The basics of information security. Part 2. Information and means of protection



    In the first part of the Basics of Information Security, we examined the main types of threats to information security. Before we can proceed to choosing information protection tools, we need to look more closely at what the concept of information covers.

    Information and its classification


    There are many definitions and classifications of "information". The most concise and at the same time comprehensive definition is given in Federal Law No. 149-FZ of July 27, 2006 (as amended on July 29, 2017) "On Information, Information Technologies and the Protection of Information", Article 2: "Information is information (messages, data) regardless of the form of its presentation."

    Information can be classified in several ways. By category of access, it is divided into publicly available information and information with restricted access, namely confidential data and state secrets.

    Depending on the procedure for its provision or distribution, information is divided into information:

    1. That is freely distributed
    2. That is provided by agreement of the persons involved in the relevant relations
    3. That, in accordance with federal laws, must be provided or distributed
    4. Whose distribution is restricted or prohibited in the Russian Federation

    By purpose, information is of the following types:

    1. Mass - contains commonplace information and uses a set of concepts understandable to most of society.
    2. Special - contains a specific set of concepts that may not be understood by the bulk of society, but that are necessary and understandable within the narrow social group where this information is used.
    3. Secret - access to it is given to a narrow circle of persons and through closed (protected) channels.
    4. Personal (private) - a set of information about an individual that determines their social status and types of social interaction.

    Information protection tools must be applied directly to information with restricted access, that is, to state secrets and confidential data.

    According to Law of the Russian Federation No. 5485-1 of July 21, 1993 (as amended on March 8, 2015) "On State Secrets", Article 5, "The list of information constituting state secrets", state secrets include:

    1. Information in the military field.
    2. Information in the field of economics, science and technology.
    3. Information in the field of foreign policy and economics.
    4. Information in the field of intelligence, counter-intelligence and operational-search activities, as well as in the field of combating terrorism and in the field of ensuring the safety of persons in respect of whom a decision has been made to apply state protection measures.

    The list of information that may constitute confidential information is contained in Presidential Decree No. 188 of March 6, 1997 (as amended on July 13, 2015) "On Approving the List of Confidential Information".

    Confidential data is information whose access is restricted in accordance with the laws of the state and the rules that companies establish themselves. The following types of confidential data can be distinguished:

    • Personal confidential data: information about facts, events and circumstances of a citizen's private life that makes it possible to identify that person (personal data), with the exception of information that is to be distributed in the media in cases established by federal laws.
    • Official confidential data: official information whose access is restricted by public authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secrets).
    • Judicial confidential data: information on the state protection of judges, law enforcement and regulatory officials; on the state protection of victims, witnesses and other participants in criminal proceedings; information contained in the personal files of convicted persons, as well as information on the enforcement of judicial acts and acts of other bodies and officials, except for information that is publicly available in accordance with Federal Law No. 229-FZ of October 2, 2007 "On Enforcement Proceedings".
    • Commercial confidential data: all types of information related to commerce (profit) whose access is restricted by law, as well as information about the essence of an invention, utility model or industrial design prior to its official publication by the enterprise (secret developments, production technologies, etc.).
    • Professional confidential data: information related to professional activities whose access is restricted in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial and attorney-client secrets, the secrecy of correspondence, telephone conversations, postal, telegraphic or other messages, etc.).


    Figure 1. Classification of types of information.

    Personal data


    Personal data deserves separate attention. According to Federal Law No. 152-FZ of July 27, 2006 (as amended on July 29, 2017) "On Personal Data", Article 4: personal data is any information relating directly or indirectly to a specific or identifiable natural person (the subject of personal data).

    A personal data operator is a state body, municipal body, legal entity or natural person that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing, the composition of the personal data to be processed, and the actions (operations) performed with personal data.

    Processing personal data - any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

    The right to process personal data is enshrined in the regulations on state bodies, federal laws, licenses for working with personal data issued by Roskomnadzor or FSTEC.

    Companies that professionally work with the personal data of a wide range of people, for example virtual server hosting companies or telecom operators, must be entered in the register of operators maintained by Roskomnadzor.

    For example, our virtual server hosting VPS.HOUSE operates under the laws of the Russian Federation and in accordance with the licenses of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications No. 129322 dated December 25, 2015 (telematic communication services) and No. 139323 dated December 25, 2015 (data transfer communication services, with the exception of data transfer services for the purpose of transmitting voice information).

    It follows that any site with a user registration form in which information related to personal data is entered and subsequently processed is a personal data operator.

    Under Article 7 of Law No. 152-FZ "On Personal Data", operators and other persons who have gained access to personal data are required not to disclose it to third parties and not to distribute it without the consent of the subject of personal data, unless otherwise provided by federal law. Accordingly, every personal data operator is required to ensure the necessary security and confidentiality of this information.

    In order to ensure the security and confidentiality of information, it is necessary to determine what kinds of information carriers exist and which of them are open or closed to access. The methods and means of protection are then selected according to the type of carrier.

    The main information carriers are:

    • Printed and electronic media, social networks, other resources on the Internet;
    • Employees of the organization who have access to information on the basis of their friendly, family, professional ties;
    • Communication facilities that transmit or store information: telephones, automatic telephone exchanges, and other telecommunication equipment;
    • Documents of all types: personal, official, state;
    • Software as an independent information object, especially if its version was developed specifically for a particular company;
    • Electronic storage media that process data in an automatic manner.

    Having determined what information is subject to protection, what its carriers are, and what damage its disclosure could cause, you can choose the necessary means of protection.

    Classification of information security




    In accordance with Federal Law No. 149-FZ of July 27, 2006 (as amended on July 29, 2017) "On Information, Information Technologies and Information Protection", Article 7, Clauses 1 and 4:

    1. Protection of information is the adoption of legal, organizational and technical measures aimed at:

    • Ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
    • Respect for confidentiality of information of limited access;
    • Realization of the right to access information.

    4. The owner of the information and the operator of the information system, in cases established by the legislation of the Russian Federation, must ensure:

    • Prevention of unauthorized access to information and (or) its transfer to persons who do not have the right to access information;
    • Timely discovery of unauthorized access to information;
    • Prevention of the possibility of adverse consequences of violation of the procedure for access to information;
    • Prevention of impact on technical means of information processing, as a result of which their functioning is disrupted;
    • The ability to immediately restore information modified or destroyed due to unauthorized access to it;
    • Constant control over ensuring the level of information security;
    • Location on the territory of the Russian Federation of the databases used for the collection, recording, systematization, accumulation, storage, clarification (updating, changing) and extraction of personal data of citizens of the Russian Federation (Clause 7 was introduced by Federal Law No. 242-FZ of July 21, 2014).

    Based on Law No. 149-FZ, information protection can also be divided into several levels:

    1. The legal level ensures compliance with state standards in the field of information security and includes copyright, decrees, patents and job descriptions.
      A properly built protection system does not violate user rights and data processing standards.
    2. The organizational level covers creating rules for users' work with confidential information, selecting staff, and organizing work with documentation and data carriers.
      The rules of work for users with confidential information are called access control rules. The rules are established by the company’s management together with the security service and the supplier who implements the security system. The goal is to create conditions for access to information resources for each user, for example, the right to read, edit, transmit a confidential document.
      Access control rules are developed at the organizational level and implemented at the stage of work with the technical component of the system.
    3. The technical level is conventionally divided into physical, hardware, software and mathematical (cryptographic).
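    The separation described above, rules defined at the organizational level and enforced at the technical level, can be illustrated with a small access-control check. This is an added example, not code from the article: the access categories, actions, users and document names are constructed for illustration.

```python
# Added example: organizational access-control rules enforced in code.
# Assumptions (constructed): three access categories ordered by sensitivity,
# three actions (read, edit, transmit) and an explicit per-user grant table.
from dataclasses import dataclass, field

LEVELS = {"public": 0, "confidential": 1, "state_secret": 2}  # low -> high
ACTIONS = {"read", "edit", "transmit"}


@dataclass
class Document:
    name: str
    category: str  # one of LEVELS


@dataclass
class User:
    login: str
    clearance: str  # highest category the user may access at all
    # Explicit grants set by management with the security service:
    # document name -> set of allowed actions.
    granted: dict = field(default_factory=dict)


def is_allowed(user: User, action: str, doc: Document) -> bool:
    """Access control rule: deny by default, never exceed clearance,
    public information is readable by everyone, everything else needs
    an explicit grant for that document and that action."""
    if action not in ACTIONS or doc.category not in LEVELS:
        return False  # unknown action or category: deny
    if LEVELS[user.clearance] < LEVELS[doc.category]:
        return False  # the document is above the user's clearance
    if doc.category == "public" and action == "read":
        return True
    return action in user.granted.get(doc.name, set())


def check_and_log(user: User, action: str, doc: Document, log: list) -> bool:
    """Record every decision so that denials can be reviewed later."""
    ok = is_allowed(user, action, doc)
    log.append(f"{user.login} {action} {doc.name} -> {'ALLOW' if ok else 'DENY'}")
    return ok
```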

    Information Security Tools


    Information security tools are usually divided into regulatory (informal) and technical (formal).

    Informal means of information security


    Informal means of information protection are normative (legislative), administrative (organizational) and moral-ethical means; they consist of documents, rules and measures.

    The legal basis (legislative means) of information security is provided by the state. Information protection is regulated by international conventions, the Constitution, the federal law "On Information, Information Technologies and Information Protection", the laws of the Russian Federation "On Security", "On Communications" and "On State Secrets", and various by-laws.

    Some of the laws listed here were already cited above as the legal basis for information security. Failure to comply with them creates threats to information security that can lead to significant consequences, which in turn is punishable under criminal law.

    The state also determines the measure of responsibility for violating information security legislation. For example, Chapter 28 "Crimes in the Field of Computer Information" of the Criminal Code of the Russian Federation includes three articles:

    • Article 272 "Unlawful Access to Computer Information";
    • Article 273 "Creation, Use and Distribution of Malicious Computer Programs";
    • Article 274 "Violation of the Rules for the Operation of Means of Storage, Processing or Transmission of Computer Information and Information and Telecommunication Networks".

    Administrative (organizational) measures play a significant role in creating a reliable information protection mechanism, since the possibility of unauthorized use of confidential information is largely determined not by technical aspects but by human actions: for example, negligence, carelessness and inattention of users or security personnel.

    To reduce the impact of these factors, a combination of organizational-legal and organizational-technical measures is needed that would eliminate or minimize the possibility of threats to confidential information.

    This administrative and organizational work on information protection leaves security service staff considerable room for creativity.

    These are architectural and planning solutions that protect the meeting rooms and management rooms from listening, and the establishment of various levels of access to information.

    From the point of view of regulating personnel activity, it is important to establish a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to enhance the security of financial and other information that is transmitted to state bodies by electronic mail.

    Moral and ethical means include the moral standards or ethical rules that have developed in a society or a given collective, whose observance contributes to the protection of information and whose violation amounts to a breach of the rules of conduct in that society or collective. Unlike legislatively approved norms, these norms are not obligatory; nevertheless, their violation leads to a loss of authority and prestige for the person or organization.

    Formal means of information security


    Formal means of protection are special hardware and software, which can be divided into physical, hardware, software and cryptographic means.

    Physical means of information protection are any mechanical, electrical and electronic mechanisms that operate independently of information systems and create obstacles to access to them.

    Locks (including electronic ones), screens and blinds are designed to keep destabilizing factors from coming into contact with systems. The group is supplemented by security system components, for example video cameras, DVRs, and sensors that detect movement or an excessive level of electromagnetic radiation near the technical equipment used for collecting information.

    Hardware information security means are any electrical, electronic, optical, laser and other devices embedded in information and telecommunication systems: special-purpose computers, employee monitoring systems, server and corporate network protection. They impede access to information, including by disguising it.

    The hardware includes: noise generators, surge protectors, scanning radios and many other devices that "block" potential channels of information leakage or allow them to be detected.

    Information security software consists of both simple and integrated programs designed to solve tasks related to ensuring information security.

    Examples of integrated solutions are DLP systems and SIEM systems.

    DLP systems ("Data Leak Prevention", literally "preventing data leakage") serve to prevent leaks, transform information and redirect information flows.

    SIEM systems ("Security Information and Event Management") provide real-time analysis of security events (alarms) coming from network devices and applications. SIEM is delivered as applications, devices or services, and is also used for data logging and reporting for compatibility with other business data.

    Such software is demanding on hardware resources, so additional capacity must be provided when it is deployed.

    Mathematical (cryptographic) means are the application of cryptographic and steganographic methods of data protection for secure transmission over a corporate or global network.

    Cryptography is considered one of the most reliable ways to protect data, because it protects the information itself, and not access to it. Cryptographically transformed information has a high degree of protection.

    The introduction of cryptographic information protection means involves the creation of a hardware-software complex, the architecture and composition of which is determined based on the needs of a particular customer, legal requirements, tasks and necessary methods, and encryption algorithms.

    This may include encryption software components (cryptographic providers), VPN tools, authentication tools, key generation and verification tools, and electronic digital signatures.

    Encryption tools can support GOST encryption algorithms and provide the required classes of cryptographic protection depending on the necessary degree of protection, the regulatory framework, and compatibility requirements with other, including external, systems. Encryption tools protect the entire set of information components: files, directories, physical and virtual storage media, entire servers and data storage systems.

    To conclude the second part, having briefly reviewed the main ways and means of information protection, as well as the classification of information, we can say the following: the well-known thesis is once again confirmed that ensuring information security is a whole complex of measures covering every aspect of information protection, and its creation and maintenance must be approached most carefully and seriously.

    The golden rule, an integrated approach, must be strictly observed and under no circumstances violated.

    For a more visual representation of information security tools as an indivisible set of measures, Figure 2 below shows them as a wall of bricks: each brick represents information security in a specific segment, and removing any one of them creates a security risk.


    Figure 2. Classification of information security tools.
