Information Security. Information security systems: final qualifying works (WKR) on information security

Information security is usually understood as a set of measures aimed at achieving the required level of software and hardware protection against illegal and unauthorized penetration by intruders. Today, comprehensive information protection in an enterprise is becoming the norm, covering all security techniques and tools that are available for implementation. Any diploma in information security will certainly contain an analysis of each of the following means of protecting information in information systems (IS):

  • Physical means of protection, consisting of installed security cameras, various locking devices (locks), doors, bars, metal cabinets, safes, etc. Designed primarily to create a natural barrier for an attacker;
  • Hardware security, which includes various devices, sensors, detectors, scanners and encryptors, which most effectively contribute to maintaining data confidentiality and the security of systems and networks (the most common areas of application are information protection in local networks and cryptographic information protection);
  • Software protection tools, which are primarily represented by various firewalls, anti-virus systems, security policies, etc., i.e. various software that in one way or another expands the capabilities of standard security tools and copes with the task relatively successfully. The only nuance worth highlighting is that if you are pursuing a diploma on the development of a personal data protection system, it is better to give preference to hardware protection, since it is much more effective and not so susceptible to hacking;
  • Organizational protection measures, which are represented by various charters, rules and technical regulations for working with specific categories of data. The organization and technology of information protection in this case is as follows - all employees strictly comply with the regulations and requirements that relate to work with data classified as “confidential” or “personal”. Failure to comply with requirements will result in penalties, administrative or criminal liability.

Of course, the data protection methods described above are not the only ones, but each of them plays an important role in the process of conducting an enterprise information security audit.

Let us highlight the key features that characterize almost all diplomas in information security:

  • A clearly defined and justified goal of the project, the high relevance of the research being carried out and a clear desired result upon completion of all work;
  • A correctly formulated main task, which contains a step-by-step list of all necessary actions, which, if successfully completed, lead to the required final result;
  • Identification of several available solutions to a given problem, taking into account all the requirements and conditions of data protection, further selection of the most suitable (in terms of time and cost) possible option and justification of the choice made. The fundamental factor in this case is efficiency and compliance with all data protection requirements;
  • Determining the most accessible and understandable presentation of the research result for greater clarity during the defense.

It is not difficult to guess that diplomas in information security in an enterprise are quite complex and cover a wide variety of areas, and in order to correctly develop a personal data protection system, it is important to have good theoretical and practical knowledge. But this condition is not always met.

Students have often wondered what to do if they do not have time to complete the entire amount of work themselves. The answer is quite simple: contact our online store in advance, where a huge number of different information security works are presented. Just a few examples will suffice:

  • Work on organizing information security;
  • Thesis on information security;
  • Consideration of problems of ensuring information security.

And we are absolutely sure that each of you will be able to choose a diploma from us according to your requirements, and if there is no chosen topic, you can easily order it from our specialists.

This category presents work related to ensuring the information security of enterprises, information systems and local computer networks, including:

  1. document flow security;
  2. security of operating systems and databases;
  3. security of computing systems;
  4. security of Internet resources;
  5. engineering and technical information protection.

The works have been prepared for specialists in the following specialties:

090000 INFORMATION SECURITY

090100 Information security

090101 Cryptography

090102 Computer security


If you have not found a suitable finished work, you can order a new one to be written, which will be completed on time and in full accordance with your requirements.

focus (profile) “Information systems and technologies”

areas of training 09.03.02 “Information systems and technologies”

Types of professional activities:
design and technological,
service and operational.

1. Virtualization of the information infrastructure of the enterprise (name of the enterprise).

2. Integration of enterprise information systems based on Linux OS and a freely distributed DBMS.

3. Modernization and administration of the corporate information system of the enterprise (name of the enterprise).

4. Modernization, administration and maintenance of the information network of the enterprise (name of the enterprise).

5. Modernization of the information and management system of the enterprise (process) (name of the enterprise or process) and development of measures to support it.

6. Development of an Intranet portal for the enterprise (name of the enterprise).

7. Design of an enterprise information network (name of enterprise).

8. Design of a corporate information system for an enterprise (name of enterprise).

9. Development and maintenance of the corporate web portal of the enterprise (name of the enterprise).

10. Development of an automated information processing system for the enterprise (name of the enterprise).

11. Development of a prototype of an enterprise information system for process management (name of the process or object).

12. Development of a web service for the information system of the enterprise (name of the enterprise).

13. Development of a reference information system for the enterprise (name of the enterprise).

14. Development of a model and design of an enterprise information management system (name of enterprise).

15. Development of technological software for system maintenance (name of system).

16. Development of software for a microprocessor device (name of device).

17. Development of a mobile client application for the information system of the enterprise (name of the enterprise).

18. Development of a simulation model to optimize production process parameters.

19. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

20. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

in the educational program of applied bachelor's degree

areas of training 09.03.04 “Software Engineering”

Types of professional activities:
production and technological,
organizational and managerial,
service and operational.

1. Development of an application for parsing a website, social network, portal.

2. Design and software implementation of an information (information and reference) system (purpose or function of the system).

3. Development of firmware for the device (name of the device).

4. Development of application software for the system (name of the system).

5. Development of a software information system (name of the area of use or the process being implemented).

6. Development of methods for testing and debugging software (name of software).

7. Development of a software module (name of the module) for the 1C: Enterprise system (name of the enterprise).

8. Development of a web service for the enterprise information management system (name of the enterprise).

9. Development of an application to support the information-measuring system (purpose of the system).

10. Study of information security of web services of the 1C:Enterprise system.

11. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

12. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Information service”

Types of professional activities:
service,

1. Modernization, administration and maintenance of the local network of the enterprise (name of the enterprise).

2. Modernization and administration of the enterprise information system (name of the enterprise).

3. Design of an enterprise information system (name of enterprise).

4. Design and development of technology for operating a local network of an enterprise (name of enterprise).

5. Design of hardware and software protection of the information system of the enterprise (name of the enterprise).

6. Development of technology for diagnostics, repair and maintenance of the device (name of the device, group of devices, measuring equipment, computer unit, computer or microprocessor system, local network).

7. Development and administration of the company’s website (name of the company).

8. Development of the server configuration for the data transmission network of the enterprise (name of the enterprise).

9. Development and administration of the enterprise information system database (name of the enterprise).

10. Development of an Intranet portal for the enterprise (name of the enterprise).

11. Development of a subsystem for monitoring production processes on the 1C:Enterprise platform.

12. Development of a project for a distributed information system (name of the system) of the enterprise (name of the enterprise).

13. Development of an information and reference accounting system (name of the accounting object).

14. Development of a WCF service for an enterprise information system.

15. Development of a model of an enterprise information system (name or area of activity of the enterprise).

16. Development of methods for testing and debugging software (name of software).

17. Development of a set of measures for the administration and maintenance of a software information system (name of the area of use or the process being implemented).

18. Modeling and research of the data transmission system (name of the system).

19. Research and optimization of parameters of a distributed information system on the 1C:Enterprise platform.

20. Design of a division of the enterprise (name of the enterprise) for repair and maintenance of electronic (computer) equipment and organization of operation of technical equipment.

21. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

22. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Electronic equipment service”

areas of training 43.03.01 “Service”

Types of professional activities:
service,
production and technological.

1. Development of technology for diagnostics, repair and maintenance of the device (name of the electronic device, microprocessor or telecommunication system, measuring equipment, data transmission network).

2. Development of an electronic system (name of the system) of the enterprise (name of the enterprise, shopping and office center, entertainment complex).

3. Development of an information input/output device (name of the device).

4. Development of software for a microprocessor device (name of device).

5. Development of a corporate telecommunications network for an enterprise (name of enterprise).

6. Development of a digital device (module) (name of the device, module; name of the function being implemented).

7. Development of a power supply device for electronic equipment (name of equipment).

8. Development of technology for monitoring (controlling parameters) of objects (name of objects).

9. Development and research of a wireless sensor (name of the measured parameter).

10. Design of a division of the enterprise (name of the enterprise) for repair and maintenance of electronic (computer) equipment and organization of operation of technical equipment.

11. Development of a subsystem (name of the subsystem) of an integrated security system for the enterprise (name of the enterprise).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Radio engineering means of transmitting, receiving and processing signals”
areas of training 11.03.01 “Radio Engineering”

Types of professional activities:
design and engineering,
service and operational.

1. Development of a device (block, module; receiving, transmitting, transceiver) system (name of the system).

2. Development of a wireless interface for electronic equipment (name of equipment).

3. Study of the virtual model of the device (specify the type of device) in the environment (name of the software environment).

4. Development of a subsystem (name of the subsystem) of an integrated enterprise security system (name of the enterprise).

Topics of final qualifying works

in the educational program of applied bachelor's degree

focus (profile) “Mobile communication systems”

areas of training 11.03.02 “Infocommunication technologies and communication systems”

Types of professional activities:
design

1. Design of a telecommunications network for an enterprise (name of enterprise).

2. Administration and maintenance of the telecommunications network of the enterprise (name of the enterprise).

3. Development of a block (codec, vocoder, synchronization device, matching device) of a digital telecommunication system.

4. Development of a wireless interface adapter (name of interfaces).

5. Development of an information processing device (device type) system (system name).

6. Development of a device for interfacing systems (name of systems).

7. Development of a system controller (system name).

8. Development of a synchronization device for a telecommunication system (name of system).

9. Development of a technological device for testing telecommunications equipment (name of equipment).

10. Development of a wireless communication network (network segment) based on technology (name of technology).

11. Development of technology for remote monitoring of object parameters (name of parameters).

12. Development of a sensor network for monitoring the state of an object (name of the object).

13. Development of technology for diagnostics and measurement of parameters of a telecommunication device (name of device, system, network, environment).

14. Development of a transceiver device for the system (name of the system).

15. Development of telecommunication devices for remote control of an object (name of object).

16. Development of a parameter meter for telecommunications equipment components (name of components).

17. Development of a wireless information input/output device (name of device).

18. Development of hardware and software for infocommunication technology (name of technology).

19. Study of information transfer protocols in the system (name of the system).

20. Research of digital signal processing methods for the system (name of the system).

21. Development of infocommunication technology and facility management system (name of facility).

22. Development of a wireless system for measuring a parameter (name of parameter).

23. Design of virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of enterprise).

Topics of final qualifying works

according to the educational program of secondary vocational education

specialty 09.02.01 “Computer systems and complexes”

Professional modules:

PM.01 Design of digital devices,

PM.02 Application of microprocessor systems, installation and configuration of peripheral equipment,

PM.03 Maintenance and repair of computer systems and complexes.

1. Diagnostics of faults and monitoring of the technical condition of equipment (name of hardware and software of computer technology or computer network).

2. Assembling, configuring and setting up tools (name of computer hardware and software or computer network).

3. Development of a set of measures to ensure information security of the computer network of the enterprise (name of the enterprise).

4. Development of a contactless identification system for the enterprise (name of the enterprise).

5. Maintenance and administration of the enterprise information system (name of the enterprise).

6. Maintenance and administration of the computer network of the enterprise (name of the enterprise).

7. Hardware and software maintenance and support (name of computer hardware or computer network).

8. Installation, adaptation and maintenance of software (name of software).

9. Development and research of a digital (microprocessor) device (module) (name of device, module).

10. Development of testing technology and comprehensive debugging of software (name of software).

Topics of final qualifying works for graduates

focus (profile) “Elements and devices of computer technology and information systems”

areas of training 09.04.01 “Informatics and Computer Science”

Types of professional activities:
design,
scientific research.

1. Modeling and research of network protocols for information transfer (the type of information is indicated).

2. Research and development of computer methods for improving system parameters (parameters or parameters and type of system are indicated).

3. Computer modeling, research and optimization of information or telecommunication systems (the class of systems is indicated).

4. Research and optimization of the construction of wireless sensor networks.

5. Research and analysis of the construction of wireless Internet of Things networks.

6. Development of efficiency criteria and study of the distribution of virtual machines within the cloud infrastructure.

7. Development, research and evaluation of the effectiveness of distributed information (or information-measuring) systems (the area of application or type of systems is indicated).

8. Development and research of a wireless interface for equipment (name of equipment).

9. Development and research of an object tracking device (name of objects).

10. Development and research of devices for monitoring the condition of an object (name of object).

11. Development of hardware and software diagnostic tools for devices (name of devices).

12. Development and research of a wireless sensor (name of the measured parameter).

13. Study of correction algorithms for converters of a parameter (parameter name) into code.

14. Development of algorithms and software for monitoring the parameters of the facility management system (name of the facility).

15. Development and research of wireless control devices for the object (name of the object).

16. Modeling and research of parameter converters (name of parameters).

17. Methods for assessing the quality of software (the purpose of the software is indicated).

18. Study of the functioning of devices (name of devices) under conditions (conditions are indicated) in order to improve the characteristics (characteristics are indicated).

19. Development of methods for analysis and synthesis of devices (name of devices) in order to improve characteristics (characteristics are indicated).

Topics of final qualifying works

in the academic master's program

focus (profile) “Development of software and information systems”
areas of training 09.04.04 “Software Engineering”

Types of professional activities:
research,
design

1. Development and research of a REST service for displaying schedules in higher education institutions.

2. Research and development of software testing tools for cellular operators.

3. Recognition of the physiological state of a person based on the theory of systems with a random structure.

4. Design of a sales automation information system (name of enterprise) based on the MDA approach.

5. Development and research of a software information system for assessing the quality of software (the name of the software is indicated).

6. Development of distributed software and information systems (the scope of application of the system is indicated) and research into the possibilities of their optimization based on efficiency criteria (the criteria are indicated).

7. Development of software to support input/output devices for the system (name of the system).

8. Study of the security of components of the software information system (name of the system).

Methodological recommendations are intended for students of all forms of training in specialty 10.02.01 (090905) and represent a set of requirements for the organization, implementation and defense of final qualifying works (WKR).

  • Federal state educational standard for basic and advanced training in the specialty 10.02.01 (090905) Organization and technology of information security,
  • Federal Law of December 29, 2012 No. 273-FZ “On Education in the Russian Federation”,
  • the procedure for conducting state final certification for educational programs of secondary vocational education, approved by order of the Ministry of Education and Science of the Russian Federation dated August 16, 2013 No. 968 (hereinafter referred to as the Procedure for conducting the State Examination),
  • provisions of the State Budgetary Educational Institution “Technological College No. 34” “On the procedure for conducting state final certification for educational programs of secondary vocational education”,
  • quality management systems.

1. GENERAL PROVISIONS

State final certification of a graduate of the Moscow State Budgetary Educational Institution “Technological College No. 34” in specialty 10.02.01 (090905) Organization and technology of information security includes the preparation and defense of a final qualifying thesis.

Quality control of graduate training is carried out in two main areas:

  • assessment of the level of mastery of academic disciplines, MDK and PM;
  • assessment of the level of mastery of competencies.

Area of professional activity of graduates. An information security specialist in specialty 10.02.01 (090905) performs work related to ensuring comprehensive information protection based on developed programs and techniques. Collects and analyzes materials from institutions, organizations and industry enterprises in order to develop and make decisions and measures to ensure the protection of information and the effective use of automatic control tools, and to detect possible channels of leakage of information representing state, military, official and commercial secrets. Analyzes existing methods and means used to control and protect information and develops proposals for improving them and increasing the effectiveness of this protection. Participates in the inspection of protected objects, their certification and categorization. Develops and prepares for approval draft normative and methodological materials regulating work on information protection, as well as regulations, instructions and other organizational and administrative documents. Organizes the development and timely submission of proposals for inclusion in the relevant sections of long-term and current work plans and programs of measures for control and protection of information. Provides feedback and conclusions on projects of newly constructed and reconstructed buildings and structures and other developments on issues of ensuring information security.
Participates in the review of technical specifications for design, preliminary, technical and detailed designs, ensures their compliance with current regulatory and methodological documents, as well as in the development of new basic diagrams of control equipment, control automation tools, models and information security systems, assessment of the technical and economic level and the effectiveness of the proposed and implemented organizational and technical solutions: organizing the collection and analysis of materials in order to develop and take measures to ensure data protection and identify possible channels of information leakage representing official, commercial, military and state secrets.

Objects of professional activity of graduates are:

  • participation in the planning and organization of work to ensure the protection of the facility;
  • organizing work with documentation, including confidential ones;
  • use of software, hardware and technical means of information security;
  • participation in the implementation of a comprehensive facility protection system;
  • participation in the collection and processing of materials to develop solutions to ensure information security and the effective use of means of detecting possible channels of leakage of confidential information;
  • participation in the development of programs and methods for organizing information security at the facility;
  • monitoring compliance by personnel with the requirements of the information security regime;
  • participation in the preparation of organizational and administrative documents regulating the work on information protection;
  • organization of document flow, including electronic, taking into account the confidentiality of information.

The final qualifying work of an information security specialist has the goal of systematizing and deepening knowledge, improving the skills and abilities of the graduate in solving complex scientific and technical problems with elements of scientific research, as well as demonstrating the degree of professional preparedness of the graduate and its compliance with this educational standard. The final qualifying work for the qualification “information security specialist” is carried out in the form of a thesis or graduation project. The subject matter of the final qualifying work for the basic form of training must correspond to the content of one or more professional modules.

Professional cycle of specialty 10.02.01 (090905) Organization and technology of information security includes 4 professional modules:

  1. Participation in the planning and organization of work to ensure the protection of the facility.
  2. Organization and technology of working with confidential documents.
  3. Application of software, hardware and technical means of information security.
  4. Carrying out work in one or more worker professions or office positions.

The final qualifying work must meet a number of mandatory requirements:

  • demonstrate the level of development of general and professional competencies;
  • be relevant and practice-oriented;
  • comply with the developed task;
  • include an analysis of sources on the topic with generalizations and conclusions, comparisons and assessment of different points of view;
  • demonstrate the graduate’s level of readiness for one/several type(s) of professional activity;
  • present the material consistently, with persuasive factual evidence;
  • draw reasoned conclusions and generalizations.

In the final qualifying work, the student must demonstrate mastery of general and professional competencies, including the ability to:

OK 1. Understand the essence and social significance of your future profession, have high motivation to perform professional activities in the field of information security.

OK 2. Organize your own activities, choose standard methods and ways of performing professional tasks, evaluate their effectiveness and quality.

OK 3. Make decisions in standard and non-standard situations and take responsibility for them.

OK 4. Search and use information necessary for the effective performance of professional tasks, professional and personal development.

OK 5.

OK 6. Work in a team and team, communicate effectively with colleagues, management, and consumers.

OK 7. Take responsibility for the work of team members (subordinates), the result of completing tasks.

OK 8. Independently determine the tasks of professional and personal development, engage in self-education, consciously plan professional development.

OK 9. Navigate frequent changes of technology in professional activities.

OK 10.

OK 11. Apply mathematical tools to solve professional problems.

OK 12. Assess the significance of documents used in professional activities.

OK 13. Navigate the structure of federal executive authorities that ensure information security.

PM 01 Participation in the planning and organization of work to ensure the protection of the facility.

PC 1.1. Participate in the collection and processing of materials to develop solutions to ensure the protection of information and the effective use of means of detecting possible channels of leakage of confidential information.

PC 1.2. Participate in the development of programs and methods for organizing information security at the facility.

PC 1.3. Plan and organize the implementation of information security measures.

PC 1.4. Participate in the implementation of developed organizational solutions at professional sites.

PC 1.5. Keep records of the processing, storage, transmission and use of various media of confidential information.

PC 1.6. Ensure safety precautions during organizational and technical activities.

PC 1.7. Participate in organizing and conducting inspections of information technology objects subject to protection.

PC 1.8. Monitor staff compliance with information security regime requirements.

PC 1.9. Participate in assessing the quality of facility protection.

PM 02 Organization and technology of working with confidential documents.

PC 2.1. Participate in the preparation of organizational and administrative documents regulating the work on information protection.

PC 2.2. Participate in the organization and provide technology for record keeping, taking into account the confidentiality of information.

PC 2.3. Organize document flow, including electronic, taking into account the confidentiality of information.

PC 2.4. Organize archival storage of confidential documents.

PC 2.5. Prepare documentation for the operational management of information security tools and personnel.

PC 2.6. Keep records of work and objects to be protected.

PC 2.7. Prepare reporting documentation related to the operation of control and information security tools.

PC 2.8. Document the progress and results of the internal investigation.

PC 2.9. Use regulatory legal acts, regulatory and methodological documents on information protection.

PM 03 Application of software, hardware and technical means of information security.

PC 3.1. Apply software, hardware and technical means of protecting information on protected objects.

PC 3.2. Participate in the operation of systems and means of protecting information of protected objects.

PC 3.3. Carry out routine maintenance and record failures of protective equipment.

PC 3.4. Identify and analyze possible threats to the information security of objects.

PM 04 Performing work in one or more worker professions, employee positions.

21299 "Clerk"

OK 1.

OK 2.

OK 3.

OK 4.

OK 5.

Use information and communication technologies in professional activities.

OK 6.

OK 7.

Perform military duties, including using acquired professional knowledge (for young men).

PC 4.1

Receive and register incoming correspondence and forward it to the structural divisions of the organization.

PC 4.2

Review documents and submit them for execution, taking into account the resolution of the organization’s leaders.

PC 4.3

Prepare registration cards and create a data bank.

PC 4.4

Maintain a file of records of the passage of documentary materials.

PC 4.5

Monitor the passage of documents.

PC 4.6

Send completed documentation to recipients using modern types of organizational technology.

PC 4.7

Compile and execute official documents and materials using forms for specific types of documents.

PC 4.8

Form cases.

PC 4.9

Provide a quick search for documents in the scientific reference apparatus (card files) of the organization.

PC 4.10

Ensure the safety of ongoing official documentation.

16199 “Operator of electronic computers and computers”

OK 1.

Understand the essence and social significance of your future profession, show sustained interest in it.

OK 2.

Organize your own activities based on the goal and methods of achieving it, determined by the leader.

OK 3.

Analyze the work situation, carry out current and final monitoring, evaluation and correction of one’s own activities, and be responsible for the results of one’s work.

OK 4.

Search for information necessary to effectively perform professional tasks.

OK 5.

Use information and communication technologies in professional activities.

OK 6.

Work in a team, communicate effectively with colleagues, management, and clients.

OK 7.

Perform military duties, including using acquired professional knowledge (for young men).

PC 4.1

Prepare and configure hardware, peripherals, personal computer operating systems, and multimedia equipment.

PC 4.2

Enter digital and analog information into a personal computer from various media.

PC 4.3

Convert files with digital information into various formats.

PC 4.4

Process audio and visual content using sound, graphic and video editors.

PC 4.5

Create and play videos and presentations, slide shows, media files and other final products from the original audio, visual and multimedia components using a personal computer and multimedia equipment.

PC 4.6

Create media libraries for structured storage and cataloging of digital information.

PC 4.7

Manage the placement of digital information on the disks of a personal computer, as well as disk storage on a local and global computer network.

PC 4.8

Replicate multimedia content on various removable storage media.

PC 4.9

Publish multimedia content on the Internet.

  1. PERFORMANCE OF GRADUATE QUALIFICATION WORK

Final qualifying work (WRC) is the final work of an educational and research nature during college education. Preparation of the final qualifying work is the final stage of a student’s education and at the same time a test of his ability to independently solve educational problems. The student’s independent work on the chosen topic begins during pre-graduation practice. At the same time, his theoretical knowledge is further deepened and systematized, applied and practical skills are developed, and general and professional erudition increases.

The thesis (diploma project) has some similarities with course work, for example in working with theoretical sources or in its layout. However, the thesis is a theoretical and (or) experimental study of one of the current problems of information security in the graduate’s specialty. The research may include the development of various methods, techniques, software and hardware, models, systems, procedures, etc., which serve to achieve the goals of the thesis. The results of the thesis are presented in the form of an explanatory note with graphs, tables, drawings, maps, diagrams, etc. attached.

When performing research and development work, information about the latest domestic and foreign achievements of science and technology in the field of information security should be used. The period of preparation and defense of the thesis is preceded by pre-graduation practice. The terms of pre-graduation practice, as well as the terms of preparation and defense of the thesis, are determined by the schedule for organizing the educational process, approved by order of the college before the start of the current academic year. The graduate must carry out the work using materials collected by him personally during the pre-graduation internship, as well as while writing the course work.

The topics of final qualifying works are determined during the development of the State Examination Program. When determining the topic of the WRC, it should be taken into account that its content may be based on:

  • summarizing the results of course work previously completed by students;
  • using the results of previously completed practical tasks.

The assignment of topics for final qualifying works to students is formalized no later than November 1st of the final year of study. At the same time, students are assigned to supervisors. The supervisor helps the student in developing areas of research, determining the range of theoretical issues to study, and developing the practical part of the study. Each supervisor can be assigned no more than 8 students.

2. STRUCTURE OF GRADUATE QUALIFICATION WORK

The structure of the theoretical part of the qualifying thesis: introduction, theoretical section, practical section, conclusion, list of references, appendices.

The volume of the diploma project is 40-50 pages of printed text and includes:

  1. Title page (Appendix 1).
  2. Content. The table of contents of the WRC is created automatically in the form of links for ease of working with a large amount of text material. The use of an electronic table of contents also demonstrates mastery of the general competence OK 5 (Use information and communication technologies in professional activities).
  3. Introduction. It is necessary to substantiate the relevance and practical significance of the chosen topic, formulate the goal and objectives, the object and subject of the research project, and the range of problems under consideration.

4. Main part of the WRC includes sections in accordance with the logical structure of the presentation. The title of a section should not duplicate the title of the topic, and the titles of paragraphs should not duplicate the titles of sections.

The main part of the work must contain two sections.

  • Section I is devoted to the theoretical aspects of the object and subject being studied. It contains an overview of the information sources used and the regulatory framework on the topic of the WRC, and can also contain statistical data in the form of tables and graphs.
  • Section II is devoted to the analysis of practical material obtained during industrial (pre-graduation) internship. This section contains:
    • analysis of specific material on the chosen topic;
    • description of identified problems and development trends of the object and subject of study;
    • description of ways to solve identified problems using calculations, analysis of experimental data, and the product of creative activity.

During the analysis, analytical tables, calculations, formulas, charts, diagrams and graphs can be used.

5. Conclusion should contain conclusions and recommendations on the possibility of using or practically applying the research results. It should be no more than 5 pages of text.

6. References are drawn up in accordance with GOST.

7. Applications are located at the end of the work and are drawn up in accordance with With

The introduction, each chapter, conclusion, and list of sources used begin on a new page.

Handout. The presentation is accompanied by a demonstration of materials from the appendices.

To do this, an electronic presentation must be prepared. A presentation on paper is also possible: handouts for the commission in separate folders, or posters hung up before the speech.

During the student’s speech, the commission gets acquainted with the thesis, handouts issued by the student, and video presentation.

The electronic version of the work is attached to the paper copy of the WRC. The disc must be placed in an envelope and signed.

2.2. STAGES OF PREPARATION OF GRADUATE QUALIFICATION WORK

Stage I: Involvement in activities involves:

  • choosing a research topic;
  • selection, study, analysis and synthesis of materials on the topic;
  • development of a work plan.

Stage II: Determining the level of work involves a theoretical study of the literature and formulation of the problem.

Stage III: Construction of research logic. The data from this stage is reflected in the introduction.

The introduction can be compared to the abstract of a book: it sets out the theoretical foundations of the thesis and describes its structure, stages and methods of work. Therefore, the introduction should be written as competently and briefly as possible (2-3 pages). The introduction should prepare the reader to perceive the main text of the work. It consists of mandatory elements that must be correctly formulated.

  1. The relevance of the research - an explanation of why your topic is important and to whom it is of interest. (Answers the question: why should this be studied?) At this point it is necessary to reveal the essence of the problem being studied. It is logical to begin this point of the introduction with a definition of the economic phenomenon at which the research activity is aimed. Here you can list the sources of information used for the research. (The information base of the study can be included in the first chapter.) However, you need to understand that there are some objective difficulties that can be resolved by writing your thesis. These difficulties, that is, the shortcomings that exist in the external environment, reflect the problem of the thesis.
  2. Research problem (answers the question: what should be studied?). A research problem shows a complication, an unsolved problem, or factors that interfere with its solution. It is defined in 1-2 terms. (Example of a research problem: “...the contradiction between the organization’s need for reliable information protection and the actual organization of work to ensure information protection in the organization”).

3. Purpose of the study - this is what you should ultimately obtain, that is, the final result of the thesis. (The goal presupposes an answer to the question: what result will be obtained?) The goal should be to solve the problem under study through its analysis and practical implementation. The goal is always aimed at the object. For example:

  • Develop a project (recommendations)...
  • Identify conditions, relationships...
  • Determine the dependence of something on something...

4. Object of study (what will be studied?). Involves working with concepts. This paragraph provides a definition of the economic phenomenon at which the research activity is aimed. The object can be a person, environment, process, structure, or the economic activity of an enterprise (organization).

5. Subject of study (how and through what will the search proceed?). Here it is necessary to define the specific properties of the object planned for research or the methods of studying the economic phenomenon. The subject of the research is aimed at practice and is reflected through the results of the internship.

6. Research objectives - these are the steps to achieve your goal (they show how to reach the result), the ways of achieving the goal. They correspond to the hypothesis and are determined based on the goals of the work. The formulation of the tasks must be done as carefully as possible, since the description of their solution should form the content of the subsections and points of the work. As a rule, 3-4 tasks are formulated.

Each task must begin with an infinitive verb. Tasks are described through a system of sequential actions, for example:

  • analyze...;
  • study...;
  • research...;
  • reveal...;
  • define...;
  • develop...

As a rule, 5-7 tasks are distinguished in the thesis (thesis work).

Each task should be reflected in one of the subsections of the theoretical or practical part. Tasks should be reflected in the table of contents. If the task is stated in the introduction, but it is not visible in the table of contents and in the text of the thesis, this is a serious mistake.

List of required tasks:

  1. “Based on a theoretical analysis of literature, develop...” (key concepts, basic concepts).
  2. “Determine...” (highlight the main conditions, factors, reasons influencing the object of study).
  3. “Expand...” (highlight the main conditions, factors, reasons influencing the subject of the study).
  4. “Develop...” (means, conditions, forms, programs).
  5. “Test (what has been developed) and make recommendations...”

8. Theoretical and practical significance of the study: “The results of the study will allow us to implement...; will contribute to the development of...; will allow us to improve...” The presence of formulated directions for the implementation of the obtained conclusions and proposals gives the work great practical significance. This element is not mandatory.

9. Research methods: a brief listing is given. Research methodology is the set of methods that the student used in the process of writing the thesis. Research methods include theoretical methods (analysis, synthesis, comparison) and empirical methods (observation, survey, experiment).

10. Research base - this is the name of the enterprise or organization on the basis of which the research was carried out. Most often, the research base is the place of the student’s pre-graduation internship.

The final phrase of the introduction is a description of the structure and number of pages of the thesis: “The structure of the work corresponds to the logic of the study and includes an introduction, a theoretical part, a practical part, a conclusion, a list of references, and appendices.” Here it is permissible to give a more detailed structure of the WRC and briefly outline the content of the sections.

Thus, the introduction should prepare the reader to perceive the main text of the work.

Stage IV: work on the main part of the WRC.

The main part of the thesis should contain sections, subsections and paragraphs that outline the theoretical and practical aspects of the topic based on an analysis of published literature, discuss controversial issues, and formulate the position and point of view of the author; the observations and experiments carried out by the student, the research methodology, calculations, analysis of experimental data, and the results obtained are described. When dividing the text into subsections and paragraphs, it is necessary that each paragraph contains complete information.

The theoretical part involves an analysis of the object of study and should contain key concepts, the history of the issue, and the level of development of the problem in theory and practice. In order to competently write the theoretical part, it is necessary to study a sufficiently large number of scientific, scientific-methodological and other sources on the topic of the thesis; as a rule, no fewer than 10.

Section 1 should be devoted to a description of the object of research and Section 2 to a description of the subject of research; together they constitute the main part of the research work and should be logically connected with each other.

The main part of the WRC should contain tables, diagrams, graphs with appropriate links and comments. Sections should have headings that reflect their content. In this case, section headings should not repeat the title of the work. Let us consider in more detail the content of each of the sections of the WRC.

Section 1 is of a theoretical, educational nature and is devoted to a description of the basic theoretical principles, methods, techniques, approaches and hardware and software used to solve the problem or tasks similar to it. This section includes only what is necessary as an initial theoretical basis for understanding the nature of the research and development described in the following sections. Theoretical issues are presented: methods, techniques and algorithms for solving the problem; information flows are analyzed, etc. The last of the main sections usually provides a description of the results of experimentation with the proposed (developed) methods, techniques, hardware, software and systems, and a comparative analysis of the results obtained is carried out. Special attention should be paid to the discussion of the results obtained in the WRC and their illustration. When presenting the content of publications by other authors, references to them must be provided, indicating the page numbers of these information sources. In the first section, it is recommended to analyze the current state of the problem and identify trends in the development of the process under study. For this purpose, current regulatory documents, official statistics, materials from analytical reviews and journal articles are used. The analysis of regulations should conclude with findings about their impact on the problem under study and recommendations for their improvement. When statistical material is presented in the text of the work, references to the data source are mandatory.

In the first section, it is advisable to pay attention to the history (stages) of development of the process under study and analysis of foreign experience in its organization. The result of the analysis of foreign practice should be a comparison of the process under study with domestic practice and recommendations on the possibilities of its application in Russia.

This section should also provide a comparative analysis of existing approaches and methods for solving the problem. It is necessary to justify the choice of method for solving the problem under study and present it in detail. You can also suggest your own method.

In the process of studying theoretical sources, you need to highlight and mark the text that is significant for this section of the diploma. These text fragments can be placed in your thesis research as a quotation, as an illustration for your analysis and comparison. The theoretical part of the thesis cannot include entire sections and chapters from textbooks, books, and articles.

Any work must contain theoretical, methodological and practical aspects of the problem under study.

Section 2 must be of a purely applied nature. It is necessary to quantitatively describe a specific object of study, provide the results of practical calculations and directions for their use, as well as formulate directions for improving activities in the organization and technology of information security. To write the second section, as a rule, materials collected by the student during practical training are used. This section of the WRC contains a description of the practical results of the research. It can describe the experiment and the methods used to conduct it, the results obtained, and the possibilities of using the research results in practice.

Approximate structure of the practical part of the thesis

The title of the practical part, as a rule, formulates the research problem using the example of a specific organization.

  1. Purpose of the study - is given in the first sentence.
  2. Technical and economic characteristics of the enterprise on the basis of which the research is carried out (status of the enterprise, morphological features of the organization, organizational and management structure, features of the technological process, etc.).
  3. Research methods.
  4. Progress of the study. After the name of each method is formulated, the purpose of its use and a description are given. Next, the application of the research method in a specific organization is revealed. All materials on the application of research methods (questionnaire forms, internal documents for ensuring the protection of data of an organization/enterprise) are placed in the Appendices. The results obtained are analyzed and a conclusion is drawn. To obtain more accurate results, use not one but several research methods.
  5. General conclusions. At the end of the study, general results (conclusions) are drawn on the entire topic. The methodology used should confirm or refute the research hypothesis. If the hypothesis is refuted, recommendations are given for possible improvement of the organizational activities and data protection technology of the organization/enterprise in the light of the problem under study.
  6. Conclusion. A short list of the results obtained in the work should be presented. The main purpose of the conclusion is to summarize the content of the work and the results of the research. The conclusion presents the findings obtained and analyzes their relationship with the purpose of the work and the specific tasks set and formulated in the introduction; it forms the basis of the student’s defense report and should not be more than 5 pages of text.

3. GENERAL RULES FOR REGISTRATION OF GRADUATE QUALIFICATION WORK

3.1 DESIGN OF TEXT MATERIAL

The text part of the work must be produced on a computer on A4 paper, on one side of the sheet. Font: Times New Roman, size 14, regular style, one-and-a-half line spacing, justified. Pages must have margins (recommended): bottom 2 cm; top 2 cm; left 2 cm; right 1 cm. The volume of the work should be 40-50 pages. The following proportion of the main listed elements in the total volume of the final qualifying work is recommended: introduction - up to 10%; sections of the main part - 80%; conclusion - up to 10%.

The entire text of the WRC must be broken down into its component parts. The text is broken down by dividing it into sections and subsections. In the content of the work, there should not be a coincidence in the wording of the title of one of the components with the title of the work itself, as well as a coincidence in the names of sections and subsections. The names of sections and subsections should reflect their main content and reveal the topic of the WRC.

Sections and subsections must have headings. As a rule, paragraphs do not have headings. Headings of sections, subsections and paragraphs should be printed with a paragraph indent of 1.25 cm, starting with a capital letter, without a period at the end and without underlining, in Times New Roman, size 14. If a heading consists of two sentences, they are separated by a period. Headings should clearly and concisely reflect the content of sections and subsections.

When dividing the WRC into sections in accordance with GOST 2.105-95, the designation is made by serial numbers: Arabic numerals without a dot. If necessary, subsections can be divided into paragraphs. The paragraph number must consist of the section, subsection and paragraph numbers separated by dots. There is no dot at the end of the section (subsection) or paragraph (subparagraph) number. Each section must begin on a new sheet (page).

If a section or subsection consists of one paragraph, then it should not be numbered. Points, if necessary, can be divided into sub-points, which must be numbered within each point, for example:

1 Types and main sizes

Listings may be given within clauses or subclauses. Each item of a listing must be preceded by a hyphen or a lowercase letter followed by a parenthesis. For further detailing of a listing, Arabic numerals followed by a parenthesis must be used.

Example:

a) _____________

b) _____________

1) ________

2) ________

c) ____________

The page numbering of the main text and appendices should be continuous. The page number is placed in the center of the bottom of the sheet without a dot. The title page is included in the overall page numbering of the WRC. The page number is not indicated on the title page and contents.

The thesis work must use scientific and special terms, designations and definitions established by the relevant standards, and in their absence - generally accepted in the special and scientific literature. If specific terminology is adopted, then the list of references should be preceded by a list of accepted terms with appropriate explanations. The list is included in the content of the work.

3.2 DESIGN OF ILLUSTRATIONS

All illustrations placed in the final qualifying work must be carefully selected, clearly and precisely executed. Figures and diagrams should be directly related to the text, without unnecessary images and data that are not explained anywhere. The number of illustrations in the WRC should be sufficient to explain the text presented.

Illustrations should be placed immediately after the text in which they are first mentioned, or on the next page.

Illustrations placed in the text should be numbered in Arabic numerals, for example:

Figure 1, Figure 2

It is allowed to number illustrations within a section (chapter). In this case, the illustration number must consist of the section (chapter) number and the serial number of the illustration, separated by a dot.

Illustrations, if necessary, may have a name and explanatory data (text below the figure).

The word “Figure” and the name are placed after the explanatory data, in the middle of the line, for example:

Figure 1 – Document route

3.3 GENERAL RULES FOR PRESENTING FORMULAS

In formulas and equations, symbols, images or signs must correspond to the designations adopted in the current state standards. In the text, an explanation is given before the parameter designation, for example: temporary tensile strength.

If it is necessary to use symbols, images or signs that are not established by current standards, they should be explained in the text or in the list of symbols.

Formulas and equations are separated from the text on a separate line. At least one free line must be left above and below each formula or equation.

An explanation of the meanings of symbols and numerical coefficients should be given directly below the formula in the same sequence in which they are given in the formula.

Formulas should be numbered sequentially throughout the work using Arabic numerals in parentheses at the far right position at the formula level.

For example:

If an organization is modernizing an existing system, then when calculating efficiency, the current costs of its operation are taken into account:

$E_r = (P_1 - P_2) + \Delta P_p$, (3.2)

where $P_1$ and $P_2$ are, respectively, the operating costs before and after the implementation of the developed program;

$\Delta P_p$ is the savings from increased productivity of additional users.

Formulas and equations can be numbered within each section with double numbers separated by a dot, indicating the section number and the serial number of the formula or equation, for example: (2.3), (3.12) etc.

Moving part of a formula to another line is allowed at the signs of equality, multiplication, addition, subtraction and relation (>), and the sign is repeated at the beginning of the next line. The order of presentation of mathematical equations is the same as that of formulas.

Numerical values of quantities with the designation of units of physical quantities and units of counting should be written in figures, and numbers without a designation of units of physical quantities and units of counting from one to nine in words, for example: test five pipes, each 5 m long.

When citing the largest or smallest values of quantities, the phrase “should be no more (no less)” should be used.

3.4 DESIGN OF TABLES

Tables are used for better clarity and ease of comparison of indicators. The title of the table, if available, should reflect its content, be accurate, and concise. The title of the table should be placed above the table on the left, without indentation, on one line with its number separated by a dash.

When moving part of a table, the title is placed only above the first part of the table; the lower horizontal line limiting the table is not drawn.

The table should be placed immediately after the text in which it is mentioned for the first time, or on the next page.

A table with a large number of rows can be transferred to another sheet (page). When transferring part of a table to another sheet, the word “Table” and its number are indicated once on the right above the first part of the table, above the other parts the word “Continuation” is written and the table number is indicated, for example: “Continuation of table 1”. When transferring a table to another sheet, the heading is placed only above its first part.

If digital or other data is not given in any row of the table, then a dash is placed in it.

Example of table design:

Tables within the entire explanatory note are numbered in Arabic numerals with continuous numbering, preceded by the word “Table”. It is allowed to number tables within a section. In this case, the table number consists of the section number and the table sequence number, separated by a dot: “Table 1.2”.

The tables of each appendix are designated by separate numbering in Arabic numerals with the addition of the appendix designation before the number.

Headings of columns and table rows should be written with a capital letter in the singular, and column subheadings with a lowercase letter if they form one sentence with the heading, or with a capital letter if they have an independent meaning. There are no periods at the end of headings and subheadings of tables.

It is allowed to use a font size in the table that is smaller than in the text.

Column headings are written parallel or perpendicular to the rows of the table. In table columns, it is not allowed to draw diagonal lines with vertical column headings placed on both sides of the diagonal.

3.5 DESIGN OF THE LIST OF REFERENCES

The list of references is compiled taking into account the rules of bibliography (Appendix 5). The list of references used must contain at least 20 sources (at least 10 books and 10-15 periodicals) with which the author of the thesis worked. The literature in the list is arranged by sections in the following sequence:

  • Federal laws (in order from the last year of adoption to the previous ones);
  • decrees of the President of the Russian Federation (in the same sequence);
  • resolutions of the Government of the Russian Federation (in the same order);
  • other regulatory legal acts;
  • other official materials (resolutions and recommendations of international organizations and conferences, official reports and accounts, etc.);
  • monographs, textbooks, teaching aids (in alphabetical order);
  • foreign literature;
  • Internet resources.

Sources in each section are placed in alphabetical order. Continuous numbering is used for the entire list of references.

When referring to literature in the text of the explanatory note, you should write not the title of the book (article), but the serial number assigned to it in the “List of References” index in square brackets. References to the literature are numbered in the order of their appearance in the text of the WRC. Continuous numbering or numbering by sections (chapters) is used.

The procedure for selecting literature on the topic of research and development work and preparing a list of used literature

The list of used literature includes sources studied by the student in the process of preparing the thesis, including those to which he refers.

The writing of the thesis is preceded by an in-depth study of literary sources on the topic of the work. To do this, you must first contact the college library. Here the library's reference and search apparatus comes to the student's aid, the main part of which is catalogs and card indexes.

A catalog is a list of documentary sources of information (books) available in the library collections.

If the student knows exactly the names of the required books or at least the names of their authors, it is necessary to use the alphabetical catalog.

If it is necessary to find out which books on a specific issue (topic) are available in a given library, the student must also consult the systematic catalogue.

A systematic catalog reveals the library collection by content. For ease of use of the systematic catalog, it has an alphabetical subject index (ASU). In the listed catalogues, a student can only find the titles of books, while in order to write a thesis, he also needs material published in magazines, newspapers and various collections. For this purpose, libraries organize bibliographic files where descriptions of magazine and newspaper articles and materials from collections are placed.

When writing the thesis, the student makes wide use of reference literature to clarify and verify various provisions, facts, concepts and terms. Reference literature includes encyclopedias, dictionaries, reference books and statistical collections.

Registration of bibliographic references

When writing a thesis, a student often has to refer to the works of various authors and use statistical material. In this case, it is necessary to provide a link to one or another source.

In addition to observing the basic rules of citation (you cannot tear out phrases from the text, distort it with arbitrary abbreviations, quotes must be placed in quotation marks, etc.), you should also pay attention to the exact indication of the sources of quotes.

  1. Footnote links (footnotes) are placed at the bottom of the page on which the cited material is located. To do this, a number is placed at the end of the quotation, indicating the serial number of the quotation on this page. At the bottom of the page, under the line separating the footnote from the text, this number is repeated and followed by the description of the book from which the quotation is taken, with the obligatory indication of the cited page number. For example:

Shipunov M.Z. Fundamentals of management activities. - M.: INFRA-M, 2012, p. 39.

  2. In-text links are used in cases where information about the source being analyzed is an organic part of the main text. They are convenient because they do not take attention away from the text. The description in such links begins with the initials and surname of the author, the title of the book or article is given in quotation marks, and the publication data is given in parentheses.
  3. Out-of-text links are indications of the sources of quotations with a reference to the numbered list of references placed at the end of the thesis. A reference to a source is made at the end of the phrase by placing the serial number of the document used in square brackets, indicating the page.

For example: “Currently, the main document regulating the privatization of state and municipal property on the territory of the Russian Federation is the Law “On the Privatization of State and Municipal Property” dated December 21, 2001 No. 178-FZ (as amended on December 31, 2005, as amended 01/05/2006).”

At the end of the work (on a separate page) an alphabetical list of the literature actually used should be provided.

3.6 FORMATTING OF APPENDICES

Appendices are included if necessary. Appendices to the work may consist of additional reference materials of auxiliary value, for example: copies of documents, excerpts from reporting materials, statistical data, diagrams, tables, charts, programs, regulations, etc.

The appendices also include materials that specify the practical or theoretical parts of the thesis. For example, an appendix may include: texts of questionnaires, survey forms and other methods used in the research process, examples of respondents’ answers, photographic materials, and diagrams and tables not related to the theoretical conclusions of the thesis.

All appendices must be referenced in the main text.

For example: Derived units of the SI system (Appendices 1, 2, 5).

Appendices are arranged in the sequence in which they are referenced in the text. Each appendix must begin on a new sheet (page) with the word “Appendix” in the upper right corner of the page, followed by its number in Arabic numerals (the number 0 is not used).

4. DEFENSE OF THE GRADUATE WORK

4.1 MONITORING THE READINESS OF THE WRC

Each student is assigned a reviewer of the final qualifying work from among external specialists who are well versed in issues related to this topic.

On the approved topics, the scientific supervisors of the final qualifying works develop individual assignments for students; the assignments are reviewed by the PCC “Information Technologies” and signed by the academic supervisor and the chairman of the PCC.

Assignments for final qualifying works are approved by the Deputy Director for Academic Affairs and are issued to students no later than two weeks before the start of pre-graduation practice.

On the approved topics, the scientific supervisors draw up individual consultation schedules, according to which the process of completing the final qualifying works is controlled.

Monitoring the degree of readiness of the WRC is carried out according to the following schedule:

Table 3 (columns of the readiness monitoring schedule)

  • No.;
  • Readiness: the level of readiness of the WRC, in %; it is indicated which component (structural element) of the WRC should be ready at the given moment;
  • Term: the control period;
  • Note: the form of control is indicated.

Upon completion of the preparation of the work, the supervisor checks the quality of the work, signs it and, together with the assignment and his written review, passes it to the deputy director for the relevant area of activity.

In order to determine the degree of readiness of the final qualifying work and identify existing shortcomings, teachers of special disciplines conduct a preliminary defense in the last week of preparation for the State Examination. The results of the preliminary defense are recorded.

4.2 REQUIREMENTS FOR THE DEFENSE OF THE WRC

The defense of the final qualifying work is carried out at an open meeting of the State Certification Commission for the specialty, which is created on the basis of the Regulations on the final state certification of graduates of educational institutions of secondary vocational education in the Russian Federation (Resolution of the State Committee for Higher Education of Russia dated December 27, 1995 No. 10).

During the defense, the following requirements are imposed on the WRC:

  • deep theoretical study of the problems under study based on literature analysis;
  • skillful systematization of digital data in the form of tables and graphs with the necessary analysis, generalization and identification of development trends;
  • a critical approach to the factual materials being studied in order to find areas for improving activities;
  • reasoned conclusions, validity of proposals and recommendations;
  • logically consistent and independent presentation of the material;
  • design of material in accordance with established requirements;
  • a supervisor’s review of the thesis and a review by a practitioner representing a third-party organization (both are mandatory).

When drawing up the abstracts, it is necessary to take into account the approximate duration of the presentation at the defense, which is 8-10 minutes. It is advisable to structure the report not by presenting the contents of the work chapter by chapter, but by task, revealing the logic behind obtaining the meaningful results. The report must refer to the illustrative material that will be used during the defense of the work. The volume of the report should be 7-8 pages of text in Word format, font size 14, one and a half spacing.

Table 4

Structure of the report | Volume | Time
Presentation of the topic of the work. Relevance of the topic. Goal of the work. | Up to 1.5 pages | Up to 2 minutes
Statement of the problem, the results of its solution and the conclusions drawn (for each of the tasks set to achieve the goal of the thesis). | Up to 6 pages | Up to 7 minutes
Prospects and directions for further research on this topic. | Up to 0.5 pages | Up to 1 minute

To speak at the defense, students must independently prepare and agree with the supervisor the abstracts of the report and illustrative material.

Illustrations should reflect the main results achieved in the work and be consistent with the theses of the report.

Forms of presentation of illustrative material:

1. Printed material for each member of the State Examination Committee (at the discretion of the scientific supervisor of the WRC). Printed material for SAC members may include:

  • empirical data;
  • excerpts from regulatory documents on the basis of which the research was conducted;
  • excerpts from the wishes of employers formulated in contracts;
  • other data not included in the slide presentation, but confirming the correctness of the calculations.
2. Slide presentations (for demonstration on a projector).

Accompanying the presentation of work results with presentation materials is a mandatory condition for the defense of the work.

The supervisor writes a review of the final qualifying work completed by the student.

The defense of final qualifying works is carried out at an open meeting of the State Attestation Commission in a specially designated room equipped with the equipment needed to demonstrate presentations. Up to 20 minutes are allotted for the defense of a qualifying work. The defense procedure includes the student’s report (no more than 10 minutes), the reading of the supervisor’s review and the reviewer’s review, questions from committee members, and the student’s answers. The supervisor of the final qualifying work and the reviewer, if present at the meeting of the State Examination Committee, may also be heard.

Decisions of the State Examination Committee are made at closed meetings by a simple majority of votes of the commission members participating in the meeting. In case of an equal number of votes, the chairman’s vote is decisive. The results are announced to students on the day of the thesis defense.

4.3 CRITERIA FOR EVALUATING WRC

The defense of the final qualifying work ends with the assignment of grades.

The grade “Excellent” is awarded if the thesis is of a research nature, has a well-presented theoretical chapter, a deep theoretical analysis, a critical review of practice, a logical and consistent presentation of the material with appropriate conclusions and reasonable proposals, and has positive reviews from the supervisor and the reviewer.

When defending a thesis with “excellence,” a student-graduate demonstrates deep knowledge of the topic, freely operates with research data, makes informed proposals, and during the report uses visual aids (Power Point presentation, tables, diagrams, graphs, etc.) or handouts material, easily answers the questions posed.

The grade “Good” is awarded if the thesis is of a research nature, has a well-presented theoretical chapter, presents a sufficiently detailed analysis and critical analysis of practical activities, and a consistent presentation of the material with appropriate conclusions, but the student’s proposals are not sufficiently substantiated. The thesis has positive reviews from the supervisor and the reviewer. When defending it, the graduating student shows knowledge of the issues of the topic, operates with research data, makes proposals on the research topic, uses visual aids during the report (PowerPoint presentation, tables, diagrams, graphs, etc.) or handouts, and answers the questions asked without much difficulty.

The grade “Satisfactory” is awarded if the thesis is of a research nature, has a theoretical chapter and is based on practical material, but has a superficial analysis and insufficient critical analysis, the presentation of the material is inconsistent, and unfounded proposals are presented. The reviews of the supervisor and the reviewer contain comments on the content of the work and the analysis methodology. When defending such a thesis, the graduating student shows uncertainty, shows poor knowledge of the issues on the topic, and does not always give comprehensive, reasoned answers to the questions asked.

The grade “Unsatisfactory” is awarded if the thesis is not of a research nature, does not contain an analysis, and does not meet the requirements set out in these guidelines. There are no conclusions in the work, or they are declarative in nature. The reviews of the supervisor and the reviewer contain critical comments. When defending the thesis, the graduating student finds it difficult to answer the questions posed on the topic, does not know the theory of the question, and makes significant mistakes when answering. Visual aids and handouts are not prepared for the defense.

Thus, when determining the final assessment for the examination, members of the State Examination Committee take into account:

  • the quality of the graduate’s report;
  • the illustrative material presented by the graduate;
  • the graduate’s responsiveness and competence in answering questions;
  • the assessment of the thesis by the reviewer;
  • the review from the supervisor of the WRC.

APPENDIX 1

(Example of title page design)

MOSCOW DEPARTMENT OF EDUCATION

STATE BUDGETARY PROFESSIONAL EDUCATIONAL INSTITUTION

"TECHNOLOGICAL COLLEGE No. 34"

GRADUATE WORK

Subject:

Group student / /

Speciality

Supervisor / /

Admitted to defense:

Deputy Director for Management and Development / _ /

Grade ________ Date ________

Chairman of the State

certification commission/ /

Moscow 2016

APPENDIX 2

Agreed

Chairman of the PCC "Information Technologies"

Dzyuba T.S.

Assignment

for completing the thesis

student(s)________________________________________________________________________________

(full name)

Topic of the thesis ______________________________________________________________

_______________________________________________________________________________

Deadline for submitting the thesis for defense (date)______________________________

  1. Introduction

Relevance of the chosen topic;

The purpose and objectives of writing a thesis;

Name of the enterprise, organization, sources of writing the work.

2. Section I (theoretical part)

Section II (practical part)

(deadline for submission for review) __________________________________________

Conclusion ______________________________________________________________

Manager ___________________ __________ “___” _______ 20__

Full name Signature

Student ____________________ __________ “____” ________20___

Full name Signature

APPENDIX 3

(review form for the thesis supervisor)

GBPOU "Technological College No. 34"

Review

For the student’s thesis (full name)

1. Relevance of the topic.

2. Scientific novelty and practical significance.

3. Characteristics of the student’s business qualities.

4. Positive aspects of work.

5. Disadvantages, comments.

Supervisor _______________________________________

"_____" __________ 2016

APPENDIX 4

(review form)

Review

For the student’s thesis (full name) ____________________________

Completed on the topic _________________________________________________

  1. Relevance, novelty
  2. Assessment of the content of the work
     2.1 Distinctive, positive aspects of the work
     2.2 Practical significance of the work
     2.3 Disadvantages, comments
  3. Recommended assessment of the work performed ____________________________

_________________________________________________________________________

Reviewer (full name, academic title, position, place of work)

APPENDIX 5

(Example of a list of used literature)

List of used literature

Regulatory materials

  1. "Constitution of the Russian Federation" (adopted by popular vote on December 12, 1993) (taking into account amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation dated December 30, 2008 N 6-FKZ, dated December 30, 2008 N 7-FKZ)
  2. Federal Law "On Information, Information Technologies and Information Protection" dated July 27, 2006 N 149-FZ (as amended on December 28, 2013)

Scientific, technical and educational publications

  1. Automated workplaces and computer systems in internal affairs activities. M., 2010.
  2. Andreev B.V., Bushuev G.I. Modeling in solving criminal law and criminological problems. M., 2012.
  3. Office work in educational institutions (using information technologies): textbook. manual for universities MO Rep. Belarus / E.M. Kravchenya, T.A. Tsesarskaya. - Minsk: TetraSystems, 2013
  4. Information security and information protection: textbook. manual / Stepanov E.A., Korneev I.K. - M.: INFRA-M, 2011.
  5. Information systems in economics: textbook. for universities, educational according to special economics and management (060000) rec. RF Ministry of Defense / G.A. Titorenko, B.E. Odintsov, V.V. Braga et al.; edited by G.A. Titorenko. - 2nd ed., revised. and additional - M.: UNITY, 2011. - 463 p.
  6. Information systems and their security: textbook. manual / Vasilkov A.V., Vasilkov A.A., Vasilkov I.A. - M.: FORUM, 2010.
  7. Information technologies of management: textbook. manual for universities RF Ministry of Defense / G.A. Titorenko, I.A. Konopleva, G.L. Makarova and others; edited by G.A. Titorenko. - 2nd ed., add. - M.: UNITY, 2009.
  8. Corporate document management. Principles, technologies, implementation methodologies. Michael J. D. Sutton. Azbuka Publishing House, St. Petersburg, 2012
  9. Ostreykovsky V.A. Informatics: Textbook for universities. - M.: Higher School, 2008.
  10. Electronic documents in corporate networks / Klimenko S.V., Krokhin I.V., Kushch V.M., Lagutin Yu.L. - M.: Radio and Communication, ITC Eco-Trends, 2011.

Internet resources

http://www.security.ru/ - Means of cryptographic information protection: website of the Moscow branch of PNIEI;

www.fstec.ru – official website of FSTEC of Russia

APPENDIX 6

Approximate structure of a report to defend a thesis

Requirements for the presentation of the thesis defense

  1. Relevance of the problem.
  2. Purpose, object, subject of research.
  3. Research objectives (3 main ones).
  4. Research algorithm (sequence of research).
  5. Brief economic characteristics of the enterprise (organization, institution, etc.).
  6. Brief results of the analysis of the problem under study.
  7. Deficiencies identified during the analysis.
  8. Directions (paths) for solving the identified shortcomings of the problem under study.
  9. Economic assessment, effectiveness, practical significance of the proposed activities.

APPENDIX 7

(Calendar form for writing a thesis)

I approve

Thesis supervisor

"_____" _____________20 __g.

SCHEDULE

for writing a thesis on the topic __________________________________________

No. | Stage of work | Responsible
1. | Drawing up the content of the thesis and agreeing it with the supervisor | supervisor
2. | Introduction with justification of the relevance of the chosen topic, goals and objectives of the work | supervisor
3. | Completing the theoretical section and submitting it for checking | consultant
4. | Completing the practical section and submitting it for checking | consultant
5. | Coordination of conclusions and proposals with the supervisor | supervisor
6. | Formatting of the thesis | supervisor
7. | Receiving the supervisor’s review | supervisor
8. | Receiving the reviewer’s review | reviewer
10. | Pre-defense of the thesis | supervisor, consultant
11. | Defense of the thesis | supervisor

Student-(graduate) _________________________________________________

(signature, date, transcript of signature)

Thesis supervisor_________________________________________________________________

APPENDIX 8

(Example of formatting the content of a thesis)

Content

Introduction ... 3
1. Technical and economic characteristics of the subject area and enterprise ... 5
   1.1 General characteristics of the subject area ... 5
   1.2 Organizational and functional structure of the enterprise ... 6
   1.3 Information security risk analysis ... 8
   1.4 Justification of the need to improve the system for ensuring information security and information protection at the enterprise ... 25
       1.4.1 Selecting a set of information security tasks ... 29
       1.4.2 Determining the place of the projected set of tasks in the complex of enterprise tasks, detailing the tasks of information security and information protection ... 35
   1.5 Selection of protective measures ... 39
       1.5.1 A set of organizational measures to ensure information security and protection of enterprise information ... 43
2. A set of designed software and hardware tools for ensuring information security and protecting enterprise information ... 48
   2.1 Structure of the software and hardware complex of information security and information protection of the enterprise ... 51
   2.2 An example of project implementation and its description ... 54
   2.3 Calculation of project economic efficiency indicators ... 57
Conclusion ... 62
List of references ... 65

Introduction

Chapter 1. Theoretical aspects of adoption and information security

1.1 The concept of information security

1.3 Information security methods

Chapter 2. Analysis of the information security system

2.1 Scope of activity of the company and analysis of financial indicators

2.2 Description of the company’s information security system

2.3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Appendices

Appendix 1. Balance sheet for 2010


Introduction

The relevance of the topic of the thesis is determined by the growing scale of information security problems, even amid the rapid growth of data protection technologies and tools. It is impossible to ensure a 100% level of protection for corporate information systems, so data protection tasks must be correctly prioritized given the limited share of the budget allocated to information technology.

Reliable protection of the computing and network corporate infrastructure is a basic information security task for any company. With the growth of an enterprise's business and the transition to a geographically distributed organization, it begins to go beyond the confines of a single building.

Effective protection of IT infrastructure and corporate application systems today is impossible without the introduction of modern network access control technologies. Increasing cases of theft of media containing valuable business information increasingly force organizational measures to be taken.

The purpose of this work will be to evaluate the existing information security system in the organization and develop measures to improve it.

This goal determines the following objectives of the thesis:

1) consider the concept of information security;

2) consider the types of possible threats to information systems and options for protection against possible threats of information leakage in the organization;

3) identify a list of information resources, violation of the integrity or confidentiality of which would lead to the greatest damage to the enterprise;

4) develop on their basis a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of sources used and applications.

The introduction substantiates the relevance of the research topic and formulates the purpose and objectives of the work.

The first chapter discusses the theoretical aspects of the concepts of information security in an organization.

The second chapter provides a brief description of the company’s activities, key performance indicators, describes the current state of the information security system and proposes measures to improve it.

In conclusion, the main results and conclusions of the work are formulated.

The methodological and theoretical basis of the thesis was the works of domestic and foreign experts in the field of information security. During the work on the thesis, information was used that reflected the content of laws, legislative acts and regulations, decrees of the Government of the Russian Federation regulating information security, and international standards for information security.

The theoretical significance of the thesis research lies in the implementation of an integrated approach when developing an information security policy.

The practical significance of the work is determined by the fact that its results make it possible to increase the degree of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of adoption and information security

1.1 Concept of information security

Information security refers to the security of information and its supporting infrastructure from any accidental or malicious influences that may result in damage to the information itself, its owners or supporting infrastructure. The objectives of information security come down to minimizing damage, as well as predicting and preventing such impacts.

Parameters of information systems that need protection can be divided into the following categories: ensuring the integrity, availability and confidentiality of information resources.

  • availability is the ability to obtain the required information service within a short period of time;
  • integrity is the relevance and consistency of information, its protection from destruction and unauthorized changes;
  • confidentiality is protection from unauthorized access to information.

Information systems are primarily created to obtain certain information services. If obtaining information for any reason becomes impossible, this causes damage to all subjects of information relations. From this we can determine that the availability of information comes first.

Integrity is the main aspect of information security when accuracy and truthfulness are the main parameters of information. For example, prescriptions for medical drugs or a set and characteristics of components.

The most developed component of information security in our country is confidentiality. But the practical implementation of measures to ensure the confidentiality of modern information systems faces great difficulties in Russia. Firstly, information about technical channels of information leakage is closed, so most users are unable to get an idea of the potential risks. Secondly, there are numerous legislative obstacles and technical challenges standing in the way of custom cryptography as a primary means of ensuring confidentiality.

Actions that can cause damage to an information system can be divided into several categories:

  • targeted theft or destruction of data on a workstation or server;
  • damage to data by the user as a result of careless actions.

“Electronic” methods of influence carried out by hackers.

Hackers are understood as people who engage in computer crimes both professionally (including as part of competition) and simply out of curiosity. These methods include:

unauthorized entry into computer networks;

The purpose of unauthorized entry into an enterprise network from the outside may be to cause harm (destruction of data), steal confidential information and use it for illegal purposes, use the network infrastructure to organize attacks on third-party nodes, steal funds from accounts, etc.

A DoS attack (abbreviated from Denial of Service) is an external attack on the enterprise network nodes responsible for its safe and efficient operation (file and mail servers). Attackers organize the massive sending of data packets to these nodes in order to overload them and, as a result, put them out of action for some time. This, as a rule, entails disruptions in the business processes of the victim company, loss of customers, damage to reputation, etc.
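Because such an attack shows up as an abnormal packet rate against a protected node, the defender's side of it can be illustrated with a small detector. The following Python block is an added example, not code from the guidelines or from the sample thesis: the log line format, the IP addresses, the host names, the window length and the packet thresholds are all assumptions chosen for illustration. It counts packets per source and per target node in a sliding time window, so that both a single noisy source and a flood spread across many sources that individually stay under the limit are reported.

```python
"""Rate-based flood detection over connection-log lines (added example).

The log format, addresses, host names, window length and packet thresholds
are illustrative assumptions, not values from the thesis guidelines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src ip> -> <dst host>:<port> <packets>".
# 203.0.113.7 sends a burst at the mail server; the other sources are normal.
SAMPLE_LOG = """\
2016-05-10T10:00:00 192.0.2.10 -> mail.example.local:25 3
2016-05-10T10:00:01 192.0.2.11 -> files.example.local:445 2
2016-05-10T10:00:01 203.0.113.7 -> mail.example.local:25 120
2016-05-10T10:00:02 203.0.113.7 -> mail.example.local:25 140
2016-05-10T10:00:03 203.0.113.7 -> mail.example.local:25 160
2016-05-10T10:00:04 192.0.2.10 -> mail.example.local:25 2
2016-05-10T10:00:30 203.0.113.7 -> mail.example.local:25 5
2016-05-10T10:01:40 203.0.113.7 -> mail.example.local:25 4
"""


def parse_line(line):
    """Split one log line into (timestamp, source, host, port, packets)."""
    ts, src, _, dst, pkts = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), int(pkts)


def detect_floods(log_text, window=timedelta(seconds=10),
                  src_limit=300, node_limit=400):
    """Sliding-window packet counts per source and per protected node.

    Returns two dicts: {source: peak packets in window} for sources that
    exceeded src_limit, and {node: peak packets in window} for nodes whose
    aggregate inbound traffic exceeded node_limit. The second view catches
    floods spread over many sources that individually stay under the limit.
    """
    per_src = defaultdict(deque)    # source -> (ts, packets) inside the window
    per_node = defaultdict(deque)   # node   -> (ts, packets) inside the window
    src_alerts, node_alerts = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _port, pkts = parse_line(line)
        for key, store in ((src, per_src), (host, per_node)):
            q = store[key]
            q.append((ts, pkts))
            while q and ts - q[0][0] > window:   # drop entries older than the window
                q.popleft()
        src_total = sum(p for _, p in per_src[src])
        if src_total > src_limit:
            src_alerts[src] = max(src_alerts.get(src, 0), src_total)
        node_total = sum(p for _, p in per_node[host])
        if node_total > node_limit:
            node_alerts[host] = max(node_alerts.get(host, 0), node_total)
    return src_alerts, node_alerts


if __name__ == "__main__":
    sources, nodes = detect_floods(SAMPLE_LOG)
    print("sources over limit:", sources)   # {'203.0.113.7': 420}
    print("nodes over limit:", nodes)       # {'mail.example.local': 425}
```

On the constructed log the burst from 203.0.113.7 crosses the per-source limit at the third line, and the mail server crosses the per-node limit one line later because the legitimate traffic from 192.0.2.10 is counted toward the same node. In practice the thresholds come from a baseline of normal traffic for each node rather than from fixed numbers.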

Computer viruses. A separate category of electronic methods of influence are computer viruses and other malicious programs. They pose a real danger to modern businesses that widely use computer networks, the Internet and e-mail. The penetration of a virus into corporate network nodes can lead to disruption of their functioning, loss of working time, loss of data, theft of confidential information and even direct theft of financial resources. A virus program that has penetrated a corporate network can give attackers partial or complete control over the company's activities.

Spam. In just a few years, spam has grown from a minor irritation to one of the most serious security threats:

  • e-mail has recently become the main channel for the spread of malware;
  • spam takes a lot of time to view and subsequently delete messages, causing employees a feeling of psychological discomfort;
  • both individuals and organizations become victims of fraudulent schemes carried out by spammers (victims often try not to disclose such events);
  • important correspondence is often deleted along with spam, which can lead to the loss of customers, broken contracts and other unpleasant consequences; the danger of losing correspondence increases especially when using RBL blacklists and other “crude” spam filtering methods.

"Natural" threats. A company’s information security can be affected by a variety of external factors: data loss can be caused by improper storage, theft of computers and media, force majeure, etc.

An information security management system (ISMS, Information Security Management System) allows you to manage a set of measures that implement a certain intended strategy, in this case in relation to information security. Note that this concerns not only managing an existing system, but also building a new one or redesigning an old one.

The set of measures includes organizational, technical, physical and other measures. Information security management is a complex process that makes it possible to implement the most effective and comprehensive information security management in a company.

The goal of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the organization's assets and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what exactly needs to be protected. It is important to understand what information is processed within an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the activities of an organization are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some kind of information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and senior levels. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management regarding priorities in ensuring information security is very important and valuable in the risk analysis process, but in any case it should be clarified by collecting information about the criticality of assets at the average level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to senior management for a comprehensive assessment of the situation.

Information can be identified and localized based on a description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted an approach to regulating business activities (for example, for the purposes of quality management and optimization of business processes). Formalized descriptions of business processes are a good starting point for asset inventory. If there are no descriptions, you can identify assets based on information received from the organization's employees. Once assets have been identified, their value must be determined.

The work of determining the value of information assets across the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

But the economic efficiency of the information security management process largely depends on the awareness of what needs to be protected and what efforts this will require, since in most cases the amount of effort applied is directly proportional to the amount of money spent and operating expenses. Risk management allows you to answer the question of where you can take risks and where you can’t. In the case of information security, the term “risk” means that in a certain area it is possible not to make significant efforts to protect information assets, and at the same time, in the event of a security breach, the organization will not suffer significant losses. Here we can draw an analogy with the protection classes of automated systems: the more significant the risks, the more stringent the protection requirements should be.

To determine the consequences of a security breach, you must either have information about recorded incidents of a similar nature, or conduct a scenario analysis. Scenario analysis examines the cause-and-effect relationships between asset security events and the consequences of these events on the organization's business activities. The consequences of scenarios should be assessed by several people, iteratively or deliberatively. It should be noted that the development and evaluation of such scenarios cannot be completely divorced from reality. You must always remember that the scenario must be probable. The criteria and scales for determining value are individual for each organization. Based on the results of scenario analysis, information about the value of assets can be obtained.

If assets have been identified and their value determined, we can say that the goals of ensuring information security are partially established: the objects of protection and the importance to the organization of keeping them secure are known. What remains is to determine whom the information needs to be protected from.

After determining the goals of information security management, you should analyze the problems that prevent you from approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional information security concepts - intruders, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard intruder model that divides all intruders by their type of access to the asset and their knowledge of the asset's structure. This division helps determine what threats can be directed at an asset, but does not answer the question of whether these threats can, in principle, be realized.

In the process of risk analysis, it is necessary to assess the motivation of intruders to carry out threats. Here the intruder is not an abstract external hacker or insider, but a party interested in obtaining a benefit by violating the security of an asset.

As when choosing the initial directions of information security activities, it is advisable to obtain the initial information for the intruder model from top management, who understand the organization's position in the market, know its competitors and can anticipate what methods of influence to expect from them. The information necessary to develop an intruder model can also be obtained from specialized research on computer security violations in the business area for which the risk analysis is being carried out. A properly developed intruder model complements the information security objectives determined when assessing the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the environment of the organization's information assets. Information is not stored or processed by itself; access to it is provided through an information infrastructure that automates the organization's business processes. It is important to understand how an organization's information infrastructure and information assets are related to each other. From the perspective of information security management, the importance of the information infrastructure can be established only after the relationship between information assets and infrastructure has been determined. If the processes for maintaining and operating the information infrastructure in an organization are regulated and transparent, collecting the information needed to identify threats and assess vulnerabilities is greatly simplified.

Developing a threat model is a job for information security professionals who have a good understanding of how an attacker can gain unauthorized access to information by breaching the security perimeter or using social engineering methods. When developing a threat model, you can also talk about scenarios as sequential steps according to which threats can be realized. It very rarely happens that threats are implemented in one step by exploiting a single vulnerable point in the system.

The threat model should include all threats identified through related information security management processes, such as vulnerability and incident management. It must be remembered that threats will need to be ranked relative to each other according to the level of likelihood of their implementation. To do this, in the process of developing a threat model for each threat, it is necessary to indicate the most significant factors, the existence of which influences its implementation.
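The scenario-based valuation of assets described earlier and the ranking of threats by likelihood described here can be brought together in a simple risk register. The following is an added example, not code from the original text: it scores each asset on an agreed consequence scale, derives a likelihood for each threat from the share of its significant factors that are present, multiplies the two, and ranks the results. The scales, thresholds, factor names and the sample assets and threats are constructed assumptions for illustration.

```python
"""Qualitative risk register: asset value x threat likelihood, ranked.

Added example (not from the original text). Scales, thresholds and the sample
assets/threats are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: int  # consequence of a breach on a 1 (negligible) .. 5 (critical) scale,
                # agreed by several assessors during scenario analysis


@dataclass
class Threat:
    name: str
    asset: str      # name of the asset the threat is directed at
    factors: dict   # significant factor -> True if present in the organisation


def likelihood(threat: Threat) -> float:
    """Share of the threat's significant factors that are present, 0.0 .. 1.0."""
    if not threat.factors:
        return 0.0
    present = sum(1 for p in threat.factors.values() if p)
    return present / len(threat.factors)


def risk_score(asset: Asset, threat: Threat) -> float:
    """Risk on a 0 .. 5 scale: consequence weighted by likelihood."""
    return asset.value * likelihood(threat)


def protection_class(score: float) -> str:
    """Map a risk score to a protection requirement level (assumed thresholds)."""
    if score >= 3.5:
        return "high"
    if score >= 2.0:
        return "medium"
    if score > 0:
        return "low"
    return "accept"   # the area where the organisation can afford to take the risk


def rank_risks(assets, threats):
    """Return (threat, asset, score, class) rows, most significant risk first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        s = risk_score(a, t)
        rows.append((t.name, a.name, round(s, 2), protection_class(s)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed sample data (not from the text)
SAMPLE_ASSETS = [
    Asset("customer database", 5),
    Asset("marketing website", 2),
    Asset("internal wiki", 3),
]
SAMPLE_THREATS = [
    Threat("data theft by insider", "customer database",
           {"motivated party exists": True, "has logical access": True,
            "no access logging": True, "no segregation of duties": False}),
    Threat("defacement", "marketing website",
           {"exposed to internet": True, "unpatched components": True,
            "no request filtering": False, "no backups": False}),
    Threat("accidental deletion", "internal wiki",
           {"no backups": False, "broad write rights": True}),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(row)
```

The ranking is what lets the head of information security pick the areas to work on first; the "accept" class corresponds to the text's notion of where the organization can afford not to spend significant effort.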

The security policy is based on an analysis of risks that are recognized as real for the organization’s information system. Once the risks have been analyzed and the protection strategy has been determined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program is determined, etc.

In a broad sense, a security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as a local regulatory document that defines security requirements, a system of measures or a procedure, as well as the responsibilities of the organization's employees and the control mechanisms for a certain area of security.

Before we begin to formulate the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information - information (messages, data) regardless of the form of their presentation.

Confidentiality of information is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Information security (IS) is the state of security of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations, and states.

The concept of “information” today is used quite widely and versatilely.

Ensuring information security cannot be a one-time act. It is a continuous process consisting of justifying and implementing the most rational methods, techniques and means of improving and developing the security system, continuously monitoring its condition, and identifying its weaknesses and illegal actions against it.

Information security can be ensured only through the integrated use of the entire range of available security means in all structural elements of the production system and at all stages of the information processing technological cycle. The greatest effect is achieved when all the means, methods and measures used are combined into a single integral mechanism - an information security system. At the same time, the functioning of the system must be monitored, updated and supplemented depending on changes in external and internal conditions.

According to the GOST R ISO/IEC 15408:2005 standard, the following types of security requirements can be distinguished:

functional requirements, corresponding to the active aspect of protection, which are imposed on the security functions and the mechanisms that implement them;

assurance requirements, corresponding to the passive aspect, which are imposed on the technology and on the development and operation process.

It is very important that security in this standard is considered not statically, but in relation to the life cycle of the object being evaluated. The following stages are distinguished:

definition of purpose, conditions of use, goals and security requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

So, let’s take a closer look at the functional security requirements. They include:

user data protection;

protection of security functions (requirements relate to the integrity and control of these security services and the mechanisms that implement them);

security management (the requirements of this class relate to the management of security attributes and parameters);

security audit (identification, registration, storage, analysis of data affecting the security of the object being assessed, response to a possible security violation);

privacy (protecting the user from disclosure and unauthorized use of his identification data);

use of resources (requirements for information availability);

communication (authentication of parties involved in data exchange);

trusted route/channel (for communication with security services).

In accordance with these requirements, it is necessary to formulate an organization’s information security system.

The organization's information security system includes the following areas:

regulatory;

organizational (administrative);

technical;

software.

To fully assess the situation at an enterprise in all areas of security, it is necessary to develop an information security concept that would establish a systematic approach to the problem of security of information resources and represent a systematic statement of goals, objectives, design principles and a set of measures to ensure information security in an enterprise.

The corporate network management system should be based on the following principles (tasks):

ensuring the protection of the existing information infrastructure of the enterprise from intruders;

providing conditions for localizing and minimizing possible damage;

eliminating the emergence of sources of threats at the initial stage;

ensuring the protection of information against the three main types of threats (to availability, integrity and confidentiality).

The solution to the above problems is achieved by:

regulation of user actions when working with the information system;

regulation of user actions when working with the database;

uniform requirements for the reliability of hardware and software;

procedures for monitoring the operation of the information system (logging events, analyzing logs, analyzing network traffic, analyzing the operation of technical equipment).

The information security policy includes:

the main document is the “Security Policy”. It generally describes the organization’s security policy, general provisions, and also indicates the relevant documents for all aspects of the policy;

instructions for regulating the work of users;

job description for local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instructions for organizing password protection;

instructions for organizing anti-virus protection.

The Security Policy document contains the main provisions. The information security program, job descriptions and recommendations are built on its basis.

Instructions for regulating the work of users of an organization's local network regulate the procedure for allowing users to work in the organization's local computer network, as well as the rules for handling protected information processed, stored and transmitted in the organization.

The job description of a local network administrator describes the responsibilities of a local network administrator regarding information security.

The job description of a database administrator defines in detail the main job responsibilities, functions, rights and accountability of a database administrator.

Instructions for working with Internet resources reflect the basic rules for safe work with the Internet, and also contain a list of acceptable and unacceptable actions when working with Internet resources.

The instructions for organizing anti-virus protection define the basic provisions, requirements for organizing anti-virus protection of an organization's information system, all aspects related to the operation of anti-virus software, as well as responsibility in the event of a violation of anti-virus protection.

The instructions for organizing password protection regulate the organizational and technical support for the processes of generating, changing and terminating passwords (deleting user accounts). The actions of users and maintenance personnel when working with the system are also regulated.

Thus, the basis for organizing the information protection process is the security policy, formulated in order to determine from what threats and how the information in the information system is protected.

Security policy refers to the set of legal, organizational and technical measures for protecting information adopted in a specific organization. In other words, the security policy defines the set of conditions under which users gain access to system resources without the system losing its information security properties.


The problem of ensuring information security must be solved systematically. This means that various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

Today there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of disk contents;

antivirus protection tools;

network vulnerability detection systems and network attack analyzers.

Each of the listed tools can be used either independently or in integration with others. This makes it possible to create information security systems for networks of any complexity and configuration, independent of the platforms used.

System of authentication (or identification), authorization and administration. Identification and authorization are key elements of information security. The authorization function determines which resources a specific user may access. The administration function provides the user with certain identifying attributes within a given network and defines the scope of actions permitted to him.

Encryption systems make it possible to minimize losses in the event of unauthorized access to data stored on a hard drive or other media, as well as interception of information when sent by email or transmitted via network protocols. The purpose of this protection tool is to ensure confidentiality. The main requirements for encryption systems are a high level of cryptographic strength and legality of use on the territory of Russia (or other states).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks to prevent unauthorized data packets from entering or leaving the network.

The basic operating principle of firewalls is to check each data packet's source and destination IP addresses against a table of allowed addresses. Thus, firewalls significantly expand the capabilities for segmenting information networks and controlling the circulation of data.
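The address check just described can be illustrated with a small simulation. The following is an added example, not code from the original text and not any real firewall's implementation: a rule base lists allowed and denied source/destination address ranges per direction, the first matching rule decides, and a packet matching no rule is dropped (default deny). The rule syntax, network ranges and sample packets are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Address-based packet filtering with a default-deny rule base.

Added example (not from the original text). Rule syntax, networks and sample
packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    direction: str   # "in" (entering the protected network) or "out"
    src: object      # ipaddress network the source address must fall in
    dst: object      # ipaddress network the destination address must fall in
    action: str      # "allow" or "deny"


@dataclass
class Packet:
    direction: str
    src: str
    dst: str


def parse_rules(lines):
    """Parse 'in|out SRC_CIDR DST_CIDR allow|deny' lines; '#' starts a comment."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, src, dst, action = line.split()
        rules.append(Rule(direction, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), action))
    return rules


def filter_packet(rules, packet):
    """First matching rule wins; a packet that matches no rule is denied."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for rule in rules:
        if (rule.direction == packet.direction
                and src in rule.src and dst in rule.dst):
            return rule.action
    return "deny"   # default deny: only explicitly allowed traffic passes


# Constructed rule base: internal network 10.0.0.0/8, public web server 192.0.2.10
SAMPLE_RULESET = parse_rules("""
in   0.0.0.0/0      192.0.2.10/32   allow   # anyone may reach the public web server
in   203.0.113.0/24 10.0.0.0/8      deny    # an external range that is blocked outright
in   10.0.0.0/8     10.0.0.0/8      allow   # traffic between internal segments
out  10.0.0.0/8     0.0.0.0/0       allow   # internal hosts may initiate outbound connections
""".splitlines())

if __name__ == "__main__":
    for p in [Packet("in", "198.51.100.7", "192.0.2.10"),
              Packet("in", "198.51.100.7", "10.1.2.3"),
              Packet("out", "192.0.2.10", "198.51.100.1")]:
        print(p, "->", filter_packet(SAMPLE_RULESET, p))
```

Note that the web server in the sample cannot initiate outbound connections: no rule allows it, so the default-deny line applies. Production firewalls additionally track connection state and inspect ports and protocols; the block shows only the address comparison that the text describes.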

When talking about cryptography and firewalls, we should mention secure virtual private networks (VPN). Their use makes it possible to solve problems of confidentiality and integrity of data when transmitted over open communication channels. Using a VPN can be reduced to solving three main problems:

protection of information flows between different offices of the company (information is encrypted only at the exit to the external network);

secure access of remote network users to the company’s information resources, usually carried out via the Internet;

protection of information flows between individual applications within corporate networks (this aspect is also very important, since most attacks are carried out from internal networks).

An effective means of protecting against the loss of confidential information is filtering the contents of incoming and outgoing email. Screening the email messages themselves and their attachments based on the rules established by the organization also helps protect companies from liability in lawsuits and protects their employees from spam. Content filtering tools allow you to scan files of all common formats, including compressed and graphic files. At the same time, the network throughput remains virtually unchanged.

All changes on a workstation or server can be monitored by the network administrator or other authorized user thanks to the technology of checking the integrity of the contents of the hard drive (integrity checking). This allows you to detect any actions with files (change, deletion or simply opening) and identify virus activity, unauthorized access or data theft by authorized users. Control is carried out based on the analysis of file checksums (CRC sums).
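The integrity check described above amounts to recording a fingerprint of every file in a baseline and comparing the current state against it. The following is an added example, not code from the original text or any particular integrity-checking product: it computes both the CRC32 the text mentions and a SHA-256 digest for each file, classifies files as unchanged, modified, deleted or added, and bases the verdict on SHA-256. The reason for the second digest is a caveat a practitioner will want: a CRC catches accidental corruption, but because CRC32 is a linear function, a deliberately altered file can be padded to keep its original CRC, so tamper detection should rest on a cryptographic hash. The "filesystem" here is a constructed in-memory mapping of path to content.

```python
"""File integrity checking against a stored baseline.

Added example (not from the original text). The file set is a constructed
in-memory dict of path -> bytes so the block runs offline.
"""
import hashlib
import zlib


def fingerprint(data: bytes) -> dict:
    """CRC32 (as in the text) plus SHA-256; the latter is what tamper detection relies on."""
    return {
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def build_baseline(files: dict) -> dict:
    """files: path -> content bytes. Returns path -> fingerprint (the stored baseline)."""
    return {path: fingerprint(content) for path, content in files.items()}


def verify(baseline: dict, files: dict) -> dict:
    """Compare the current files with the baseline and classify every path."""
    report = {"modified": [], "deleted": [], "added": [], "unchanged": []}
    for path, expected in baseline.items():
        if path not in files:
            report["deleted"].append(path)
            continue
        current = fingerprint(files[path])
        # SHA-256 decides; a matching CRC32 alone would not prove integrity
        if current["sha256"] != expected["sha256"]:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    for path in files:
        if path not in baseline:
            report["added"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed sample: the state when the baseline was taken ...
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /data\n",
    "/var/www/index.html": b"<html>welcome</html>\n",
}
# ... and the current state: one script changed, one page removed, one page added
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /tmp/data.tgz /data\n",
    "/var/www/new.html": b"<html>new page</html>\n",
}

if __name__ == "__main__":
    print(verify(build_baseline(BASELINE_FILES), CURRENT_FILES))
```

In practice the baseline itself must be stored where the monitored system cannot rewrite it (read-only media or a separate host), otherwise an intruder who changes a file can update its fingerprint as well.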

Modern anti-virus technologies make it possible to identify almost all already known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior modeling technologies have been developed that make it possible to detect newly created virus programs. Detected objects can be treated, isolated (quarantined), or deleted. Virus protection can be installed on workstations, file and mail servers, firewalls running under almost any common operating system (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labor spent sorting through spam, reduce traffic and server load, improve the psychological climate in the team and reduce the risk of company employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages containing viruses (even those not yet included in anti-virus databases) often show signs of spam and are filtered out. However, the positive effect of spam filtering can be negated if the filter, along with junk messages, also removes or marks as spam useful messages, whether business or personal.

The enormous damage caused to companies by viruses and hacker attacks is largely a consequence of weaknesses in the software used. These can be identified in advance, without waiting for a real attack, using network vulnerability detection systems and network attack analyzers. Such software safely simulates common attacks and intrusion methods and determines what an attacker could see on the network and how he could exploit its resources.

To counter natural threats to information security, the company must develop and implement a set of procedures to prevent emergency situations (for example, to ensure physical protection of data from fire) and to minimize damage if such a situation does arise. One of the main methods of protecting against data loss is backup with strict adherence to established procedures (regularity, types of media, methods of storing copies, etc.).

The information security policy is a package of documents regulating the work of employees, describing the basic rules for working with information, information systems, databases, local networks and Internet resources. It is important to understand what place information security policy occupies in the overall management system of an organization. The following are general organizational measures related to security policies.

At the procedural level, the following classes of measures can be distinguished:

personnel management;

physical protection;

maintaining performance;

responding to security violations;

planning of restoration work.

Human resource management begins with hiring, but even before that, you should determine the computer privileges associated with the position. There are two general principles to keep in mind:

segregation of duties;

minimization of privileges.

The principle of separation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process critical to the organization. For example, it is undesirable for one person to make large payments on behalf of an organization. It is safer to instruct one employee to process applications for such payments, and another to certify these applications. Another example is procedural restrictions on superuser actions. You can artificially “split” the superuser password by sharing the first part of it with one employee and the second part with another. Then they can perform critical actions to administer the information system only together, which reduces the likelihood of errors and abuses.

The principle of least privilege requires that users be given only those access rights that they need to perform their job responsibilities. The purpose of this principle is obvious - to reduce damage from accidental or deliberate incorrect actions.
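The two principles can be made concrete in an access-control model. The following is an added example, not code from the original text: a small in-memory authorization layer in which each role carries only the permissions its job needs (least privilege), a payment cannot be approved by the person who created it, and a critical administrative action requires two distinct administrators, which is the effect the text achieves procedurally by splitting the superuser password between two employees. Role names, permissions and the sample users are constructed.

```python
"""Separation of duties and least privilege as enforced access checks.

Added example (not from the original text). Roles, permission names and users
are constructed for illustration.
"""
from dataclasses import dataclass

# Least privilege: a role grants only the permissions its duties require.
ROLE_PERMISSIONS = {
    "clerk":    {"payment:create"},
    "approver": {"payment:approve"},
    "admin":    {"system:admin"},
    "auditor":  {"log:read"},
}


class PolicyViolation(Exception):
    """Raised when an action would breach the security policy."""


@dataclass
class User:
    name: str
    roles: set

    def permissions(self):
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def require(user, permission):
    if permission not in user.permissions():
        raise PolicyViolation(f"{user.name} lacks {permission}")


@dataclass
class Payment:
    amount: int
    created_by: str
    approved_by: str = None


def create_payment(user, amount):
    require(user, "payment:create")
    return Payment(amount, user.name)


def approve_payment(user, payment):
    """Separation of duties: the approver must be someone other than the requester,
    even if one person happens to hold both roles."""
    require(user, "payment:approve")
    if user.name == payment.created_by:
        raise PolicyViolation("requester cannot approve their own payment")
    payment.approved_by = user.name
    return payment


def critical_admin_action(first, second, action):
    """Two-person rule: a critical action needs two different administrators present."""
    require(first, "system:admin")
    require(second, "system:admin")
    if first.name == second.name:
        raise PolicyViolation("two different administrators are required")
    return f"{action} authorised by {first.name} and {second.name}"


if __name__ == "__main__":
    alice = User("alice", {"clerk"})
    bob = User("bob", {"approver"})
    print(approve_payment(bob, create_payment(alice, 5000)))
```

The check in approve_payment compares identities rather than roles on purpose: an organization that lets one employee hold both the clerk and approver roles still needs the rule that the two signatures on a given payment come from different people.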

Preparing a job description in advance allows you to assess its criticality and plan the procedure for screening and selecting candidates. The more responsible the position, the more carefully candidates need to be checked: make inquiries about them, perhaps talk with former colleagues, and so on. Such a procedure can be lengthy and expensive, so there is no point in complicating it unnecessarily; at the same time, it is unreasonable to forgo pre-screening entirely, since that risks accidentally hiring someone with a criminal record or a mental illness.

Once a candidate has been selected, he or she will likely need training; at the very least, the new employee should be thoroughly familiarized with job responsibilities and with information security regulations and procedures. It is advisable that the security measures be understood before taking office and before the system account with its login name, password and privileges is created.

The security of an information system depends on the environment in which it operates. It is necessary to take measures to protect buildings and surrounding areas, supporting infrastructure, computer equipment, and storage media.

Let's consider the following areas of physical protection:

physical access control;

protection of supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of an organization can be controlled, as well as individual premises, for example, those where servers, communication equipment, etc. are located.

Supporting infrastructure includes electrical, water and heat supply systems, air conditioning and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should select equipment with the maximum MTBF, duplicate critical components, and always have spare parts on hand.

Generally speaking, a risk analysis should be performed when selecting physical protective equipment. Thus, when deciding whether to purchase an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (although it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of the available sources and the possible losses from accidents (breakdown of equipment, suspension of the organization's work, and so on).

Let's consider a number of measures aimed at maintaining the functionality of information systems. It is in this area that the greatest danger lurks. Unintentional mistakes of system administrators and users can lead to loss of performance, namely damage to equipment, destruction of programs and data. This is the worst case scenario. At best, they create security holes that enable system security threats to occur.

The main problem of many organizations is the underestimation of safety factors in everyday work. Expensive security features are meaningless if they are poorly documented, conflict with other software, and the system administrator password has not been changed since installation.

For daily activities aimed at maintaining the functionality of the information system, the following actions can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

routine maintenance.

User support implies, first of all, consultation and assistance in solving various kinds of problems. It is very important to be able to identify problems related to information security in a stream of questions. Thus, many difficulties for users working on personal computers may be the result of virus infection. It is advisable to record user questions in order to identify their common mistakes and issue reminders with recommendations for common situations.

Software support is one of the most important means of ensuring information integrity. First of all, you need to keep track of what software is installed on your computers. If users install programs at their own discretion, this can lead to infection with viruses, as well as the emergence of utilities that bypass protection measures. It is also likely that the “independent activities” of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and access rights to them. This also includes support for reference copies of software systems. Control is typically achieved through a combination of physical and logical access controls, as well as the use of verification and integrity utilities.

Configuration management allows you to control and record changes made to the software configuration. First of all, you need to insure yourself against accidental or ill-conceived modifications, and be able to at least return to a previous, working version. Committing changes will make it easy to restore the current version after a disaster.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security depend on each other: whoever takes care first of all to make routine tasks easier is, in fact, shaping the information security regime in the best way.

Backup is necessary to restore programs and data after disasters. And here it is advisable to automate the work, at a minimum, by creating a computer schedule for creating full and incremental copies, and, at a maximum, by using the appropriate software products. It is also necessary to arrange for the placement of copies in a safe place, protected from unauthorized access, fires, leaks, that is, from anything that could lead to theft or damage to the media. It is advisable to have several copies of backup copies and store some of them off-site, thus protecting against major accidents and similar incidents. From time to time, for test purposes, you should check the possibility of restoring information from copies.
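The schedule of full and incremental copies and the test restore recommended above can be modelled as follows. This is an added example, not code from the original text or any backup product: a full copy stores every file, an incremental copy stores only the files whose content changed since the previous copy together with the list of paths deleted since then, and a restore replays the latest full copy and every incremental after it. The final function compares the restored set with the source, which is the restore check the text recommends performing from time to time. The storage is an in-memory mapping of path to bytes; the schedule and file contents are constructed.

```python
"""Full and incremental backup schedule with a restore check.

Added example (not from the original text). Storage is an in-memory dict of
path -> bytes; the schedule and sample snapshots are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Copy:
    kind: str                             # "full" or "incremental"
    files: dict                           # path -> bytes (all files, or only changed ones)
    deleted: list = field(default_factory=list)   # paths removed since the previous copy


def digest(data):
    return hashlib.sha256(data).hexdigest()


def state_of(source):
    """Catalogue of the source after a copy: path -> digest."""
    return {path: digest(content) for path, content in source.items()}


def make_copy(source, previous_state):
    """previous_state is the catalogue after the last copy; None forces a full copy."""
    if previous_state is None:
        return Copy("full", dict(source))
    changed = {p: c for p, c in source.items()
               if previous_state.get(p) != digest(c)}   # new or modified files only
    deleted = sorted(p for p in previous_state if p not in source)
    return Copy("incremental", changed, deleted)


def restore(copies):
    """Replay the most recent full copy and every incremental recorded after it."""
    last_full = max(i for i, c in enumerate(copies) if c.kind == "full")
    result = dict(copies[last_full].files)
    for c in copies[last_full + 1:]:
        result.update(c.files)
        for path in c.deleted:
            result.pop(path, None)
    return result


def run_schedule(days, full_every):
    """days: one source snapshot per day. A full copy is made on day 0 and every full_every days."""
    copies, state = [], None
    for i, snapshot in enumerate(days):
        if i % full_every == 0:
            state = None
        copies.append(make_copy(snapshot, state))
        state = state_of(snapshot)
    return copies


def restore_matches(copies, source):
    """Test restore: the data recovered from the copies must equal the source."""
    return restore(copies) == source


# Constructed daily snapshots of a small data set
SAMPLE_DAYS = [
    {"a.txt": b"1", "b.txt": b"2"},                     # day 0: full copy
    {"a.txt": b"1", "b.txt": b"22", "c.txt": b"3"},     # day 1: b changed, c added
    {"a.txt": b"1", "c.txt": b"3"},                     # day 2: b deleted
    {"a.txt": b"1", "c.txt": b"33"},                    # day 3: full copy again
]

if __name__ == "__main__":
    copies = run_schedule(SAMPLE_DAYS, full_every=3)
    print([c.kind for c in copies], restore_matches(copies, SAMPLE_DAYS[-1]))
```

Recording deletions in each incremental copy is what keeps a restore from resurrecting files that were removed on purpose; a schedule that stores only changed files would silently bring them back.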

Media management is necessary to provide physical security and accounting for floppy disks, tapes, printed output, etc. Media management must ensure the confidentiality, integrity, and availability of information stored outside computer systems. Physical protection here means not only repelling unauthorized access attempts, but also protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management must cover the entire lifecycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything is documented in the form of documents - from the security policy to the media log. It is important that the documentation is up-to-date and reflects the current state of affairs, and in a consistent manner.

Confidentiality requirements apply to the storage of some documents (containing, for example, an analysis of system vulnerabilities and threats), while others, such as a disaster recovery plan, are subject to integrity and availability requirements (in a critical situation, the plan must be found and read).

Routine work is a very serious safety hazard. An employee performing routine maintenance receives exclusive access to the system, and in practice it is very difficult to control exactly what actions he performs. This is where the degree of trust in those doing the work comes to the fore.

The security policy adopted by the organization must provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since measures need to be taken urgently and in a coordinated manner.

Response to security breaches has three main goals:

localizing the incident and reducing the harm;

identifying the offender;

preventing repeated violations.

Often the requirement to localize an incident and reduce the harm conflicts with the desire to identify the offender. The organization's security policy should set the priorities in advance. Since, as practice shows, it is very difficult to identify an attacker, in our opinion the first concern should be reducing the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical and must be performed no matter what. Planning restoration work allows you to prepare for accidents, reduce damage from them and maintain the ability to function at least to a minimum extent.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most measures are precautionary in nature.

The restoration planning process can be divided into the following stages:

identifying critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a restoration strategy;

preparation for the implementation of the chosen strategy;

checking the strategy.

When planning restoration work, you should be aware that it is not always possible to fully maintain the functioning of the organization. It is necessary to identify the critical functions, without which the organization ceases to be itself, and even to prioritize among the critical functions in order to resume work after an accident as quickly as possible and at minimal cost.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is advisable to involve specialists of different profiles in the work.

Thus, there are many different methods for ensuring information security, and they are most effective when used together as a single complex. Today the security market is saturated with information security tools. Constantly studying the market's offerings, many companies find that the funds previously invested in their information security systems are no longer adequate, for example because the equipment and software have become obsolete, and they look for a way out. There are two options: a complete replacement of the corporate information protection system, which requires large investments, or the modernization of the existing security system. The second option is the least expensive, but it raises new questions: how to ensure compatibility between the retained hardware and software security tools and the new elements of the information security system; how to provide centralized management of heterogeneous security tools; and how to assess and, if necessary, reassess the company's information risks.

Chapter 2. Analysis of the information security system

1 Scope of activity of the company and analysis of financial indicators

OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in reliable, efficient and balanced provision of consumers with natural gas, other types of energy resources and their processed products.

Gazprom has the world's richest natural gas reserves. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. Currently, the company is actively implementing large-scale projects for the development of gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transportation network, the Unified Gas Supply System of Russia, whose length exceeds 161 thousand km. Gazprom sells more than half of its gas on the domestic market. In addition, the company supplies gas to 30 countries of the near and far abroad.

Gazprom is Russia's only producer and exporter of liquefied natural gas and provides about 5% of global LNG production.

The company is one of the five largest oil producers in the Russian Federation, and is also the largest owner of generating assets on its territory. Their total installed capacity is 17% of the total installed capacity of the Russian energy system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring reliability of supplies.

Let's consider the financial performance of the company over the past two years. The company's operating results are presented in Appendix 1.

As of December 31, 2010, sales revenue amounted to RUB 2,495,557 million; this is much lower than the 2011 figure of RUB 3,296,656 million.

Sales revenue (net of excise tax, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011 compared to the same period last year, amounting to RUB 3,296,656 million.

Based on the results of 2011, net revenue from gas sales accounted for 60% of total net sales revenue (60% for the same period last year).

Net revenue from gas sales increased from RUB 1,495,335 million for the year to RUB 1,987,330 million for the same period in 2011, or by 33%.

Net revenue from gas sales to Europe and other countries increased by RUB 258,596 million, or 34%, compared to the same period last year, and amounted to RUB 1,026,451 million. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% for the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales volumes increased by 8% compared to the same period last year.

Net revenue from gas sales to the countries of the former Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was primarily driven by a 33% increase in gas sales to the former Soviet Union for the nine months ended September 30, 2011 compared to the same period last year. In addition, the average price in rubles (including customs duties, less VAT) increased by 15% compared to the same period last year.

Net revenue from gas sales in the Russian Federation increased by RUB 64,861 million, or 15%, compared to the same period last year, and amounted to RUB 502,271 million. This is mainly due to an increase in the average price of gas by 13% compared to the same period last year, which is associated with an increase in tariffs set by the Federal Tariff Service (FTS).

Net revenue from the sale of oil and gas products (less excise tax, VAT and customs duties) increased by RUB 213,012 million, or 42%, compared to the same period last year, and amounted to RUB 717,723 million. This increase is mainly explained by an increase in world prices for oil and gas products and an increase in sales volumes compared to the same period last year. Gazprom Neft Group's revenue accounted for 85% and 84% of the total net revenue from the sale of oil and gas products, respectively.

Net revenue from the sale of electrical and thermal energy (excluding VAT) increased by RUB 38,097 million, or 19%, and amounted to RUB 237,545 million. The increase in revenue from the sale of electrical and thermal energy is mainly due to an increase in tariffs for electrical and thermal energy, as well as an increase in the volume of sales of electrical and thermal energy.

Net revenue from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) increased by RUB 23,072 million, or 16%, and amounted to RUB 164,438 million, compared to RUB 141,366 million for the same period last year. The change is mainly caused by rising prices for oil and gas condensate, and also by an increase in gas condensate sales. Revenue from the sale of crude oil amounted to RUB 133,368 million and RUB 121,675 million of the net revenue from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by RUB 15,306 million, or 23%, and amounted to RUB 82,501 million, compared to RUB 67,195 million for the same period last year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in the volume of gas transported for independent suppliers compared to the same period last year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million, compared to RUB 87,502 million for the same period last year.

Expenses for trade operations without actual delivery amounted to RUB 837 million, compared to income of RUB 5,786 million for the same period last year.

As for operating expenses, they increased by 23% and amounted to RUB 2,119,289 million, compared to RUB 1,726,604 million for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to RUB 267,377 million, compared to RUB 227,500 million for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9%, or by RUB 17,026 million, and amounted to RUB 201,636 million, compared to RUB 184,610 million for the same period last year. The increase was mainly due to the expansion of the fixed asset base.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million, compared to RUB 774,739 million for the same period last year. Sales profit margin increased from 31% to 36% for the nine months ended September 30, 2011.

Thus, OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators are showing positive dynamics.

2 Description of the company’s information security system

Let's consider the main areas of activity of the divisions of the Corporate Protection Service of OJSC Gazprom:

development of targeted programs for the development of systems and complexes of engineering and technical security equipment (ITSO) and information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, and participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer for the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of IT in terms of information security systems;

review and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work to assess the compliance of ITSO systems and complexes, information security systems (as well as works and services for their creation) with the established requirements;

coordination and control of work on technical information security.

Gazprom has created a system to protect personal data. However, the adoption by federal executive authorities of a number of regulatory legal acts elaborating existing laws and government regulations makes it necessary to improve the current personal data protection system. To solve this problem, a number of documents have been developed within the framework of research work and are now being approved. First of all, these are draft organization standards of OAO Gazprom:

"Methodology for classifying information systems of personal data of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in personal data information systems of OAO Gazprom, its subsidiaries and organizations."

These documents were developed taking into account the requirements of Decree of the Government of the Russian Federation No. 781 of November 17, 2007 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" as they apply to the class of special systems, which includes most of the personal data information systems (ISPDn) of OJSC Gazprom.

In addition, the development of “Regulations on the organization and technical support of the security of personal data processed in personal data information systems of OAO Gazprom, its subsidiaries and organizations” is currently underway.

It should be noted that within the framework of the standardization system of OJSC Gazprom, standards for the information security system have been developed, which will also make it possible to solve the problems of protecting personal data processed in the information systems of OJSC Gazprom.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the basic requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, create the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in the information systems of OAO Gazprom.

As a result of the analysis of information security of OJSC Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

given the size of the network and the number of users (more than 100), one person is responsible for system administration, information security and technical support;

there is no classification of information assets by degree of importance;

information security roles and responsibilities are not included in job descriptions;

in the employment contract concluded with the employee there is no clause on the information security responsibilities of both those employed and the organization itself;

personnel training in the field of information security is not provided;

from the point of view of protection from external threats: no typical behavior procedures have been developed for data recovery after accidents that occurred as a result of external and environmental threats;

the server room is not a dedicated room: it also belongs to two departments (so one more person, in addition to the system administrator, has access to it);

technical probing and physical examination for unauthorized devices connected to cables are not carried out;

despite the fact that entry is carried out using electronic passes and all information is entered into a special database, its analysis is not carried out;

in terms of protection against malware: there is no formal policy to protect against risks associated with receiving files either from or through external networks or contained on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, there is access to mail servers of external networks;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

receipt of passwords by users is not confirmed in any way;

passwords are stored in clear text by the administrator;

passwords do not change;

There is no procedure for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

policies regarding the hiring (dismissal) and granting (deprivation) of employees of the necessary authority to access system resources;

policy regarding the work of network users during its operation;

password protection policy;

policy on the organization of physical protection;

Internet policy;

as well as administrative security measures.

Documents containing these regulations are at the stage of consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OJSC Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate identified security system deficiencies, we will highlight the following groups of information that are subject to protection:

information about the private life of employees that allows them to be identified (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information “for official use”;

information, the destruction or modification of which will negatively affect operational efficiency, and restoration will require additional costs.

From the point of view of administrative measures, the following recommendations were developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing equipment is installed or stored, or where work with protected information is carried out, must be guarded and protected by alarm and access control means;

training of personnel on information security issues (explaining the importance of password protection and password requirements, conducting training on anti-virus software, etc.) should be organized when hiring an employee;

conduct trainings every 6-12 months aimed at improving the literacy of employees in the field of information security;

an audit of the system and adjustments to the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes to the structure of the enterprise;

each user’s access rights to information resources must be documented (if necessary, access is requested from the manager in writing);

the information security policy must be ensured by the software administrator and the hardware administrator, their actions are coordinated by the head of the group.

Let's formulate a password policy:

do not store passwords in unencrypted form (do not write them down on paper, in a regular text file, etc.);

change the password if it is disclosed or suspected of disclosure;

length must be at least 8 characters;

the password must contain upper- and lower-case letters, numbers and special characters; it must not include easily guessed sequences of characters (names, pet names, dates);

change once every 6 months (an unscheduled password change must be made immediately after receiving notification of the incident that triggered the change);

When changing passwords, you cannot select those that were used previously (passwords must differ by at least 6 positions).

Let's formulate a policy regarding antivirus programs and virus detection:

Licensed anti-virus software must be installed on each workstation;

updating anti-virus databases on workstations with Internet access - once a day, without Internet access - at least once a week;

set up automatic scanning of workstations for virus detection (frequency of checks - once a week: Friday, 12:00);

Only the administrator can interrupt the anti-virus database update or virus scan (password protection should be set for the specified user action).

Let's formulate a policy regarding physical protection:

technical probing and physical examination for unauthorized devices connected to cables should be carried out every 1-2 months;

network cables must be protected from unauthorized interception of data;

records of all suspected and actual failures that occurred with the equipment must be stored in a log;

Each workstation must be equipped with an uninterruptible power supply.

Let's define a policy regarding information reservation:

for backup copies, a separate room should be allocated, located outside the administrative building (the room should be equipped with an electronic lock and alarm);

Information reservations should be made every Friday at 16:00.

The policy regarding the hiring/dismissal of employees should be as follows:

any personnel changes (hiring, promotion, dismissal of an employee, etc.) must be reported to the administrator within 24 hours, who, in turn, within a period of half a working day must make appropriate changes to the system for delimiting access rights to enterprise resources ;

a new employee must undergo training from the administrator, including familiarization with the security policy and all necessary instructions; the level of access to information for the new employee is assigned by the manager;

When an employee leaves the system, his ID and password are deleted, the workstation is checked for viruses, and the integrity of the data to which the employee had access is analyzed.

Policy regarding working with local internal network (LAN) and databases (DB):

when working at his workstation and on the LAN, the employee must perform only tasks directly related to his official activities;

The employee must notify the administrator about messages from anti-virus programs about the appearance of viruses;

no one other than administrators is allowed to make changes to the design or configuration of workstations and other LAN nodes, install any software, leave the workstation without control or allow unauthorized persons to access it;

Administrators are recommended to keep two programs running at all times: an ARP-spoofing attack detection utility and a sniffer, the use of which will allow them to see the network through the eyes of a potential intruder and identify security policy violators;

You should install software that prevents the launch of programs other than those designated by the administrator, based on the principle: “Any person is granted the privileges necessary to perform specific tasks.” All unused computer ports must be disabled by hardware or software;

The software should be updated regularly.
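As an added illustration of the ARP-spoofing detection utility recommended above (example code, not code from the thesis or from any Gazprom system), the following Python detector keeps the IP-to-MAC bindings seen in ARP replies and raises an alert when an address suddenly answers from a different MAC or when a single MAC claims several addresses. The ARP trace and the pinned gateway binding are constructed for the example.

```python
"""ARP-spoofing detector over a constructed trace of ARP replies.

Added example, not part of the thesis.  A sniffer on the LAN would log the
sender IP and sender MAC of every ARP reply; the detector learns the
IP -> MAC bindings and alerts on two classic spoofing symptoms:
  * an IP address that starts answering from a different MAC address;
  * one MAC address that claims several IP addresses (e.g. a host posing
    as the gateway and as another workstation at the same time).
"""
from collections import defaultdict

# Constructed trace: "timestamp sender_ip sender_mac".  10.0.0.1 is the
# gateway.  The last two lines show host aa:bb:cc:dd:ee:99 answering for
# the gateway's address and then for 10.0.0.15 as well.
ARP_TRACE = """\
09:00:01 10.0.0.1 00:11:22:33:44:01
09:00:02 10.0.0.15 00:11:22:33:44:15
09:00:03 10.0.0.27 00:11:22:33:44:27
09:00:04 10.0.0.1 00:11:22:33:44:01
09:00:07 10.0.0.1 aa:bb:cc:dd:ee:99
09:00:08 10.0.0.15 aa:bb:cc:dd:ee:99
"""

# Binding the administrator knows to be correct (constructed for the example).
TRUSTED_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}


def parse_trace(text):
    """Turn the whitespace-separated trace into (timestamp, ip, mac) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        records.append((ts, ip, mac.lower()))
    return records


def detect_arp_spoofing(records, trusted=None):
    """Return a list of alert strings (empty list = nothing suspicious).

    *trusted* pins IP addresses to their known MAC; a pinned binding is never
    overwritten, so every spoofed reply for it is reported.  Bindings of
    unpinned hosts are learned on first sight and updated after a change,
    since a legitimate DHCP re-assignment must not alert forever.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    for ip, mac in trusted.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in records:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac                      # first sighting: learn it
        elif known != mac:
            kind = "pinned" if ip in trusted else "learned"
            alerts.append(f"{ts} {ip}: {kind} MAC {known} now answered by {mac}")
            if ip not in trusted:
                ip_to_mac[ip] = mac                  # accept the change for unpinned hosts
        mac_to_ips[mac].add(ip)
        # Re-reported on every further reply from that MAC, which is intended:
        # the condition persists as long as the host keeps answering for both.
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} {mac} claims several IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_trace(ARP_TRACE), TRUSTED_BINDINGS):
        print("ALERT", alert)
```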

Internet Policy:

administrators are assigned the right to restrict access to resources, the content of which is not related to the performance of official duties, as well as to resources, the content and focus of which are prohibited by international and Russian legislation;

the employee is prohibited from downloading and opening files without first checking for viruses;

all information about resources visited by company employees should be stored in a log and, if necessary, can be provided to department heads, as well as management;

confidentiality and integrity of electronic correspondence and office documents is ensured through the use of digital signatures.

In addition, we will formulate the basic requirements for creating passwords for employees of the OJSC Gazprom company.

A password is like a house key, only it is the key to information. For ordinary keys, it is extremely undesirable to be lost, stolen, or handed over to a stranger. The same goes for the password. Of course, the security of information depends not only on the password; to ensure it, you need to set a number of special settings and, perhaps, even write a program that protects against hacking. But choosing a password is exactly the action where it depends only on the user how strong this link will be in the chain of measures aimed at protecting information.

1) the password must be long (8-12-15 characters);

2) it must not be a word from a dictionary (any dictionary, even a dictionary of special terms or slang), a proper name, or a Cyrillic word typed in the Latin keyboard layout (for example, the Russian word for "Latin", латынь, typed in the Latin layout gives "kfnsym");

3) it must not be associated with the owner;

4) it is changed periodically or as needed;

5) it is not used on several resources (i.e., for each resource, such as a mailbox, the operating system or a database, a different password must be used);

6) it must be possible to remember it.

Selecting words from the dictionary is undesirable, since an attacker conducting a dictionary attack will use programs capable of searching up to hundreds of thousands of words per second.

Any information associated with the owner (be it date of birth, dog's name, mother's maiden name, and similar “passwords”) can be easily recognized and guessed.

The use of uppercase and lowercase letters, as well as numbers, greatly complicates the attacker’s task of guessing the password.

The password should be kept secret, and if you suspect that the password has become known to someone, change it. It is also very useful to change them from time to time.
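As an added example that is not part of the thesis or of any Gazprom system, the following Python code checks a candidate password against the rules formulated in the password policy above (minimum length, character classes, difference from the previous password in at least 6 positions) and in the six password requirements just listed (dictionary words, Cyrillic words typed in the Latin layout such as "kfnsym", data associated with the owner). The word list, the owner data and the layout mapping are constructed for the example.

```python
"""Password policy checker for the rules formulated in the thesis.

Added example; the word list, owner data and accepted/rejected passwords
are constructed.  Rules implemented:
  * at least 8 characters;
  * upper- and lower-case letters, digits and special characters;
  * not a dictionary word, also when it is a Cyrillic word typed with the
    keyboard in the Latin (QWERTY) layout, e.g. "kfnsym" -> "латынь";
  * not derived from data associated with the owner (name, date of birth);
  * differs from the previous password in at least 6 positions.
"""
import re
import string
from dataclasses import dataclass, field
from datetime import date

# QWERTY key -> letter on the same key in the Russian ЙЦУКЕН layout.
QWERTY_TO_RU = dict(zip(
    "qwertyuiop[]asdfghjkl;'zxcvbnm,.",
    "йцукенгшщзхъфывапролджэячсмитьбю",
))

# Constructed mini-dictionary standing in for the word lists used in a
# dictionary attack (plain words, slang, Russian words); all lower-case.
WORDLIST = {"password", "qwerty", "gazprom", "latin", "латынь", "пароль"}


@dataclass
class Owner:
    """Facts about the user that can be learned and tried as a password."""
    first_name: str
    last_name: str
    birth_date: date
    extra: list = field(default_factory=list)   # pet names, spouse, etc.

    def tokens(self) -> set:
        d = self.birth_date
        toks = {self.first_name, self.last_name, *self.extra,
                d.strftime("%d%m%Y"), d.strftime("%d%m%y"),
                d.strftime("%Y"), d.strftime("%Y%m%d")}
        return {t.lower() for t in toks if t}


# Constructed owner used by the demonstration and the checks below.
EXAMPLE_OWNER = Owner("Ivan", "Petrov", date(1985, 3, 12), ["Rex"])


def latin_layout_to_cyrillic(pw: str) -> str:
    """Re-read *pw* as if the same keys had been pressed in the Russian layout."""
    return "".join(QWERTY_TO_RU.get(ch.lower(), ch) for ch in pw)


def positions_differing(new: str, old: str) -> int:
    """Positions in which two passwords differ; extra length counts as differing."""
    diff = sum(1 for a, b in zip(new, old) if a != b)
    return diff + abs(len(new) - len(old))


def check_password(pw: str, owner: Owner, previous: str = "") -> list:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("must mix upper, lower, digits and special characters")
    # Drop digits and punctuation so that "Password1!" is still seen as a word.
    core = re.sub(r"[^A-Za-zА-Яа-яЁё]", "", pw).lower()
    if core in WORDLIST or latin_layout_to_cyrillic(core) in WORDLIST:
        problems.append("dictionary word (including Cyrillic typed in Latin layout)")
    lowered = pw.lower()
    if any(tok in lowered for tok in owner.tokens() if len(tok) >= 4):
        problems.append("contains data associated with the owner")
    if previous and positions_differing(pw, previous) < 6:
        problems.append("differs from the previous password in fewer than 6 positions")
    return problems


if __name__ == "__main__":
    for candidate, prev in [("kfnsym", ""), ("Petrov1985!", ""),
                            ("Gp#7Qx!9mL", "Gp#7Qx!9mK"), ("Tr4v!l#Zq9", "")]:
        verdict = check_password(candidate, EXAMPLE_OWNER, prev) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```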

Conclusion

The study allowed us to draw the following conclusions and formulate recommendations.

It has been established that the main reason for the enterprise's problems in the field of information security is the lack of an information security policy, which would include organizational, technical, financial solutions with subsequent monitoring of their implementation and evaluation of effectiveness.

The definition of information security policy is formulated as a set of documented decisions, the purpose of which is to ensure the protection of information and associated information risks.

The analysis of the information security system revealed significant shortcomings, including:

storage of backup copies in the server room, the backup server is located in the same room as the main servers;

lack of proper rules regarding password protection (password length, rules for choosing and storing it);

network administration is handled by one person.

A generalization of international and Russian practice in the field of information security management of enterprises allowed us to conclude that to ensure it, it is necessary:

forecasting and timely identification of security threats, causes and conditions conducive to financial, material and moral damage;

creating operating conditions with the least risk of implementing security threats to information resources and causing various types of damage;

creating a mechanism and conditions for effectively responding to threats to information security based on legal, organizational and technical means.

The first chapter of the work discusses the main theoretical aspects. An overview of several standards in the field of information security is given. Conclusions are drawn for each and as a whole, and the most appropriate standard for forming information security policy is selected.

The second chapter examines the structure of the organization and analyzes the main problems associated with information security. As a result, recommendations have been formed to ensure the proper level of information security. Measures to prevent further incidents related to information security violations are also considered.

Of course, ensuring an organization's information security is a continuous process that requires constant monitoring. And, naturally, a formulated policy is not an iron-clad guarantee of protection. In addition to implementing the policy, constant monitoring of the quality of its implementation is required, as well as improvement whenever the company changes or an incident occurs. It was recommended that the organization hire an employee whose duties would be directly related to these functions (a security administrator).



How to choose a relevant topic for a thesis in the specialty of information security systems. The relevance of the diploma topic on information security systems, expert recommendations, examples of thesis topics.

Thesis topics in the specialty of information security systems are devoted to solving various research and practical problems aimed at ensuring the information security of the object under study. The problems addressed by such work stem from the growing number of information security attacks on information systems of various types and on their components.

The object of study can be a computer system, a system component, a business process, an enterprise, a premises, or circulating data.

The subject of research can be information protection methods, threat analysis methods, or assessing the effectiveness of an information security system.

The goal of a thesis in the specialty of information security systems can be the construction, or the study of the applicability, of risk models and a protection algorithm.

The tasks of a thesis on topics in the specialty of information security systems can be defined by the following list:

1. Selection and research of statistical data, including the formulation of hypotheses and their proof regarding random variables.

2. Justification of types and functions of damage, development of an analytical risk model.

3. Formation of a dynamic risk model based on sensitivity coefficients.

The following main provisions of a thesis in the specialty of information security systems may be submitted for defense:

1. The reliability of the evidence of the hypotheses put forward about the areas of effective application of the law for information security tasks.

2. Analytical risk models for system components in which damages have a given distribution.

3. Analytical risk models for systems whose components are exposed to joint or non-joint effects of identified attacks.

4. Dynamic models, system sensitivity functions.

5. Algorithms for managing system risks.

The scientific novelty of research into theses on similar topics can be formalized in the following list.

1. For the first time, areas of effective application of the law for information security tasks have been studied.

2. Previously unstudied analytical risk models of components in which damages have a given distribution are considered.

3. Analytical risk models of distributed systems subject to identified information security attacks have been studied.

4. For the first time, an algorithm for managing the risks of systems under the selected damage distribution and the identified information security attacks has been developed.

Practical value may include the following:

1. Proof of the put forward hypotheses allows us to reasonably apply the research results to solve information security problems.

2. The resulting analytical risk models will in the future make it possible to develop complex models capable of analyzing the entire range of information security attacks.

3. Dynamic models and sensitivity functions of computer systems allow solving information security problems with varying risk levels.

The most relevant topics for final qualifying works (VKR) and research works (R&D), as well as thesis topics in information security systems, are given in the following list.

1. Protection of information regarding control channels of the airport automated system

2. Implementation of an intrusion detection system using the example of false information systems

3. Design and development of information security systems

4. Protection against DDoS attacks

5. Protecting enterprise information at the email level

6. Information security of a geographically distributed enterprise

7. Comprehensive information protection at an industrial enterprise

8. Information security of a computer system in the event of threats of unauthorized access

9. Development of a risk model for an information security management system under conditions of uncertainty

10. Modernization of the security system for information and telecommunication networks

11. Ensuring information security of mobile automated workstations

12. Organization of personal data protection in the context of virus attacks

13. Organization of counteraction to threats to the security of an organization based on Petri nets

14. Main directions, principles and methods of ensuring information security in computer networks

15. Construction of a typical model of actions of an attacker who implements remote attacks

16. Problems of information security of banks based on discretionary models

17. Development of an algorithm to counter the use of hidden communication channels

18. Development of a set of security measures for the safety of information during the interaction of M2M components

19. Development of an information security system for a sensitive strategic enterprise

20. Development of a system for protecting confidential information in banking systems

21. VKR: Automation and ensuring information security of the workplace of the company's customer service manager

22. Thesis: Organization of information security of the electronic archive of the real estate register in the BTI

23. Bachelor's thesis: Development of an information security policy in a trading and manufacturing company

24. Thesis: Development of a company's information security policy

25. Diploma: Ensuring information security in an investment company

26. Diploma: Information security audit in the bank's information security system
27. Bachelor's thesis: Development and provision of information security for an automated secretary workstation 28. Thesis: Development of a set of information security and security measures in government departments. institutions
29. Thesis: Implementation of a comprehensive information security system in a company 30. Thesis: Modernization of the information security system in the company
31. Master's thesis: Modernization of the existing information security system in order to increase its security 32. Diploma: Modernization of an existing system to improve information security
33. Diploma: Ensuring information security during the implementation and operation of electronic payment processing systems 34. Master's thesis: Increasing the level of information security of an enterprise through the implementation of access control systems
35. Diploma: Development of information security policy in a company 36. Diploma: Ensuring information security in a commercial organization