Organizational and legal basis for ensuring information security


ORGANIZATIONAL AND LEGAL SUPPORT OF INFORMATION PROTECTION

The protection of information resources is closely connected not only with the solution of scientific and technical problems, but also with the legal regulation of relations in the process of informatization. The need for organizational and legal support for information protection arises from the recognition of information as a commodity and a product of social production, and from the legal establishment of ownership of information.

This formulation of the question takes on special meaning and character under the conditions of democratization of society, the formation of a market economy, and the inclusion of our state in the world economic community. If the development of the production base for creating computer science tools can, to some extent, be carried out through market structures and relations, then the development and implementation of a legislative framework for informatization is impossible without an active state information policy aimed at building an organizational and legal mechanism for managing information processes according to a single plan linked to the scientific and technical base of informatization.

Organizational and legal support is a multidimensional concept, including laws, decisions, regulations and rules. Moreover, in relation to the protection of information processed in an automated system, it has a number of fundamental specific features, due to the following circumstances:

Presentation of information in a binary form that is unusual for and unreadable by humans;

Use of storage media whose recordings are not available for simple visual inspection;

The ability to copy information multiple times without leaving any traces;

The ease of changing any element of information without leaving traces such as erasures, corrections, etc.;

The impossibility of certifying documents with traditional handwritten signatures, with all the regulatory and legal consequences these signatures carry;

The presence of a large number of non-traditional destabilizing factors affecting information security.

Based on the above circumstances, the complex of issues resolved by organizational and legal support can be grouped into three classes:

Organizational and legal basis for information protection in the AS (automated system);

Technical and mathematical aspects of organizational and legal support;

Legal aspects of organizational and legal support of protection.

From practical considerations it is clear that the organizational and legal basis for information protection should include:

Identification of departments and persons responsible for organizing information security;

Regulatory, guidance and methodological materials (documents) on information protection;

Penalties for violation of protection rules;

The procedure for resolving disputes and conflict situations on information security issues.

The technical and mathematical aspects of organizational and legal support are understood as a set of technical means, mathematical methods, models, algorithms and programs with the help of which all the conditions necessary for the legal delimitation of rights and responsibilities regarding the regulations for handling protected information can be met. The main ones of these conditions are the following:

Recording on the document the personal identifiers ("signatures") of the persons who produced it and (or) are responsible for it;

Recording (if necessary) on the document the personal identifiers (signatures) of persons who have become acquainted with the content of the relevant information;

The impossibility of imperceptibly (without leaving traces) changing the content of information, even by persons authorized to access it, i.e. recording the facts of any (both authorized and unauthorized) changes to information;

Recording the fact of any (both unauthorized and authorized) copying of protected information.

The legal aspects of organizational and legal support for information protection in the AS are understood as a set of laws and other regulations with the help of which the following goals are achieved:

The obligation of all persons related to the AS to comply with all information protection rules is established;

Measures of responsibility for violation of protection rules are legalized;

Technical and mathematical solutions to issues of organizational and legal support for information protection are legitimized (acquire legal force);

Procedures for resolving situations arising in the course of the functioning of protection systems are legitimized.

Thus, the entire set of issues that arise when solving problems of organizational and legal support can be presented in the form of a diagram shown in Fig. 1.

Fig. 1. Organizational and legal support for information protection

Organizational and legal basis:
- Divisions and persons responsible for protection
- Regulatory, guidance and methodological materials
- Penalties for violations
- Procedure for resolving disputes

Technical and mathematical aspects:
- Fixing a signature on a document
- Recording facts of familiarization with information
- Recording facts of information changes
- Recording facts of information copying

Legal aspects:
- Legalization of information protection rules
- Legitimizing penalties for violations
- Legalization of technical and mathematical solutions
- Legalization of procedural procedures

Analysis of foreign and domestic experience in organizational and legal support for information protection

Leading foreign countries have now accumulated significant experience in solving the problems discussed here. Essential in this regard is the versatility of the measures being developed and applied, which are not limited to regulatory and legal acts alone, although their significance is predominant. From this point of view, we can highlight the following aspects of resolving issues of organizational and legal support for information protection:

Informing the general public and interested specialists about the essence of the problem of information protection, the need for and ways to solve it;

Developing uniformity in the definition and interpretation of basic concepts related to the problem of protection;

Development of technical and mathematical foundations necessary to resolve issues of organizational and legal support for information security;

Development and approval of standards in the field of information security;

Creation of the legislative framework necessary to ensure the protection of information.

Let us consider in more detail the essence of the highlighted aspects.

Informing about the essence of the protection problem, the need and ways to solve it. In the foreign press (especially in the USA), issues of ensuring information security in information and computing systems and networks have been covered for a long time, intensively and on a large scale. Suffice it to say that the first publications on the problems under consideration appeared about *0 years ago and have already become history; their total number is currently measured in the thousands. Every year specialized conferences and seminars are held at which various theoretical and practical issues of information protection are discussed. Training programs for all specialists in computer technology and its use invariably include sections related to information security.

It should be noted that foreign publications played a significant role in informing domestic specialists about the essence of the problem and ways to solve it, especially considering that until recently all work on information protection in our country was closed. Among recent foreign works, the monograph "Protection of Computers and Networks. Strategy of the 90s" stands out. As its title indicates, this is not just another publication but a programmatic, forward-looking work.

Acquaintance with this book provides sufficient grounds for a number of important conclusions, namely: firstly, foreign experts consider the problem of information security in computer systems and networks to be one of the most pressing problems in the development and effective use of computer technology; secondly, foreign experts classify the problem of protection as a complex and multidimensional one; thirdly, foreign experts are not satisfied with the current state of the problem's solution, and the most important areas of work for the 90s are considered to be work of a system-organizing nature.

As for domestic publications in the field of information security, they began with a series of articles in the journal "Foreign Radio Electronics" for 1975-1976. The articles were of a review nature (based on foreign press data), were thematically linked and gave a general idea of the entire range of information security problems and approaches to solving them. They caused a great resonance among specialists and acted as a detonator, initiating a significant increase in interest in the problem, its research and development. Monographic publications and specialized journals appeared.

Development of uniformity in terminology on security issues.

When solving any new problem, ensuring terminological unity is of paramount importance, i.e. forming the most complete list of terms needed to cover all the main aspects of the problem, and defining and interpreting them so that each term is understood unambiguously. The complexity and labor intensity of this task is evidenced by the fact that in our country this work has not yet been fully completed. Readers' attention should be drawn to the dictionary of terms prepared and published in the USA back in 1987. The dictionary runs to 428 pages and contains about 3000 terms. Its undoubted advantage is that the most important terms are not merely defined but interpreted in sufficient detail and illustrated with diagrams and drawings.

The presence of a dictionary of terms creates the prerequisites for the targeted development of all work on information security, therefore the creation and wide dissemination of such a dictionary in Russia is one of the main organizational prerequisites for the implementation of a secure information management system.

Development of technical and mathematical foundations necessary to resolve issues of organizational and legal support for information security. As follows from Fig. 1, the central task in creating a technical and mathematical base is the development of effective and reliable methods for recording in computer memory an analogue of a person's signature which, on the one hand, could be implemented relatively easily with modern computer technology and, on the other hand, would perform all the basic functions of a handwritten signature. By now almost all experts have recognized that the most promising way to solve this problem is to use special methods of cryptographic transformation of information, most often called digital signature systems.

Analyzing the development of this work abroad, it is worth noting that in the leading countries (and especially in the USA), work in the field of cryptography intended for general use (i.e. not for special purposes) and serving the general interest has been going on for a long time and very intensively. To confirm this, suffice it to say that the lists of references attached to journal articles on this problem often contain up to 150 titles of completely open sources. Russian readers can form a fairly objective idea of the nature and level of these developments from the Russian translation of the thematic issue of the proceedings of the Institute of Electrical and Electronics Engineers (IEEE).

From the above clearly follows the importance and necessity of fully developing work on the creation of technical and mathematical foundations for the organizational support of information security, and today especially for systems of commercial use.

Development and approval of standards in the field of information security. Both abroad and in our country, increasing attention is paid to this issue. For example, the US national standard for cryptographic protection of information, DES, is widely known. Moreover, here not only the encryption algorithm itself is approved as a standard, but also the means of its implementation and methods of use. A number of different organizations in the United States and European countries are involved in standardization in the field of data protection, and a special subcommittee, TC/SC20, of the International Organization for Standardization has been created to review the developed standards.

In our country, state regulatory documents on the protection of information processed by computer technology and communications began to be created back in the 60s, but they acquired a national character with the formation of the State Technical Commission of the USSR in 1973.

To date, the State Technical Commission has developed and put into effect guidelines for protecting computer equipment and automated systems from unauthorized access; a standard for a cryptographic transformation algorithm (described in the fourth chapter), a standard for a digital signature and a standard for a hash function have also been adopted.

Creation of the legislative framework necessary to ensure the protection of information. The absolute need to create a legislative framework is obvious; therefore, in the leading Western countries, and now in Russia, considerable attention is paid to this issue.

The problem of legislative regulation of information processing processes began to be discussed for the first time abroad in the 60s and, in particular, in the United States in connection with the proposal to create a national data bank. Currently, at the international level, a stable system of views has been formed on information as the most valuable resource for the life support of society, legal regulation in the field of which should proceed in the following three directions.

PROTECTION OF INDIVIDUAL RIGHTS TO PRIVATE LIFE. This aspect is not new to the world community. The basic principles for establishing the limits of interference in private life by the state and other entities are determined by the fundamental norms of the UN, namely the Declaration of Human Rights. By the end of the 70s, two principles had been formulated, which were subsequently reflected in the national legislation on computer science of a number of Western countries:

Establishing limits on invasion of privacy using computer systems;

Introduction of administrative mechanisms to protect citizens from such interference.

Examples of documents related to this area are the European Parliament resolution “On the protection of individual rights in connection with the progress of computer science” (1979) and the EU Convention “On the protection of persons with regard to automated processing of personal data” (1980).

PROTECTION OF STATE INTERESTS. The problem is solved with the help of sufficiently developed national legislation that defines national priorities in this area. The integration of EU member states required coordination of efforts in this area, as a result of which general principles for classifying information are reflected in the EU Convention on the Protection of Secrecy.

PROTECTION OF BUSINESS AND FINANCIAL ACTIVITIES. This aspect of the problem is solved by creating a legislative mechanism that defines the concept of "trade secret", establishes the conditions for fair competition and qualifies industrial espionage as an element of unfair competition.

This area also includes the creation of mechanisms for protecting copyright, in particular the rights of authors of software products. The latter aspect is reflected in the EU Directive on the Protection of Computer Programs and Databases (1990).

The conceptual framework and principles of information protection developed at the international level are reflected in the national legislation of leading Western countries. Below are some examples of their existing legislation:

UK - Data Surveillance Bill (1969), Data Protection Act (1984);

France - Law on Informatics, Card Indexes and Freedoms (1978);

Germany - Law on the Protection of Personal Data against Abuse in Data Processing (1977), Data Protection Act (1978);

USA - Law on the Secrecy of Private Information (1974), Computer Abuse Act (1986), Computer Security Act (1987);

Canada - Computer and Information Crimes Act (1985).

The most developed legislation in this area is in force in the United States (over a hundred different pieces of legislation). US legislation covers:

Defining and consolidating state policy in the field of informatization;

Ensuring developed production and technologies;

The fight against monopolism and stimulation of priority areas;

Organization of information systems;

Protection of consumer rights, especially the rights of citizens to information, protection of information about citizens;

Regulation of the rights of computer program developers.

In most countries, legislation establishes liability for violating the procedure for processing and using personal data; computer crimes are regarded as crimes posing a particular danger to citizens, society and the state, and entail significantly more severe penalties than similar crimes committed without the use of computer equipment. Actions that create a threat of damage, for example an attempt to penetrate a system, the introduction of a virus program, etc., are also considered crimes.

Turning to domestic experience in legal support for informatization and information protection, it should be noted that this issue was first raised in our country in the 70s in connection with the development of automated control systems at various levels. However, the regulatory framework at that time did not go beyond departmental acts, several government decrees and similar acts at the republican level. Therefore, the legislative regulation of informatization processes by the beginning of the 90s could not be called satisfactory. It was urgently necessary to create a legal basis for the informatization of Russia, to legislatively ensure the effective use of society's information resource, to regulate legal relations at all stages of informatization, to protect individual rights under the conditions of informatization, and to form a mechanism for ensuring information security.

1991 can be marked as the beginning of active legislative activity in this direction. At the same time, legislators rightly focused their attention on the following most pressing problems for Russia:

The problem of the right to information;

The problem of ownership of certain types of information;

The problem of recognizing information as a commodity object.

Today, in the "Declaration of Rights and Freedoms of Man and Citizen", adopted by Resolution of the Supreme Council of the Russian Federation on November 22, 1991, and in the Constitution of the Russian Federation, adopted in 1993, the general right of citizens to information is enshrined. Limitations on this right may be established by law only for the purpose of protecting personal, family, professional, commercial and state secrets, as well as morality. The list of information constituting a state secret is established by law.

The basic law of the Russian Federation "On Information, Informatization and Protection of Information" has been adopted, as well as the special laws "On State Secrets", "On the Legal Protection of Computer Programs and Databases", "On the Legal Protection of Integrated Circuit Topologies" and "On International Information Exchange". Issues of legal support for information protection are also reflected in the Law of the Russian Federation "On Security", adopted in March 1992.

The State Duma of the Russian Federation continues to work on legislation in the field of information protection. A real step towards strengthening the legal basis for entrepreneurial activity will be the legislative consolidation in Russia of the institution of trade secrets. One of the goals of the Law of the Russian Federation "On Trade Secrets", which has already had its first hearing in the State Duma, is to create on the part of the state the necessary guarantees for the protection of economic subjects by granting them the right to classify valuable information as a trade secret, protecting its owner from industrial espionage and unfair competition.

Basic approaches to the development of organizational and legal support

Organizational and legal basis for protecting information in the automated system

The central link that implements the content of the organizational and legal framework (see Fig. 1) is the information protection (security) service specially created within the AS. The organization of such services is provided for both by the Law “On Information, Informatization and Information Protection” and the Law of the Russian Federation “On Security”, where Article 27 states:

"... For the practical implementation of requirements and rules for information protection, maintaining information systems in a protected state, operating special software and hardware and ensuring organizational measures to protect information systems processing information with limited access, information security services may be created in non-state structures.... Enterprises, organizations and institutions that process information with limited access which is the property of the state create information security services without fail."

Based on the above tasks of the information security service, its main functions can be formulated:

Formation of requirements for the protection system in the process of creating the AS;

Participation in the design of the protection system;

Participation in testing and acceptance of the protection system and its constituent elements;

Planning, organizing and ensuring the functioning of the information security system during the operation of the AS;

Distribution of necessary security details among users: passwords, additional identifying information, security keys, etc.;

Organization of the generation and installation of identifier codes for technical equipment;

Organization of the creation of the protection system's service data arrays and their loading into AS memory;

Monitoring the functioning of the protection system and its elements;

Organization of preventive checks of the reliability of the protection system;

Training system users and personnel in the rules for processing protected information;

Monitoring compliance by users and AS personnel with the rules for handling protected information during its automated processing;

Taking measures in case of attempts of unauthorized access to information and violations of the rules of operation of the security system.

The second most important problem in creating an organizational and legal framework is completing the system of guidelines and methodological documents on information protection. Here, from a practical point of view, one could be guided by the following:

All documents existing in the country that regulate the rules for handling information bearing a restrictive marking fully apply to information circulating during the operation of the AS;

In order to take into account the specific features of the accumulation, storage and processing of data in the AS, special guidelines and methodological materials are developed and approved, which must have legal force;

In order to interpret and detail the provisions and requirements of these materials in relation to the specific conditions of each AS, instructions for users, AS operators, duty shifts of the data bank administration and the security service, as well as the technical documentation of the security system, are approved in the prescribed manner.

When deciding on liability for violation of security rules, it is first necessary to establish whether it led to a leak of protected data. In this case, the perpetrators are held accountable in accordance with existing laws. For violation of protection rules that do not result in data leakage, administrative penalties are established as provided for by labor legislation.

Resolution of controversial and conflict situations related to the distribution and use of security system details (passwords, keys, etc.) should be within the competence of the information security service, and situations related to the interpretation of security documents should be within the competence of the authorities and persons who approved the relevant documents.

Technical and mathematical aspects. Research shows that all the problems associated with recording the various facts of interaction with protected information considered here (both authorized and unauthorized) can be divided into two groups: general and specific. General problems are those that can be solved by common means of access restriction. Specific problems include affixing a signature to a document submitted to the AS in electronic form. Such a signature is called electronic or digital.

In-depth studies of this problem both in our country and abroad show that the most promising way to implement an electronic (digital) signature is to use cryptographic methods of data conversion. The scope of application of a digital signature is extremely wide - from conducting financial and banking paperless transactions to monitoring the implementation of international treaties and protecting copyrights.

The signature problem is especially important when transmitting messages over telecommunication networks. In this case, the following malicious actions are potentially possible: repudiation, when the sending subscriber later denies having transmitted the message; falsification, when the receiving subscriber forges a message; modification, when the receiving subscriber makes changes to the message; and masquerading, when the sending subscriber disguises himself as another subscriber. Under these conditions, protection of each of the parties participating in the exchange is ensured by following special protocols. To allow a message to be verified, the protocol must contain the following mandatory provisions:

The sender includes in the transmitted message a digital signature: additional information that depends on the transmitted data, the name of the message recipient and some secret information known only to the sender;

The recipient must be able to verify that the signature received as part of the message is the correct signature of the sender;

Producing the correct signature of the sender is possible only by using the secret information the sender has;

To rule out the reuse of outdated messages, the signature must be time-dependent.
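The four provisions above, worked through as an added example that is not part of the original text: a Go program using the standard library's Ed25519 signatures as the signature primitive (an assumption of this example, not a scheme named on the page), in which the signature covers the message body, the recipient's name and a timestamp, and the recipient rejects tampered, masqueraded and stale messages. The message format, the subscriber names "alice" and "bob" and the five-minute acceptance window are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SignedMessage is a constructed message format for this example. The
// signature covers the recipient name, the timestamp and the body, so it
// depends on the data, the addressee and the moment of signing.
type SignedMessage struct {
	Sender    string // claimed sender; looked up in the key directory
	Recipient string
	Timestamp int64 // Unix seconds; makes the signature time-dependent
	Body      []byte
	Signature []byte
}

// MaxAge is the acceptance window: older or future-dated messages are
// rejected so that an intercepted message cannot be replayed later.
const MaxAge = 5 * time.Minute

var (
	ErrUnknownSender  = errors.New("sender not in key directory")
	ErrWrongRecipient = errors.New("message addressed to another subscriber")
	ErrStale          = errors.New("message outside acceptance window (replay?)")
	ErrBadSignature   = errors.New("signature does not verify")
)

// signedBytes serializes the signed fields. Each field is length-prefixed
// so that shifting bytes between fields cannot yield the same encoding.
func signedBytes(recipient string, ts int64, body []byte) []byte {
	var buf bytes.Buffer
	field := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		buf.Write(n[:])
		buf.Write(b)
	}
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(ts))
	field([]byte(recipient))
	field(t[:])
	field(body)
	return buf.Bytes()
}

// Sign produces a message only the holder of priv could have signed; the
// sender therefore cannot later repudiate it.
func Sign(priv ed25519.PrivateKey, sender, recipient string, body []byte, now time.Time) SignedMessage {
	ts := now.Unix()
	return SignedMessage{
		Sender:    sender,
		Recipient: recipient,
		Timestamp: ts,
		Body:      body,
		Signature: ed25519.Sign(priv, signedBytes(recipient, ts, body)),
	}
}

// Verify is run by recipient me against a directory of trusted public keys.
// It rejects masquerading (the claimed sender's key does not verify),
// tampering (body or recipient changed) and replay (timestamp out of window).
func Verify(directory map[string]ed25519.PublicKey, me string, m SignedMessage, now time.Time) error {
	pub, ok := directory[m.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if m.Recipient != me {
		return ErrWrongRecipient
	}
	age := now.Sub(time.Unix(m.Timestamp, 0))
	if age > MaxAge || age < -MaxAge {
		return ErrStale
	}
	if !ed25519.Verify(pub, signedBytes(m.Recipient, m.Timestamp, m.Body), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed demo: sender "alice", recipient "bob", fixed clock.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir := map[string]ed25519.PublicKey{"alice": pub}
	now := time.Unix(1700000000, 0)
	m := Sign(priv, "alice", "bob", []byte("pay 100 to account X"), now)
	fmt.Println("fresh, untouched:", Verify(dir, "bob", m, now.Add(time.Minute)))
	m.Body = []byte("pay 900 to account X") // modification by the recipient
	fmt.Println("tampered body:", Verify(dir, "bob", m, now.Add(time.Minute)))
}
```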

Legal aspects. Legal support for information protection covers relationships arising in the formation and use of information resources based on the creation, collection, processing, accumulation, storage, search, distribution and provision of documented information to the consumer; in the creation and use of information technologies and the means of supporting them; and in the protection of the rights of subjects participating in information processes and informatization. The basis for constructing the concept of legal support is the division of all information resources into the categories of open and limited access, with information of limited access, according to the terms of its legal regime, in turn divided into state secrets and confidential information.

In the system of legal support for information security, an important place is occupied by law enforcement legislation, which includes rules on liability for violations in the field of information technology and logically completes the complex of organizational, legal and technical measures and means for protecting information and its processing systems. It should be aimed not only, and not so much, at punishing criminal attacks on information and information systems, but at preventing them.

For the purpose of an integrated approach to forming legislation on information and informatization in Russia, the "Program for the Preparation of Legislative and Regulatory Support for Work in the Field of Informatization" was approved in April 1992. In accordance with this Program, it was planned to develop the basic Law of the Russian Federation "On Information, Informatization and Information Protection", as well as the special laws "On State Secrets", "On Commercial Secrets", "On Liability for Abuses when Working with Information", etc.

The Basic Law "On Information, Informatization and Information Protection" occupies a central place in the entire system of legal support for information security. The law, the first of its kind in Russian legislative practice:

Determines the responsibilities of the state in the field of formation of information resources and informatization, the main directions of state policy in this area;

Reinforces the rights of citizens, organizations, and the state to information;

Establishes the legal regime of information resources, based on applying in this area the procedure for documentation, ownership of documents and arrays of documents in information systems, the division of information by access into open and limited-access, and the procedure for the legal protection of information;

Develops a legal regime for recognizing documents received from an automated information system as having legal force, including on the basis of confirmation by an electronic digital signature;

Defines information resources as an element of property and an object of ownership;

Establishes the basic rights and responsibilities of the state, organizations and citizens in the process of creating information systems, creating and developing the scientific, technical and production base of informatization, and forming a market for information products and services in this area;

Distinguishes between ownership rights and authorship rights to information systems, technologies and means of supporting them;

Establishes the rules and general requirements for liability for violation of legislation in the field of informatization and information protection in its processing systems, guarantees for subjects in exercising the right to information, and guarantees of security in the field of informatization.

The Law contains a special chapter devoted to information protection. This chapter establishes that all documented information whose mishandling could cause damage to its owner, possessor, user or other person is subject to protection. The protection regime is established:

in relation to information classified as state secret by authorized bodies on the basis of the Law of the Russian Federation “On State Secrets”;

in relation to confidential documented information - by the owner of the information resources or an authorized person on the basis of this law;

in relation to personal data - by a separate federal law.

At the official level, the state information protection system in Russia was formed in 1973 as part of the activities of the USSR State Commission for Countering Foreign Technical Intelligence. Since 1992, the problems of information security in the new economic and legal conditions have moved beyond the scope of defense topics and thereby led to the creation of a more advanced information security system on a national scale. The creation of such a system, first of all, required the development of the necessary regulatory framework: the National Security Concept of the Russian Federation, the Information Security Doctrine of the Russian Federation and a number of other documents.

National Security Strategy of the Russian Federation

Presidential Decree No. 537 of May 12, 2009 approved the National Security Strategy of the Russian Federation (Strategy) until 2020.

In this regard, the previous Concept of National Security of the Russian Federation, approved in December 1997 and modified in January 2000, was declared invalid.

The National Security Strategy is a system of views on ensuring in the Russian Federation the security of the individual, society and state from external and internal threats in the economic, political, social, international, spiritual, information, military, military-industrial, environmental spheres, as well as in the field of science and education.

Russia's national interests in the information sphere lie in observing the constitutional rights and freedoms of citizens in the field of obtaining and using information, in the development of modern telecommunications technologies, and in protecting state information resources from unauthorized access.

The state of the domestic economy, the imperfection of the system of organization of state power and civil society, the socio-political polarization of society and the criminalization of public relations, the growth of organized crime and the increase in the scale of terrorism, and the aggravation of interethnic and complicated international relations create a wide range of internal and external threats to the national security of our country.

Threats to the national security of the Russian Federation in the information sphere are manifested in the desire of a number of countries to dominate the global information space and to oust Russia from the external and internal information market; in the development by a number of states of the concept of information warfare, which provides for the creation of means of dangerous influence on the information spheres of other countries of the world; and in the disruption of the normal functioning of information and telecommunication systems and of the safety of information resources by gaining unauthorized access to them.

In the course of implementing this Strategy, threats to information security are prevented by improving the security of the functioning of information and telecommunication systems of critical infrastructure facilities and high-risk facilities in the Russian Federation, increasing the level of security of corporate and individual information systems, and creating a unified system of information and telecommunication support for the needs of the national security system.

The most important tasks in the field of ensuring information security of the Russian Federation are:

Implementation of the constitutional rights and freedoms of citizens of the Russian Federation in the field of information activities;

Improving and protecting the domestic information infrastructure, integrating Russia into the global information space;

Countering the threat

RUSSIAN FEDERATION

STATE EDUCATIONAL INSTITUTION

HIGHER PROFESSIONAL EDUCATION

"APPROVED"

Vice Rector for Academic Affairs



Organizational and legal support of information security

Training and methodology complex.

Work program for full-time students,
specialty 090301.65 "Computer security",

training profile “Safety of automated systems”


Considered at a meeting of the Information Security Department on April 20, 2011, minutes

Meets the requirements for content, structure and design.

Volume __ pages

Head of Department:


Considered at a meeting of the educational committee of the Institute of Mathematics, Natural Sciences and Information Technologies on May 15, 2011, minutes

Corresponds to the Federal State Educational Standard for Higher Professional Education and the curriculum of the educational program.

"AGREED":

Chairman of the Educational Committee:


"AGREED":

Head of the Methodological Department of the UMU:


RUSSIAN FEDERATION

MINISTRY OF EDUCATION AND SCIENCE

State educational institution

TYUMEN STATE UNIVERSITY

Institute of Mathematics, Natural Sciences and Information Technologies

Department of Information Security

LYSOV A. S.

Organizational and legal support of information security

Training and methodology complex.

Work program for full-time students,

specialty training profile: “Security of automated systems”

Tyumen State University

Organizational and legal support of information security.

Training and methodology complex. Work program for full-time students of the specialty 090301.65 “Computer security”, training profile “Security of automated systems”. Tyumen, 2011, 13 pages.

The work program is drawn up in accordance with the requirements of the Federal State Educational Standard for Higher Professional Education, taking into account the recommendations and ProOOP of Higher Professional Education in the direction and profile of training.

Approved by the Vice-Rector for Academic Affairs of Tyumen State University

Responsible editor: , Head of the Department of Information Security, Doctor of Technical Sciences, Prof.

© State Educational Institution of Higher Professional Education Tyumen State University, 2011

1. Explanatory note

1.1. Goals and objectives of the discipline

The discipline "Fundamentals of Information Security" implements the requirements of the federal state educational standard of higher vocational education in the direction of training 090301.65 “Computer Security”.

The purpose of studying the discipline “Organizational and legal support of information security” is to familiarize students with the basics of information security. The course covers information threats and their neutralization, the organization of measures to protect information resources, the regulatory documents governing information activities, cryptography, and other issues related to ensuring the security of computer networks.

The objectives of the discipline are:

· To outline the main provisions of the Information Security Doctrine of the Russian Federation;

· To provide knowledge of the basics of an integrated information protection system;

· To provide knowledge of the basics of organizational and legal support for information security;

· To form a basis for further independent study of computer and information security issues.

Thus, the discipline "Fundamentals of Information Security" is an integral part of professional training in the direction 090301 “Computer security”. Together with the other disciplines of the professional cycle, the study of this discipline is intended to form a specialist and, in particular, to develop qualities such as:

· rigor in judgments,

· creative thinking,

· organization and efficiency,

· discipline,

· independence and responsibility.

1.2. Place of discipline in the structure of OOP:

The discipline belongs to the cycle of mathematical and natural science disciplines.

The knowledge gained in studying the discipline "Fundamentals of Information Security" is used in the study of the following disciplines:

Information security audit,

1.3. Requirements for the results of mastering the discipline:

The process of studying the discipline is aimed at developing the following competencies:

General cultural competencies (GC):

− the ability to act in accordance with the Constitution of the Russian Federation, to fulfill one’s civic and professional duty, guided by the principles of legality and patriotism (OK-1);

− the ability to analyze socially significant phenomena and processes, including those of a political and economic nature, ideological and philosophical problems, to apply the basic principles and methods of the humanities, social and economic sciences in solving social and professional problems (OK-3);

− the ability to understand the driving forces and patterns of the historical process, the role of the individual in history, the political organization of society, the ability to respect and take care of the historical heritage, tolerantly perceive social and cultural differences (OK-4);

Professional competencies (PC):

− the ability to use basic methods of protecting production personnel and the population from the possible consequences of accidents, catastrophes and natural disasters (PC-6);

As a result of studying the discipline, the student must:

Know:

· sources of threats to information security;

· methods for assessing information vulnerability;

· methods of creating, organizing and ensuring the functioning of comprehensive information protection systems;

· methods of suppressing the disclosure of confidential information;

· types and signs of computer crimes.

Be able to:

· find the necessary regulatory legal acts and information-law norms in the system of current legislation, including through legal information systems;

· apply the current legislative framework in the field of information security;

· develop draft regulations, instructions and other organizational and administrative documents regulating the work on information protection.

2. Structure and labor intensity of the discipline.

Table 1. Structure and labor intensity of the discipline.

Columns: Type of occupation; Semester; Total labor intensity; Classroom lessons; Practical lessons; Independent work; Type of final control.

3. Thematic plan.

Table 2. Thematic plan.

Columns: Subject; Week of the semester; Types of educational work and independent work, in hours (Lectures; Practical lessons; Independent work); Total hours on topic; Of these in interactive form; Total points.

Module 1: Information threats. Total.

Module 2: Total (1 4).

Module 3: Total (1 4).

Total (hours, points) for the semester. Of these in interactive form.

Table 3. Types and forms of assessment tools during the period of current control.

Columns: Oral survey (interview; answer at the seminar); Written works (home test); Information systems and technologies (calculation work on a computer); Other forms of control; Total points.

Rows: Module 1, Total; Module 2, Total; Module 3, Total; Total.

Table 4. Planning of students' independent work.

Columns: Modules and themes; Types of SRS (mandatory; additional); Week of the semester; Hours volume; Number of points.

Module 1

Information threats. Types of SRS: taking notes during lectures, preparing for a report.

Computer viruses. Types of SRS: taking notes during lecture classes, preparing for the answer at the colloquium; working with educational literature.

Total for module 1.

Module 2

Legal regulation of information protection. Types of SRS: taking notes during lectures, preparing for a report; working with educational literature.

Organizational measures to ensure the information security of computer systems. Types of SRS: taking notes during lecture classes, preparing for an answer at a colloquium, preparing for a report.

Total for module 2.

Module 3

Data protection using cryptographic methods. Types of SRS: working with educational literature, doing homework tests.

Information security policy. Types of SRS: taking notes during lecture classes, doing homework, preparing for the answer at the seminar and for the interview; working with educational literature, performing calculation work on a computer.

Typical remote attacks using network protocol vulnerabilities. Types of SRS: taking notes during lecture classes, completing the test, preparing for the answer at the colloquium; working with educational literature, preparing a report.

Total for module 3.

TOTAL.

4. Sections of the discipline and interdisciplinary connections with the provided (subsequent) disciplines

Columns: Name of the provided (subsequent) discipline; Topics of this discipline necessary for studying it.

Provided (subsequent) disciplines:

Information Security Management

Information security audit

Protecting Confidential Information

Protection of personal data in ISPDn

5. Contents of discipline sections

Topic 1.

Information threats. The concept of information threats. The concept of information. Information wars. The basic definitions of information, its value, and information threats are studied. Threats to information security. Issues of building the information infrastructure of the Russian Federation are considered, together with the various problems arising in connection with this process and the participation of the Russian Federation in international information exchange. Types of opponents. Hackers. The socio-psychological portrait of an information security violator, his capabilities and methods of action are studied. Types of possible violations of an information system. General classification of information threats. Disruptions in the operation of information systems are studied, a classification of threats to information systems is introduced, possible subjects and objects of access to information systems are considered, and threats implemented at the level of a local (isolated) computer system are examined. Causes of computer network vulnerabilities.

Topic 2. Computer viruses. Malware is studied: the history of its development, responsibility for its creation and distribution, types, principles of operation of viruses, and unmasking signs.

Topic 3. Legal regulation of information protection (analysis of articles of the Criminal Code and other regulations). Regulatory documents governing information activities in the Russian Federation and worldwide. Information security standards.

Topic 4. Organizational measures to ensure the information security of computer systems. The role, tasks and responsibilities of the security administrator; approaches to risk management; the structuring of countermeasures; the procedure for certification for compliance with information security standards.

Topic 5. Data protection using cryptographic methods. Encryption methods and algorithms, requirements for ciphers, the most common ciphers.

Topic 6. Information security policy. Models of information protection in computer systems (CS). Security policy and its main components, models of information protection in computer systems, technologies for protecting and restricting access to information.

Topic 7. Typical remote attacks using network protocol vulnerabilities. Classification of remote attacks. Attacks on the ARP, ICMP, DNS and TCP protocols; types of attacks.

6. Seminar classes.

Topic 1. Data protection using cryptographic methods.

· Encryption methods and algorithms.

· The most common ciphers.

Topic 2. Information security policy.

· Information security models in CS,

· Security policy and its main components,

· Models of information security in computer systems,

· Technologies for protecting and restricting access to information,

· Reasons, types and channels of information leakage and distortion.

Topic 3. Typical remote attacks using network protocol vulnerabilities.

· Remote attacks on the ARP protocol,

· Remote attacks on the ICMP protocol,

· Remote attacks on the DNS protocol,

· Remote attacks on the TCP protocol.

7. Educational and methodological support of students' independent work. Assessment tools for ongoing monitoring of progress and for interim certification based on the results of mastering the discipline (module).

Checking the quality of preparation during the semester involves the following types of intermediate control:

a) conducting oral theoretical surveys (colloquia), one in each training module;

b) preparation of a report by the student;

c) conducting a test on the theoretical course.

Current and intermediate control of the mastering of the discipline material is carried out within the framework of a rating (100-point) grading system.

Sample topics of reports:

1. Legal regulation of information protection.

2. Definition of information security policy (Definition of the governing documents and standards used. Determination of approaches to risk management).

3. Determination of the boundaries of information security management (Description of the existing structure of the AS. Placement of computer equipment and supporting infrastructure)

4. Role, tasks and responsibilities of the CS security administrator.

5. Data protection using cryptographic methods. Encryption methods.

6. Data protection using cryptographic methods. Encryption algorithms.

7. Requirements for ciphers. Comparison of DES and GOST

8. Typical remote attacks using network protocol vulnerabilities. Classification of remote attacks.

9. Models of information security in the CS.

Questions for the exam

1. The concept of information threats.

2. Information wars.

3. Information threats to the security of the Russian Federation. Doctrine of information security of the Russian Federation.

4. Types of opponents. Hackers.

5. Computer viruses. History. Definition according to the Criminal Code of the Russian Federation.

6. Types, principles of action of viruses, unmasking signs.

7. Types of possible violations of the information system. General classification of information threats.

8. Threats to computer security resources. Threats implemented at the level of the local computer system. Human factor.

9. Threats to computer information implemented at the hardware level.

10. Remote attacks on computer systems. Causes of computer network vulnerabilities.

11. Legal regulation of information protection.

12. Role, tasks and responsibilities of the CS security administrator.

13. Data protection using cryptographic methods. Encryption methods.

14. Data protection using cryptographic methods. Encryption algorithms.

15. Requirements for ciphers. Comparison of DES and GOST

16. Typical remote attacks using network protocol vulnerabilities. Classification of remote attacks.

17. Security policy and its components.

18. Models of information security in the CS.

19. Technologies of protection and access control.

20. Information security standards.

21. FAT

8. Educational technologies

A combination is provided of traditional types of educational activity, such as taking lecture notes and monitoring the assimilation of theoretical material through answers at seminars, preparing thematic reports, colloquia and classroom tests, with interactive technologies, such as interviews and the presentation and discussion of reports and calculation work.

Students’ preparation and defense of reports on topics not included in the lecture plan allows them to expand their scientific horizons, improve their skills in working with domestic and foreign educational and scientific literature, develop language skills, improve mathematical training, strengthen interdisciplinary connections, improve programming skills, and develop the ability to systematize and freely present material on a given topic to an audience.

9. Literature

9.1. Main literature

1. Rastorguev. Information security: textbook for university students studying in the specialties "Computer security", "Comprehensive provision of information security of automated systems" and "Information security of telecommunication systems". - M.: Academy, 2с

2. Fundamentals of information security: textbook for university students / comp. . - M.: Hotline - Telecom, 2s

3. , Computer networks. Principles, technologies, protocols. - St. Petersburg: Peter, 200 p.

4. Yarochkin security.- M.: Academic project, 2003.-639 p.

5. Galatenko information security: A course of lectures. - M.: Internet - University of Information Technologies, 2003. - 239 p.

9.2. additional literature

6. and others. Methodology of information security. - M.: Exam, 200 p.

7. Introduction to the information security of automated systems: Textbook. - M.: Hotline - Telecom, p.

9.3. Software and Internet resources.

University electronic library systems for educational literature.

Scientific and technical information base of VINITI RAS

Access to open citation databases, including scholar.

10. Technical means and material and technical equipment.

To organize students' independent work, a computer classroom with equipment for presenting lecture material is required.

Federal Law of July 27, 2006 N 152-FZ (as amended on April 5, 2013) On personal data

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);

Personal data operator (according to the law on personal data) is a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data, as well as determining the purposes and content of the processing of personal data.

Personal data information system - an information system that is a set of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

Article 19. Measures to ensure the security of personal data during their processing

When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.

Ensuring the security of personal data is achieved, in particular:

1) identification of threats to the security of personal data during their processing in personal data information systems;

2) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;

3) the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;

4) assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;

5) keeping records of machine-readable media containing personal data;

6) detecting facts of unauthorized access to personal data and taking measures;

7) restoration of personal data modified or destroyed due to unauthorized access to it;

8) establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;

9) control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

For the purposes of this article, threats to the security of personal data are understood as a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data, as well as other unlawful actions during their processing in the personal data information system.

The level of security of personal data is understood as a complex indicator characterizing the requirements, the implementation of which ensures the neutralization of certain threats to the security of personal data during their processing in personal data information systems.

Package of documents on the protection of personal data

Regulations on the protection of personal data;

Regulations on the information protection unit;

Order on the appointment of persons responsible for processing personal data;

Information security concept;

Information security policy;

List of personal data subject to protection;

Order to conduct an internal audit;

Report on the results of the internal audit;

Act of classification of personal data information system;

Regulations on the delimitation of access rights to processed personal data;

Personal data security threat model;

Action plan for the protection of personal data;

The procedure for reserving hardware and software, databases and information security tools;

Internal audit plan;

Logbook of PD security control activities;

A log of requests from personal data subjects regarding the fulfillment of their legal rights;

Instructions for the administrator of the personal data information system;

Instructions for the user of the personal data information system;

Instructions for the security administrator of the personal data information system;

User instructions for ensuring the security of personal data processing in the event of emergency situations;

List of accounting for information security tools used, operational and technical documentation for them;

Typical Terms of Reference for the development of a system for ensuring the security of information of a computer facility;

A preliminary design for the creation of a system for ensuring the security of information of a computer facility;

Regulations on the Electronic Log of requests from users of personal data information systems (draft order);

Stages of work. Thus, the organization of personal data protection should be carried out in several stages:

Inventory of information resources.

Restricting employee access to personal data.

Documentary regulation of work with personal data.

Formation of a model of threats to the security of personal data.

Classification of personal data information systems (PDIS) of educational institutions.

Drawing up and sending to the authorized body a notification about the processing of personal data.

Bringing the personal data protection system into compliance with regulatory requirements.

Creation of an ISPD information security subsystem and its attestation (certification) for ISPD classes K1 and K2.

Organization of operation and security control of ISPD.

1. Inventory of information resources

Inventory of information resources is the identification of the presence and processing of personal data in all information systems and traditional data warehouses operated in the organization.

At this stage, you should: approve the regulation on the protection of personal data, formulate a concept and define an information security policy and draw up a list of personal data to be protected.

2. Restricting employee access to personal data

Only those employees who need it to perform their official (job) duties should have permission to process personal data.

At this stage you should: limit, to the extent necessary, both electronic and physical access to personal data.

3. Documentary regulation of work with personal data

According to Article 86 of the Labor Code of the Russian Federation, employees and their representatives must be familiarized, against signature, with those employer documents that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

The subject of personal data independently decides the issue of transferring it to someone else, documenting his intention.

At this stage, you should: collect consent for the processing of personal data, issue an order appointing persons responsible for processing personal data and regulations on delimiting access rights to processed personal data, draw up instructions for the ISPD administrator, ISPD user and ISPD security administrator.

4. Formation of a model of threats to the security of personal data

A private model of threats to the security of personal data stored in the information system is formed on the basis of the following documents approved by the Federal Service for Technical and Export Control (FSTEC):

Basic model of threats to the security of personal data when processed in ISPD;

Methodology for identifying current threats to the security of personal data during their processing in ISPD;

At this stage, it is necessary to form a model of threats to the security of personal data processed and stored in an educational institution.

5. Classification of ISPD, see question No. 18

6. Drawing up and sending a notification to the authorized body

A notification about the processing of personal data is drawn up on the operator’s letterhead and sent to the territorial body of Roskomnadzor of the Ministry of Communications and Mass Communications of the Russian Federation on paper or in the form of an electronic document signed by an authorized person. The form indicates data about the processor, the purpose of processing, categories of data, categories of subjects, whose data is being processed, the legal basis for processing, the date of its start, the term (condition) for its termination, etc.

7. Bringing the system into compliance with regulatory requirements

At this stage, you should: create a list of accounting for information security tools used, operational and technical documentation for them; regulations on the information protection unit; methodological recommendations for organizing information security when processing personal data; user instructions for ensuring the security of PD processing in the event of emergency situations, as well as approve an action plan for PD protection.

8. Attestation (certification) of ISPDn

To ensure the security of an ISPD, it is necessary to take measures to organize and provide technical support for the protection of the processed personal data. Mandatory attestation (certification) is used to assess the compliance of class 1 and class 2 ISPD with the requirements for PD security.

The following informatization objects are subject to mandatory certification:

Automated systems of various levels and purposes.

Communication systems, reception, processing and transmission of data.

Display and reproduction systems.

Premises intended for confidential negotiations.

9. Organization of ISPD operation and security control

Measures to ensure the security of personal data during their processing in information systems include:

control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

investigation and drawing up conclusions on facts of non-compliance with the storage conditions of PD media, the use of information security tools that may lead to a violation of PD confidentiality.

Responsibility for violation of Federal Law No. 152-FZ “On Personal Data”

Administrative liability: a fine, or a fine with confiscation of uncertified security and encryption tools (Administrative Code, Arts. 13.11, 13.12, 13.14).

Disciplinary liability: dismissal of the offending employee (Labor Code of the Russian Federation, Arts. 81 and 90).

Criminal liability: from correctional labor and deprivation of the right to hold certain positions to arrest (Criminal Code, Arts. 137, 140, 272).

The textbook outlines general theoretical and methodological approaches to the formation of legal and organizational support for the information security of individuals, society and the state. The main institutions of legal support for information security are covered in detail: the legal regimes for the protection of information, state, official and commercial secrets, and personal data; legal liability for offenses in the field of information security; and the structure of organizational support for information security. The problems of forming a legal regime for international information security are considered. Considerable attention is paid to the organizational aspects of information systems security management. The task of the present training course is the acquisition by students of both general knowledge in the field of legal and organizational support for information security and knowledge of the formation and implementation of public policy in this area, as well as the acquisition by master's students of more in-depth knowledge of information security and of the problems of international information security.
