Graduate theses on information security (information systems security). Information security system. List of final qualifying work (WRC) topics on information security


focus (profile) “Information systems and technologies”

areas of training 09.03.02 “Information systems and technologies”

Types of professional activities:
design and technological,
service and operational.

1. Virtualization of the information infrastructure of the enterprise (name of the enterprise).

2. Integration of enterprise information systems based on Linux OS and a freely distributed DBMS.

3. Modernization and administration of the corporate information system of the enterprise (name of the enterprise).

4. Modernization, administration and maintenance of the information network of the enterprise (name of the enterprise).

5. Modernization of the information and management system of the enterprise (process) (name of the enterprise or process) and development of measures to support it.

6. Development of an Intranet portal for the enterprise (name of the enterprise).

7. Design of an enterprise information network (name of enterprise).

8. Design of a corporate information system for an enterprise (name of enterprise).

9. Development and maintenance of the corporate web portal of the enterprise (name of the enterprise).

10. Development of an automated information processing system for the enterprise (name of the enterprise).

11. Development of a prototype of an enterprise information system for process management (name of the process or object).

12. Development of a web service for the information system of the enterprise (name of the enterprise).

13. Development of a reference information system for the enterprise (name of the enterprise).

14. Development of a model and design of an enterprise information management system (name of enterprise).

15. Development of technological software for system maintenance (name of system).

16. Development of software for a microprocessor device (name of device).

17. Development of a mobile client application for the information system of the enterprise (name of the enterprise).

18. Development of a simulation model to optimize production process parameters.

19. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

20. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

Topics of final qualifying works

in the educational program of applied bachelor's degree

areas of training 09.03.04 “Software Engineering”

Types of professional activities:
production and technological,
organizational and managerial,
service and operational.

1. Development of an application for parsing a website, social network, portal.

2. Design and software implementation of an information (information and reference) system (purpose or function of the system).

3. Development of firmware for the device (name of the device).

4. Development of application software for the system (name of the system).

5. Development of a software information system (name of the area of use or the process being implemented).

6. Development of methods for testing and debugging software (name of software).

7. Development of a software module (name of the module) for the 1C: Enterprise system (name of the enterprise).

8. Development of a web service for the enterprise information management system (name of the enterprise).

9. Development of an application to support the information-measuring system (purpose of the system).

10. Study of information security of web services of the 1C:Enterprise system.

11. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

12. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Information service”

Types of professional activities:
service,

1. Modernization, administration and maintenance of the local network of the enterprise (name of the enterprise).

2. Modernization and administration of the enterprise information system (name of the enterprise).

3. Design of an enterprise information system (name of enterprise).

4. Design and development of technology for operating a local network of an enterprise (name of enterprise).

5. Design of hardware and software protection of the information system of the enterprise (name of the enterprise).

6. Development of technology for diagnostics, repair and maintenance of the device (name of the device, group of devices, measuring equipment, computer unit, computer or microprocessor system, local network).

7. Development and administration of the company’s website (name of the company).

8. Development of the server configuration for the data transmission network of the enterprise (name of the enterprise).

9. Development and administration of the enterprise information system database (name of the enterprise).

10. Development of an Intranet portal for the enterprise (name of the enterprise).

11. Development of a subsystem for monitoring production processes on the 1C:Enterprise platform.

12. Development of a project for a distributed information system (name of the system) of the enterprise (name of the enterprise).

13. Development of an information and reference accounting system (name of the accounting object).

14. Development of a WCF service for an enterprise information system.

15. Development of a model of an enterprise information system (name or area of activity of the enterprise).

16. Development of methods for testing and debugging software (name of software).

17. Development of a set of measures for the administration and maintenance of a software information system (name of the area of use or the process being implemented).

18. Modeling and research of the data transmission system (name of the system).

19. Research and optimization of parameters of a distributed information system on the 1C:Enterprise platform.

20. Design of a division of the enterprise (name of the enterprise) for repair and maintenance of electronic (computer) equipment and organization of operation of technical equipment.

21. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

22. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Electronic equipment service”

areas of training 43.03.01 “Service”

Types of professional activities:
service,
production and technological.

1. Development of technology for diagnostics, repair and maintenance of the device (name of the electronic device, microprocessor or telecommunication system, measuring equipment, data transmission network).

2. Development of an electronic system (name of the system) of the enterprise (name of the enterprise, shopping and office center, entertainment complex).

3. Development of an information input/output device (name of the device).

4. Development of software for a microprocessor device (name of device).

5. Development of a corporate telecommunications network for an enterprise (name of enterprise).

6. Development of a digital device (module) (name of the device, module; name of the function being implemented).

7. Development of a power supply device for electronic equipment (name of equipment).

8. Development of technology for monitoring (controlling parameters) of objects (name of objects).

9. Development and research of a wireless sensor (name of the measured parameter).

10. Design of a division of the enterprise (name of the enterprise) for repair and maintenance of electronic (computer) equipment and organization of operation of technical equipment.

11. Development of a subsystem (name of the subsystem) of an integrated security system for the enterprise (name of the enterprise).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Radio engineering means of transmitting, receiving and processing signals”

areas of training 11.03.01 “Radio Engineering”

Types of professional activities:
design and engineering,
service and operational.

1. Development of a device (block, module; receiving, transmitting, transceiver) system (name of the system).

2. Development of a wireless interface for electronic equipment (name of equipment).

3. Study of the virtual model of the device (specify the type of device) in the environment (name of the software environment).

4. Development of a subsystem (name of the subsystem) of an integrated enterprise security system (name of the enterprise).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Mobile communication systems”

areas of training 11.03.02 “Infocommunication technologies and communication systems”

Types of professional activities:
design.

1. Design of a telecommunications network for an enterprise (name of enterprise).

2. Administration and maintenance of the telecommunications network of the enterprise (name of the enterprise).

3. Development of a block (codec, vocoder, synchronization device, matching device) of a digital telecommunication system.

4. Development of a wireless interface adapter (name of interfaces).

5. Development of an information processing device (device type) system (system name).

6. Development of a device for interfacing systems (name of systems).

7. Development of a system controller (system name).

8. Development of a synchronization device for a telecommunication system (name of system).

9. Development of a technological device for testing telecommunications equipment (name of equipment).

10. Development of a wireless communication network (network segment) based on technology (name of technology).

11. Development of technology for remote monitoring of object parameters (name of parameters).

12. Development of a sensor network for monitoring the state of an object (name of the object).

13. Development of technology for diagnostics and measurement of parameters of a telecommunication device (name of device, system, network, environment).

14. Development of a transceiver device for the system (name of the system).

15. Development of telecommunication devices for remote control of an object (name of object).

16. Development of a parameter meter for telecommunications equipment components (name of components).

17. Development of a wireless information input/output device (name of device).

18. Development of hardware and software for infocommunication technology (name of technology).

19. Study of information transfer protocols in the system (name of the system).

20. Research of digital signal processing methods for the system (name of the system).

21. Development of infocommunication technology and facility management system (name of facility).

22. Development of a wireless system for measuring a parameter (name of parameter).

23. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

Topics of final qualifying works

according to the educational program of secondary vocational education

specialty 09.02.01 “Computer systems and complexes”

Professional modules:

PM.01 Design of digital devices,

PM.02 Application of microprocessor systems, installation and configuration of peripheral equipment,

PM.03 Maintenance and repair of computer systems and complexes.

1. Diagnostics of faults and monitoring of the technical condition of equipment (name of hardware and software of computer technology or computer network).

2. Assembling, configuring and setting up tools (name of computer hardware and software or computer network).

3. Development of a set of measures to ensure information security of the computer network of the enterprise (name of the enterprise).

4. Development of a contactless identification system for the enterprise (name of the enterprise).

5. Maintenance and administration of the enterprise information system (name of the enterprise).

6. Maintenance and administration of the computer network of the enterprise (name of the enterprise).

7. Hardware and software maintenance and support (name of computer hardware or computer network).

8. Installation, adaptation and maintenance of software (name of software).

9. Development and research of a digital (microprocessor) device (module) (name of device, module).

10. Development of testing technology and comprehensive debugging of software (name of software).

Topics of final qualifying works for graduates

focus (profile) “Elements and devices of computer technology and information systems”

areas of training 09.04.01 “Informatics and Computer Science”

Types of professional activities:
design,
scientific research.

1. Modeling and research of network protocols for information transfer (the type of information is indicated).

2. Research and development of computer methods for improving system parameters (parameters or parameters and type of system are indicated).

3. Computer modeling, research and optimization of information or telecommunication systems (the class of systems is indicated).

4. Research and optimization of the construction of wireless sensor networks.

5. Research and analysis of the construction of wireless Internet of Things networks.

6. Development of efficiency criteria and study of the distribution of virtual machines within the cloud infrastructure.

7. Development, research and evaluation of the effectiveness of distributed information (or information-measuring) systems (the area of application or type of systems is indicated).

8. Development and research of a wireless interface for equipment (name of equipment).

9. Development and research of an object tracking device (name of objects).

10. Development and research of devices for monitoring the condition of an object (name of object).

11. Development of hardware and software diagnostic tools for devices (name of devices).

12. Development and research of a wireless sensor (name of the measured parameter).

13. Study of correction algorithms for converters of a parameter (parameter name) into code.

14. Development of algorithms and software for monitoring the parameters of the facility management system (name of the facility).

15. Development and research of wireless control devices for the object (name of the object).

16. Modeling and research of parameter converters (name of parameters).

17. Methods for assessing the quality of software (the purpose of the software is indicated).

18. Study of the functioning of devices (name of devices) under conditions (conditions are indicated) in order to improve the characteristics (characteristics are indicated).

19. Development of methods for analysis and synthesis of devices (name of devices) in order to improve characteristics (characteristics are indicated).

Topics of final qualifying works

in the academic master's program

focus (profile) “Development of software and information systems”
areas of training 09.04.04 “Software Engineering”

Types of professional activities:
research,
design.

1. Development and research of a REST service for displaying schedules in higher education institutions.

2. Research and development of software testing tools for cellular operators.

3. Recognition of the physiological state of a person based on the theory of systems with a random structure.

4. Design of a sales automation information system (name of enterprise) based on the MDA approach.

5. Development and research of a software information system for assessing the quality of software (the name of the software is indicated).

6. Development of distributed software and information systems (the scope of application of the system is indicated) and research into the possibilities of their optimization based on efficiency criteria (the criteria are indicated).

7. Development of software to support input/output devices for the system (name of the system).

8. Study of the safety of components of the software information system (name of the system).

Introduction

Chapter 1. Theoretical aspects of adoption and information security

1.1 The concept of information security

1.3 Information security methods

Chapter 2. Analysis of the information security system

2.1 Scope of activity of the company and analysis of financial indicators

2.2 Description of the company's information security system

2.3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Appendices

Appendix 1. Balance sheet for 2010

Introduction

The relevance of the topic of the thesis is determined by the increased level of information security problems, even in the context of the rapid growth of technologies and tools for data protection. It is impossible to ensure 100% protection of corporate information systems, so data protection tasks must be correctly prioritized within the limited share of the budget allocated to information technology.

Reliable protection of the computing and network corporate infrastructure is a basic information security task for any company. With the growth of an enterprise's business and the transition to a geographically distributed organization, it begins to go beyond the confines of a single building.

Effective protection of IT infrastructure and corporate application systems today is impossible without the introduction of modern network access control technologies. Increasing cases of theft of media containing valuable business information increasingly force organizational measures to be taken.

The purpose of this work will be to evaluate the existing information security system in the organization and develop measures to improve it.

This goal determines the following objectives of the thesis:

1) consider the concept of information security;

2) consider the types of possible threats to information systems and options for protection against possible threats of information leakage in the organization;

3) identify a list of information resources, violation of the integrity or confidentiality of which will lead to the greatest damage to the enterprise;

4) develop on their basis a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of sources used and applications.

The introduction substantiates the relevance of the research topic and formulates the purpose and objectives of the work.

The first chapter discusses the theoretical aspects of the concepts of information security in an organization.

The second chapter provides a brief description of the company’s activities, key performance indicators, describes the current state of the information security system and proposes measures to improve it.

In conclusion, the main results and conclusions of the work are formulated.

The methodological and theoretical basis of the thesis was the works of domestic and foreign experts in the field of information security. During the work on the thesis, information was used that reflected the content of laws, legislative acts and regulations, decrees of the Government of the Russian Federation regulating information security, and international standards for information security.

The theoretical significance of the thesis research lies in the implementation of an integrated approach when developing an information security policy.

The practical significance of the work is determined by the fact that its results make it possible to increase the degree of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of adoption and information security

1.1 Concept of information security

Information security refers to the protection of information and its supporting infrastructure from any accidental or malicious influences that may result in damage to the information itself, its owners or the supporting infrastructure. The objectives of information security come down to minimizing damage, as well as predicting and preventing such impacts.

The parameters of information systems that need protection fall into three categories: ensuring the integrity, availability and confidentiality of information resources.

availability - the ability to obtain the required information service in a short period of time;

integrity - the relevance and consistency of information, its protection from destruction and unauthorized changes;

confidentiality - protection from unauthorized access to information.

Information systems are primarily created to obtain certain information services. If obtaining information for any reason becomes impossible, this causes damage to all subjects of information relations. From this we can determine that the availability of information comes first.

Integrity is the main aspect of information security when accuracy and truthfulness are the main parameters of information. For example, prescriptions for medical drugs or a set and characteristics of components.

The most developed component of information security in our country is confidentiality. But the practical implementation of measures to ensure the confidentiality of modern information systems faces great difficulties in Russia. First, information about technical channels of information leakage is closed, so most users are unable to form an idea of the potential risks. Second, numerous legislative obstacles and technical challenges stand in the way of custom cryptography as the primary means of ensuring confidentiality.

Actions that can cause damage to an information system can be divided into several categories.

targeted theft or destruction of data on a workstation or server;

damage to data by the user as a result of careless actions.

"Electronic" methods of influence carried out by hackers.

Hackers are understood as people who engage in computer crimes both professionally (including as part of competition) and simply out of curiosity. These methods include:

unauthorized entry into computer networks;

The purpose of unauthorized entry into an enterprise network from the outside may be to cause harm (destruction of data), steal confidential information and use it for illegal purposes, use the network infrastructure to organize attacks on third-party nodes, steal funds from accounts, etc.

A DoS attack (Denial of Service) is an external attack on the enterprise network nodes responsible for its safe and efficient operation (file and mail servers). Attackers send massive volumes of data packets to these nodes in order to overload them and, as a result, put them out of action for some time. This, as a rule, entails disruptions in the business processes of the victim company, loss of customers, damage to reputation, etc.
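To make the flood pattern just described concrete from the defender's side, here is an added example (not part of the thesis) that applies a sliding-window rate check to a constructed packet log: each line holds a timestamp, a source address and the targeted server, and a source that exceeds a per-window packet threshold against one node is reported once. The log lines, the addresses, the 10-second window and the threshold of 100 packets are all constructed assumptions; in a real deployment the threshold would be tuned to the node's normal load.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values (constructed): a sliding window and the number of
# packets one source may send to one node inside that window before alerting.
WINDOW = timedelta(seconds=10)
THRESHOLD = 100


def parse_line(line):
    """Parse a constructed log line: '<ISO timestamp> <source IP> <target host>'."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window packet count per (source, target) pair.

    Returns one (source, target, time_threshold_reached, count) tuple per
    pair that reached the threshold; lines must be in chronological order.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = {}
    for line in lines:
        ts, src, dst = parse_line(line)
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = (ts, len(q))
    return [(src, dst, ts, n) for (src, dst), (ts, n) in alerts.items()]


def build_sample_log():
    """Constructed sample traffic: three ordinary clients plus one flooding source."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # Ordinary clients: one packet per second each to the mail server for a minute.
    for sec in range(60):
        for src in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(f"{(base + timedelta(seconds=sec)).isoformat()} {src} mail.example.internal")
    # Flooding source: 500 packets to the file server within five seconds.
    for i in range(500):
        stamp = base + timedelta(seconds=20, milliseconds=10 * i)
        lines.append(f"{stamp.isoformat()} 203.0.113.5 files.example.internal")
    lines.sort(key=lambda l: parse_line(l)[0])
    return lines


if __name__ == "__main__":
    for src, dst, ts, n in detect_floods(build_sample_log()):
        print(f"{ts.isoformat()} {src} -> {dst}: {n} packets in {WINDOW.seconds}s window")
```

The ordinary clients never hold more than eleven timestamps in a ten-second window, so only the flooding source is reported, at the moment its hundredth packet arrives. Keying the window on the (source, target) pair rather than on the source alone keeps a legitimately busy client that talks to many nodes from tripping the check.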

Computer viruses. A separate category of electronic methods of influence are computer viruses and other malicious programs. They pose a real danger to modern businesses that widely use computer networks, the Internet and e-mail. The penetration of a virus into corporate network nodes can lead to disruption of their functioning, loss of working time, loss of data, theft of confidential information and even direct theft of financial resources. A virus program that has penetrated a corporate network can give attackers partial or complete control over the company's activities.

Spam. In just a few years, spam has grown from a minor irritation to one of the most serious security threats:

email has recently become the main channel for the spread of malware;

viewing and subsequently deleting spam messages consumes a lot of time and causes employees a feeling of psychological discomfort;

both individuals and organizations become victims of fraudulent schemes carried out by spammers (victims often try not to disclose such events);

important correspondence is often deleted along with spam, which can lead to the loss of customers, broken contracts and other unpleasant consequences; the danger of losing correspondence especially increases when using RBL blacklists and other “crude” spam filtering methods.

"Natural" threats. A company’s information security can be affected by a variety of external factors: data loss can be caused by improper storage, theft of computers and media, force majeure, etc.

An information security management system (ISMS) allows you to manage a set of measures that implement a certain intended strategy, in this case in relation to information security. Note that we are talking not only about managing an existing system, but also about building a new one or redesigning an old one.

The set of measures includes organizational, technical, physical and other measures. Information security management is a comprehensive process that makes it possible to implement the most effective and complete management of information security in a company.

The goal of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the organization's assets and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what exactly needs to be protected. It is important to understand what information is processed within an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the activities of an organization are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some kind of information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and senior levels. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management regarding priorities in ensuring information security is very important and valuable in the risk analysis process, but in any case it should be clarified by collecting information about the criticality of assets at the average level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to senior management for a comprehensive assessment of the situation.

Information can be identified and localized based on a description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted an approach to regulating business activities (for example, for the purposes of quality management and optimization of business processes). Formalized descriptions of business processes are a good starting point for asset inventory. If there are no descriptions, you can identify assets based on information received from the organization's employees. Once assets have been identified, their value must be determined.

The work of determining the value of information assets across the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

But the economic efficiency of the information security management process largely depends on the awareness of what needs to be protected and what efforts this will require, since in most cases the amount of effort applied is directly proportional to the amount of money spent and operating expenses. Risk management allows you to answer the question of where you can take risks and where you can’t. In the case of information security, the term “risk” means that in a certain area it is possible not to make significant efforts to protect information assets, and at the same time, in the event of a security breach, the organization will not suffer significant losses. Here we can draw an analogy with the protection classes of automated systems: the more significant the risks, the more stringent the protection requirements should be.

To determine the consequences of a security breach, you must either have information about recorded incidents of a similar nature, or conduct a scenario analysis. Scenario analysis examines the cause-and-effect relationships between asset security events and the consequences of these events on the organization's business activities. The consequences of scenarios should be assessed by several people, iteratively or deliberatively. It should be noted that the development and evaluation of such scenarios cannot be completely divorced from reality. You must always remember that the scenario must be probable. The criteria and scales for determining value are individual for each organization. Based on the results of scenario analysis, information about the value of assets can be obtained.

Once assets have been identified and their value determined, the goals of information security can be said to be partially established: the objects of protection, and how important it is to the organization to keep them secure, are known. What remains is to determine whom they need to be protected from.

After determining the goals of information security management, you should analyze the problems that prevent you from approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional information security concepts - intruders, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard intruder model that divides all intruders by their type of access to the asset and their knowledge of its structure. This division helps determine what threats can be directed at an asset, but does not answer the question of whether these threats can be realized at all.

In the process of risk analysis, it is necessary to assess the motivation of intruders to implement threats. Here the intruder is not an abstract external hacker or insider, but a party that stands to benefit from violating the security of an asset.

It is advisable to obtain initial information about the offender’s model, as in the case of choosing the initial directions of information security activities, from top management, who understands the organization’s position in the market, has information about competitors and what methods of influence can be expected from them. The information necessary to develop a model of an intruder can also be obtained from specialized research on computer security violations in the business area for which the risk analysis is being carried out. A properly developed intruder model complements the information security objectives determined when assessing the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the environment in which the organization's information assets live. Information is not stored or processed on its own: access to it is provided by an information infrastructure that automates the organization's business processes. It is important to understand how an organization's information infrastructure and its information assets are related to each other. From the perspective of information security management, the importance of a piece of information infrastructure can be established only after its relationship to the information assets has been determined. If the processes for maintaining and operating the information infrastructure are regulated and transparent, collecting the information needed to identify threats and assess vulnerabilities is greatly simplified.

Developing a threat model is a job for information security professionals who have a good understanding of how an attacker can gain unauthorized access to information by breaching the security perimeter or using social engineering methods. When developing a threat model, you can also talk about scenarios as sequential steps according to which threats can be realized. It very rarely happens that threats are implemented in one step by exploiting a single vulnerable point in the system.

The threat model should include all threats identified through related information security management processes, such as vulnerability and incident management. It must be remembered that threats will need to be ranked relative to each other according to the level of likelihood of their implementation. To do this, in the process of developing a threat model for each threat, it is necessary to indicate the most significant factors, the existence of which influences its implementation.
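The preceding paragraphs describe three things that a risk analysis has to combine: the value of assets obtained from scenario analysis, a likelihood for each threat that depends on the factors present in the environment, and a threshold below which the organization chooses to accept the risk. The following script is an added illustration of that combination; it is not part of the thesis, and the 1..5 scales, the "one step per present factor" rule, the sample assets and the threats are all assumed for the example.

```python
"""Qualitative risk register: assets valued by scenario consequences, threats ranked
by likelihood factors, and a risk-acceptance threshold. Scales are assumed."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int  # consequence of a breach on a 1..5 scale, taken from scenario analysis


@dataclass
class Threat:
    name: str
    asset: str                    # name of the asset the threat is directed at
    base_likelihood: int          # 1..5 before any aggravating factor is considered
    factors: dict = field(default_factory=dict)  # factor -> True if present in this environment


def likelihood(threat: Threat) -> int:
    """Each factor that is actually present raises likelihood one step, capped at 5 (assumed rule)."""
    present = sum(1 for is_present in threat.factors.values() if is_present)
    return min(5, threat.base_likelihood + present)


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = consequence x likelihood, giving a combined 1..25 scale."""
    return asset.value * likelihood(threat)


def rank_risks(assets, threats, accept_threshold):
    """Return rows (threat, asset, score, decision) sorted from highest to lowest risk.

    A threat that points at an asset missing from the inventory is an inventory gap,
    not something to skip silently, so it raises.
    """
    inventory = {a.name: a for a in assets}
    rows = []
    for t in threats:
        if t.asset not in inventory:
            raise ValueError(f"threat {t.name!r} targets unknown asset {t.asset!r}; complete the inventory first")
        score = risk_score(inventory[t.asset], t)
        decision = "treat" if score > accept_threshold else "accept"
        rows.append((t.name, t.asset, score, decision))
    # Highest score first; ties are broken by asset value so critical assets surface first.
    rows.sort(key=lambda r: (r[2], inventory[r[1]].value), reverse=True)
    return rows


# Constructed sample register: values and factors are illustrative, not from any real assessment.
SAMPLE_ASSETS = [
    Asset("customer database", 5),
    Asset("payroll system", 4),
    Asset("marketing website", 2),
]
SAMPLE_THREATS = [
    Threat("credential theft via phishing", "customer database", 2,
           {"remote access without MFA": True, "public-facing interface": True}),
    Threat("insider payroll fraud", "payroll system", 1,
           {"no dual control on payments": True}),
    Threat("website defacement", "marketing website", 2,
           {"public-facing interface": True, "unpatched CMS": False}),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_ASSETS, SAMPLE_THREATS, accept_threshold=6):
        print("%-32s %-18s score=%2d -> %s" % row)
```

The factor list is where the "most significant factors" of the paragraph above end up: a threat with no present factors keeps its base likelihood, and the same threat in an environment with more of them ranks higher. The threshold is the organization's statement of where it can take risks; changing it re-partitions the register without recomputing the scores.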

The security policy is based on an analysis of risks that are recognized as real for the organization’s information system. Once the risks have been analyzed and the protection strategy has been determined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program is determined, etc.

In a broad sense, security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as a local regulatory document that defines security requirements, a system of measures or a procedure, as well as the responsibilities of the organization’s employees and control mechanisms for a certain area of security.

Before we begin to formulate the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information is any data (messages, facts) regardless of the form in which it is presented.

Confidentiality of information is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Information security (IS) is the state of security of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations, and states.

The concept of “information” is used today very broadly and in many senses.

Ensuring information security cannot be a one-time act. It is a continuous process of justifying and implementing the most rational methods, techniques and means of improving and developing the security system, continuously monitoring its condition, and identifying its weaknesses and illegal actions against it.

Information security can be ensured only through the integrated use of the entire range of available security means in all structural elements of the production system and at all stages of the information processing technological cycle. The greatest effect is achieved when all the means, methods and measures used are combined into a single integral mechanism - an information security system. At the same time, the functioning of the system must be monitored, updated and supplemented depending on changes in external and internal conditions.

According to the GOST R ISO/IEC 15408:2005 standard, the following types of security requirements can be distinguished:

functional requirements, corresponding to the active aspect of protection: requirements for security functions and the mechanisms that implement them;

assurance (trust) requirements, corresponding to the passive aspect: requirements imposed on the technology and on the development and operation process.

It is very important that security in this standard is not considered statically, but in relation to the life cycle of the object being assessed. The following stages are distinguished:

determination of purpose, conditions of use, security goals and security requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

So, let’s take a closer look at the functional security requirements. They include:

user data protection;

protection of security functions (requirements relate to the integrity and control of these security services and the mechanisms that implement them);

security management (the requirements of this class relate to the management of security attributes and parameters);

security audit (identification, registration, storage, analysis of data affecting the security of the object being assessed, response to a possible security violation);

privacy (protecting the user from disclosure and unauthorized use of his identification data);

use of resources (requirements for information availability);

communication (authentication of parties involved in data exchange);

trusted route/channel (for communication with security services).

An organization’s information security system should be built in accordance with these requirements.

The organization's information security system includes the following areas:

regulatory;

organizational (administrative);

technical;

software.

To fully assess the situation at an enterprise in all areas of security, it is necessary to develop an information security concept that would establish a systematic approach to the problem of security of information resources and represent a systematic statement of goals, objectives, design principles and a set of measures to ensure information security in an enterprise.

The corporate network management system should be based on the following principles (tasks):

ensuring the protection of the existing information infrastructure of the enterprise from intruders;

providing conditions for localizing and minimizing possible damage;

eliminating the emergence of sources of threats at the initial stage;

ensuring the protection of information against three main types of emerging threats (to availability, integrity, confidentiality).

The solution to the above problems is achieved by:

regulation of user actions when working with the information system;

regulation of user actions when working with the database;

uniform requirements for the reliability of hardware and software;

procedures for monitoring the operation of the information system (logging events, analyzing logs, analyzing network traffic, analyzing the operation of technical equipment).

The information security policy includes:

the main document is the “Security Policy”. It generally describes the organization’s security policy, general provisions, and also indicates the relevant documents for all aspects of the policy;

instructions for regulating the work of users;

job description for local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instructions for organizing password protection;

instructions for organizing anti-virus protection.

The Security Policy document contains the main provisions. The information security program, the job descriptions and the recommendations are all built on the basis of it.

Instructions for regulating the work of users of an organization's local network regulate the procedure for allowing users to work in the organization's local computer network, as well as the rules for handling protected information processed, stored and transmitted in the organization.

The job description of a local network administrator describes the responsibilities of a local network administrator regarding information security.

The job description of a database administrator defines the main responsibilities, functions and rights of a database administrator, describing each of them in detail.

Instructions for working with Internet resources reflect the basic rules for safe work with the Internet, and also contain a list of acceptable and unacceptable actions when working with Internet resources.

The instructions for organizing anti-virus protection define the basic provisions, requirements for organizing anti-virus protection of an organization's information system, all aspects related to the operation of anti-virus software, as well as responsibility in the event of a violation of anti-virus protection.

The instructions for organizing password protection regulate the organizational and technical support for the processes of generating, changing and terminating passwords (deleting user accounts). The actions of users and maintenance personnel when working with the system are also regulated.

Thus, the basis for organizing the information protection process is the security policy, formulated in order to determine from what threats and how the information in the information system is protected.

Security policy refers to a set of legal, organizational and technical measures to protect information adopted in a specific organization. That is, the security policy contains many conditions under which users gain access to system resources without losing the information security properties of this system.


The problem of ensuring information security must be solved systematically. This means that various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

Today there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of disk contents;

antivirus protection tools;

network vulnerability detection systems and network attack analyzers.

Each of the listed tools can be used either independently or in integration with others. This makes it possible to create information security systems for networks of any complexity and configuration, independent of the platforms used.

System of authentication (or identification), authorization and administration. Identification and authorization are key elements of information security. The authorization function determines which resources a specific user may access. The administration function assigns the user identifying attributes within a given network and defines the set of actions allowed to him.

Encryption systems make it possible to minimize losses in the event of unauthorized access to data stored on a hard drive or other media, as well as interception of information when sent by email or transmitted via network protocols. The purpose of this protection tool is to ensure confidentiality. The main requirements for encryption systems are a high level of cryptographic strength and legality of use on the territory of Russia (or other states).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks to prevent unauthorized data packets from entering or leaving the network.

The basic operating principle of a firewall is to check each data packet's source and destination IP addresses against a database of allowed addresses. In this way firewalls significantly expand the possibilities for segmenting information networks and controlling the circulation of data.
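The address check just described amounts to matching each packet against an ordered list of rules. The script below is an added example, not code from the thesis or from any firewall product: a stateless filter with a made-up one-line rule syntax, first-match semantics and a default-deny result for anything no rule covers. It also shows the ordering mistake a reviewer of such rule sets looks for first, a rule that a broader earlier rule makes unreachable. Addresses are RFC 5737 documentation ranges.

```python
"""Minimal stateless packet filter: address-based rules, first match wins, default deny.
The rule syntax is invented for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (entering the protected network) or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                    # "allow" or "deny"


def parse_rule(text: str) -> Rule:
    """Parse one line such as 'in 203.0.113.0/24 -> 192.0.2.10/32 allow'."""
    parts = text.split()
    if len(parts) != 5 or parts[2] != "->":
        raise ValueError(f"malformed rule: {text!r}")
    direction, src, _, dst, action = parts
    if direction not in ("in", "out") or action not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {text!r}")
    # strict=True rejects a network with host bits set (e.g. 192.0.2.1/24), a common typo
    # that would otherwise silently widen or narrow the intended range.
    return Rule(direction, ipaddress.IPv4Network(src, strict=True),
                ipaddress.IPv4Network(dst, strict=True), action)


def decide(rules, direction, src_ip, dst_ip):
    """Return (action, index of the matching rule). No match means the packet is dropped."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for index, rule in enumerate(rules):
        if rule.direction == direction and src in rule.src and dst in rule.dst:
            return rule.action, index
    return "deny", None


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule in the same
    direction already covers every address pair they cover."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(i)
                break
    return shadowed


# Constructed rule set for a protected network 192.0.2.0/24 with a web server at 192.0.2.10.
SAMPLE_RULES = [parse_rule(line) for line in [
    "in  203.0.113.0/24 -> 192.0.2.10/32 allow",   # partner office may reach the web server
    "in  0.0.0.0/0      -> 192.0.2.0/24  deny",    # everything else inbound is rejected
    "out 192.0.2.0/24   -> 0.0.0.0/0     allow",   # internal hosts may initiate outbound traffic
]]

if __name__ == "__main__":
    print(decide(SAMPLE_RULES, "in", "203.0.113.5", "192.0.2.10"))    # ('allow', 0)
    print(decide(SAMPLE_RULES, "in", "198.51.100.7", "192.0.2.10"))   # ('deny', 1)
    print(shadowed_rules(SAMPLE_RULES))                                # []
```

Returning the index of the matching rule rather than only the verdict is what makes the filter auditable: a log line that records which rule allowed a packet is far more useful during an incident than one that records only "allowed". Note that a filter of this kind inspects addresses only; it has no notion of connection state, so it cannot by itself tell a reply to an internal request from an unsolicited inbound packet.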

When talking about cryptography and firewalls, we should mention secure virtual private networks (VPN). Their use makes it possible to solve problems of confidentiality and integrity of data when transmitted over open communication channels. Using a VPN can be reduced to solving three main problems:

protection of information flows between different offices of the company (information is encrypted only at the exit to the external network);

secure access of remote network users to the company’s information resources, usually carried out via the Internet;

protection of information flows between individual applications within corporate networks (this aspect is also very important, since most attacks are carried out from internal networks).

An effective means of protecting against the loss of confidential information is filtering the contents of incoming and outgoing email. Screening the email messages themselves and their attachments based on the rules established by the organization also helps protect companies from liability in lawsuits and protects their employees from spam. Content filtering tools allow you to scan files of all common formats, including compressed and graphic files. At the same time, the network throughput remains virtually unchanged.

All changes on a workstation or server can be monitored by the network administrator or other authorized user thanks to the technology of checking the integrity of the contents of the hard drive (integrity checking). This allows you to detect any actions with files (change, deletion or simply opening) and identify virus activity, unauthorized access or data theft by authorized users. Control is carried out based on the analysis of file checksums (CRC sums).
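The checksum-based integrity check described above works by recording a baseline of every file and later comparing a fresh snapshot against it. The script below is an added example and is not from the thesis or from any integrity-checking product. It records the CRC32 that the text mentions alongside SHA-256, but bases the verdict on SHA-256: a CRC detects accidental corruption, whereas a deliberately altered file can be padded to keep its CRC unchanged, so a cryptographic hash is the one to compare. The sample file contents are constructed for the illustration.

```python
"""File integrity baseline and comparison (added example)."""
import hashlib
import os
import zlib


def fingerprint(data: bytes) -> dict:
    return {
        "size": len(data),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),  # catches accidental corruption only
        "sha256": hashlib.sha256(data).hexdigest(),         # collision-resistant, used for the verdict
    }


def snapshot(files: dict) -> dict:
    """Baseline for an in-memory mapping path -> bytes (used here so the example runs offline)."""
    return {path: fingerprint(content) for path, content in files.items()}


def snapshot_dir(root: str) -> dict:
    """The same baseline built from a real directory tree."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return snapshot(files)


def compare(baseline: dict, current: dict) -> dict:
    """Classify every path as added, deleted, modified or unchanged relative to the baseline."""
    report = {"added": [], "deleted": [], "modified": [], "unchanged": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        elif baseline[path]["sha256"] != current[path]["sha256"]:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


# Constructed sample "file system" at baseline time and at check time.
BASELINE_FILES = {
    "etc/hosts": b"127.0.0.1 localhost\n",
    "bin/backup.sh": b"#!/bin/sh\ntar czf /backup/daily.tgz /data\n",
    "etc/motd": b"Authorised users only\n",
}
CURRENT_FILES = {
    "etc/hosts": b"127.0.0.1 localhost\n",                             # unchanged
    "bin/backup.sh": b"#!/bin/sh\ntar czf /backup/daily.tgz /data\necho done\n",  # modified
    "etc/cron.d/cleanup": b"0 3 * * * root /usr/local/bin/cleanup\n",  # added
}                                                                      # etc/motd deleted

if __name__ == "__main__":
    report = compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    for kind in ("added", "deleted", "modified"):
        print(kind, report[kind])
```

Two practical points follow from the code. The baseline itself must be stored where the account being monitored cannot rewrite it (read-only media or another host), otherwise an intruder who alters a file can re-baseline it in the same step. And content checksums say nothing about a file merely being opened, which the text also lists: that event leaves the content untouched and is visible only in access timestamps or in the audit log.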

Modern anti-virus technologies make it possible to identify almost all already known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior-modeling technologies have been developed that make it possible to detect newly created virus programs. Detected objects can be disinfected, isolated (quarantined) or deleted. Virus protection can be installed on workstations, file and mail servers, and firewalls running almost any common operating system (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labor spent sorting through spam, reduce traffic and server load, improve the psychological climate in the team and reduce the risk of company employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages carrying viruses (even ones not yet included in the anti-virus databases) often show signs of spam and are filtered out. However, the positive effect of spam filtering can be negated if the filter removes, or marks as spam, useful messages, business or personal, along with the junk.

The enormous damage caused to companies by viruses and hacker attacks is largely a consequence of weaknesses in the software used. They can be identified in advance, without waiting for a real attack, using network vulnerability detection systems and network attack analyzers. Such software safely simulates common attacks and intrusion methods and determines what an attacker could see on the network and how he could exploit its resources.

To counter natural threats to information security, the company must develop and implement a set of procedures to prevent emergency situations (for example, to ensure physical protection of data from fire) and to minimize damage if such a situation does arise. One of the main methods of protecting against data loss is backup with strict adherence to established procedures (regularity, types of media, methods of storing copies, etc.).

The information security policy is a package of documents regulating the work of employees, describing the basic rules for working with information, information systems, databases, local networks and Internet resources. It is important to understand what place information security policy occupies in the overall management system of an organization. The following are general organizational measures related to security policies.

At the procedural level, the following classes of measures can be distinguished:

personnel management;

physical protection;

maintaining performance;

responding to security violations;

planning of restoration work.

Human resource management begins with hiring, but even before that, you should determine the computer privileges associated with the position. There are two general principles to keep in mind:

segregation of duties;

minimization of privileges.

The principle of separation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process critical to the organization. For example, it is undesirable for one person to make large payments on behalf of an organization. It is safer to instruct one employee to process applications for such payments, and another to certify these applications. Another example is procedural restrictions on superuser actions. You can artificially “split” the superuser password by sharing the first part of it with one employee and the second part with another. Then they can perform critical actions to administer the information system only together, which reduces the likelihood of errors and abuses.

The principle of least privilege requires that users be given only those access rights that they need to perform their job responsibilities. The purpose of this principle is obvious - to reduce damage from accidental or deliberate incorrect actions.
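The two principles above are usually enforced in code as an access-control check (least privilege: a role carries only the permissions the job needs) plus a workflow rule (separation of duties: the person who submits a large payment cannot also approve it). The following script is an added example, not part of the thesis: the roles, users, permission names and the dual-control limit are all assumed for the illustration.

```python
"""Least privilege and separation of duties for a payment workflow (added example)."""
from dataclasses import dataclass
from typing import Optional

# Each role carries only the permissions its holder needs (least privilege). Assumed roles.
ROLE_PERMISSIONS = {
    "clerk": {"payment:submit", "payment:read"},
    "controller": {"payment:approve", "payment:read"},
    "auditor": {"payment:read"},
}
# A single person holding both roles could push a payment through alone.
CONFLICTING_ROLE_PAIRS = [("clerk", "controller")]
DUAL_CONTROL_LIMIT = 10_000  # assumed: payments at or above this need a second person


@dataclass
class Payment:
    amount: int
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    state: str = "draft"


def permissions(user_roles: dict, user: str) -> set:
    """Union of the permissions of every role the user holds; unknown users hold none."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in user_roles.get(user, ())))


def require(user_roles: dict, user: str, permission: str) -> None:
    if permission not in permissions(user_roles, user):
        raise PermissionError(f"{user} lacks {permission}")


def submit(user_roles: dict, payment: Payment, user: str) -> Payment:
    require(user_roles, user, "payment:submit")
    payment.submitted_by = user
    payment.state = "submitted"
    return payment


def approve(user_roles: dict, payment: Payment, user: str) -> Payment:
    require(user_roles, user, "payment:approve")
    if payment.state != "submitted":
        raise ValueError("only submitted payments can be approved")
    # Separation of duties: above the limit the approver must differ from the submitter.
    if payment.amount >= DUAL_CONTROL_LIMIT and user == payment.submitted_by:
        raise PermissionError("dual control: the submitter may not approve a payment of this size")
    payment.approved_by = user
    payment.state = "approved"
    return payment


def role_conflicts(user_roles: dict) -> list:
    """Users whose combined roles defeat separation of duties; worth checking at every role change."""
    return sorted(user for user, roles in user_roles.items()
                  if any(a in roles and b in roles for a, b in CONFLICTING_ROLE_PAIRS))


# Constructed users: carol has accumulated both roles, the situation role_conflicts() flags.
SAMPLE_USERS = {
    "alice": {"clerk"},
    "bob": {"controller"},
    "carol": {"clerk", "controller"},
    "dave": {"auditor"},
}

if __name__ == "__main__":
    p = approve(SAMPLE_USERS, submit(SAMPLE_USERS, Payment(50_000), "alice"), "bob")
    print(p)
    print("role conflicts:", role_conflicts(SAMPLE_USERS))
```

The runtime rule in approve() is the last line of defense; role_conflicts() is the cheaper control, run whenever roles are granted, so that nobody accumulates a combination that the workflow rule then has to catch on every transaction.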

Preparing a job description in advance allows you to assess how critical the position is and to plan the procedure for screening and selecting candidates. The more responsible the position, the more carefully the candidates need to be checked: make inquiries about them, perhaps talk with former colleagues, and so on. Such a procedure can be lengthy and expensive, so there is no point in complicating it further. At the same time, it is unreasonable to forgo pre-screening entirely, since that risks accidentally hiring someone with a criminal record or a mental illness.

Once a candidate has been selected, he or she will probably need training; at the very least, the new employee should be thoroughly familiarized with the job responsibilities and with the information security regulations and procedures. It is advisable that the new employee understands the security measures before taking up the position and before a system account with a login name, password and privileges is created.

The security of an information system depends on the environment in which it operates. It is necessary to take measures to protect buildings and surrounding areas, supporting infrastructure, computer equipment, and storage media.

Let's consider the following areas of physical protection:

physical access control;

protection of supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of an organization can be controlled, as well as individual premises, for example, those where servers, communication equipment, etc. are located.

Supporting infrastructure includes electrical, water and heat supply systems, air conditioning and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should select equipment with the maximum MTBF, duplicate critical components, and always have spare parts on hand.

Generally speaking, a risk analysis should be performed when selecting physical protective equipment. Thus, when deciding to purchase an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (however, it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of available sources and possible losses from accidents (breakdown of equipment, suspension of the organization’s work and so on.)

Let's consider a number of measures aimed at maintaining the functionality of information systems. It is in this area that the greatest danger lurks. Unintentional mistakes by system administrators and users can lead to a loss of operability: damage to equipment, destruction of programs and data. That is the worst case. At best, they create security holes through which threats to the system can be realized.

The main problem of many organizations is the underestimation of security considerations in everyday work. Expensive security features are meaningless if they are poorly documented, conflict with other software, and the system administrator password has not been changed since installation.

For daily activities aimed at maintaining the functionality of the information system, the following actions can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

routine maintenance.

User support implies, first of all, consultation and assistance in solving various kinds of problems. It is very important to be able to identify problems related to information security in a stream of questions. Thus, many difficulties for users working on personal computers may be the result of virus infection. It is advisable to record user questions in order to identify their common mistakes and issue reminders with recommendations for common situations.

Software support is one of the most important means of ensuring information integrity. First of all, you need to keep track of what software is installed on your computers. If users install programs at their own discretion, this can lead to infection with viruses, as well as the emergence of utilities that bypass protection measures. It is also likely that the “independent activities” of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and access rights to them. This also includes support for reference copies of software systems. Control is typically achieved through a combination of physical and logical access controls, as well as the use of verification and integrity utilities.

Configuration management allows you to control and record changes made to the software configuration. First of all, you need to insure yourself against accidental or ill-conceived modifications, and be able at least to return to a previous working version. Recording changes makes it easy to restore the current version after a disaster.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security depend on each other: the administrator who cares first of all about making his own task easier is, in fact, the one who shapes the information security regime best.

Backup is necessary to restore programs and data after disasters. And here it is advisable to automate the work, at a minimum, by creating a computer schedule for creating full and incremental copies, and, at a maximum, by using the appropriate software products. It is also necessary to arrange for the placement of copies in a safe place, protected from unauthorized access, fires, leaks, that is, from anything that could lead to theft or damage to the media. It is advisable to have several copies of backup copies and store some of them off-site, thus protecting against major accidents and similar incidents. From time to time, for test purposes, you should check the possibility of restoring information from copies.
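The paragraph above mentions full and incremental copies and the need to test restoration from time to time. A restore from incremental backups only works if the whole chain since the last full backup is present and applied in order, which is exactly what a periodic restore test checks. The script below is an added example, not code from the thesis or from any backup product; the backup records are constructed in-memory dictionaries, and the record layout (a sequence number, a kind, the files and the deletions) is assumed for the illustration.

```python
"""Restoring from a full backup plus a chain of incrementals, with chain checking (added example)."""


def restore(backups: list) -> dict:
    """Rebuild the file set from the latest full backup and the incrementals that follow it.

    Each record: {"seq": n, "kind": "full" | "incremental", "files": {...}, "deleted": [...]}.
    A full record's "files" is the complete set; an incremental's "files" holds only what
    changed since the previous record and "deleted" lists the paths removed since then.
    """
    chain = sorted(backups, key=lambda b: b["seq"])
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore must start from a full backup")
    # Earlier full backups are superseded by the latest one: start there.
    start = max(i for i, b in enumerate(chain) if b["kind"] == "full")
    state = dict(chain[start]["files"])
    expected_seq = chain[start]["seq"]
    for record in chain[start + 1:]:
        expected_seq += 1
        if record["seq"] != expected_seq:
            raise ValueError(f"incremental backup {expected_seq} is missing; chain broken at seq {record['seq']}")
        state.update(record["files"])
        for path in record.get("deleted", []):
            state.pop(path, None)
    return state


def needed_for_restore(backups: list, target_seq: int) -> list:
    """Sequence numbers a restore up to target_seq will read: the latest full at or before the
    target and every incremental after it. This is the set that has to survive off-site."""
    chain = [b for b in sorted(backups, key=lambda b: b["seq"]) if b["seq"] <= target_seq]
    fulls = [i for i, b in enumerate(chain) if b["kind"] == "full"]
    if not fulls:
        raise ValueError(f"no full backup at or before seq {target_seq}")
    return [b["seq"] for b in chain[fulls[-1]:]]


def verify_restore(backups: list, live_files: dict) -> list:
    """Periodic restore test: paths where a restore would differ from the live system."""
    restored = restore(backups)
    return sorted(path for path in set(restored) | set(live_files)
                  if restored.get(path) != live_files.get(path))


# Constructed backup history: a full copy, two incrementals, then a fresh full copy.
FULL_0 = {"seq": 0, "kind": "full",
          "files": {"db.sql": b"v1", "config.ini": b"c1", "notes.txt": b"n1"}, "deleted": []}
INC_1 = {"seq": 1, "kind": "incremental", "files": {"db.sql": b"v2"}, "deleted": []}
INC_2 = {"seq": 2, "kind": "incremental", "files": {"report.pdf": b"r1"}, "deleted": ["notes.txt"]}
FULL_3 = {"seq": 3, "kind": "full",
          "files": {"db.sql": b"v3", "config.ini": b"c1", "report.pdf": b"r1"}, "deleted": []}
HISTORY = [FULL_0, INC_1, INC_2, FULL_3]

if __name__ == "__main__":
    print(sorted(restore([FULL_0, INC_1, INC_2])))
    print(needed_for_restore(HISTORY, 2), needed_for_restore(HISTORY, 3))
    try:
        restore([FULL_0, INC_2])          # INC_1 lost: the chain is broken
    except ValueError as err:
        print("restore failed:", err)
```

The failure case is the instructive one: with INC_1 missing, a naive restore would silently produce an old db.sql, and nobody would notice until the data was needed. Refusing to restore across a gap turns that silent data loss into a loud error that the periodic restore test catches while the missing copy can still be recovered.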

Media management is necessary to provide physical security and accounting for floppy disks, tapes, printed output, etc. Media management must ensure the confidentiality, integrity, and availability of information stored outside computer systems. Physical protection here means not only repelling unauthorized access attempts, but also protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management must cover the entire lifecycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything, from the security policy to the media log, takes the form of a document. It is important that the documentation is up to date, reflects the actual state of affairs, and does so consistently.

Confidentiality requirements apply to the storage of some documents (containing, for example, an analysis of system vulnerabilities and threats), while others, such as a disaster recovery plan, are subject to integrity and availability requirements (in a critical situation, the plan must be found and read).

Routine work is a very serious security risk. An employee performing routine maintenance receives exclusive access to the system, and in practice it is very difficult to control exactly what actions he performs. This is where the degree of trust in those doing the work comes to the fore.

The security policy adopted by the organization must provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since measures need to be taken urgently and in a coordinated manner.

Response to security breaches has three main goals:

localizing the incident and reducing harm;

identifying the offender;

preventing repeated violations.

Often the requirement to localize an incident and reduce harm comes into conflict with the desire to identify the offender. The organization's security policy should set these priorities in advance. Since, as practice shows, it is very difficult to identify an attacker, in our opinion care should be taken first of all to reduce the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical and must be performed no matter what. Planning restoration work allows you to prepare for accidents, reduce damage from them and maintain the ability to function at least to a minimum extent.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most measures are precautionary in nature.

The restoration planning process can be divided into the following stages:

identifying critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a restoration strategy;

preparation for the implementation of the chosen strategy;

checking the strategy.

When planning restoration work, you should be aware that it is not always possible to fully maintain the functioning of the organization. It is necessary to identify the critical functions, without which the organization ceases to be itself, and even to prioritize among the critical functions so that work can resume after an accident as quickly as possible and at minimal cost.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is advisable to involve specialists of different profiles in the work.

Thus, there are many different methods for ensuring information security, and the most effective approach is to apply them together as a single complex. Today the security market is saturated with information security tools. Constantly studying what the market offers, many companies come to see that the funds previously invested in their information security systems are no longer adequate, for example because of the obsolescence of equipment and software, and they look for a way out. There are two options: on the one hand, a complete replacement of the corporate information protection system, which requires large investments; on the other, modernization of the existing security systems. The second option is the least expensive, but it raises new problems: how to ensure compatibility between the retained hardware and software security tools and the new elements of the information security system; how to provide centralized management of heterogeneous security tools; and how to assess and, when necessary, reassess the company’s information risks.

Chapter 2. Analysis of the information security system

1 Scope of activity of the company and analysis of financial indicators

OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in reliable, efficient and balanced provision of consumers with natural gas, other types of energy resources and their processed products.

Gazprom has the world's richest natural gas reserves. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. Currently, the company is actively implementing large-scale projects for the development of gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transportation network, the Unified Gas Supply System of Russia, whose length exceeds 161 thousand km. Gazprom sells more than half of its gas on the domestic market. In addition, the company supplies gas to 30 countries of the near and far abroad.

Gazprom is Russia's only producer and exporter of liquefied natural gas and provides about 5% of global LNG production.

The company is one of the five largest oil producers in the Russian Federation, and is also the largest owner of generating assets on its territory. Their total installed capacity is 17% of the total installed capacity of the Russian energy system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring reliability of supplies.

Let's consider the financial performance of the company over the past two years. The company's operating results are presented in Appendix 1.

As of December 31, 2010, sales revenue amounted to RUB 2,495,557 million, which is much lower than the 2011 figure of RUB 3,296,656 million.

Sales revenue (net of excise tax, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011 compared to the same period last year, amounting to RUB 3,296,656 million.

Based on the results of 2011, net revenue from gas sales accounted for 60% of total net sales revenue (60% for the same period last year).

Net revenue from gas sales increased from RUB 1,495,335 million to RUB 1,987,330 million for the same period in 2011, or by 33%.

Net revenue from gas sales to Europe and other countries increased by RUB 258,596 million, or 34%, compared to the same period last year, and amounted to RUB 1,026,451 million. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% for the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales volumes increased by 8% compared to the same period last year.

Net revenue from gas sales to the countries of the former Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was primarily driven by a 33% increase in gas sales to the former Soviet Union for the nine months ended September 30, 2011 compared to the same period last year. In addition, the average price in rubles (including customs duties, less VAT) increased by 15% compared to the same period last year.

Net revenue from gas sales in the Russian Federation increased by RUB 64,861 million, or 15%, compared to the same period last year, and amounted to RUB 502,271 million. This is mainly due to an increase in the average price of gas by 13% compared to the same period last year, which is associated with an increase in tariffs set by the Federal Tariff Service (FTS).

Net revenue from the sale of oil and gas products (less excise tax, VAT and customs duties) increased by RUB 213,012 million, or 42%, and amounted to RUB 717,723 million compared to the same period last year. This increase is mainly explained by an increase in world prices for oil and gas products and an increase in sales volumes compared to the same period last year. Gazprom Neft Group's revenue amounted to 85% and 84% of the total net revenue from the sale of oil and gas products, respectively.

Net revenue from the sale of electrical and thermal energy (excluding VAT) increased by RUB 38,097 million, or 19%, and amounted to RUB 237,545 million. The increase in revenue from the sale of electrical and thermal energy is mainly due to an increase in tariffs for electrical and thermal energy, as well as an increase in the volume of sales of electrical and thermal energy.

Net revenue from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) increased by RUB 23,072 million, or 16%, and amounted to RUB 164,438 million, compared to RUB 141,366 million for the same period last year. The change is mainly caused by rising prices for oil and gas condensate; in addition, gas condensate sales increased. Revenue from the sale of crude oil amounted to RUB 133,368 million and RUB 121,675 million within net proceeds from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by RUB 15,306 million, or 23%, and amounted to RUB 82,501 million, compared to RUB 67,195 million for the same period last year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in the volumes of gas transported for independent suppliers compared to the same period last year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million, compared to RUB 87,502 million for the same period last year.

Expenses for trade operations without actual delivery amounted to RUB 837 million, compared to income of RUB 5,786 million for the same period last year.

Operating expenses increased by 23% and amounted to RUB 2,119,289 million, compared to RUB 1,726,604 million for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to RUB 267,377 million, compared to RUB 227,500 million for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9%, or by RUB 17,026 million, and amounted to RUB 201,636 million, compared to RUB 184,610 million for the same period last year. The increase was mainly due to the expansion of the fixed asset base.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million, compared to RUB 774,739 million for the same period last year. Sales profit margin increased from 31% to 36% for the nine months ended September 30, 2011.

Thus, OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators are showing positive dynamics.

2 Description of the company’s information security system

Let's consider the main areas of activity of the divisions of the Corporate Protection Service of OJSC Gazprom:

development of targeted programs for the development of systems and complexes of engineering and technical security equipment (ITSO) and information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, and participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer for the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of IT in terms of information security systems;

review and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work to assess the compliance of ITSO systems and complexes, information security systems (as well as works and services for their creation) with the established requirements;

coordination and control of work on technical information security.

Gazprom has created a system to ensure the protection of personal data. However, the adoption by federal executive authorities of a number of regulatory legal acts developing the existing laws and government regulations makes it necessary to improve the current personal data protection system. To solve this problem, a number of documents have been developed and are being approved within the framework of research work. First of all, these are draft organization standards of OAO Gazprom:

"Methodology for classifying information systems of personal data of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in personal data information systems of OAO Gazprom, its subsidiaries and organizations."

These documents were developed taking into account the requirements of Decree of the Government of the Russian Federation No. 781 of November 17, 2007 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" as applied to the class of special systems, to which most of the personal data information systems (ISPDn) of OJSC Gazprom belong.

In addition, the development of “Regulations on the organization and technical support of the security of personal data processed in personal data information systems of OAO Gazprom, its subsidiaries and organizations” is currently underway.

It should be noted that within the framework of the standardization system of OJSC Gazprom, standards for the information security system have been developed, which will also make it possible to solve the problems of protecting personal data processed in the information systems of OJSC Gazprom.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the basic requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, create the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in the information systems of OAO Gazprom.

As a result of the analysis of information security of OJSC Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

Considering the size of the network and the number of users (more than 100), it should be noted that one person is responsible for system administration, information security and technical support;

there is no classification of information assets by degree of importance;

information security roles and responsibilities are not included in job descriptions;

in the employment contract concluded with the employee there is no clause on the information security responsibilities of both those employed and the organization itself;

personnel training in the field of information security is not provided;

with regard to protection from external threats: no standard procedures have been developed for recovering data after accidents caused by external and environmental threats;

the server room is not a separate room; it is shared by two departments (one more person, in addition to the system administrator, has access to the server room);

technical probing and physical examination for unauthorized devices connected to cables are not carried out;

despite the fact that entry is carried out using electronic passes and all information is entered into a special database, its analysis is not carried out;

in terms of protection against malware: there is no formal policy to protect against risks associated with receiving files either from or through external networks or contained on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, there is access to mail servers of external networks;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

receipt of passwords by users is not confirmed in any way;

passwords are stored in clear text by the administrator;

passwords do not change;

There is no procedure for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

policies regarding the hiring (dismissal) and granting (deprivation) of employees of the necessary authority to access system resources;

policy regarding the work of network users during its operation;

password protection policy;

policy on the organization of physical protection;

Internet policy;

as well as administrative security measures.

Documents containing these regulations are at the stage of consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OJSC Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate identified security system deficiencies, we will highlight the following groups of information that are subject to protection:

information about the private life of employees that allows them to be identified (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information “for official use”;

information, the destruction or modification of which will negatively affect operational efficiency, and restoration will require additional costs.

From the point of view of administrative measures, the following recommendations were developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing facilities are installed or stored, or where work with protected information is carried out, must be guarded and protected by alarm and access control means;

training of personnel on information security issues (explaining the importance of password protection and password requirements, conducting training on anti-virus software, etc.) should be organized when hiring an employee;

conduct trainings every 6-12 months aimed at improving the literacy of employees in the field of information security;

an audit of the system and adjustments to the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes to the structure of the enterprise;

each user’s access rights to information resources must be documented (if necessary, access is requested from the manager in writing);

the information security policy must be ensured by the software administrator and the hardware administrator, their actions are coordinated by the head of the group.

Let's formulate a password policy:

do not store them in unencrypted form (do not write them down on paper, in a regular text file, etc.);

change the password if it is disclosed or suspected of disclosure;

length must be at least 8 characters;

The password must contain upper and lower case letters, numbers and special characters; the password must not include easily calculated sequences of characters (names, animal names, dates);

change once every 6 months (an unscheduled password change must be made immediately after receiving notification of the incident that triggered the change);

When changing passwords, you cannot select those that were used previously (passwords must differ by at least 6 positions).

Let's formulate a policy regarding antivirus programs and virus detection:

Licensed anti-virus software must be installed on each workstation;

updating anti-virus databases on workstations with Internet access - once a day, without Internet access - at least once a week;

set up automatic scanning of workstations for virus detection (frequency of checks - once a week: Friday, 12:00);

Only the administrator can interrupt the anti-virus database update or virus scan (password protection should be set for the specified user action).

Let's formulate a policy regarding physical protection:

technical probing and physical examination for unauthorized devices connected to cables should be carried out every 1-2 months;

network cables must be protected from unauthorized interception of data;

records of all suspected and actual failures that occurred with the equipment must be stored in a log;

Each workstation must be equipped with an uninterruptible power supply.

Let's define a backup policy:

a separate room located outside the administrative building should be allocated for backup copies (the room should be equipped with an electronic lock and an alarm);

Backups should be made every Friday at 16:00.

The policy regarding the hiring/dismissal of employees should be as follows:

any personnel changes (hiring, promotion, dismissal of an employee, etc.) must be reported to the administrator within 24 hours; the administrator, in turn, must make the corresponding changes to the system for delimiting access rights to enterprise resources within half a working day;

a new employee must undergo training from the administrator, including familiarization with the security policy and all necessary instructions; the level of access to information for the new employee is assigned by the manager;

When an employee is dismissed, his ID and password are deleted, the workstation is checked for viruses, and the integrity of the data to which the employee had access is analyzed.

Policy regarding work with the local area network (LAN) and databases (DB):

when working at his workstation and on the LAN, the employee must perform only tasks directly related to his official activities;

The employee must notify the administrator about messages from anti-virus programs about the appearance of viruses;

no one other than administrators is allowed to make changes to the design or configuration of workstations and other LAN nodes, install any software, leave the workstation without control or allow unauthorized persons to access it;

Administrators are recommended to keep two programs running at all times: an ARP-spoofing attack detection utility and a sniffer, the use of which will allow them to see the network through the eyes of a potential intruder and identify security policy violators;

You should install software that prevents the launch of programs other than those designated by the administrator, based on the principle: “Any person is granted the privileges necessary to perform specific tasks.” All unused computer ports must be disabled by hardware or software;

The software should be updated regularly.
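To illustrate what the ARP-spoofing detection utility recommended above would actually watch for, here is an added Python example (not the thesis's or any product's code) that runs three checks over a stream of ARP replies; the trusted address table and the replies are constructed sample data.

```python
"""Detector for the ARP-spoofing indicators an administrator's monitoring
utility would look for, run over a constructed stream of ARP replies.
Added example, not the thesis's or any vendor's utility; the trusted table
and the replies below are constructed sample data."""
from collections import defaultdict

# Constructed table of addresses the administrator has verified (e.g. the gateway).
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed ARP replies as (seconds since start, sender IP, sender MAC).
REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway announces itself
    (1.0, "10.0.0.25", "00:11:22:33:44:25"),  # ordinary workstation
    (2.0, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),   # gateway IP claimed by a different MAC
    (3.0, "10.0.0.25", "AA:BB:CC:DD:EE:FF"),  # same MAC now also claims the workstation
    (3.1, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
    (3.2, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),
    (3.3, "10.0.0.1", "AA:BB:CC:DD:EE:FF"),   # fifth reply from this MAC within 5 s
]


def detect_arp_spoofing(replies, trusted, flood_window=5.0, flood_threshold=5):
    """Return alerts as (time, kind, ip, mac) tuples.

    kinds: trusted-mismatch  a verified IP is announced with another MAC;
           ip-mac-change     an IP seen earlier changes its MAC (can also be a
                             legitimate NIC replacement, so an admin must confirm);
           reply-flood       one MAC sent >= flood_threshold replies within flood_window s.
    """
    alerts = []
    seen = {ip: mac.lower() for ip, mac in trusted.items()}   # ip -> first MAC observed
    recent = defaultdict(list)                                # mac -> reply times in window
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip].lower():
            alerts.append((t, "trusted-mismatch", ip, mac))
        elif ip in seen and seen[ip] != mac:
            alerts.append((t, "ip-mac-change", ip, mac))
        seen.setdefault(ip, mac)
        # keep only this MAC's replies inside the sliding window, then add the new one
        recent[mac] = [x for x in recent[mac] if t - x <= flood_window] + [t]
        if len(recent[mac]) == flood_threshold:
            alerts.append((t, "reply-flood", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(REPLIES, TRUSTED):
        print("t=%.1f %-16s %s -> %s" % alert)
```

In production the replies would come from the sniffer the policy also recommends, and every alert needs an administrator's confirmation before the offending host is disconnected.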

Internet Policy:

administrators are assigned the right to restrict access to resources, the content of which is not related to the performance of official duties, as well as to resources, the content and focus of which are prohibited by international and Russian legislation;

the employee is prohibited from downloading and opening files without first checking for viruses;

all information about resources visited by company employees should be stored in a log and, if necessary, can be provided to department heads, as well as management;

confidentiality and integrity of electronic correspondence and office documents is ensured through the use of digital signatures.

In addition, we will formulate the basic requirements for creating passwords for employees of the OJSC Gazprom company.

A password is like a house key, only it is the key to information. For ordinary keys, it is extremely undesirable to be lost, stolen, or handed over to a stranger. The same goes for the password. Of course, the security of information depends not only on the password; to ensure it, you need to set a number of special settings and, perhaps, even write a program that protects against hacking. But choosing a password is exactly the action where it depends only on the user how strong this link will be in the chain of measures aimed at protecting information.

the password must be long (8-12-15 characters);

it must not be a word from a dictionary (any dictionary, even a dictionary of special terms and slang), a proper name, or a Cyrillic word typed in the Latin keyboard layout (for example, "латынь" typed this way becomes kfnsym);

it must not be associated with its owner;

it is changed periodically or as needed;

it is not reused across resources (i.e., a different password must be used for each resource: to log into a mailbox, the operating system or a database);

it must be possible to remember it.

Selecting words from the dictionary is undesirable, since an attacker conducting a dictionary attack will use programs capable of searching up to hundreds of thousands of words per second.

Any information associated with the owner (be it date of birth, dog's name, mother's maiden name, and similar “passwords”) can be easily recognized and guessed.

The use of uppercase and lowercase letters, as well as numbers, greatly complicates the attacker’s task of guessing the password.

The password should be kept secret, and if you suspect that the password has become known to someone, change it. It is also very useful to change them from time to time.
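Both the password policy formulated earlier in this chapter and the password requirements above can be enforced mechanically at the point where a user sets a password; the following is an added Python example of such a checker (not code from the thesis). The dictionary, the owner attributes and the previous passwords it is run against are constructed, and the Latin-to-Cyrillic map covers only the letter keys of the standard Russian layout.

```python
"""Checker for the password rules stated above: minimum length, character
classes, no dictionary word (including a Cyrillic word typed in the Latin
layout), nothing tied to the owner, no simple sequences, and a new password
that differs from the old one in at least 6 positions.
Added example, not code from the thesis; the dictionary, owner attributes and
previous passwords used with it are constructed sample data."""
import re
from datetime import date

MIN_LENGTH = 8              # the policy's minimum; 12-15 characters is preferable
MIN_POSITIONS_CHANGED = 6   # a new password must differ from the old one in >= 6 positions

# Latin QWERTY key -> Cyrillic letter on the same key of the Russian (ЙЦУКЕН) layout.
_LATIN_KEYS = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_CYRILLIC_KEYS = "йцукенгшщзхъфывапролджэячсмитьбю"
_LAYOUT = dict(zip(_LATIN_KEYS, _CYRILLIC_KEYS))

# Constructed mini-dictionary; a real deployment loads full word lists.
DICTIONARY = {"password", "gazprom", "secret", "qwerty", "пароль", "латынь"}


def latin_to_cyrillic(text: str) -> str:
    """Reinterpret Latin-layout keystrokes as the Cyrillic letters on the same keys."""
    return "".join(_LAYOUT.get(ch, ch) for ch in text.lower())


def has_simple_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by 0 or +/-1 (e.g. 1234, aaaa, dcba)."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if len(steps) == 1 and steps.pop() in (-1, 0, 1):
            return True
    return False


def positions_changed(old: str, new: str) -> int:
    """Positions in which two passwords differ; extra length counts as changed."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def owner_fragments(owner: dict) -> list:
    """Strings tied to the owner (names, pet, birth date forms) that must not appear."""
    frags = [owner.get(k, "") for k in ("first_name", "last_name", "pet")]
    bd = owner.get("birth_date")
    if isinstance(bd, date):
        frags += [bd.strftime(f) for f in ("%Y", "%d%m", "%d.%m.%Y", "%d%m%Y")]
    return [f for f in frags if len(f) >= 3]


def check_password(password: str, owner: dict, previous=()) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.

    owner: e.g. {"first_name": "Ivan", "pet": "Sharik", "birth_date": date(1985, 3, 12)}
    previous: passwords used earlier on this account, most recent last.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for pattern, what in ((r"[A-ZА-Я]", "uppercase letter"), (r"[a-zа-я]", "lowercase letter"),
                          (r"[0-9]", "digit"), (r"[^A-Za-zА-Яа-я0-9]", "special character")):
        if not re.search(pattern, password):
            problems.append("no " + what)
    lowered = password.lower()
    if lowered in DICTIONARY or latin_to_cyrillic(password) in DICTIONARY:
        problems.append("dictionary word (possibly Cyrillic typed in the Latin layout)")
    for frag in owner_fragments(owner):
        if frag.lower() in lowered:
            problems.append("contains owner-related data: " + frag)
            break
    if has_simple_sequence(password):
        problems.append("contains a simple character sequence")
    if password in previous:
        problems.append("password was used before")
    elif previous and positions_changed(previous[-1], password) < MIN_POSITIONS_CHANGED:
        problems.append("differs from the previous password in fewer than %d positions"
                        % MIN_POSITIONS_CHANGED)
    return problems


if __name__ == "__main__":
    owner = {"first_name": "Ivan", "last_name": "Petrov", "pet": "Sharik",
             "birth_date": date(1985, 3, 12)}   # constructed
    for candidate in ("kfnsym", "Sharik#2024", "Tq7#mZ9!rB2v"):
        print(candidate, "->", check_password(candidate, owner) or "OK")
```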

Conclusion

The study allowed us to draw the following conclusions and formulate recommendations.

It has been established that the main reason for the enterprise's problems in the field of information security is the lack of an information security policy, which would include organizational, technical, financial solutions with subsequent monitoring of their implementation and evaluation of effectiveness.

The definition of information security policy is formulated as a set of documented decisions, the purpose of which is to ensure the protection of information and associated information risks.

The analysis of the information security system revealed significant shortcomings, including:

storage of backup copies in the server room, the backup server is located in the same room as the main servers;

lack of proper rules regarding password protection (password length, rules for choosing and storing it);

network administration is handled by one person.

A generalization of international and Russian practice in the field of information security management of enterprises allowed us to conclude that to ensure it, it is necessary:

forecasting and timely identification of security threats, causes and conditions conducive to financial, material and moral damage;

creating operating conditions with the least risk of implementing security threats to information resources and causing various types of damage;

creating a mechanism and conditions for effectively responding to threats to information security based on legal, organizational and technical means.

The first chapter of the work discusses the main theoretical aspects. An overview of several standards in the field of information security is given. Conclusions are drawn for each and as a whole, and the most appropriate standard for forming information security policy is selected.

The second chapter examines the structure of the organization and analyzes the main problems associated with information security. As a result, recommendations have been formed to ensure the proper level of information security. Measures to prevent further incidents related to information security violations are also considered.

Of course, ensuring an organization's information security is a continuous process that requires constant monitoring, and even a properly formed policy is not an iron-clad guarantee of protection. In addition to implementing the policy, its implementation must be monitored continuously and the policy improved whenever the company changes or incidents occur. It was recommended that the organization hire an employee whose duties would be directly related to these functions (a security administrator).
