Information security in business, using a bank as an example. Summary: information security in business; a plan for establishing work in the field of information security

Enterprise information security
Business information security

* From Wikipedia

Information security is the state of protection of the information environment. Information protection is the activity of preventing the leakage of protected information and unauthorized or unintentional influences on it, that is, the process aimed at achieving that state.

Enterprise information security: an internal threat


A number of serious information security specialists call the internal threat the most important one, attributing to it up to 80% of all potential risks. Indeed, if one considers the average damage from hacker attacks, it comes out close to zero, because the number of attempted intrusions is large and the effectiveness of each is very low. A single case of personnel error or a successful act of sabotage by an insider, on the other hand, can cost a company multimillion-dollar losses (direct and indirect), litigation and notoriety in the eyes of customers. In fact, the very existence of the company may be under threat, and this, alas, is reality. How can you protect yourself from information leaks? How can an internal threat be recognized and prevented in time? Which methods of dealing with it are most effective today?


The enemy within


An internal attacker, or insider, can be practically any employee who has access to the company's confidential information. The motivation behind an insider's actions is not always obvious, which makes identifying him considerably harder. A recently dismissed employee who harbors a grudge against the employer; a dishonest employee who wants to earn extra money by selling data; a modern-day Herostratus seeking notoriety; an agent deliberately planted by a competitor or a criminal group: these are only a few of the insider archetypes.


The root of all the harm that malicious insiders can cause lies in underestimating the importance of this threat. According to a study by the company Perimetrix, the leakage of more than 20% of a company's confidential information leads in most cases to its collapse and bankruptcy. A particularly frequent, and at the same time the most vulnerable, victim of insiders is the financial institution, of any size, with staffs from hundreds to several thousand employees. Although in most cases companies try to hide or significantly understate the real damage from insider actions, even the officially announced losses are impressive. Far more painful than the financial losses are the damage to the company's reputation and the sharp decline in customer confidence; often the indirect losses are many times greater than the direct damage. A widely known case is that of the Liechtenstein bank LGT: in 2008 a bank employee handed a database of depositors to the intelligence services of Germany, the USA, Great Britain and other countries. As it turned out, a great many of the bank's foreign clients had used LGT's special status to conduct transactions that bypassed the tax laws of their own countries. A wave of financial investigations and related litigation swept the world, LGT lost all its significant clients and suffered critical losses, and the whole of Liechtenstein was plunged into a severe economic and diplomatic crisis. There is no need to look far for fresh examples either: in early 2011 a financial giant such as Bank of America acknowledged a leak of its clients' personal data. As a result of fraudulent activity, names, addresses, social security and telephone numbers, bank account and driver's license numbers, e-mail addresses, PIN codes and other personal data of depositors leaked from the bank.

It will hardly be possible to determine the real scale of the bank's losses precisely; officially only the figure "more than $10 million" was announced. The cause of the leak was an insider who passed the information to an organized criminal group. Not only banks and funds are under threat of insider attack, however: it is enough to recall the series of high-profile scandals around the publication of confidential data on WikiLeaks, a fair share of which, according to experts, was obtained precisely through insiders.


Prose of life


Unintentional harm, leakage or loss of confidential company data is a far more frequent and prosaic matter than harm caused by insiders. Carelessness of staff and the lack of proper technical support for information security can lead directly to a leak of corporate secrets. Such negligence brings not only serious losses to the budget and the company's reputation, but can also cause a wide public outcry. Once free, classified information becomes the property not of a narrow circle of intruders but of the entire information space: the leak is discussed on the Internet, on television and in the press. Recall the loud scandal over the publication of SMS messages of Russia's largest cellular operator, Megafon. Through the carelessness of technical staff, SMS messages were indexed by Internet search engines, and subscribers' correspondence, containing both personal and business information, ended up online. A very recent case is the publication of personal data of clients of the Russian Pension Fund: a mistake by staff of one of the fund's regional offices led to the indexing of personal information on 600 people, so that names, registration numbers and the exact amounts of the clients' savings could be read by any Internet user.


A very common cause of leaks of confidential data through negligence is the daily circulation of documents within the company. For example, an employee may copy a file containing classified data to a laptop, USB drive or PDA in order to work with it outside the office. Information can also end up on a file-hosting service or in the employee's personal e-mail. In such situations the data is completely defenseless against intruders who can take advantage of the unintentional leak.


Gold armor or body armor?


To protect against data leakage, the information security industry builds a variety of leakage protection systems, traditionally denoted by the abbreviation DLP (Data Leakage Prevention, also expanded as Data Loss Prevention). As a rule these are complex software systems with broad functionality for preventing malicious or accidental leakage of classified information. A feature of such systems is that their correct operation requires a strictly worked-out structure for the internal circulation of information and documents, since the analysis of every action with information relies on databases. This explains the high cost of deploying professional DLP solutions: even before implementation, the client company has to purchase a database management system (typically Oracle or SQL Server), order an expensive analysis and audit of its information flows, and develop a new security policy. It is common for more than 80% of the information in a company to be unstructured, which gives an idea of the scale of the preparatory work. The DLP system itself is, of course, also expensive. It is no surprise that only large companies willing to spend millions on information security can afford a professional DLP system.


But what should small and medium-sized businesses do when they need to secure their business information but have neither the funds nor the opportunity to deploy a professional DLP system? The most important thing for the head of the company or its security officer is to decide which information needs protecting and which aspects of employees' work with information need controlling. In Russian business the view still prevails that absolutely everything must be protected, without classifying information or weighing the effectiveness of protective measures. With that approach it is no surprise that, on learning the cost of enterprise information security, the head of a small or medium-sized business gives up and hopes for the best.


There are alternative protection methods that do not touch databases or the established life cycle of information, yet provide reliable protection against the actions of intruders and the negligence of employees. These are flexible modular suites that work together with other security tools, both hardware and software (antivirus software, for example). A well-designed security system of this kind gives reliable protection from both external and internal threats at a good balance of price and functionality. According to specialists at the Russian security software developer SafenSoft, the optimum is a combination of protection against external threats (for example, a host intrusion prevention system, HIPS, plus an antivirus scanner) with tools for monitoring and controlling user and application access to individual areas of information. With this approach the organization's entire network is protected from hacking or virus infection, while the monitoring and control of staff actions with information effectively prevents data leaks. With all the necessary protective tools present, the cost of such modular systems is ten times lower than that of full DLP solutions, and they require no preliminary analysis and adaptation of the company's information structure.


So, to sum up. Threats to the information security of an enterprise are entirely real and should not be underestimated. Besides countering external threats, special attention should be paid to internal ones. It is important to remember that leaks of corporate secrets are not only the result of malice; as a rule they are caused by elementary negligence and carelessness on the part of an employee. When choosing protective measures, there is no need to try to cover every conceivable and inconceivable threat; there will never be enough money and energy for that. Build a reliable modular security system that closes off the risk of intrusion from outside and lets you control and monitor the flow of information within the company.

The company "Bureau of Economic Security (Business)" professionally provides information security services to enterprises.

According to statistics, more than half of all business problems arise from "gaps" in information security. Leakage of information to competitors, loss of data, and the transfer of classified company information into the wrong hands all carry great risk for a business.

In first place is the protection of financial data, in second place protection against leaks, and in third place protection against DDoS attacks. While the first two have long been in the top three, the attack problem appeared only recently; the reason for the interest is the growing number of DDoS attacks on small and medium-sized companies.

Basic methods of business information security:

1. Intrusion protection

- installation of software or equipment to monitor network traffic (an intrusion detection or prevention system). At the first sign of danger (an intrusion), the system reacts and blocks access, and at the same time notifies the responsible employee.

2. Leakage protection

- a set of measures to prevent confidential information from falling into the wrong hands. A leak can happen in two ways:

- through malicious theft (espionage, corporate raiders, insiders);
- through staff oversight (loss of media, sending a password by e-mail, visiting a page that serves malware, having no one responsible for granting and revoking access rights to data, and so on).

Against malicious theft the protective measures are as follows: restricting the access regime at the enterprise, installing surveillance cameras, installing means for the emergency destruction of data on servers, encrypting information, and storing data on servers abroad.

In addition, to protect against accidental errors it is important to organize the recording of telephone conversations, the monitoring of traffic and of employees' work on their PCs, the encryption of USB drives, the use of rights management services (RMS), the implementation of DLP systems, and so on.

3. Protection of IP networks

The rapid development of IP networks, including the Internet, has driven the creation and refinement of a large number of time-tested and business-proven security tools and mechanisms. Using them makes information exchange over IP networks much safer than data transmission over dedicated communication lines.

IP security is a reality.

4. File protection

covers the safety of all the most important information stored on computers and servers within the company. It is implemented as follows:

- encryption of file systems and data, using EFS, QNAP, CryptoPro and similar tools;

- encryption of laptops (netbooks), storage media and mobile devices with software solutions (Kaspersky, SecretDisk, Endpoint Encryption) or with the encryption modules offered by Sony, Asus and other vendors;

- protection of information from the system administrator, for example with TrueCrypt (its developers discontinued it in 2014; VeraCrypt is the maintained successor);

- registration of mobile devices with a tracking service (for example Kaspersky or Prey);

- prohibition or restriction of access to individual electronic files (one of the best options is Active Directory Rights Management Services);

- unified authentication. Possible schemes are domain authentication (the equipment is joined to the domain structure), an eToken hardware key, or SMS confirmation.

5. Optimization and protection of 1C

- when working with the 1C database: disk encryption, restriction of access rights, and installation of a system that protects the data exchange processes and files;

- when working with the 1C database in a DBMS: restricting administrator rights for users, using encryption systems, taking measures to restrict remote or physical access to the servers, and so on;

- protection of confidential data NS.

In addition to the measures listed above, methods of ensuring information security include:

- protection of corporate communications;
- quick removal of information from the server;
- control over the work of employees;
- ensuring fault tolerance and stability of all business processes.

Ministry of Education and Science of the Russian Federation

federal state budgetary educational institution

higher professional education

"PERM NATIONAL RESEARCH

POLYTECHNIC UNIVERSITY"

Test

by discipline

INFORMATION SECURITY OF THE ENTERPRISE

Topic: Information security in business, using the example of OJSC "Alfa-Bank"

Completed by a student

group FK-11B:

Smyshlyaeva Maria Sergeevna

Checked by the teacher:

Shaburov Andrey Sergeevich

Perm - 2013

Introduction

Conclusion

Bibliography

Introduction

The information resources of most companies are among their most valuable assets. For this reason commercial and confidential information and personal data must be reliably protected from unauthorized use, while remaining easily accessible to those who take part in processing it or use it in the course of their assigned tasks. The use of special tools for this contributes to the stability of the company's business and its viability.

As practice shows, the issue of organizing business protection has become most pressing in present-day conditions. Online stores are "opened" and their customers' credit cards emptied, casinos and bookmakers are blackmailed, corporate networks are taken under external control, computers are turned into "zombies" and added to botnets, and fraud using stolen personal data is becoming a national disaster.

Company leaders must therefore understand the importance of information security and learn to predict and manage trends in this area.

The purpose of this work is to identify the advantages and disadvantages of a business information security system, using the example of Alfa-Bank.

Characteristics of the activities of OJSC "Alfa-Bank"

Alfa-Bank was founded in 1990. It is a universal bank that carries out all the main types of banking operations on the financial services market, including services for private and corporate clients, investment banking, trade finance and asset management.

The head office of Alfa-Bank is in Moscow; in total, 444 branches and offices of the bank have been opened in the regions of Russia and abroad, including a subsidiary bank in the Netherlands and financial affiliates in the USA, the UK and Cyprus. Alfa-Bank employs about 17 thousand people.

Alfa-Bank is the largest Russian private bank by total assets, total capital and deposits. The bank has a large client base of both corporate clients and individuals. Alfa-Bank is developing as a universal bank in its main areas: corporate and investment business (including small and medium business (SME), trade and structured finance, leasing and factoring) and retail business (including the branch network, car loans and mortgages). Special attention is paid to developing banking products for corporate business in the mass and SME segments, and to developing remote self-service channels and Internet acquiring. Alfa-Bank's strategic priorities are to maintain its status as the leading private bank in Russia, strengthen stability, increase profitability, and set industry standards for technology, efficiency, quality of customer service and teamwork.

Alfa-Bank is one of the most active Russian banks on the world capital markets. Leading international rating agencies assign Alfa-Bank some of the highest ratings among Russian private banks. It ranked first four times in a row in the "Customer Experience Index: the retail banking sector after the financial crisis" study conducted by Senteo together with PricewaterhouseCoopers. In 2012 Alfa-Bank was also named the best Internet bank by Global Finance magazine, received the award for the best analytics from the National Association of Stock Market Participants (NAUFOR), and was named the best Russian private bank according to the confidence index calculated by the research holding Romir.

Today the Bank has a network of 83 points of sale on a federal scale. Alfa-Bank has one of the largest networks among commercial banks, consisting of 55 offices and covering 23 cities. Expanding the network gave the Bank additional opportunities to increase its client base, broaden the range and quality of banking products, implement interregional programs and provide comprehensive service to key clients from among the largest enterprises.

Analysis of the theoretical basis of the issue of information security of business

The relevance and importance of the problem of ensuring information security are due to the following factors:

· The current level and pace of development of information security tools lag significantly behind the level and pace of development of information technology.

· The rapid growth of the installed base of personal computers used in all spheres of human activity. According to Gartner Dataquest research, there are currently more than a billion personal computers in the world.


· A sharp expansion of the circle of users with direct access to computing resources and data sets.

At present the importance of information stored in banks has grown significantly: it includes important and often secret information about the financial and economic activity of many people, companies, organizations and even entire states. A bank stores and processes valuable information that affects the interests of a large number of people, and it holds important information about its customers, which widens the circle of potential intruders interested in stealing or damaging such information.

Over 90% of all such crimes involve the bank's automated information processing systems (ASOIB). Consequently, when creating and modernizing an ASOIB, banks need to pay close attention to its security.

The main attention should be paid to the computer security of banks, that is, to the security of automated bank information processing systems, as the most urgent, complex and pressing problem in banking information security.

The rapid development of information technology has opened up new business opportunities but has also brought new threats. Under competitive pressure, modern software products are sold with errors and defects: developers, packing all kinds of functions into their products, do not have time to debug the resulting systems properly. The errors and flaws left in these systems lead to accidental and deliberate breaches of information security. Most accidental loss of information is caused by failures of software and hardware, and most attacks on computer systems are based on errors and flaws found in software. For example, in the first six months after the release of one server version of Microsoft Windows, 14 vulnerabilities were discovered, 6 of them critical. Although Microsoft develops service packs over time that eliminate the identified shortcomings, users have by then already suffered security breaches caused by the remaining errors. Until these and many other problems are resolved, the insufficient level of information security will remain a serious brake on the development of information technology.

Information security means the protection of information and its supporting infrastructure from accidental or intentional influences of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations, including the owners and users of the information and the supporting infrastructure.

In the modern business world there is a migration of tangible assets towards information assets. As an organization develops, its information system becomes more complex; its main task is to ensure maximum business efficiency in an ever-changing competitive market.

Considering information as a commodity, ensuring its security can lead to significant savings, while damage to it leads to material costs. For example, the disclosure of the manufacturing technology for an original product will lead to the appearance of a similar product from another manufacturer, and as a result of the security breach the owner of the technology, and perhaps its author, will lose part of the market. On the other hand, information is also the subject of control, and altering it can have catastrophic consequences for the controlled object.

According to GOST R 50922-2006, information protection is an activity aimed at preventing the leakage of protected information and unauthorized and unintentional influences on it. Information security is relevant for both enterprises and government agencies. For comprehensive protection of information resources, work is carried out on the construction and development of information security systems.

There are many reasons that can seriously disrupt the operation of local and global networks and lead to the loss of valuable information. Among them are the following:

- Unauthorized access from outside, copying or modification of information, and accidental or deliberate actions leading to:
  - distortion or destruction of data;
  - disclosure to unauthorized persons of information constituting a banking, financial or state secret.

- Incorrect software operation resulting in loss or corruption of data because of:
  - errors in application or network software;
  - infection of systems with computer viruses.

- Technical equipment failures caused by:
  - power outages;
  - failure of disk systems and data archiving systems;
  - disruption of servers, workstations, network cards or modems.

- Maintenance personnel errors.

Of course, there is no universal solution that eliminates all of these causes, but many organizations have developed and applied technical and administrative measures to minimize the risk of data loss or unauthorized access.

Today there is a large arsenal of methods for ensuring information security, which is also used at Alfa-Bank:

· means of identifying and authenticating users (the so-called 3A complex);

· encryption tools for information stored on computers and transmitted over networks;

· firewalls;

· virtual private networks;

· content filtering tools;

· tools for checking the integrity of the contents of disks;

· anti-virus protection means;

· network vulnerability detection systems and network attack analyzers.

The "3A complex" comprises authentication (together with identification), authorization and administration. Identification and authentication are key elements of information security. When a user tries to access a program, identification answers the question "who are you?" (the user presents a login), and authentication answers "are you really that user?" (the user proves it with a password or key). Authorization then determines which resources the particular user may access. Administration assigns the user his identifying attributes within the network and defines the scope of actions allowed to him. At Alfa-Bank, a login and password are requested from each employee when programs are opened, and for some operations the authorization of the department head or his deputy is additionally required.

A firewall is a system or combination of systems that forms a protective barrier between two or more networks and prevents unauthorized data packets from entering or leaving the network. The basic principle of a packet-filtering firewall is to check each packet against a rule base of allowed source and destination addresses; in practice the rules also cover the protocol and port numbers, and stateful firewalls additionally track the state of each connection. Firewalls thus significantly expand the possibilities for segmenting networks and controlling the flow of data.

Where cryptography and firewalls are concerned, secure virtual private networks (VPNs) should be mentioned. They make it possible to ensure the confidentiality and integrity of data transmitted over open communication channels.

An effective means of protecting against the loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking e-mail messages and their attachments against organizational rules can also protect the company from legal claims and its employees from spam. Content filtering tools can scan files of all common formats, including compressed and graphic files, while network bandwidth remains practically unchanged.

Modern antivirus technologies detect almost all already known malicious programs by comparing the code of a suspicious file with samples stored in the antivirus database. In addition, behavioral modeling technologies have been developed to detect newly created malware. Detected objects can be disinfected, isolated (placed in quarantine) or deleted. Virus protection can be installed on workstations, file and mail servers and firewalls running almost any common operating system (Windows, Unix and Linux systems, Novell) on processors of various types. Spam filters significantly reduce the overhead of sorting spam, reduce traffic and server load, improve the team's peace of mind and reduce the risk of employees being drawn into fraudulent transactions. Spam filters also reduce the risk of infection with new viruses, since messages carrying viruses (even ones not yet in the antivirus databases) often show signs of spam and are filtered out. True, the positive effect of spam filtering can be wiped out if the filter deletes or marks as spam useful business or personal messages along with the junk.

Some of the most typical types and methods of information threats are the following:

Disclosure and theft of trade secrets. Whereas previously secrets were kept in secret places and massive safes under reliable physical and (later) electronic protection, today many employees have access to office databases, which often contain very sensitive information such as customer data.

Dissemination of compromising material, that is, the deliberate or accidental use by employees, in electronic correspondence, of information that casts a shadow on the bank's reputation.

Infringement of intellectual property. It is important to remember that any intellectual product created in a bank, as in any organization, belongs to it and may not be used by employees (including the originators and authors of that intellectual property) except in the organization's interests. In Russia, meanwhile, conflicts frequently arise between organizations and employees who claim the intellectual product they created and use it in their own interests, to the detriment of the organization. This often happens because of a vague legal situation at the enterprise, where the employment contract contains no clearly defined rules setting out employees' rights and obligations.

Dissemination (often unintentional) of internal information that is not secret but may be useful to competitors (other banks).

Visits to the websites of competing banks. More and more companies use software on their public sites (in particular, software designed for CRM) that recognizes visitors and tracks their routes in detail, recording the time and duration of their viewing of each page. Competitors' websites have been and remain a valuable source for analysis and forecasting.

Abuse of office communications for personal purposes (listening to or watching music and other content unrelated to work, loading the office computer) does not pose a direct threat to information security, but it places an additional burden on the corporate network, reduces efficiency and interferes with colleagues' work.

And finally, external threats: unauthorized intrusions and the like.

The rules adopted by the bank must comply with both national and internationally recognized standards for the protection of state and commercial secrets and of personal and private information.

Organizational protection of information at Alfa-Bank

Alfa-Bank OJSC has implemented a security policy based on discretionary (selective) access control. Such control at Alfa-Bank OJSC is characterized by a set of permitted access relations specified by the administrator: the access matrix (subjects against objects) is filled in directly by the company's system administrator. Applying a discretionary security policy satisfies management's requirements and the requirements for information protection, access control and accountability, and has an acceptable implementation cost. Implementation of the policy is entrusted entirely to the system administrator of Alfa-Bank OJSC. This concentrates both the definition and the enforcement of the policy in one person; without a separate review of the administrator's own actions there is no separation of duties for that role.
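The following Python program is an added example written for this page; it is not Alfa-Bank's software and not code from the original paper. It models the scheme described in the "3A" paragraph above and in the preceding paragraph: a login and password check (identification and authentication), a discretionary access matrix filled in by the administrator with everything not listed denied (authorization), the "head or deputy" approval required for certain operations, and an audit log for accountability. All logins, passwords, object names and permissions are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that stored credentials cannot be read back as passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    login: str
    salt: bytes
    pw_hash: bytes


class AccessControl:
    """Discretionary access control: the administrator fills an access
    matrix keyed by (subject, object); anything absent from it is denied."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.matrix: dict[tuple[str, str], set[str]] = {}
        # (object, permission) pairs that additionally need a second person
        # holding "approve" on that object (the "head or deputy" rule).
        self.dual_control: set[tuple[str, str]] = set()
        self.audit: list[str] = []
        self._dummy_salt = os.urandom(16)

    # --- administration (performed by the administrator) -------------------
    def add_user(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[login] = User(login, salt, _hash_password(password, salt))

    def grant(self, login: str, obj: str, *perms: str) -> None:
        self.matrix.setdefault((login, obj), set()).update(perms)

    # --- identification + authentication -----------------------------------
    def authenticate(self, login: str, password: str) -> bool:
        user = self.users.get(login)
        if user is None:
            # Hash anyway so an unknown login costs the same time as a wrong
            # password; otherwise response time reveals which logins exist.
            _hash_password(password, self._dummy_salt)
            self.audit.append(f"AUTH FAIL login={login} reason=unknown-user")
            return False
        ok = hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))
        self.audit.append(f"AUTH {'OK' if ok else 'FAIL'} login={login}")
        return ok

    # --- authorization ------------------------------------------------------
    def authorize(self, login: str, obj: str, perm: str,
                  approver: str | None = None) -> bool:
        allowed = perm in self.matrix.get((login, obj), set())
        reason = "matrix"
        if allowed and (obj, perm) in self.dual_control:
            # The approver (assumed already authenticated in his own session)
            # must be a different person holding "approve" on the same object.
            allowed = (approver is not None and approver != login
                       and "approve" in self.matrix.get((approver, obj), set()))
            reason = f"dual-control approver={approver}"
        self.audit.append(
            f"AUTHZ {'OK' if allowed else 'DENY'} login={login} obj={obj} "
            f"perm={perm} reason={reason}")
        return allowed


def build_demo() -> AccessControl:
    """Constructed sample data (hypothetical accounts, not real credentials)."""
    ac = AccessControl()
    ac.add_user("ivanova", "operator-pass-1")   # branch operator
    ac.add_user("petrov", "head-pass-2")        # head of department
    ac.grant("ivanova", "client_accounts", "read")
    ac.grant("ivanova", "payments", "read", "create")
    ac.grant("petrov", "payments", "read", "create", "approve")
    ac.dual_control.add(("payments", "create"))  # creating a payment needs the head's approval
    return ac


if __name__ == "__main__":
    ac = build_demo()
    ac.authenticate("ivanova", "operator-pass-1")
    ac.authorize("ivanova", "client_accounts", "write")          # denied: not in the matrix
    ac.authorize("ivanova", "payments", "create")                # denied: no approver
    ac.authorize("ivanova", "payments", "create", approver="petrov")
    print("\n".join(ac.audit))
```

The matrix is the whole policy: the administrator who fills it can grant himself anything, which is why the audit log in this model records every decision rather than only failures; reviewing that log should be someone else's job.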

Alongside the existing security policy, Alfa-Bank OJSC uses specialized hardware and software protection tools.

The hardware security device is a Cisco 1605 router. It has two Ethernet interfaces (one with both TP and AUI connectors, the other with TP only) for the local network and one expansion slot for one of the WAN modules of the Cisco 1600 series. The Cisco IOS Firewall Feature Set software makes the Cisco 1605-R a flexible router/security device for the small office. Depending on the installed module, the router can connect via ISDN, a dial-up or leased line from 1200 bps to 2 Mbps, Frame Relay, SMDS or X.25.

To protect information, the owner of the LAN must secure the "perimeter" of the network, for example, by establishing control at the junction of the internal network with the external network. Cisco IOS provides high flexibility and security both by standard means such as: Extended Access Lists (ACLs), Blocking Systems (Dynamic ACLs), and Routing Authorization. In addition, the Cisco IOS FirewallFeatureSet available for the 1600 and 2500 series routers provides comprehensive security features including:

context-based access control (CBAC)

Java applet blocking

event logging (audit journal)

detection and prevention of attacks

real-time alerts

In addition, the router supports virtual private (overlay) networks, tunnels, traffic prioritization, resource reservation and various routing control methods.
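As an added example of how the extended-ACL mechanism named above decides a packet's fate, the following Python code re-implements the IOS matching rules (entries checked top-down, first match wins, an invisible "deny ip any any" at the end) so a perimeter list can be tested offline before it is loaded onto the router. It is not Cisco code; the three ACL lines and all addresses are constructed.

```python
"""First-match evaluation of Cisco-style extended access lists.

Added example in Python, not Cisco IOS code: it re-implements the matching
semantics (top-down, first match wins, implicit 'deny ip any any' at the end)
so the effect of a perimeter ACL can be tested offline. The addresses and the
three ACL lines are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed perimeter policy at the junction of the LAN (10.0.0.0/24) and the outside:
# anyone may reach the public web server on 443, only LAN hosts may send mail out,
# everything else is dropped.
SAMPLE_ACL = [
    "permit tcp any host 10.0.0.5 eq 443",
    "permit tcp 10.0.0.0 0.0.0.255 any eq 25",
    "deny ip any any",
]

ALL_ONES = 0xFFFFFFFF


class Entry(NamedTuple):
    action: str
    proto: str
    src: Tuple[int, int]   # (network value, care mask) - see _parse_addr
    dst: Tuple[int, int]
    port: Optional[int]
    text: str


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (address + wildcard).

    Returns (value, care): a packet address X matches when (X & care) == value.
    Cisco wildcard bits set to 1 mean "don't care", so care = ~wildcard.
    """
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0
    if kw == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), ALL_ONES
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = ALL_ONES & ~wildcard
    return int(ipaddress.IPv4Address(kw)) & care, care


def parse_acl(lines: List[str]) -> List[Entry]:
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACL line: {line}")
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        port = None
        if rest:
            if rest[0] != "eq" or len(rest) != 2:
                raise ValueError(f"unsupported port clause: {line}")
            port = int(rest[1])
        entries.append(Entry(action, proto, src, dst, port, line))
    return entries


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching line) for one packet; IOS checks entries in order."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if (s & e.src[1]) != e.src[0] or (d & e.dst[1]) != e.dst[0]:
            continue
        if e.port is not None and e.port != dport:
            continue
        return e.action, e.text
    # Nothing matched: IOS applies an invisible final deny.
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(evaluate(acl, "tcp", "203.0.113.9", "10.0.0.5", 443))   # permit
    print(evaluate(acl, "tcp", "203.0.113.9", "10.0.0.5", 22))    # deny
```

The value worth checking in practice is the returned matching line: when a packet is permitted by an entry other than the one the author expected, the list is ordered wrongly, and the explicit final deny is there so that the log shows the drop rather than silently relying on the implicit one.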

The Kaspersky OpenSpaceSecurity solution is used as a software protection tool. Kaspersky OpenSpaceSecurity fully meets the modern requirements for security systems for corporate networks:

a solution to protect all types of network nodes;

protection against all types of computer threats;

effective technical support;

"proactive" technologies combined with traditional signature protection;

innovative technologies and a new antivirus engine that increases performance;

ready-to-use protection system;

centralized management;

full protection of users outside the network;

compatibility with third-party solutions;

efficient use of network resources.

The system being developed should provide full control, automated accounting and analysis of the protection of personal information, reduce customer service time, and provide information about the codes used to protect information and personal data.

To formulate the requirements for the system being developed, it is necessary to define the requirements for the organization of its database and for information compatibility.

Database design should be based on the views of the end users of a particular organization - the conceptual requirements for the system.

In this case, the information system contains data about the company's employees. One technique that clearly illustrates how an information system works is the development of a document workflow scheme.

The functions of the system being developed can be achieved through the use of computer technology and software. Considering that searching for information, reference and accounting documents takes up about 30% of the working time of bank specialists, the implementation of an automated accounting system will significantly free up qualified specialists and can lead to savings in the wage fund and a reduction in the number of employees; at the same time, it may require adding an operator position to the department's staff, whose responsibilities will include entering information about ongoing business processes: personal data, accounting documents and access codes.

It should be noted that the introduction of the system being developed will reduce, and ideally completely eliminate, errors in the accounting of personal data and information security codes. Thus, the introduction of an automated workplace for a manager will lead to a significant economic effect: a reduction in staff by 1/3, savings in the wage bill and an increase in labour productivity.

Alfa-Bank, like any other bank, has developed an Information Security Policy, which defines a system of views on the problem of ensuring information security and is a systematic statement of the goals and objectives of protection, expressed as one or more rules, procedures, practices and guidelines in the field of information security.

The Policy takes into account the current state and immediate prospects of the development of information technologies in the Bank, the goals, objectives and legal basis of their operation and their modes of operation, and also contains an analysis of security threats to the objects and subjects of the Bank's information relations.

The main provisions and requirements of this document apply to all structural divisions of the Bank, including additional offices. The main issues of the Policy also apply to other organizations and institutions interacting with the Bank as suppliers and consumers of the Bank's information resources in one capacity or another.

The legislative basis of this Policy is the Constitution of the Russian Federation, the Civil and Criminal Codes, laws, decrees, resolutions and other regulations of the current legislation of the Russian Federation, and the documents of the State Technical Commission under the President of the Russian Federation and of the Federal Agency for Government Communications and Information under the President of the Russian Federation.

The policy is the methodological basis for:

· formation and implementation of a unified policy in the field of information security in the Bank;

· making management decisions and developing practical measures to implement the information security policy, and developing a set of coordinated measures aimed at identifying, repelling and eliminating the consequences of the implementation of various types of information security threats;

· coordinating the activities of the Bank's structural units when carrying out work on the creation, development and operation of information technologies in compliance with the requirements for ensuring the security of information;

· development of proposals for improving the legal, regulatory, technical and organizational security of information in the Bank.

A systems approach to building an information security system in the Bank involves taking into account all interrelated, interacting and time-varying elements, conditions and factors that are significant for understanding and solving the problem of ensuring the security of the Bank's information.

Ensuring the security of information is a process carried out by the Bank's management, its information protection units and employees at all levels. It is not only, and not so much, a procedure or policy implemented over a certain period of time, or a set of protective tools, but a process that must go on constantly at all levels within the Bank, and every employee of the Bank must take part in it. Information security activities are an integral part of the Bank's day-to-day operations, and their effectiveness depends on the participation of the Bank's management in ensuring information security.

In addition, most physical and technical means of protection require constant organizational (administrative) support in order to perform their functions effectively (timely change and correct storage and use of user names, passwords and encryption keys, redefinition of powers, etc.). Interruptions in the operation of protection means can be used by intruders to analyze the applied methods and means of protection, to introduce special software and hardware "implants" (backdoors) and other means of overcoming protection.

Personal responsibility implies the assignment of responsibility for ensuring the security of information and its processing system to each employee within the limits of his authority. In accordance with this principle, the rights and responsibilities of employees are distributed in such a way that, in the event of any violation, the circle of possible perpetrators is clearly known or minimized.

At Alfa-Bank, the activity of every user, every means of protection and every object of protection is monitored constantly; such monitoring is based on operational control and logging and covers both unauthorized and authorized user actions.

The bank has developed the following organizational and administrative documents:

· Regulations on commercial secrets. The said Regulation regulates the organization, the procedure for working with information constituting a commercial secret of the Bank, duties and responsibilities of employees admitted to this information, the procedure for transferring materials containing information constituting a commercial secret of the Bank to state (commercial) institutions and organizations;

· The list of information constituting an official and commercial secret. The list defines information classified as confidential, the level and terms of ensuring restrictions on access to protected information;

· Orders and instructions for establishing a security regime for information:

· admission of employees to work with information of limited distribution;

· appointing administrators and persons responsible for working with restricted information in the corporate information system;

· Instructions and functional responsibilities of employees:

· on the organization of security and access control;

· on the organization of office work;

· administration of information resources of the corporate information system;

· other regulatory documents.

Conclusion

Today, the issue of organizing information security is of concern to organizations of any level - from large corporations to individual entrepreneurs operating without forming a legal entity... Competition in modern market relations is far from perfect and is often not conducted in the most legal ways. Industrial espionage is flourishing. But cases of inadvertent dissemination of information relating to an organization's trade secrets are also frequent. As a rule, the negligence of employees and their lack of understanding of the situation, in other words the "human factor", play a role here.

Alfa-Bank protects the following information:

trade secret

bank secrecy

bank documents (reports of the Security Department, annual estimate of the bank, information on the income of bank employees, etc.)

Information in the bank is protected against such threats as:

· natural threats;

· artificial threats: unintentional (accidental) threats caused by errors in the design of the information system and its elements, errors in the actions of personnel, etc.; and intentional threats associated with selfish, ideological or other aspirations of people (intruders).

Sources of threats in relation to the information system itself can be both external and internal.


Business security is a set of measures aimed at the comprehensive protection of entrepreneurial activity from various types of threats (information, legal, physical, economic, organizational and personnel). All decisions regarding the comprehensive protection of the business and the measures taken are entrusted to the security service, the heads of the relevant departments and the director of the organization.

Types of business security problems and ways to solve them

There is always room for risk in any kind of business. At the same time, a good leader will not wait for problems - he will take timely measures to protect against the most likely business problems. These include:

- corporate troubles - disputes and conflicts between the company's shareholders, conflicts between top managers, or difficult relations between the company's owners and the heads of departments;

- external hazards - threats from criminal structures, conflicts with law enforcement and state bodies, raider attacks and so on;

- financial losses - fraudulent actions by staff (or clients), theft, unscrupulous intermediaries or suppliers, inappropriate use of company resources, bribes for actions against the interests of the company;

- informational hazards - leakage of the company's secret information (or its concealment or destruction), unauthorized access to confidential data, disclosure of commercial secrets, and the like;

- security "holes" - theft of material and technical assets by unauthorized persons, unauthorized entry into the company's premises, violation of labour discipline;

- reputation problems - the presence of employees with a bad reputation, cooperation with people (counterparties) with a bad reputation.

To solve all of the listed business problems, the following types of protection are needed:

- physical - security systems, security guards, surveillance cameras and so on;
- economic - verification of counterparties, protection of the client-bank system, tax optimization;
- organizational and personnel - vetting of new hires, control of existing employees;
- informational - protection against intrusions, protection of files and documents, optimization and protection of 1C, unified authentication, protection against information leaks, and so on;
- legal - examination of completed transactions, verification of draft documents, subscription services, and so on.

business

According to statistics, more than half of all business problems arise due to "gaps" in information security. Leakage of information to competitors, loss of data, transfer of classified company information to the wrong hands - all this carries a great risk for business. In such a situation, IT managers of the company take a number of effective measures to ensure comprehensive protection of the company.

In the first place is the protection of financial data, the second is the protection against leaks, and the third is the protection against DDoS attacks. And if the first two points have been in the top three for a long time, then the problem with attacks appeared only recently. The reason for this interest is the increased number of DDoS attacks on small and medium-sized companies.

Among the main measures that Russian companies have taken in the field of security are protection against malware, update management, application control, network structuring, solutions for the protection of financial transfers, control of the use of external devices, protection of mobile phones, etc.


The main methods of business information security are as follows:

1. Intrusion protection - installation of programs or equipment needed to control traffic in the network. When the first sign of danger (an intrusion) appears, the system reacts and blocks access. At the same time, the responsible employee is notified.

The protection system is implemented in one of two ways:

- IPS system. Its task is to block any suspicious network activity, effectively filtering out "unnecessary" traffic. The advantage of the system is the ability not only to detect but also to prevent an intrusion. The minus is a high percentage of false positives, which constantly distracts employees from their work and causes downtime of the computer network during checks;

- IDS system - monitors current anomalous activity and, when it appears, signals the administrator. Positive features are an effective fight against intrusion and the transfer of decision-making authority to the administrator. The downside is that the responsible employee may not have time to react, and the system may be irreparably damaged.
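The trade-off between the two approaches can be seen in a few lines of code. The following added Python example (not a product's implementation) runs one toy signature engine in IDS mode, where a match only alerts, and in IPS mode, where a match drops the request; the rules and the four request lines are constructed, and the last request is benign but trips a loose rule, which is exactly the false-positive cost of inline blocking described above.

```python
"""IDS versus IPS: same signatures, different consequence of a match.

Added example, not a product's code: a toy signature engine that can run as a
passive sensor (IDS: every request is forwarded, matches raise an alert) or
inline (IPS: a match drops the request). The rules and the four HTTP request
lines are constructed; the last one is benign and shows the false-positive cost
of inline blocking.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


RULES = [
    Rule("sqli-union-select", re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)),
    Rule("path-traversal", re.compile(r"\.\./")),
    # Deliberately loose signature: it also fires on harmless URLs containing "admin".
    Rule("admin-path", re.compile(r"/admin", re.IGNORECASE)),
]

SAMPLE_REQUESTS = [  # constructed request lines
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=42 UNION SELECT 1,2,3 HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
    "GET /administration-guide.pdf HTTP/1.1",   # benign, trips admin-path
]


@dataclass(frozen=True)
class Decision:
    request: str
    matched: Tuple[str, ...]   # names of rules that fired
    forwarded: bool            # did the traffic reach the server?
    alerted: bool              # was the administrator notified?


def inspect(requests: List[str], mode: str) -> List[Decision]:
    """Run the signatures over each request in 'ids' or 'ips' mode."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    decisions = []
    for req in requests:
        hits = tuple(rule.name for rule in RULES if rule.pattern.search(req))
        # IDS only watches: traffic always goes through. IPS sits inline: a hit blocks.
        forwarded = True if mode == "ids" else not hits
        decisions.append(Decision(req, hits, forwarded, bool(hits)))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Counts an operator would compare between the two modes."""
    return {
        "requests": len(decisions),
        "alerts": sum(d.alerted for d in decisions),
        "blocked": sum(not d.forwarded for d in decisions),
    }


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, summarize(inspect(SAMPLE_REQUESTS, mode)))
        for d in inspect(SAMPLE_REQUESTS, mode):
            if d.alerted:
                print("  ", "DROP " if not d.forwarded else "ALERT", d.matched, d.request)
```

Run both modes and compare the summaries: the alert count is identical, but in IPS mode the benign fourth request is dropped along with the two bad ones. Tightening the admin-path rule (or running a new rule in IDS mode first and promoting it to blocking only after its false-positive rate is known) is the usual way to keep the prevention benefit without the downtime the text warns about.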

An ideal intrusion defense system is as follows:


2. Leakage protection - a set of measures to prevent confidential information from falling into the wrong hands. A leak can happen in two ways:

- by malicious theft (espionage, raiders, insiders);
- due to staff oversight (loss of media, sending a password by mail, visiting a page with a virus, absence of people responsible for transferring data access rights, and so on).

In the case of malicious theft, the methods of protection are as follows: restriction of the access regime, installation of surveillance cameras, installation of means for destroying data on servers, encryption of information, storage of data on foreign servers.

To protect against personnel errors, the following methods can be called effective: minimization of access rights to confidential information, individual responsibility of employees, use of secure channels, creation of regulations for employees' work with important documents, and introduction of responsibility for data carriers issued to employees.

In addition, to protect against accidental errors, it is important to organize recording of telephone conversations, monitoring of traffic and of employees' work at the PC, encryption of USB drives, use of RMS, implementation of DLP systems, and so on.
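To show what the DLP measure mentioned above actually does to an outgoing message, here is an added Python example of outbound-mail content inspection; it is not a vendor's product. It scans constructed messages for three of the leak patterns named in this section: a password sent by mail, a payment card number (confirmed by the Luhn checksum so that phone numbers are not flagged), and a document marked confidential addressed outside the company domain. The domain example-bank.test, the messages and the card number are constructed test values.

```python
"""Outbound-mail content inspection of the kind a DLP system performs.

Added example, not a vendor's product: it scans constructed e-mail messages for
three leak patterns (a password sent by mail, a payment card number, a document
marked confidential leaving the company domain). The domain example-bank.test,
the messages and the card number are constructed.
"""
import re
from typing import List, Tuple

INTERNAL_DOMAIN = "example-bank.test"   # constructed company domain

PASSWORD_RE = re.compile(r"\b(password|passwd|pin)\s*[:=]\s*\S+", re.IGNORECASE)
# 13-19 digits optionally separated by spaces or dashes; candidates are confirmed by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKING_RE = re.compile(r"\b(confidential|trade secret)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out phone numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(recipient: str, subject: str, body: str) -> List[str]:
    """Return the names of the policy violations found in one outgoing message."""
    findings = []
    text = subject + "\n" + body
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if PASSWORD_RE.search(text):
        findings.append("credential-in-mail")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card-number")
            break
    # A confidentiality marking is fine inside the company; it is a leak only when
    # the recipient is outside the domain.
    if external and MARKING_RE.search(text):
        findings.append("confidential-to-external")
    return findings


def decide(findings: List[str]) -> str:
    """Block anything with a finding; a real deployment would also notify the owner."""
    return "block" if findings else "deliver"


SAMPLE_OUTBOX = [  # constructed (recipient, subject, body)
    ("colleague@example-bank.test", "Minutes", "Confidential: see attached minutes."),
    ("partner@supplier.test", "Prices", "Confidential: our purchase prices are below."),
    ("me@home.test", "fyi", "VPN password: Tr0ub4dor&3 please keep"),
    ("shop@merchant.test", "Order", "Card 4111 1111 1111 1111, exp 12/29"),
    ("friend@somewhere.test", "Call me", "My number is 4111 1111 1111 1112"),
]


def run_outbox(outbox: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Decision per message, in outbox order."""
    return [(rcpt, decide(scan_message(rcpt, subj, body))) for rcpt, subj, body in outbox]


if __name__ == "__main__":
    for rcpt, verdict in run_outbox(SAMPLE_OUTBOX):
        print(f"{verdict:8} {rcpt}")
```

Two design points matter more than the regular expressions: the Luhn confirmation keeps the card rule from flagging every long number (the fifth message is delivered), and the confidentiality rule depends on the recipient's domain, so the same marked document can circulate internally without constant false blocks.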


3. File protection implies the safety of all the most important information that is stored on computers and servers within the company. It is implemented as follows:

- encryption of file systems (data) - the use of EFS, Qnap, CryptoPro and similar systems;

- encryption of laptops (netbooks), storage media and mobile devices - software solutions (Kasperskiy, SecretDisk, Endpoint Encryption) or encryption modules from Sony, Asus and other companies;

Introduction

Business leaders must understand the importance of information security, learn to predict and manage trends in this area.

Today's business cannot exist without information technology. It is known that about 70% of the world's gross national product depends in one way or another on the information stored in information systems... The widespread introduction of computers has created not only well-known conveniences but also problems, the most serious of which is the problem of information security.

Along with control elements for computers and computer networks, the standard pays great attention to the development of security policy, work with personnel (hiring, training, dismissal from work), ensuring the continuity of the production process, and legal requirements.

Undoubtedly, this topic of term paper is very relevant in modern conditions.

Object of the coursework: the information security of the professional activity of organizations.

Research subject: information security.

In this term paper it is planned to develop a draft management decision on the organization of information security on the basis of a real organization.

Chapter 1. Information security of professional activity

Information security is a relatively new area of professional activity of specialists. The main goals of such activities are:

Ensuring protection from external and internal threats in the formation, distribution and use of information resources;

Prevention of violations of the rights of citizens and organizations to maintain confidentiality and secrecy of information;

Providing conditions that prevent deliberate distortion or concealment of information in the absence of legal grounds for this.

The customers of specialists in this field are:

Federal bodies of state power and administration of the Russian Federation;

State authorities of the constituent entities of the Russian Federation;

Government agencies, organizations and enterprises;

Defense industry;

Local government bodies;

Non-governmental institutions, organizations and enterprises of various forms of ownership.

The appearance in free, albeit illegal, sale of a database of customers of the mobile operator MTS forces us again and again to address the problem of computer security. It looks like this topic is inexhaustible. Its relevance grows with the level of computerization of commercial firms and non-profit organizations. High technologies, which play a revolutionary role in the development of business and practically all other aspects of modern society, make their users very vulnerable from the point of view of information and, ultimately, economic security.

This is a problem not only in Russia, but in most countries of the world, primarily Western ones, although there are laws that restrict access to personal information and impose strict requirements for its storage. The markets offer various systems for protecting computer networks. But how to protect yourself from your own “fifth column” - unscrupulous, disloyal, or simply careless employees who have access to classified information? The scandalous leak of the MTS client database could not have happened, apparently, without collusion or criminal negligence of the company's employees.

It seems that many, if not most, entrepreneurs simply do not understand the seriousness of the problem. Even in countries with developed market economies, according to some studies, 80% of companies do not have a well-thought-out, planned system for protecting storage and operational databases. What can we say about us, who are accustomed to relying on the famous "maybe".

Therefore, it is not useless to turn to the topic of the dangers of leaks of confidential information and to talk about measures to reduce such risks. A publication in the Legal Times (October 21, 2002), a periodical devoted to legal issues (Mark M. Martin, Evan Wagner, "Vulnerability and Information Security"), will help us in this. The authors list the most typical types and methods of information threats. Which ones?

Declassification and theft of trade secrets. Everything is more or less clear here. Classic, going into ancient history, economic espionage. Whereas previously secrets were kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases, often containing very sensitive information, for example, the same customer data.

Dissemination of compromising materials. Here the authors mean the intentional or accidental use by employees, in electronic correspondence, of information that tarnishes the reputation of the company. For example, the name of the company appears in the e-mail domain of a correspondent who engages in defamation, insults or, in short, anything that can compromise the organization in his letters.

Infringement of Intellectual Property. It is important not to forget that any intellectual product produced in an organization belongs to the organization and cannot be used by employees (including generators and authors of intellectual values) except in the interests of the organization. Meanwhile, in Russia on this occasion, conflicts often arise between organizations and employees, claiming the intellectual product they have created and using it in their personal interests, to the detriment of the organization. This often happens due to the vague legal situation at the enterprise, when the labor contract does not contain clearly defined rules and regulations outlining the rights and obligations of employees.

Dissemination (often unintentional) of inside information that is not secret, but could be useful to competitors. For example, about new vacancies in connection with the expansion of the business, about business trips and negotiations.

Visits to competitors' sites. Now more and more companies use programs on their open sites (in particular, designed for CRM), which allow you to recognize visitors and track their routes in detail, record the time and duration of their viewing of the site pages. It is clear that if your visit to a competitor's website is known in detail to its operator, then it is not difficult for the latter to conclude what exactly interests you. This is not a call to abandon a critical channel of competitive information. Competitor websites have been and remain a valuable source for analysis and forecasting. But when visiting sites, you must remember that you leave traces and you are also being watched.

Abuse of office communications for personal purposes (listening, watching music and other content that is not related to work, loading an office computer) does not pose a direct threat to information security, but creates additional loads on the corporate network, reduces efficiency, and interferes with the work of colleagues.

And finally, external threats - unauthorized intrusions, etc. This is a topic for another serious conversation.

How can you protect yourself from internal threats? There is simply no 100% guarantee against damage caused by your own employees. This is a human factor that does not lend itself to complete and unconditional control. At the same time, the authors mentioned above give helpful advice: develop and implement within the company a clearly formulated communication (or information) policy. Such a policy should draw a clear line between what is permissible and what is not permissible in the use of office communications. Crossing the line leads to punishment. There should be a system for monitoring who uses computer networks and how. The rules adopted in the company must comply with both national and internationally recognized standards for the protection of state and commercial secrets and of personal and private information.


Chapter 2. Information security of professional activity in LLC "Laspi"

2.1. Brief description of LLC "Laspi"

LLC "Laspi" was established in 1995 as the representative office of a Czech company in Russia. The company supplies Czech equipment and consumables for the production of various concrete products (from paving slabs to fences, flowerpots, etc.). The equipment is of high quality and reasonable cost. Customers contacting the Samara office are organizations from various cities of Russia and the CIS (Kazan, Ufa, Izhevsk, Moscow, Nizhny Novgorod, etc.). Naturally, such large-scale activity requires special attention to information security within the company.

Information security today leaves much to be desired. Various documentation (technical, economic) is in the public domain, which allows almost any employee of the company (from the founder to the driver) to familiarize himself with it without hindrance.

Critical records are kept in the safe. Only the director and his secretary have the keys to the safe. But here the so-called human factor plays an essential role. Often, the keys are forgotten in the office on the table and the safe can be opened even by a cleaning lady.

Economic documents (reports, bills, invoices, etc.) are arranged in folders on the shelves of a cabinet that cannot be locked.

When hired, employees do not sign any non-disclosure agreement covering information that constitutes a trade secret, so nothing prohibits them from distributing such information.

Recruitment is carried out through an interview consisting of two stages: 1. communication with the immediate superior (which reveals the skills and abilities of the potential employee); 2. communication with the founder (which is more personal in nature, and the conclusion of this dialogue is either "we will work together" or "we will not work together").

All this requires closer attention from the management and a competent program to ensure the information security of the company, because today Laspi LLC has a lot of competitors who are unlikely to miss the opportunity to take advantage of, for example, the company's client base or supplier base.

2.2. Project of a management solution to ensure information security of professional activities of Laspi LLC.

An important place in the system of organizational, administrative, legal and other measures that make it possible to properly solve the problems of information support for scientific, industrial and commercial activities, the physical safety of material carriers of classified information, the prevention of their leakage and the preservation of commercial secrets is occupied by the permissive (authorization) system governing the access of performers to classified documents and information.

Taking into account the Law of the RSFSR "On Enterprises and Entrepreneurial Activity", the head of an enterprise (firm), regardless of its form of ownership, can establish special rules for access to information constituting a trade secret and to its carriers, thereby ensuring their safety.

In the system of security measures, the optimal distribution of production, commercial and financial-credit information constituting the enterprise's secret among the specific performers of the relevant work and documents is of essential importance. When distributing information, on the one hand, it is necessary to ensure that a specific employee is provided with the full amount of data needed for the high-quality and timely performance of the work entrusted to him, and on the other hand, it is necessary to exclude the performer's acquaintance with unnecessary classified information that he does not need for his work.

In order to ensure lawful and reasonable access of a performer to information constituting a commercial secret of the company, it is recommended to develop and implement an appropriate authorization system at enterprises.

Access is understood as obtaining written permission from the head of the company (or, with his approval, from other executives) to issue specific (or all) classified information to an employee, taking into account his official duties (official powers).

Registration of access to commercial secrets (CT) can be carried out in accordance with the Regulations on the authorization system of access approved by the director, in which the powers of the company's officials to distribute and use information are legally enshrined. The head of the organization can authorize the use of any protected information by any employee of the enterprise, or by a person who has arrived at the facility from another organization to resolve some issue, provided that no restrictions have been imposed on this information by production and commercial partners in joint production, etc. So, in LLC "Laspi" it is recommended to restrict access to information constituting a commercial secret (contracts with suppliers and customers, final reports on transactions) to the following employees:

1. founder of the company.

2. director of the company.

3. secretary to the director.

Only the founder and director of the firm can authorize access to information to other employees.

All of the above employees and managers who conduct these transactions should have access to information about current transactions with clients.

Initial information on the purchase prices of equipment should be similarly restricted. Only the founder and the director of the company, who provide the rest of the employees only with already worked-out prices (with various "markups"), and the secretary, who maintains the entire document flow of the organization, have access to it.

Effective work of the permitting system is possible only if certain rules are observed:

1. The authorization system, as a mandatory rule, includes a differentiated approach to authorizing access, taking into account the importance of classified information in relation to which the issue of access is being decided.

2. A documentary reflection of the issued permission for the right to use one or another protected information is required. This means that the manager who has given permission for the right to use must obligatorily record it in writing on the corresponding document or in the accounting form in force at the enterprise. Any verbal instructions and requests for access from anyone (with the exception of the head of the enterprise) are not legally binding. This requirement also applies to managers at all levels working with classified information and its carriers. Thus, only the written permission of the head (within the limits of authority) is a permission for the issuance of protected information to a particular person.

3. The principle of control should be strictly observed. Each permit must have the date of its registration and issue.

Such a traditional form of permission as the head's resolution on the classified document itself is widespread. Such a resolution must contain a list of the names of the employees who are obliged to familiarize themselves with the document or execute it, the deadline for execution, other instructions, the signature of the manager and the date. The manager can, if necessary, provide for restrictions on the access of specific employees to certain information.

The resolution, as a type of permission, is used mainly for the prompt delivery to interested parties of classified information contained in documents and products received from outside and created at the enterprise.

The head of the enterprise can also grant access by means of administrative documents: orders, directives and instructions for the enterprise. They must contain the names and positions of the persons and the specific classified documents and products to which they can be admitted (familiarized).

Another type of permit is the name list of persons entitled to become acquainted with, and perform any actions on, classified documents and products. Name lists are approved by the director of the enterprise or, in accordance with the current permitting system, by managers who, as a rule, hold positions not lower than the heads of the relevant departments.

Name lists can be used when organizing access to classified documents and products of particular importance to the enterprise, when registering access to restricted areas, and for various closed events (conferences, meetings, exhibitions, meetings of scientific and technical councils, etc.). A name list may designate specific managers who are admitted by the head to all closed documents and products without separate written permissions. The list indicates the full name of the performer of the work, the department, the position held, and the category of documents and products to which he is admitted. In practice, job lists are also used; these indicate the position of the performer, the scope of documents (categories of documents) and the types of products that must be used by employees of the enterprise holding the position corresponding to the list. It should be noted that for enterprises with a small volume of classified documents and products, it may be sufficient to use such types of permission as the head's resolution on the document itself, name lists and job lists.

Organizationally, name lists should be prepared by the interested heads of structural divisions. The list of employees included in it is endorsed by the head of the security service and approved by the head of the enterprise, who can delegate the right of approval to other members of management.

The permitting system must meet the following requirements:

· Apply to all types of classified documents and products available at the enterprise, regardless of their location and creation;

· Determine the access procedure for all categories of employees who have received the right to work with trade secrets, as well as for specialists who are temporarily at the enterprise in connection with joint closed orders;

· Establish a simple and reliable procedure for issuing permits for access to protected documents and products, which allows you to immediately respond to changes in the field of information at the enterprise;

· Clearly delineate the rights of managers of various job levels in the design of access for the relevant categories of performers;

· Exclude the possibility of uncontrolled and unauthorized issuance of documents and products to anyone;

· Not allow persons working with classified information and objects to make changes to registration records or to substitute accounting documents.
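A small Python model of the permitting system described above (resolutions, name lists and job lists, plus the requirements just listed), added here as an illustration; it is not part of the term paper, and the category names, manager authority levels and sample persons are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Document importance levels (constructed; the text only speaks of "categories").
CATEGORY_RANK = {"ordinary": 1, "important": 2, "especially_important": 3}


@dataclass(frozen=True)
class Manager:
    name: str
    max_category: str  # highest category this manager is authorized to grant


@dataclass(frozen=True)
class Permit:
    """A written, dated permit: a name list, a job list, or both."""
    issuer: Manager
    category: str
    registered: date                         # date of registration and issue
    names: FrozenSet[str] = frozenset()      # name list of admitted persons
    positions: FrozenSet[str] = frozenset()  # job list of admitted positions
    written: bool = True                     # verbal instructions do not count

    def covers(self, person: str, position: str, category: str) -> bool:
        if not self.written:
            return False
        # A permit issued beyond the issuer's authority is void.
        if CATEGORY_RANK[self.category] > CATEGORY_RANK[self.issuer.max_category]:
            return False
        # A permit for a lower category does not open higher ones.
        if CATEGORY_RANK[category] > CATEGORY_RANK[self.category]:
            return False
        return person in self.names or position in self.positions


class PermitRegistry:
    """Keeps every permit and a dated record of every access decision."""

    def __init__(self) -> None:
        self.permits: List[Permit] = []
        self.audit: List[Tuple[str, str, str, bool]] = []

    def register(self, permit: Permit) -> None:
        self.permits.append(permit)

    def may_access(self, person: str, position: str, category: str) -> bool:
        allowed = any(p.covers(person, position, category) for p in self.permits)
        self.audit.append((date.today().isoformat(), person, category, allowed))
        return allowed
```

Nothing in the model can grant access without a written, dated permit, and every decision (granted or refused) lands in the audit record, which is the "principle of control" from item 3.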

When developing a permitting system, special attention should be paid to identifying the core information that is especially valuable for the enterprise, so that access to it is strictly limited. Where there is joint work with other enterprises (organizations), foreign firms or their individual representatives, the procedure for their access to the commercial secrets of the enterprise must be provided for. It is also advisable to define the procedure for interaction with representatives of supervisory state bodies (technical supervision, the sanitary and epidemiological station, etc.).

The Regulation on the company's permitting system must state that the transfer of classified documents and products from one performer to another is possible only within a structural unit and with the permission of its head. The transfer and return of such documents and products are carried out in the order established by the company and only during the working hours of the given day.

All classified documentation and products received or developed by the enterprise are received and registered by middle management and the secretary. After registration, the documentation is submitted to the head of the enterprise for consideration against receipt.

The Regulation on the company's permitting system must also state that closed meetings on business matters are held only with the permission of the head of the company or his deputies. Special requirements may apply to meetings of academic councils, meetings reviewing the results of R&D or of financial and commercial activities, etc. For such events it is recommended to draw up permit lists without fail and to include in them only those employees of the enterprise who are directly related to the planned events and whose participation is required by official necessity.

As noted above, employees of other firms can participate in closed meetings only with the personal permission of the firm's management. The lists are usually prepared by the person responsible for organizing the meeting, in contact with the interested heads of structural units. The list is the basis for controlling admission to the meeting. Before the meeting starts, those present are warned that the information discussed is classified and cannot be disseminated beyond the scope of circulation established by the company, and are instructed on how to keep records.

It is important to emphasize that establishing a defined procedure for handling classified information and products at the company significantly increases the reliability of trade secret protection and reduces the likelihood of disclosure or loss of the carriers of this information.

To ensure the safety of the documents, it is proposed to purchase appropriate furniture that allows the documents to be securely locked away. The cabinets must also be sealed every day before leaving.

Keys to the safe and cabinets must be handed over to the security service against signature. It is also recommended to purchase a special key case and seal it in the same way.

Particular attention should be paid to the security of computer information. Several databases have been created at Laspi LLC: the company's clients (with not only their work addresses and phone numbers but also home addresses and personal information); a database of prices and characteristics of the supplied equipment; and a database of the organization's employees. The computer also stores various contracts, agreements, etc.

In any case, it is highly undesirable for this information to reach competitors. To prevent this, it is recommended to set passwords for access to each database (the software tools allow this). It is also recommended to set two-level protection at computer start-up (a BIOS password and a Windows 2000 logon password; unlike previous versions of this operating system, Windows 2000 does not allow passwordless access to the contents of the hard drive). Naturally, passwords should be known only to those company employees who directly work with these databases (the secretary, managers and programmers).

If any computer problem requires contacting a third party, the equipment repair process must be fully supervised. It is precisely at such a moment, when all passwords are removed and the outside programmer has free and unimpeded access to the contents of the hard disk, that he can extract information and later use it for various purposes.

Antivirus software must be updated constantly in order to prevent viruses from entering and spreading on the computers.

Particular attention should be paid to hiring new employees. Today many organizations practice a stricter approach to this process, driven by the desire to keep information within the company and not let it leak out through the "human factor".

Whereas in most cases recruitment is carried out in two stages (summarized above), four stages are proposed here.

1. Conversation with the head of the personnel department. The head of the personnel department gets acquainted with the candidate and his resume, asks questions about his professional activities and makes preliminary notes. This stage is professional in nature. The head of the personnel department then analyzes the information received from the candidates and passes it on to the manager.

2. The manager reviews the candidates' resumes and the notes made about them by the head of the personnel department, selects the most suitable ones and invites them for an interview. The interview is personal in nature and involves non-standard questions (for example, what the person likes to eat, what his hobby is, etc.). In this way the manager obtains information for deciding how well this person suits him and anticipates possible problems he may encounter when dealing with this candidate.

3. Testing. At this stage the employee's level of intelligence is determined and his psychological portrait is drawn up on the basis of various tests. But first it must be determined how the manager and colleagues want to see the new employee.

4. Security service. Two steps are proposed here: a) checking the candidate with various authorities (whether he has been prosecuted, served a prison sentence or is registered at a drug treatment clinic, and whether the information he provided about previous jobs is true); b) checking on special equipment, most often called a "lie detector". The second step determines how loyal the employee is to the company and how he reacts to provocative questions (for example, what he would do if he found out that one of his colleagues was taking documents home), etc.

Only after the candidate has passed all four stages can a decision be made on whether to hire him.

After a positive decision is made, a probationary period is set for the employee (under the legislation of the Russian Federation it can range from 1 to 3 months; not less than 2 months is recommended, and preferably 3). During the probationary period, management and the security service should keep an eye on the new employee and observe his activities.

In addition, immediately upon hiring, along with concluding the employment contract, a non-disclosure agreement covering commercial secrets must be signed. Recommended clauses of this agreement:

This is not a complete list of what may be included in the agreement.


Conclusion

Today the issue of organizing information security concerns organizations of any level, from large corporations to individual entrepreneurs without a legal entity. Competition in modern market relations is far from perfect and is often not conducted by the most legal means. Industrial espionage is flourishing. But there are also cases of inadvertent dissemination of information constituting an organization's trade secret. As a rule, the negligence of employees and their failure to understand the situation, in other words the "human factor", play a role here.

The term paper presents a project of a management solution for organizing information security in Laspi LLC. The project touches upon three main areas of security organization:

1. the documentation area (access to materials presented on paper, with delimitation of this access);

2. computer security;

3. security in terms of recruiting new employees.

It should be borne in mind that although this project was developed for a specific organization, its provisions can also be used for organizing security in other medium-sized firms.