ratings among Russian private banks. Four times in a row it was ranked first in the Customer Experience Index ("The retail banking sector after the financial crisis"), conducted by Senteo together with PricewaterhouseCoopers. Also in 2012, Alfa-Bank was recognized as the best Internet bank by Global Finance magazine, received the award for the best analytics from the National Association of Stock Market Participants (NAUFOR), and was named the best Russian private bank according to the confidence index calculated by the research holding Romir.

Today the Bank has a federal-scale network of 83 points of sale. Alfa-Bank has one of the largest networks among commercial banks, consisting of 55 offices and covering 23 cities. The expansion of the network gives the Bank additional opportunities to grow its client base, expand the range and quality of banking products, implement interregional programs, and provide comprehensive service to key clients among the largest enterprises.


Analysis of the theoretical basis of the issue of information security of business


The relevance and importance of the problem of ensuring information security are due to the following factors:

· The current levels and rates of development of information security tools lag significantly behind the levels and rates of development of information technology;

· The high growth rate of the fleet of personal computers used in various fields of human activity. According to research by Gartner Dataquest, there are currently more than a billion personal computers in the world;

· A sharp expansion of the circle of users with direct access to computing resources and data arrays.

At present, the importance of information stored in banks has increased significantly: banks hold important and often secret information about the financial and economic activities of many people, companies, organizations and even entire states. The bank stores and processes valuable information that affects the interests of a large number of people. The bank also stores important information about its customers, which widens the circle of potential intruders interested in stealing or damaging such information.

Over 90% of all crimes are associated with the use of the bank's automated information processing systems (ASOIB). Consequently, when creating and modernizing an ASOIB, banks need to pay close attention to ensuring its security.

The main attention should be paid to the computer security of banks, i.e. security of automated systems for processing bank information, as the most urgent, complex and pressing problem in the field of banking information security.

The rapid development of information technology has opened up new business opportunities, but has also led to the emergence of new threats. Because of competition, modern software products are sold with errors and defects. Developers, cramming all sorts of functions into their products, do not have time to debug the created software systems properly. The errors and flaws left in these systems lead to accidental and deliberate breaches of information security. For example, most accidental loss of information is caused by failures of software and hardware, and most attacks on computer systems are based on errors and flaws found in the software. For example, in the first six months after the release of Microsoft's Windows server operating system, 14 vulnerabilities were discovered, 6 of them critical. Although Microsoft over time develops service packs that eliminate the identified shortcomings, users by then have already suffered from information security breaches caused by the remaining errors. Until these and many other problems are resolved, the insufficient level of information security will be a serious brake on the development of information technology.

Information security is understood as the security of information and its supporting infrastructure from accidental or intentional influences of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations, including the owners and users of the information and the supporting infrastructure.

In the modern business world, there is a process of migration of tangible assets towards information assets. As an organization develops, its information system becomes more complex, the main task of which is to ensure maximum business efficiency in an ever-changing competitive market.

Considering information as a commodity, we can say that ensuring information security in general can lead to significant cost savings, while the damage caused to it leads to material costs. For example, the disclosure of the manufacturing technology of the original product will lead to the appearance of a similar product, but from another manufacturer, and as a result of a breach of information security, the owner of the technology, and maybe the author, will lose part of the market, etc. On the other hand, information is the subject of control, and its change can lead to catastrophic consequences in the control object.

According to GOST R 50922-2006, information protection is an activity aimed at preventing the leakage of protected information and unauthorized or unintentional impacts on it. Information security is relevant for both enterprises and government agencies. To protect information resources comprehensively, organizations build and develop information security systems.

There are many causes that can seriously disrupt the operation of local and global networks and lead to the loss of valuable information. Among them are the following:

Unauthorized access from the outside, copying or modification of information, accidental or deliberate actions, leading to:

distortion or destruction of data;

disclosure to unauthorized persons of information constituting banking, financial or state secrets.

Incorrect software operation resulting in loss or corruption of data due to:

errors in application or network software;

infecting systems with computer viruses.

Technical failures of equipment caused by:

power outage;

failure of disk systems and data archiving systems;

failure of servers, workstations, network cards, modems.

Maintenance personnel errors.

Of course, there is no one-size-fits-all solution that excludes all of these reasons, but many organizations have developed and applied technical and administrative measures to minimize the risk of data loss or unauthorized access to them.

Today there is a large arsenal of methods for ensuring information security; the following are also used at Alfa-Bank:

· means of user identification and authentication (the so-called "3A" complex);

· encryption tools for information stored on computers and transmitted over networks;

· firewalls;

· virtual private networks;

· content filtering tools;

· tools for checking the integrity of files and disk contents;

· anti-virus protection means;

· network vulnerability detection systems and network attack analyzers.

"Complex 3A" includes authentication (or identification), authorization and administration. Identificationand authorization are key elements of information security. When you try to access any program, the identification function answers the question: "Who are you?" and "Where are you?" if you are an authorized user of the program. The authorization function is responsible for which resources a particular user has access to. The administration function is to endow the user with certain identification features within a given network and determine the scope of actions allowed for him. In Alfa-Bank, when opening programs, the password and login of each employee is requested, and when performing any operations, in some cases, authorization of the head or his deputy in the department is required.

Encryption systems minimize losses in the event of unauthorized access to data stored on a hard disk or other medium, and in the event of interception of information sent by e-mail or transmitted over network protocols. The purpose of this protection is confidentiality; encryption by itself does not guarantee integrity, since an attacker who cannot read a ciphertext may still be able to alter it, so an authenticated mode or a separate integrity check is needed where tampering matters. The main requirements for encryption systems are a high level of cryptographic strength and legality of use in the territory of Russia (or other states).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks to prevent unauthorized data packets from entering or leaving the network. The basic principle of a firewall is to check each packet's source and destination IP addresses (and, in practice, its protocol and ports) against a base of allowed addresses. Address-based filtering alone cannot tell a reply to a connection opened from inside from an unsolicited packet; that is what stateful inspection adds. Firewalls thus greatly enhance the segmentation of information networks and the control over data flows.

Alongside cryptography and firewalls, secure virtual private networks (VPNs) should be mentioned. They solve the problems of confidentiality and integrity of data transmitted over open communication channels.

An effective means of protection against the loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking e-mail messages and their attachments against organizational rules also helps protect the company from legal claims and its employees from spam. Content filtering tools can scan files of all common formats, including compressed and graphic ones, while the network bandwidth remains practically unchanged.

Modern anti-virus technologies detect almost all already known malware by comparing the code of a suspicious file with samples stored in the anti-virus database (signature scanning). In addition, behavioural modelling (heuristic) technologies have been developed to detect newly created malware. Detected objects can be disinfected, isolated (placed in quarantine) or deleted. Anti-virus protection can be installed on workstations, file and mail servers and firewalls running under almost any common operating system (Windows, Unix and Linux systems, Novell) on various types of processors. Spam filters significantly reduce the overhead of sorting through spam, reduce traffic and server load, improve the team's morale, and reduce the risk of employees being drawn into fraudulent transactions. Spam filters also reduce the risk of infection with new viruses, since messages carrying viruses (even ones not yet in the anti-virus databases) often show signs of spam and are filtered out. The benefit of spam filtering can, however, be cancelled out if the filter deletes or marks as spam useful business or personal messages along with the junk.
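The content filtering of the previous paragraph and the signature scanning of this one share one piece of machinery: every attachment, including the members of a compressed archive, has to be identified by its contents and checked against the rules. The following added Python example (neither the bank's tooling nor any vendor's code) does both in one pass and returns a verdict of the kind the text lists. The message, the confidentiality markers, the "signatures" and the size and depth limits are all constructed for the example.

```python
"""Content filtering and signature scanning of an e-mail and its attachments.

Added example. Rules, signatures and the sample message are constructed."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Organizational rules (assumptions): markers that must not leave the bank,
# and file types that are not allowed in either direction.
CONFIDENTIAL_MARKERS = {
    "secrecy-stamp": re.compile(r"(?i)commercial secret"),
    "card-number": re.compile(r"\b\d{16}\b"),
}
BLOCKED_TYPES = {"executable"}
# Signature "database" (assumption): whole-file hashes plus byte patterns.
KNOWN_BAD_HASHES = {hashlib.sha256(b"MZ" + b"\x00" * 30).hexdigest()}
BYTE_SIGNATURES = {"Test.Pattern.A": b"BAD-PATTERN-42"}
MAX_MEMBER = 10 * 1024 * 1024   # assumption: archive members above this are not inspected
MAX_DEPTH = 3                   # assumption: nesting limit against archive bombs


def file_type(data):
    """Identify by magic bytes, not by the name the sender chose."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:4] == b"%PDF":
        return "pdf"
    return "other"


def unpack(name, data, depth=0):
    """Yield (name, bytes) for a file and, recursively, for archive members.
    None as the bytes means the item could not be inspected."""
    yield name, data
    if file_type(data) != "zip" or depth >= MAX_DEPTH:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER:
                    yield member, None
                    continue
                yield from unpack(member, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        yield f"{name}/<corrupt archive>", None


def scan_bytes(name, data):
    if data is None:
        return [("uninspectable", name, "oversize or corrupt archive member")]
    findings = []
    kind = file_type(data)
    if kind in BLOCKED_TYPES:
        findings.append(("blocked-type", name, kind))
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        findings.append(("malware-hash", name, "known sample"))
    for sig, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            findings.append(("malware-signature", name, sig))
    return findings


def scan_message(raw, outbound):
    """Return (verdict, findings); verdict is deliver, reject or quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if outbound:   # confidentiality rules apply to mail leaving the bank
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        for label, rx in CONFIDENTIAL_MARKERS.items():
            if rx.search(text):
                findings.append(("confidential", "body", label))
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        for name, data in unpack(fname, part.get_payload(decode=True)):
            findings.extend(scan_bytes(name, data))
    kinds = {f[0] for f in findings}
    if kinds & {"malware-hash", "malware-signature"}:
        return "quarantine", findings
    return ("reject" if kinds else "deliver"), findings


def build_sample_message(clean=False):
    """Constructed message: a secrecy stamp in the body plus a zip hiding an
    executable (with a signature hit) under a harmless-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"quarterly figures, see invoice")
        if not clean:
            zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 20 + b"BAD-PATTERN-42")
    msg = EmailMessage()
    msg["From"] = "employee@bank.example"
    msg["To"] = "partner@outside.example"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Attached, per our call." if clean
                    else "Attached. Marked COMMERCIAL SECRET, do not forward.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="figures.zip")
    return msg.as_bytes()
```

The archive is written compressed on purpose: the byte pattern is not visible in the zip itself, so a scanner that does not unpack, or that trusts the `.pdf` name, lets the file through. The depth and size caps are what keep the unpacking step from becoming a denial-of-service vector of its own.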

Several of the most typical types and methods of information threats are:

Disclosure and theft of trade secrets. Whereas previously secrets were kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases that often contain very sensitive information, for example customer data.

Dissemination of compromising materials. That is, the deliberate or accidental use by employees, in electronic correspondence, of information that casts a shadow on the bank's reputation.

Infringement of intellectual property. Any intellectual product produced in a bank, as in any organization, belongs to the organization and may not be used by employees (including the creators and authors of that intellectual value) except in the organization's interests. Meanwhile, in Russia conflicts often arise between organizations and employees who claim the intellectual product they created and use it in their personal interests, to the detriment of the organization. This usually results from a vague legal situation at the enterprise, when the employment contract does not contain clearly defined rules setting out the rights and obligations of employees.

Dissemination (often unintentional) of inside information that is not secret, but may be useful to competitors (other banks).

Visits to the websites of competing banks. More and more companies now use programs on their public sites (in particular CRM-oriented ones) that recognize visitors and track their routes in detail, recording the time and duration of their viewing of the site's pages. Competitor websites have been and remain a valuable source for analysis and forecasting, but an employee's visits are just as visible to the competitor and reveal what the bank is interested in.

Abuse of office communications for personal purposes (listening to or watching music and other content unrelated to work, loading the office computer) does not pose a direct threat to information security, but it creates additional load on the corporate network, reduces efficiency and interferes with colleagues' work.

And finally, external threats: unauthorized intrusions and the like.

The rules adopted by the bank must comply with both national and internationally recognized standards for the protection of state and commercial secrets, personal and private information.


Organizational protection of information at Alfa-Bank


Alfa-Bank OJSC has implemented a security policy based on discretionary (selective) access control. Such control at Alfa-Bank OJSC is characterized by a set of permitted access relations specified by the administrator; the access matrix is filled in directly by the company's system administrator. Applying a discretionary security policy meets management's requirements and the requirements for information security, access control and accountability, and has an acceptable cost. Implementation of the information security policy is fully entrusted to the system administrator of Alfa-Bank OJSC.
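How such an access matrix behaves, as an added Python example (not Alfa-Bank's system): subjects, objects and rights are invented. The administrator registers objects and fills in the matrix; the owner of an object may pass rights on to others, which is what makes the policy discretionary rather than mandatory. Every decision, granted or refused, is written to an audit log, which is the accountability the text mentions and what later narrows the circle of possible culprits.

```python
"""Discretionary access control as an access matrix, with an audit trail.

Added example; subjects, objects, rights and the administrator name are assumptions."""
from datetime import datetime, timezone

ADMIN = "sysadmin"   # assumption: the single administrator the text describes


class AccessMatrix:
    def __init__(self):
        self.rights = {}    # (subject, object) -> set of rights, e.g. {"read", "write"}
        self.owners = {}    # object -> owning subject
        self.audit = []     # (timestamp, actor, action, object, "ok" | "refused")

    def _log(self, actor, action, obj, ok):
        self.audit.append((datetime.now(timezone.utc).isoformat(), actor, action, obj,
                           "ok" if ok else "refused"))

    def register_object(self, actor, obj, owner):
        """Only the administrator creates matrix rows; the owner starts with full rights."""
        ok = actor == ADMIN
        self._log(actor, f"register owner={owner}", obj, ok)
        if ok:
            self.owners[obj] = owner
            self.rights[(owner, obj)] = {"read", "write", "grant"}
        return ok

    def grant(self, grantor, subject, obj, right):
        """The administrator, or a subject holding 'grant' on obj, may delegate a right."""
        ok = grantor == ADMIN or "grant" in self.rights.get((grantor, obj), set())
        self._log(grantor, f"grant {right} to {subject}", obj, ok)
        if ok:
            self.rights.setdefault((subject, obj), set()).add(right)
        return ok

    def revoke(self, actor, subject, obj, right):
        ok = actor == ADMIN or "grant" in self.rights.get((actor, obj), set())
        self._log(actor, f"revoke {right} from {subject}", obj, ok)
        if ok:
            self.rights.get((subject, obj), set()).discard(right)
        return ok

    def check(self, subject, obj, right):
        """The access decision itself; both outcomes are logged, not only refusals."""
        ok = right in self.rights.get((subject, obj), set())
        self._log(subject, right, obj, ok)
        return ok

    def refused(self, obj):
        """Refused attempts against one object: the starting point of an investigation."""
        return [e for e in self.audit if e[3] == obj and e[4] == "refused"]
```

The weakness of the model is visible in `grant`: a subject holding `grant` can delegate `grant` itself, rights spread beyond what the administrator entered, and `revoke` does not cascade to subjects the revoked user delegated to in the meantime. This is why the text's choice to leave the whole matrix to one administrator is a cost decision, not a security one, and why the audit log matters.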

Along with the existing security policy, Alfa Bank OJSC uses specialized hardware and software security tools.

The hardware security device is a Cisco 1605 router. It is equipped with two Ethernet interfaces (one with TP and AUI connectors, the other with TP only) for the LAN and one expansion slot for one of the modules for Cisco 1600 series routers. In addition, the Cisco IOS Firewall Feature Set software makes the Cisco 1605-R an ideal, flexible router/security system for a small office. Depending on the installed module, the router can connect via ISDN, via a dial-up or leased line from 1200 bps to 2 Mbps, Frame Relay, SMDS or X.25.

To protect information, the owner of a LAN must secure the "perimeter" of the network, for example by establishing control at the junction between the internal and external networks. Cisco IOS provides high flexibility and security through standard means such as extended access lists (ACLs), lock-and-key (dynamic ACLs) and routing authentication. In addition, the Cisco IOS Firewall Feature Set available for the 1600 and 2500 series routers provides comprehensive security features, including:

context-based access control (CBAC)

Java applet blocking

audit trail (logging)

intrusion detection and prevention

real-time alerts

In addition, the router supports virtual overlay networks, tunnels, traffic prioritization, resource reservation and various routing control methods.
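The packet-filtering principle described earlier (checking each packet against a base of allowed addresses) and the context-based access control listed for the Firewall Feature Set are easiest to see side by side. The following added Python example is not Alfa-Bank's configuration and not Cisco code; it models the two mechanisms. The rules behave like an IOS extended access list: first match wins and anything that matches nothing is dropped (implicit deny). The session table reproduces the idea behind CBAC: traffic that answers a connection opened from inside is allowed back in even though no static rule permits it. All addresses, ports and packets are constructed.

```python
"""Packet filtering against an access list, plus a context-based (stateful) check.

Added example; rules, addresses and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # True for a TCP segment that opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: str                     # CIDR, "0.0.0.0/0" for any
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules, pkt, log):
    """First-match evaluation; whatever matches no rule is denied and logged."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action != "permit":
                log.append(f"deny (rule) {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return rule.action == "permit"
    log.append(f"deny (implicit) {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return False


class Firewall:
    def __init__(self, inside_net, inbound_rules):
        self.inside = ipaddress.ip_network(inside_net)
        self.inbound_rules = list(inbound_rules)
        self.sessions = set()   # (proto, inside ip, inside port, outside ip, outside port)
        self.log = []

    def forward(self, pkt):
        if ipaddress.ip_address(pkt.src) in self.inside:
            # Outbound traffic is trusted here; remember the flow so the reply can return.
            if pkt.proto in ("tcp", "udp"):
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: a reply to a remembered flow passes (the "context"). A packet that
        # tries to open a new connection is never a reply, even from a known peer.
        # Everything else is decided by the static access list.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions and not pkt.syn:
            return True
        return evaluate(self.inbound_rules, pkt, self.log)
```

The list in the test below corresponds to the two IOS statements a practitioner would expect, a permit for SMTP to one internal host followed by an explicit deny of everything; the explicit deny exists only so that refused packets are logged, since the implicit deny at the end of a list is silent on many platforms. A production implementation also ages sessions out and removes them on FIN or RST; here they live forever, which is the simplification to be aware of.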

Kaspersky Open Space Security is used as the software protection tool. Kaspersky Open Space Security fully meets the modern requirements for corporate network security systems:

a solution to protect all types of network nodes;

protection against all types of computer threats;

effective technical support;

"proactive" technologies combined with traditional signature protection;

innovative technologies and a new antivirus engine that increases performance;

ready-to-use protection system;

centralized management;

full protection of users outside the network;

compatibility with third-party solutions;

efficient use of network resources.

The system being developed (an automated workstation for the manager, described below) should provide full control, automated accounting and analysis of the protection of personal data, reduce customer service time, and provide information about the codes used to protect information and personal data.

To formulate the requirements for the system being developed, the requirements for the organization of its database and for information compatibility must first be formulated.

Database design should be based on the views of the end users of the particular organization, that is, on the conceptual requirements for the system.

In this case the information system contains data about the company's employees. One technique that illustrates the work of an information system well is the development of a document workflow scheme.

The functions of the system being developed can be achieved with computer technology and software. Given that searching for information and accounting documents takes about 30% of bank specialists' working time, implementing an automated accounting system will significantly free up qualified specialists and can lead to savings in the wage fund and a reduction in staff; however, it may also require adding an operator position to the department, whose duties will include entering information about ongoing business processes: personal data, accounting documents and access codes.

It should be noted that introducing the system will reduce, and ideally completely eliminate, errors in accounting for personal data and security codes. Thus, introducing an automated workstation for the manager will yield a significant economic effect: a one-third reduction in staff, payroll savings and increased labour productivity.

Alfa-Bank, like any other bank, has developed an Information Security Policy, which sets out a system of views on ensuring information security and is a systematic statement of the goals and objectives of protection in the form of one or more rules, procedures, practices and guidelines in the field of information security.

The Policy takes into account the current state and immediate prospects for the development of information technologies in the Bank, goals, objectives and legal basis for their operation, modes of operation, and also contains an analysis of security threats to objects and subjects of information relations of the Bank.

Basic provisions and requirements of this document apply to all structural divisions of the Bank, including additional offices. The main issues of the Policy also apply to other organizations and institutions interacting with the Bank as suppliers and consumers of the Bank's information resources in one capacity or another.

The legislative basis of this Policy is the Constitution of the Russian Federation, the Civil and Criminal Codes, laws, decrees, decrees, other normative documents of the current legislation of the Russian Federation, documents of the State Technical Commission under the President of the Russian Federation, the Federal Agency for Government Communications and Information under the President of the Russian Federation.

The Policy is the methodological framework for:

· formation and implementation of a unified policy in the field of information security in the Bank;

· making managerial decisions and developing practical measures to implement the information security policy, and developing a set of coordinated measures aimed at identifying, repelling and eliminating the consequences of the various types of threats to information security;

· coordination of the activities of the Bank's structural divisions when carrying out work on the creation, development and operation of information technologies in compliance with the requirements for ensuring information security;

· development of proposals for improving the legal, regulatory, technical and organizational security of information in the Bank.

A systematic approach to building an information security system in the Bank involves taking into account all interrelated, interacting and time-changing elements, conditions and factors that are significant for understanding and solving the problem of ensuring the security of the Bank's information.

Ensuring the security of information is a process carried out by the Bank's management, its information protection units and employees at all levels. It is not only, and not so much, a procedure or policy implemented over a certain period, or a set of protective tools, but a process that must go on constantly at all levels within the Bank, with every employee taking part. Information security activities are an integral part of the Bank's day-to-day operations, and their effectiveness depends on the participation of the Bank's management.

In addition, most physical and technical protection measures require constant organizational (administrative) support in order to perform their functions effectively: timely changing of names, passwords and encryption keys and ensuring their correct storage and use, redefining authorities, and so on. Interruptions in the operation of protective measures can be used by intruders to analyse the methods and means of protection in use and to introduce software and hardware implants and other means of bypassing protection.

Personal responsibility means assigning responsibility for the security of information and its processing system to each employee within the limits of his authority. In accordance with this principle, the rights and responsibilities of employees are distributed so that, in the event of any violation, the circle of possible perpetrators is clearly known or minimized.

At Alfa-Bank, the activity of every user, every protective measure and every protected object is monitored continuously, using operational control and logging tools, and this monitoring covers both unauthorized and authorized user actions.

The bank has developed the following organizational and administrative documents:

· Regulations on commercial secrets. The said Regulation regulates the organization, the procedure for working with information constituting a commercial secret of the Bank, duties and responsibilities of employees admitted to this information, the procedure for transferring materials containing information constituting a commercial secret of the Bank to state (commercial) institutions and organizations;

· The list of information constituting an official and commercial secret. The list defines information classified as confidential, the level and terms of ensuring restrictions on access to protected information;

· Orders and instructions for establishing a security regime for information:

· admission of employees to work with information of limited distribution;

· appointing administrators and persons responsible for working with restricted information in the corporate information system;

· Instructions and responsibilities for employees:

· on the organization of security and access control;

· on the organization of office work;

· administration of information resources of the corporate information system;

· other regulatory documents.

Conclusion


Today the issue of organizing information security concerns organizations of every level, from large corporations to individual entrepreneurs without a legal entity. Competition in modern market relations is far from perfect and is often conducted by methods that are not entirely legal: industrial espionage flourishes. But cases of inadvertent disclosure of information related to an organization's trade secrets are also frequent. As a rule, the negligence of employees and their failure to understand the situation, in other words the "human factor", plays the main role here.

Alfa-Bank protects the following information:

trade secret

personal data (clients, bank employees)

bank secrecy

bank documents (reports of the Security Department, annual estimate of the bank, information on the income of bank employees, etc.)

Information in the bank is protected against the following threats:

· natural threats;

· artificial threats: unintentional (accidental) threats caused by errors in the design of the information system and its elements, errors in the actions of personnel, etc., and intentional threats associated with the selfish, ideological or other motives of people (intruders).

Sources of threats in relation to the information system itself can be both external and internal.


