Improving the information security system at the enterprise LLC UK Ashatli

2. ESET NOD32 antivirus system to protect against computer viruses.

Databases are regularly updated and workstations are scanned.

3. Built-in Windows Backup to create archives.

OS Backup Wizard is a program designed for quickly creating and restoring backup copies of Windows. It allows you to back up the entire Windows installation or only individual files and folders.

4. Encryption with a 2048-bit key for the VPN channel (the connection to the management company's office for mail and document workflow).

Chapter 2. Improvement of the NIS

2.1 Weaknesses in the information security system

When analyzing the issues related to information security, it is necessary to take into account the specifics of this aspect of security, namely that information security is an integral part of information technology, an area that is developing at an unprecedented pace. What matters here is not so much the individual solutions (laws, training courses, software and hardware products) that are currently state of the art, but the mechanisms for generating new solutions that make it possible to keep up with the pace of technical progress.

Modern programming technologies do not make it possible to create error-free programs, which hinders the rapid development of information security software.

After analyzing the information security of the enterprise, we can conclude that insufficient attention is paid to information security:

Lack of access passwords to the system;

No passwords are required when working in the 1C: Enterprise program or when changing data;

There is no additional protection of files and information (there is no elementary password request when opening or changing information in files, not to mention data encryption tools);

Irregular updating of the antivirus program databases and scanning of workstations;

A large number of paper documents are kept mainly in folders (sometimes without them) on employees' desks, which allows attackers to easily use this kind of information for their own purposes;

There is no regular discussion of information security issues and emerging problems in this area at the enterprise;

Regular checks of the operability of the enterprise's information systems are not organized; debugging is carried out only when they fail;

Lack of an information security policy;

Lack of a system administrator.

All of the above are very important shortcomings in ensuring the information security of an enterprise.

2.2 Purpose and objectives of the information security system

Information security is the state of protection of information resources in the enterprise's computer networks and systems from unauthorized access, accidental or deliberate interference with the normal functioning of the systems, and attempts to destroy their components.

Information security goals:

prevention of threats to the security of the enterprise due to unauthorized actions to destroy, modify, distort, copy, block information or other forms of illegal interference in information resources and information systems;

preservation of commercial secrets processed using computer technology;

protection of the constitutional rights of citizens to maintain personal secrecy and confidentiality of personal data available in information systems.

To achieve the goals of protection, an effective solution of the following tasks should be ensured:

protection against interference in the functioning of the enterprise by unauthorized persons;

protection against unauthorized actions with the information resources of the enterprise by unauthorized persons and by employees who do not have the appropriate authority;

ensuring the completeness, reliability and timeliness of information support for management decision-making by the enterprise's management;

ensuring the physical security of the enterprise's technical means and software and protecting them from man-made and natural sources of threats;

registration of events affecting the security of information, ensuring full control and accountability for all operations performed at the enterprise;

timely identification, assessment and forecasting of sources of threats to information security, and of the causes and conditions that contribute to damage to the interests of subjects and to disruption of the normal functioning and development of the enterprise;

analysis of the risks of threats to information security being realized and assessment of possible damage, prevention of unacceptable consequences of a violation of enterprise information security, and creation of conditions for minimizing and localizing the damage caused;

ensuring the possibility of restoring the current state of the enterprise in case of a violation of information security and eliminating the consequences of such violations;

creation and formation of a purposeful information security policy for the enterprise.

2.3 Measures and means to improve the information security system

To achieve the set goals and solve problems, it is necessary to carry out activities at the levels of information security.

Administrative level of information security.

To form an information security system, it is necessary to develop and approve an information security policy.

A security policy is a set of laws, rules and norms of behavior aimed at protecting information and its associated resources.

It should be noted that the policy being developed should be consistent with existing laws and regulations relating to the organization, i.e. these laws and regulations need to be identified and taken into account in policy development.

The more reliable the system, the stricter and more diverse the security policy should be.

Depending on the formulated policy, you can choose specific mechanisms that ensure the security of the system.

Organizational level of information security.

Based on the shortcomings described in the previous section, the following measures can be proposed to improve information security:

Organization of staff training in the skills of working with new software products, with the participation of qualified specialists;

Development of the necessary measures aimed at improving the system of economic, social and information security of the enterprise;

Conducting briefings so that each employee understands the importance and confidentiality of the information entrusted to them, since, as a rule, confidential information is disclosed because employees know too little about the rules for protecting trade secrets and do not understand (or only partly understand) the need to observe them carefully;

Strict control over employees' compliance with the rules for working with confidential information;

Monitoring compliance with the rules for storing the working documentation of the enterprise's employees;

Scheduled meetings, seminars and discussions on enterprise information security issues;

Regular (scheduled) checking and maintenance of all information systems and information infrastructure for operability;

Appointment of a system administrator on a permanent basis.

Software and hardware measures to protect information.

Software and hardware are among the critical components in implementing the enterprise's information protection; therefore, to raise the level of information protection, the following measures need to be introduced and applied:

Introduction of user passwords.

To regulate user access to the information resources of the enterprise, a list of users who will log into the system under their own logins must be created. Using the Windows Server 2003 Std OS installed on the server, a list of users with the corresponding passwords can be created. Passwords are distributed to employees together with instructions for their use. A password expiration date must also be set, after which the user will be prompted to change the password. The number of login attempts with an incorrect password should be limited (for example, to three).
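As an added example (not part of the original document and not the enterprise's own script), the account rules just described can be applied with the built-in "net" command on the Windows Server 2003 machine: password expiry, a limit of three failed login attempts, and creation of a user account. The user name "ivanov", the 90-day expiry, the 8-character minimum length and the 30-minute lockout are constructed values chosen to illustrate the text; the lockout switches are assumed to be accepted by the "net accounts" command of that Windows version.

```batch
@echo off
REM Added example; not from the original document. Assumes Windows Server 2003
REM with the built-in "net" tool. The numeric values and the user name "ivanov"
REM are constructed assumptions, not settings taken from the enterprise.

REM Account policy for the whole server:
REM  - passwords expire after 90 days, after which the user is prompted to change them
REM  - a password may be changed no more than once a day and must be at least 8 characters
REM  - the last 5 passwords cannot be reused
net accounts /maxpwage:90 /minpwage:1 /minpwlen:8 /uniquepw:5

REM Lock the account after 3 wrong passwords within 30 minutes,
REM and keep it locked for 30 minutes (the "three attempts" limit from the text)
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

REM Create an account for an employee. "*" makes the command prompt for the
REM initial password so that it is not stored in the script; /passwordchg:yes
REM lets the user change the password themselves when it expires.
net user ivanov * /add /fullname:"I. Ivanov" /comment:"Accounting workstation user" /passwordchg:yes

REM Display the resulting policy so the administrator can verify it
net accounts
```

The script must be run from an administrator command prompt on the server; "net accounts" without arguments at the end prints the effective policy so the settings can be checked against the instructions given to employees.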

Introduction of a password request in the 1C: Enterprise program when working with the database and when changing data. This can be done using the tools of the PC and of the program itself.

Differentiation of access to files, directories and disks.

Access to files and directories will be differentiated by the system administrator, who will grant each user access only to the appropriate drives, folders and files.

Regular scanning of workstations and updating of the antivirus program databases.

This makes it possible to detect and neutralize malicious programs and to eliminate the causes of infections. Antivirus protection tools and systems must be installed, configured and maintained.

To do this, the antivirus program needs to be configured to scan the PC regularly and to update its databases regularly from the server.

Installation of the Agnitum Outpost FireWall firewall on the server computer to block attacks from the Internet.

Benefits of using Agnitum Outpost FireWall:

controls the computer's connections to other computers, blocking hackers and preventing unauthorized external and internal network access.

After analyzing the information security of the enterprise, we can conclude that insufficient attention is paid to the following points of information security:

– irregular backup of the enterprise database;

– data is not backed up on the personal computers of employees;

– e-mail messages are stored on the servers of Internet mail services;

– some employees have insufficient skills in working with automated systems;

– employees have access to the personal computers of their colleagues;

– no antivirus programs on some workstations;

– poor access control for network resources;

– no regulatory documents on security.

All of the above are very important shortcomings in ensuring the information security of an enterprise.

Risk Analysis

The danger of a threat is determined by the risk in case of its successful implementation. Risk is the potential harm. Tolerability of the risk means that the damage in the event of a threat will not lead to serious negative consequences for the owner of the information. The organization faces the following risks:

1. Irregular backup of the enterprise database.

Consequences: loss of data on the operation of the enterprise.

2. There is no backup of data on the personal computers of employees.

Consequences: when equipment fails, some important data may be lost.

3. E-mail messages are stored on the servers of Internet mail services.

4. Some employees have insufficient skills in working with automated systems.

Consequences: incorrect data may appear in the system.

5. Employees have access to the personal computers of their colleagues.

6. Lack of antivirus programs on some workstations.

Consequences: the appearance of virus programs and malicious software in the system.

7. Poor differentiation of access rights to network resources.

Consequences: data may be lost through negligence.

8. There are no regulatory documents on security.

The purpose and objectives of the information security system

The main purpose of the enterprise security system is to prevent damage to its activities due to theft of material and technical means and documentation; destruction of property and valuables; disclosure, leakage and unauthorized access to sources of confidential information; disruption of the technical means supporting production activities, including informatization tools; as well as to prevent harm to the personnel of the enterprise.

The goals of the security system are:

protection of the rights of the enterprise, its structural divisions and employees;

preservation and efficient use of financial, material and information resources;

improving the image and growing the company's profits by ensuring the quality of services and the safety of customers.

Tasks of the enterprise security system:

timely detection and elimination of threats to personnel and resources, and of the causes and conditions contributing to financial, material and moral damage to the interests of the enterprise and to disruption of its normal functioning and development;

categorization of restricted-access information and other resources by level of vulnerability (danger) and by the need for their protection;

creation of a mechanism and conditions for prompt response to security threats and to manifestations of negative trends in the functioning of the enterprise;

effective suppression of encroachments on resources and threats to personnel based on an integrated approach to security.

The organization and functioning of the security system should be based on the following principles:

Comprehensiveness. It involves ensuring the security of personnel, material and financial resources and information from all possible threats by all available legal means and methods, throughout the life cycle and in all modes of operation, as well as the ability of the system to develop and improve in the course of operation.

Reliability. Different security zones must be equally reliable in terms of the likelihood of a threat being realized.

Timeliness. The ability of the system to be proactive based on the analysis and prediction of security threats and the development of effective measures to counter them.

Continuity. No interruptions in the operation of security systems caused by repair, replacement, maintenance, etc.

Legality. Development of security systems based on existing legislation.

Reasonable sufficiency. Establishment of an acceptable level of security at which the probability and amount of possible damage are balanced against the maximum allowable costs for the development and operation of the security system.

Centralization of management. Independent functioning of the security system according to uniform organizational, functional and methodological principles.

Competence. The security system should be created and managed by persons with professional training sufficient to correctly assess the situation and make adequate decisions, including in conditions of increased risk.

The most vulnerable points in the security system are the employees of the enterprise and the software and hardware. In particular: data is not backed up on personal computers, so in case of equipment failure some important data may be lost; updates are not installed for the MS Windows XP operating system and the software used, which may lead to unauthorized access to information stored on the PC or to its damage due to errors in the software; employees' access to Internet resources is not controlled, which may result in data leakage; business e-mail correspondence is conducted over the Internet through insecure channels, and e-mail messages are stored on the servers of Internet mail services; some employees have insufficient skills in working with the automated systems used at the academy, which can lead to incorrect data appearing in the system; employees have access to the personal computers of their colleagues, which through negligence can lead to data loss; all faculty members have access to the archive, as a result of which some personal files may be lost or their search may take a long time; there are no security regulations.

The main goal of the information security system is to ensure the stable operation of the facility, prevent threats to its security, protect the legitimate interests of the enterprise from unlawful encroachments, prevent disclosure, loss, leakage, distortion and destruction of service information and personal information, ensuring the normal production activities of all departments of the facility.

Another goal of the information security system is to improve the quality of services provided and security guarantees.

The tasks of forming an information security system in an organization are: the integrity of information, the reliability of information and its confidentiality. When the tasks are completed, the goal will be realized.

The creation of information security systems in IS and IT is based on the following principles:

A systematic approach to building a protection system, which means the optimal combination of interrelated organizational, software, hardware, physical and other properties, confirmed by the practice of creating domestic and foreign protection systems and used at all stages of the technological cycle of information processing.

The principle of continuous development of the system. This principle, which is one of the fundamental ones for computer information systems, is even more relevant for NIS. The ways in which threats to information in IT are realized are constantly being improved, and therefore ensuring the security of IS cannot be a one-time act. It is a continuous process that consists in substantiating and implementing the most rational methods, means and ways of improving the ISS, continuous monitoring, and identifying its bottlenecks and weaknesses, potential information leakage channels and new methods of unauthorized access.

Separation and minimization of powers for access to processed information and processing procedures, i.e. providing both users and IS employees with a minimum of strictly defined powers sufficient for them to perform their official duties.

Completeness of control and registration of unauthorized access attempts, i.e. the need to accurately establish the identity of each user and record their actions for a possible investigation, as well as the impossibility of performing any information processing operation in IT without its prior registration.

Ensuring the reliability of the protection system, i.e. the impossibility of reducing the level of reliability in the event of failures, malfunctions, deliberate actions of an intruder, or unintentional errors of users and maintenance personnel in the system.

Ensuring control over the functioning of the protection system, i.e. creation of means and methods for monitoring the performance of protection mechanisms.

Provision of various means of combating malware.

Ensuring the economic feasibility of using the protection system, which is expressed in the possible damage to IS and IT from the realization of threats exceeding the cost of developing and operating the ISS.

The protective measures taken should be adequate to the likelihood of this type of threat being realized and to the potential damage that could be caused if the threat materialized (including the costs of defending against it).

It must be borne in mind that many protection measures require sufficiently large computing resources, which in turn significantly affects the information processing process. Therefore, a modern approach to solving this problem is to apply the principles of situational management of the security of information resources in automated control systems. The essence of this approach lies in the fact that the required level of information security is set in accordance with the situation that determines the ratio between the value of processed information, costs (decrease in the performance of automated control systems, additional random access memory etc.), which are necessary to achieve this level, and possible total losses (material, moral, etc.) from the distortion and unauthorized use of information.

The necessary characteristics of the protection of information resources are determined in the course of situational planning during the direct preparation of the technological process of secure information processing, taking into account the current situation, and also (in a reduced volume) during the processing process. When choosing protective measures, one has to take into account not only the direct costs of purchasing equipment and programs, but also the costs of introducing new products, training and retraining of personnel. An important circumstance is the compatibility of the new tool with the existing hardware and software structure of the object.

Foreign experience in the field of intellectual property protection and domestic experience in the protection of state secrets show that only comprehensive protection can be effective, combining such areas of protection as legal, organizational and engineering.

The legal direction provides for the formation of a set of legislative acts, regulatory documents, regulations, instructions and guidelines whose requirements are mandatory within the scope of their application in the information security system.

The organizational direction is the regulation of production activities and of the relationships between performers on a legal basis, in such a way that disclosure, leakage and unauthorized access to confidential information become impossible or are significantly hampered by organizational measures.

According to experts, organizational measures play an important role in creating a reliable mechanism for protecting information, since the possibility of unauthorized use of confidential information is largely due not to technical aspects but to malicious actions, negligence, carelessness and inattention of users or security personnel.

Organizational activities include:

Activities carried out in the design, construction and equipment of office and industrial buildings and premises;

Activities carried out in the selection of personnel;

Organization and maintenance of a reliable access control, security of premises and territory, control over visitors;

Organization of storage and use of documents and carriers of confidential information;

Organization of information security;

Organization of regular employee training.

One of the main components of the organizational information security of the company is the Information Security Service (ISS, the management body of the information security system). The effectiveness of information protection measures largely depends on the professional training of the ISS staff and on the modern security management tools at their disposal. Its staff structure, size and composition are determined by the real needs of the company, the degree of confidentiality of its information and the general state of security.

The main purpose of the ISS, using organizational measures and software and hardware, is to avoid or at least minimize the possibility of a violation of the security policy or, failing that, to notice and eliminate the consequences of the violation in time.

To ensure the successful operation of the ISS, it is necessary to define its rights and obligations, as well as the rules for its interaction with other units on issues of protecting information at the facility. The headcount of the service should be sufficient to perform all the functions assigned to it. It is desirable that the staff of the service have no duties related to the functioning of the object of protection. The information security service must be provided with all the conditions necessary to perform its functions.

The core of the engineering and technical direction is software and hardware information security tools, which include mechanical, electromechanical, electronic, optical, laser, radio and radio engineering, radar and other devices, systems and structures designed to ensure the security and protection of information.

Information security software is understood as a set of special programs implementing information protection functions and the protected mode of operation.

The formed set of legal, organizational and engineering measures results in an appropriate security policy.

The security policy determines the appearance of the information security system in the form of a set of legal norms, organizational (legal) measures, a set of software and hardware tools and procedural solutions aimed at countering threats to eliminate or minimize the possible consequences of information impacts. After the adoption of one or another version of the security policy, it is necessary to assess the level of security of the information system. Naturally, the assessment of security is carried out according to a set of indicators, the main of which are cost, efficiency, and feasibility.

Evaluating the options for building an information security system is a rather complicated task, requiring the use of modern mathematical methods for multi-parametric performance evaluation. These include: the method of analysis of hierarchies, expert methods, the method of successive concessions, and a number of others.

When the intended measures are taken, it is necessary to check their effectiveness, that is, to make sure that the residual risks have become acceptable. Only then can the date of the next revaluation be set. Otherwise, you will have to analyze the mistakes made and conduct a second vulnerability analysis session, taking into account changes in the protection system.

The constructed scenario of possible intruder actions requires verification of the information security system. This check is called "penetration testing". Its goal is to provide assurance that there are no easy ways for an unauthorized user to bypass the security mechanisms.

One possible way of attesting system security is to invite hackers to attack it without prior notice to the network staff. For this, a group of two or three people with a high level of professional training is assigned. The hackers are given access to the protected automated system, and over 1-3 months the group tries to find vulnerabilities and to develop test tools based on them for bypassing the protection mechanisms. The hired hackers submit a confidential report on the results of the work with an assessment of the level of accessibility of information and recommendations for improving protection.

Along with this method, software testing tools are used.

At the stage of drawing up a protection plan in accordance with the chosen security policy, a plan for its implementation is developed. The protection plan is a document that puts the information protection system into effect and is approved by the head of the organization. Planning consists not only in making the best use of all the possibilities available to the company, including the allocated resources, but also in preventing erroneous actions that could reduce the effectiveness of the measures taken to protect information.

The site information security plan should include:

Description of the protected system (the main characteristics of the protected object: the purpose of the object, the list of tasks to be solved, the configuration, characteristics and placement of hardware and software, the list of categories of information (packages, files, sets and databases in which they are contained) to be protected, and requirements for ensuring access, confidentiality, integrity of these categories of information, a list of users and their authority to access system resources, etc.);

The purpose of protecting the system and ways to ensure the security of the automated system and the information circulating in it;

List of significant security threats to the automated system against which protection is required, and the most likely routes by which harm could be caused;

Information security policy;

Funding plan and functional diagram of the information security system at the facility;

Specification of information security tools and cost estimates for their implementation;

Calendar plan for carrying out organizational and technical measures to protect information, the procedure for putting the means of protection into effect;

Basic rules governing the activities of personnel on issues of ensuring the information security of the facility (special duties of officials servicing the automated system);

The procedure for reviewing the plan and upgrading the means of protection.

The protection plan is revised when the following components of the object are changed:

Architecture of the information system (connection of other local networks, change or modification of the computer equipment or software used);

The territorial location of the components of the automated system.

As part of the protection plan, it is necessary to have an action plan for personnel in critical situations, i.e. a plan for ensuring continuous operation and information recovery. It reflects:

The purpose of ensuring the continuity of the functioning of the automated system, restoring its operability, and the ways to achieve this;

List and classification of possible crisis situations;

Requirements, measures and means to ensure continuous operation and restoration of the information processing process (the procedure for creating, storing and using backup copies of information; maintenance of current, long-term and emergency archives; the composition of the reserve equipment and the procedure for its use, etc.);

Responsibilities and procedure for actions of various categories of personnel of the system in crisis situations, in the event of liquidation of their consequences, minimization of the damage caused and in the restoration of the normal functioning of the system.

If an organization exchanges electronic documents with partners in the execution of single orders, it is necessary to include in the protection plan an agreement on the procedure for organizing the exchange of electronic documents, which reflects the following issues:

Separation of responsibility of subjects participating in the processes of electronic document exchange;

Determination of the procedure for the preparation, execution, transmission, acceptance, verification of the authenticity and integrity of electronic documents;

The procedure for generating, certifying and distributing key information (keys, passwords, etc.);

The procedure for resolving disputes in case of conflicts.

The information security plan is a package of textual and graphic documents, therefore, along with the above components of this package, it may include:

Regulation on commercial secret, defining the list of information constituting a commercial secret and the procedure for its determination, as well as the duties of officials to protect commercial secrets;

Regulations on the protection of information, which regulates all areas of activity for the implementation of the security policy, as well as a number of additional instructions, rules, regulations that correspond to the specifics of the object of protection.

Implementation of the protection plan (management of the protection system) involves the development of the necessary documents, the conclusion of contracts with suppliers, the installation and configuration of equipment, etc. After the formation of the information security system, the task of its effective use, i.e. security management, is solved.

Management is a process of purposeful influence on an object, carried out to organize its functioning according to a given program.

Information security management should be:

Resistant to active interference by the intruder;

Continuous, providing a constant impact on the protection process;

Covert, not allowing the organization of information security management to be revealed;

Operational, providing the ability to respond in a timely and adequate manner to the actions of intruders and to implement management decisions by a given date.

In addition, decisions on information security should be justified by comprehensive consideration of the conditions for performing the task, the application of various models, computational and information tasks, expert systems, experience, and any other data that increase the reliability of the initial information and of the decisions.

An indicator of the effectiveness of information security management is the time of the control cycle for a given quality of decisions. The management cycle includes the collection of the necessary information to assess the situation, decision making, the formation of appropriate commands and their execution. As an efficiency criterion, the response time of the information security system to a violation can be used, which should not exceed the information obsolescence time based on its value.

As the development of real automated control systems shows, none of the methods (measures, means and activities) for ensuring information security is absolutely reliable, and the maximum effect is achieved when all of them are combined into an integral information protection system. Only the optimal combination of organizational, technical and software measures, together with constant attention and control over keeping the protection system up to date, makes it possible to solve this ongoing task with the greatest efficiency.

The methodological foundations for ensuring information security are fairly general recommendations based on world experience in creating similar systems. The task of each information security specialist is to adapt abstract provisions to their specific subject area (organization, bank), which always has its own peculiarities and subtleties.

An analysis of domestic and foreign experience convincingly proves the need to create an integrated information security system for a company that links operational, operational-technical and organizational protection measures. Moreover, the security system should be optimal in terms of the ratio of costs to the value of the protected resources. The system needs flexibility and adaptation to rapidly changing environmental factors and to the organizational and social conditions in the institution. It is impossible to achieve such a level of security without analyzing existing threats and possible channels of information leakage, and without developing an information security policy at the enterprise. As a result, a protection plan must be created that implements the principles laid down in the security policy.

But there are other difficulties and "pitfalls" that you definitely need to pay attention to. These are problems identified in practice that are poorly amenable to formalization: problems of a social and political rather than technical or technological nature, which get solved in one way or another.

Problem 1. Lack of understanding among staff and managers of middle and lower ranks of the need to work to improve the level of information security.

At this rung of the managerial ladder, as a rule, the strategic tasks facing the organization are not visible. At the same time, security issues can even cause irritation - they create "unnecessary" difficulties.

The following arguments are often given against working and taking measures to ensure information security:

The emergence of additional restrictions for end users and specialists of departments, which makes it difficult for them to use the automated organization system;

The need for additional material costs both for carrying out such work and for expanding the staff of specialists dealing with the problem of information security.

This problem is one of the main ones. All other questions one way or another act as its consequences. To overcome it, it is important to solve the following tasks: firstly, to improve the skills of personnel in the field of information security by holding special meetings and seminars; secondly, to increase the level of staff awareness, in particular, about the strategic tasks facing the organization.

Problem 2. Confrontation between the automation service and the security service of organizations.

This problem is due to the type of activity and sphere of influence, as well as the responsibility of these structures within the enterprise. The implementation of the protection system is in the hands of technical specialists, while the responsibility for its security lies with the security service. Security specialists want to restrict all traffic at any cost with the help of firewalls. But people who work in automation departments are unwilling to deal with the additional problems associated with maintaining special tools. Such disagreements do not have the best effect on the level of security of the entire organization.

This problem, like most similar ones, is solved by purely managerial methods. It is important, firstly, to have a mechanism for resolving such disputes in the organizational structure of the company. For example, both services can have a single boss who will solve the problems of their interaction. Secondly, technological and organizational documentation should clearly and competently divide the spheres of influence and responsibility of departments.

Problem 3. Personal ambitions and relationships at the level of middle and senior managers.

Relationships between leaders can be different. Sometimes, when carrying out work on the study of information security, one or another official shows excessive interest in the results of this work. Indeed, such research is a powerful enough tool to solve their particular problems and satisfy their ambitions. The conclusions and recommendations recorded in the report are used as a plan for further actions of one or another link. A "free" interpretation of the report's conclusions is also possible in combination with problem 5, described below. This situation is an extremely undesirable factor, as it distorts the meaning of the work and requires timely identification and elimination at the level of the top management of the enterprise. The best option for business relationships is when the interests of the organization, and not personal ones, are put at the forefront.

Problem 4. Low level of implementation of the planned action program to create an information security system.

This is a rather banal situation in which strategic goals and objectives are lost at the level of execution. Everything can start out perfectly. The General Director decides on the need to improve the information security system. An independent consulting firm is hired to audit the existing information protection system. Upon completion, a report is generated that includes all the necessary recommendations for protecting information, finalizing the existing workflow in the field of information security, introducing technical means of protecting information and organizational measures, and further supporting the created system. The protection plan includes short-term and long-term measures. The recommendations are then handed over for execution to one of the departments. And here it is important that they do not drown in the swamp of bureaucracy, personal ambitions, sluggishness of the staff and a dozen other reasons. The contractor may be poorly informed, not competent enough, or simply not interested in doing the work. It is important that the CEO monitors the implementation of the plan, so as not to lose, firstly, the funds invested in security at the initial stage, and secondly, so as not to suffer losses as a result of the lack of this security.

Problem 5. Low qualification of information security specialists.

This aspect cannot be considered a serious obstacle unless it actually prevents the creation of an information security system. The fact is that the protection plan, as a rule, includes such a measure as advanced training of the company's specialists in the field of information protection. Seminars on the basics of organizing information security can be held for specialists from other services. It is necessary to correctly assess the real qualifications of the employees involved in implementing the protection plan. Often, incorrect conclusions or the inability to apply protection methods in practice lead to difficulties in implementing the recommended measures. At the first sign of such circumstances, the most correct way out is to improve the skills of information security specialists in training centers specially created for this purpose.

Thus, practical activities in the field of improving economic and information security clearly demonstrate that the creation of a working information security system depends heavily on the timely solution of these problems. However, accumulated experience shows that all the issues discussed can be successfully resolved if the representatives of the customer and the executing company work closely together. The main thing is to realize the importance of carrying out such work, identify existing threats in a timely manner and apply adequate countermeasures, which, as a rule, are specific to each particular enterprise. The presence of desire and opportunity is a sufficient condition for fruitful work, the purpose of which is the creation of an integrated system for ensuring the security of the organization.


COURSE PROJECT

In the discipline "Information Security"

On the topic "Improvement of the information security system at the enterprise LLC "Oven""

Introduction

When people speak of information security today, they in fact mean computer security. Indeed, information on electronic media plays an increasingly important role in modern society. The vulnerability of such information is due to a number of factors: huge volumes, multipoint and possibly anonymous access, the possibility of "information sabotage"... All this makes ensuring the security of information placed in a computer environment a much more difficult problem than, say, maintaining the secrecy of traditional mail correspondence.

If we talk about the security of information stored on traditional media (paper, photo prints, etc.), then its safety is achieved by observing physical protection measures (i.e., protection against unauthorized entry into the media storage area). Other aspects of the protection of such information are related to natural disasters and man-made disasters. Thus, the concept of "computer" information security as a whole is broader than information security in relation to "traditional" media.

If we talk about differences in approaches to solving the problem of information security at different levels (state, regional, the level of one organization), then such differences simply do not exist. The approach to ensuring the security of the State Automated System "Elections" does not differ from the approach to ensuring the security of a local network in a small firm. Therefore, the principles of ensuring information security in this paper are considered using the example of the activities of a single organization.

The purpose of the course project is to improve the information security system of Oven LLC. The tasks of the term paper are: analysis of Oven LLC, its resources, structure and existing information security system at the enterprise, and a search for methods for its improvement.

At the first stage, an analysis of the information security system will be carried out. Based on the results obtained, at the second stage a search will be made for methods to improve the protection of information, if this system has weaknesses.

1. Analysis of the information security system at Oven LLC

1.1 Characteristics of the enterprise. Organizational structure of the enterprise. Service dealing with information resources and their protection

The full corporate name of the enterprise is the Limited Liability Company "Aries". The abbreviated name of the Company is Oven LLC. Hereinafter referred to as the Company. The company has no branches or representative offices; its only site is located in the Perm region, Suksunsky district, Martyanovo village.

The Company was formed in 1990 as a small farm and had three founders. After the reorganization of the farm into a peasant farm in 1998, only one founder remained. The last reorganization took place in April 2004. Since April 1 of that year, the enterprise has been known as Aries Limited Liability Company.

The main activity of the company is the cultivation of agricultural products and seed material and the sale of agricultural products. Today the company occupies the thirteenth place among potato farms in Russia and the first in the Perm Territory.

Legal address: Russia, 617553, Perm Territory, Suksunsky district, Martyanovo village.

The goals of the enterprise as a whole:

· Receiving profit from the main activity.

· Increasing the competitiveness of products and expanding sales markets.

· Concentration of capital and increase of investment resources for the implementation of investment and other projects.

Mission of the company:

1. Continue to take a leading position in the market.

2. Creation of a seed farm.

Organizational structure of the enterprise.

The company uses a linear-functional structure. In a linear-functional structure, a hierarchy of services is formed. In this structure, the heads of functional units have the right to give orders to the next level of management on functional issues.

The structure of the enterprise is shown in Figure 1.


Figure 1 - Organizational structure of Aries LLC

1.2 Analysis and characterization of information resources of the enterprise

Today, everyone is concerned about the security of corporate information. Individual programs and entire complexes designed to protect data are becoming increasingly popular. However, no one thinks about the fact that you can have protection as reliable as you like and still lose important information, because one of your employees will consider it insignificant and put it on public display. And if you are sure that you are protected from this, then you are greatly mistaken. At first glance, this situation looks like something unreal, like a joke. However, this does happen, and happens often. Indeed, technical staff, who in the vast majority of cases deal with information security issues, do not always understand which data should be hidden and which should not. In order to understand this, you need to break all information down into different categories, usually called types, and clearly define the boundaries between them.

As a matter of fact, all companies specializing in the supply of complex systems for ensuring the security of computer information take into account the division of data into different types. This is where you have to be careful. The fact is that Western products follow international standards (in particular, ISO 17799 and some others). According to them, all data is divided into three types: open, confidential and strictly confidential. Meanwhile, in our country, according to the current legislation, a slightly different distinction is used: open information, for internal use and confidential.

Open means any information that can be freely transferred to other persons, as well as placed in the media. Most often, it is presented in the form of press releases, speeches at conferences, presentations and exhibitions, and separate (naturally, positive) elements of statistics. In addition, this category includes all data obtained from open external sources. And, of course, information intended for a corporate website is also considered public.

At first glance, it seems that open information does not need protection. However, people forget that data can not only be stolen, but also replaced. Therefore, maintaining the integrity of open information is a very important task. Otherwise, instead of a carefully prepared press release, something incomprehensible may be published, or the main page of the corporate website may be defaced with offensive text. So public information also needs to be protected.

Like any other enterprise, the Company has open information, contained mainly in presentations shown to potential investors.

Information for internal use includes any data that is used by employees in the performance of their professional duties. But that is not all. This category includes all information that is exchanged among themselves by various departments or branches to ensure their performance. And, finally, the last type of data falling under this category of data is information obtained from open sources and subjected to processing (structuring, editing, clarification).

In fact, all this information, even if it falls into the hands of competitors or intruders, cannot cause serious harm to the company. However, its theft can still cause some damage. Suppose employees have collected news for their boss on a topic of interest to him, chosen the most important messages and marked them. Such a digest is clearly information for internal use (information obtained from open sources and subjected to processing). At first glance, it seems that competitors, having acquired it, will not be able to benefit from it. But in fact, they can guess which direction your company's management is interested in, and, who knows, they may even be able to get ahead of you. Therefore, information for internal use must be protected not only from substitution, but also from unauthorized access. True, in the vast majority of cases, you can limit yourself to securing the local network, because it is not economically justified to spend large sums on this.

This type of information is also present at the enterprise; it is contained in various kinds of reports, lists, extracts, etc.

Confidential information is documented information, access to which is restricted in accordance with the legislation of the Russian Federation, which is not publicly available and, if disclosed, is capable of damaging the rights and legally protected interests of the person who provided it. The list of data falling under this category is established by the state. At present it is as follows: personal information, information constituting a commercial, official or professional secret, and information that is a secret of an investigation or of office work. In addition, recently, data on the essence of an invention or scientific discovery before its official publication has been classified as confidential.

Confidential information in an enterprise includes such data as: development plan, research work, technical documentation, drawings, profit distribution, contracts, reports, resources, partners, negotiations, contracts, as well as information of a managerial and planning nature.

The company has about twenty PCs. As for the presence of a local network in the enterprise, the Company's PCs are not united into a single network. All computers are equipped with a standard set of office programs and accounting programs. Three computers have Internet access through a WAN Miniport. At the same time, not a single computer in the enterprise is equipped with an anti-virus program. Information is exchanged through removable media: flash drives and floppy disks. All information on "traditional" media is located in cabinets that are not locked. The most important documents are kept in a safe, the keys to which are held by the secretary.

1.3 Threats and means of protecting information in the enterprise

An information security threat is a set of conditions and factors that create a potential or real danger associated with information leakage and/or unauthorized and/or unintentional influences on it.

According to the methods of influencing information security objects, the threats relevant to the Company are classified as follows: informational, software, physical, and organizational and legal.

Information threats include:

Unauthorized access to information resources;

Theft of information from archives and databases;

Violation of information processing technology;

Illegal collection and use of information.

Software threats include:

Computer viruses and malware.

Physical threats include:

Destruction of or damage to information processing and communication facilities;

Theft of storage media;

Influence on staff.

Organizational and legal threats include:

Procurement of imperfect or obsolete information technologies and means of informatization.

Information security tools are a set of engineering, electrical, electronic, optical and other devices and appliances, instruments and technical systems, as well as other material elements used to solve various problems of information protection, including preventing leakage and ensuring the security of protected information.

Consider the information security tools used in the enterprise. There are four of them in total (hardware, software, mixed, organizational).

Hardware protection: locks, bars on windows, security alarms, surge protectors, video surveillance cameras.

Software protection: operating system tools such as passwords and user accounts are used.

Organizational means of protection: preparation of the premises where computers are located.

2 Improving the information security system

2.1 Identified shortcomings in the information security system

The most vulnerable point in the Company's information protection is computer security. Even a superficial analysis of the enterprise reveals the following shortcomings:

§ Information is rarely backed up;

§ Insufficient level of information security software;

§ Some employees have insufficient PC skills;

§ There is no control over employees. Employees often leave their workplace without turning off their PC and while leaving behind a flash drive with official information;

§ Lack of normative documents on information security.

§ Not all computers use OS tools such as passwords and accounts.

2.2 Goals and objectives of the formation of the information security system in the enterprise

The main goal of the information security system is to ensure the stable operation of the facility, prevent threats to its security, protect the legitimate interests of the enterprise from unlawful encroachments, prevent theft of funds, disclosure, loss, leakage, distortion and destruction of official information, ensuring the normal production activities of all departments of the facility. Another goal of the information security system is to improve the quality of services provided and guarantee the security of property rights and interests.

The tasks of forming an information security system in an organization are: the integrity of information, the reliability of information and its confidentiality. When the tasks are completed, the goal will be realized.

The creation of information security systems (ISS) in IS and IT is based on the following principles:

A systematic approach to building a protection system, which means the optimal combination of interrelated organizational, software, hardware, physical and other properties, confirmed by the practice of creating domestic and foreign protection systems and used at all stages of the technological cycle of information processing.

The principle of continuous development of the system. This principle, which is one of the fundamental ones for computer information systems, is even more relevant for the ISS. The ways of implementing threats to information in IT are constantly being improved, and therefore ensuring the security of an IS cannot be a one-time act. It is a continuous process, which consists in substantiating and implementing the most rational methods, means and ways of improving the ISS, continuously monitoring it, and identifying its bottlenecks and weaknesses, potential information leakage channels and new methods of unauthorized access.

Separation and minimization of powers for access to processed information and processing procedures, i.e. providing both users and IS employees themselves with a minimum of strictly defined powers sufficient for them to perform their official duties.

The completeness of control and registration of unauthorized access attempts, i.e. the need to accurately establish the identity of each user and record his actions for a possible investigation, as well as the impossibility of performing any information processing operation in IT without prior registration.

Ensuring the reliability of the protection system, i.e., the impossibility of reducing its level of reliability in the event of failures, malfunctions, intentional actions of a hacker, or unintentional errors of users and maintenance personnel in the system.

Ensuring control over the functioning of the protection system, i.e. creation of means and methods for monitoring the performance of protection mechanisms.

Providing all kinds of anti-malware tools.

Ensuring the economic feasibility of using the protection system, which is expressed in the excess of possible damage to IS and IT from the implementation of threats over the cost of developing and operating the ISS.

2.3 Suggested actions to improve the information security system of the organization

Identified shortcomings at the enterprise require their elimination, therefore, the following measures are proposed.

§ Regular backup of the database with personal data of the company's employees, of the accounting data and of the other databases available at the enterprise. This will prevent data loss due to disk failures, power outages, viruses and other accidents. Careful planning and regular backup procedures allow data to be quickly restored in case of loss.

§ Using OS tools on each computer. Creation of accounts for specialists and regular password changes for these accounts.

§ Training the personnel of the enterprise to work with computers. This is a necessary condition for proper operation at workstations and for preventing loss and damage of information. The correct operation of the entire enterprise depends on the staff's PC skills.

§ Installation of anti-virus programs such as Avast, NOD, Doctor Web and so on on the computers. This will avoid infecting computers with various malicious programs called viruses. This is very important for this enterprise, since several PCs have Internet access and employees use flash media to exchange information.

§ Conducting control over employees, using video cameras. This will reduce cases of careless handling of equipment, the risk of equipment theft and damage, and will also allow controlling the “removal” of official information from the territory of the company.

§ Development of a regulatory document "Measures for protecting information in Oven LLC and responsibility for their violation", which would comply with the current legislation of the Russian Federation and define the risks, the violations and the liability for these violations (fines, punishments), as well as adding a corresponding clause to each employee's employment contract stating that the employee is familiar with and undertakes to comply with the provisions of this document.
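The account, password-change, audit and backup measures from section 2.3, together with the least-privilege and control-and-registration principles from section 2.2, applied to one standalone workstation of the kind described (no domain, no local network), as an added example that is not part of the course project. The specialist account names, the data folder C:\Accounting and the backup target drive E: are assumptions.

```powershell
# Added example: baseline hardening of one standalone (non-domain) workstation
# at an enterprise like the one described: about twenty PCs, no local network,
# some PCs without passwords or user accounts, irregular backups.
# Run as Administrator on Windows 10 with PowerShell 5.1 (LocalAccounts and
# ScheduledTasks modules). Assumed values: account names, C:\Accounting, E:.
#Requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

# 1. Separation and minimization of powers (section 2.2): each specialist gets a
#    personal, non-administrative local account (member of "Users" only).
$specialists = @('accountant1', 'accountant2', 'agronomist1')   # assumed names

function New-InitialPassword {
    # 16 random characters from a mixed alphabet, returned as a SecureString.
    # The administrator hands it over in person; it must be changed at first logon.
    $alphabet = [char[]](48..57) + [char[]](65..90) + [char[]](97..122) + [char[]]'!@#$%^&*'
    $chars = 1..16 | ForEach-Object { $alphabet | Get-Random }
    ConvertTo-SecureString (-join $chars) -AsPlainText -Force
}

foreach ($name in $specialists) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $initial = New-InitialPassword
        New-LocalUser -Name $name -Password $initial -FullName $name `
            -Description 'Specialist account (course project measure 2.3)' `
            -PasswordNeverExpires:$false -UserMayNotChangePassword:$false | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $name
        net user $name /logonpasswordchg:yes | Out-Null   # force change at first logon
        Write-Host "Created account $name"
    }
}

# 2. Regular password changes (section 2.3): local account policy for a PC that
#    is not joined to a domain. Maximum age 90 days, minimum length 10, remember
#    the last 5 passwords, lock the account for 15 minutes after 5 failed logons.
net accounts /maxpwage:90 /minpwlen:10 /uniquepw:5 | Out-Null
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 3. Completeness of control and registration (section 2.2): record logons,
#    account changes and use of removable media (the flash drives the page
#    mentions) in the Security event log so incidents can be investigated.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

# 4. Regular backup (section 2.3) using the built-in Windows Backup tool wbadmin:
#    every day at 18:00, the data folder is copied to an external drive.
$backupArgs = 'start backup -backupTarget:E: -include:C:\Accounting -quiet'
$action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument $backupArgs
$trigger = New-ScheduledTaskTrigger -Daily -At '18:00'
Register-ScheduledTask -TaskName 'DailyDataBackup' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# 5. Verification: report which of the measures above are not in place.
function Test-WorkstationBaseline {
    $missing = @()
    foreach ($name in $specialists) {
        if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
            $missing += "account $name"
        }
    }
    if (-not (Get-ScheduledTask -TaskName 'DailyDataBackup' -ErrorAction SilentlyContinue)) {
        $missing += 'backup task DailyDataBackup'
    }
    if ($missing.Count -eq 0) { 'OK' } else { "Missing: $($missing -join ', ')" }
}

Test-WorkstationBaseline
```

The script is run once per PC by the administrator; the initial passwords are never written to disk, and the audit subcategories write to the Security log that the proposed regulatory document would make the basis for investigating violations.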

2.4 Effectiveness of the proposed measures

The proposed measures bring not only positive aspects, such as the elimination of the main information security problems in the enterprise. At the same time, they will require additional investment in personnel training and in the development of regulatory documents relating to the security policy. They will require additional labor costs and will not completely eliminate the risks: there will always be the human factor and force majeure. But if such measures are not taken, the costs of restoring information and the lost opportunities will cost more than what is required to develop a security system.

Consider the results of the proposed measures:

1. Increasing the reliability of the organization's information security system;

2. Increasing the level of PC proficiency of personnel;

3. Reduced risk of information loss;

4. Availability of a regulatory document defining the security policy.

5. A possible reduction in the risk of information being brought into or taken out of the enterprise.

3 Information security model

The presented model of information security (Figure 2) is a set of objective external and internal factors and their influence on the state of information security at the facility and on the safety of material or information resources.

Figure 2 - Information security system model

This model complies with the special regulatory documents on ensuring information security adopted in the Russian Federation, the international standard ISO/IEC 15408 "Information technology - methods of protection - criteria for assessing information security", the standard ISO/IEC 17799 "Information security management", and takes into account the development trends of the domestic regulatory framework (in particular, of the State Technical Commission of the Russian Federation) on information security issues.

Conclusions and offers

The Information Age has brought about dramatic changes in the way people carry out their duties in a large number of professions. Now a mid-level non-technical specialist can do the work that a highly skilled programmer used to do. The employee has at his disposal as much accurate and up-to-date information as he has never had before.

But the use of computers and automated technologies leads to a number of problems for the management of the organization. Computers, often networked, can provide access to a huge amount of a wide variety of data. Therefore, people are worried about the security of information and the risks associated with automating and providing much more access to confidential, personal or other critical data. The number of computer crimes is constantly increasing, which can eventually lead to undermining the economy. And so it should be clear that information is a resource that needs to be protected.

And since automation has led to the fact that now operations with computer technology are carried out by ordinary employees of the organization, and not by specially trained technical personnel, it is necessary that end users are aware of their responsibility for protecting information.

There is no single recipe that provides a 100% guarantee of data safety and reliable network operation. However, the creation of a comprehensive, well-thought-out security concept that takes into account the specifics of the tasks of a particular organization will help minimize the risk of losing valuable information. Computer security is a constant struggle against the stupidity of users and the intelligence of hackers.

In conclusion, I would like to say that the protection of information is not limited to technical methods. The problem is much broader. The main weakness of protection is people, and therefore the reliability of the security system depends mainly on the attitude of the company's employees towards it. In addition, protection must be constantly improved along with the development of the computer network. Do not forget that it is not the security system that interferes with work, but its absence.

Summing up the results of this course project, I would also like to note that, after analyzing the information security system of the Aries enterprise, five shortcomings were identified. Solutions were then found to eliminate them; correcting these shortcomings will improve the information security of the enterprise as a whole.

In the course of the above work, practical and theoretical skills in studying an information security system were developed, so the goal of the course project was achieved. Thanks to the solutions found, we can say that all the tasks of the project were completed.


    thesis, added 11/17/2012

    Regulatory documents in the field of information security in Russia. Analysis of information systems threats. Characteristics of the organization of the personal data protection system of the clinic. Implementation of an authentication system using electronic keys.

    thesis, added 10/31/2016

    Prerequisites for creating a personal data security system. Threats to information security. Sources of unauthorized access to ISPD. The device of personal data information systems. Means of information protection. Security policy.

    term paper, added 10/07/2016

    Tasks, structure, physical, software and hardware measures to protect the information system. Types and causes of computer crimes, ways to improve the organization's security policy. Purpose and main functions of the folder "Diary" MS Outlook 97.



Loading...
Top