Selected issues of protecting accounting data in accounting information systems. Methods and means of protecting information in accounting

For enterprises, institutions and organizations, regardless of their form of ownership, the key issue is to ensure the protection of information resources, including accounting information and reporting. The program "1C: Public Institution Accounting 8" edition 2 meets modern information security requirements. In this article, 1C experts describe the Program's information protection capabilities.

The relevance of ensuring the protection of information resources

To ensure the information security of an organization, institution or enterprise, conditions must be created under which the use, loss or distortion of any information about the state of the organization, including accounting and financial information, by its employees or by external persons (users) will, with a high degree of probability, not lead in the foreseeable future to threats that interrupt the organization's activities.

The relevance of information security problems at the state level is confirmed by the adoption of the Information Security Doctrine in the Russian Federation (approved by the President of the Russian Federation on September 9, 2000 No. Pr-1895). One of the components of the national interests of the Russian Federation in the information sphere is the protection of information resources from unauthorized access, ensuring the security of information and telecommunication systems, both already deployed and those being created in Russia.

Ensuring the information security of the Russian Federation in the economic sphere plays a key role in ensuring the national security of the Russian Federation. The following are most susceptible to the impact of threats to information security of the Russian Federation in the economic sphere:

  • state statistics system;
  • credit and financial system;
  • information and accounting automated systems of divisions of federal executive authorities that ensure the activities of society and the state in the economic sphere;
  • accounting systems for enterprises, institutions and organizations, regardless of their form of ownership;
  • systems for collecting, processing, storing and transmitting financial, stock exchange, tax, customs information and information on foreign economic activity of the state, as well as enterprises, institutions and organizations, regardless of their form of ownership.

Threats to the information security of an enterprise, institution or organization related to accounting and reporting are the following:

  • threats to the integrity of accounting information and reporting;
  • violation of the confidentiality of accounting information and reporting;
  • violation of the accessibility (blocking) of accounting information and reporting;
  • threats to the reliability of accounting information and reporting;
  • threats to the content of accounting information and reporting caused by the actions of personnel and other persons;
  • threats caused by the use of poor-quality accounting information and reporting.

Information security in "1C: Public Institution Accounting 8"

The program “1C: Public Institution Accounting 8” edition 2 (hereinafter referred to as the Program) meets modern information security requirements. To increase the level of protection against unauthorized access to information stored in the Program, the following features are provided:

  • authentication;

Let's take a closer look at these features of the Program.

Authentication

The authentication mechanism is one of the administration tools. It allows you to determine which of the users listed in the list of system users is currently connecting to the Program and prevent unauthorized access to the Program.

In "1C: Public Institution Accounting 8" edition 2, three types of authentication are supported, which can be used depending on the specific tasks facing the information base administrator:

  • 1C:Enterprise authentication – authentication using the user name and password created in the Program;
  • operating system authentication – one of the operating system users is selected for the Program user. The Program determines on behalf of which operating system user the connection is made and, based on this, identifies the corresponding Program user;
  • OpenID authentication – user authentication is performed by an external OpenID provider that stores the list of users.

If no type of authentication is specified for a user, such user's access to the Program is denied.

If the user must enter the Program with a password that will be checked, enable the Authentication 1C:Enterprise flag (see Fig. 1). It is enabled by default together with the Login to the program is allowed flag.

The 1C:Enterprise authentication status is displayed under the flag.


Fig. 1

When a new user is created, the Program automatically assigns it a blank password. To change it, use the Set password command in the user card (see Fig. 1).

In the Setting a password form, enter the New Password for entering the Program and repeat it in the Confirmation field.

A good password should be at least eight characters long, include uppercase and lowercase Latin letters, digits and symbols (underscores, parentheses, etc.), and be non-obvious. The password should not coincide with the username, consist entirely of digits, contain recognizable words, or alternate groups of characters. Examples of good passwords: "nj7(jhjibq*Gfhjkm, F5"njnGhkmNj;t(HI. Examples of bad passwords: Ivanov, qwerty, 12345678, 123123123. For more details, see the documentation "1C:Enterprise 8.3. Administrator's Guide".

The Program also provides an automatic password complexity check.

By default, for security reasons, the password is not shown as it is entered. To see which characters are being entered, enable the Show new password flag.

To generate a password automatically, use the Create a password button; the Program will generate the password.

To save the password, click the Set password button.

After this, the 1C:Enterprise authentication state changes to Password set, and the button in the user card changes to Change password.

For ease of administration and security, every user has the Require password change upon login flag, which is needed for the user to replace the password set by the administrator with their own. When this flag is enabled, the user will be required to enter a password of their own, which no one else will know.

If the Require password change upon login flag is not enabled and the previously set password does not suit you for some reason, you can change it at any time in the user card.

The enabled flag The user is prohibited from changing the password prevents a user who does not have full rights from independently setting or changing a password.

The Require password change upon login and Validity attributes can be seen in the user card and in the User Information report (Information about external users).

Program login settings

In the Login Settings form (section Administration, navigation panel command User and rights settings), the following parameters can be configured separately for internal and external users of the Program:

  • setting and controlling password complexity;
  • requiring a password change, either periodically on a schedule or on request;
  • setting up and controlling password repetition;
  • limiting the validity period of accounts.

Figure 2 shows the settings for internal users.


Fig. 2

A similar setting is provided for external users.

Password complexity control

When the flag The password must meet complexity requirements is set, the Program checks that the new password:

  • is at least 7 characters long;
  • contains any 3 of the 4 character types: uppercase letters, lowercase letters, digits, special characters;
  • does not match the login name.

The minimum password length can be changed by checking the box next to the field of the same name and specifying the required password length (Fig. 3).


Fig. 3

Change Password

There are two modes for changing the password: periodically or at the request of the administrator.

For periodic password changes, limit the password validity using the Minimum password validity and Maximum password validity settings. After the specified period has expired, the Program will prompt the user to change the password.

The maximum password validity period is the period after the first login with a new password after which the user must change the password; by default it is 30 days.

The minimum password validity period is the period after the first login with a new password during which the user cannot change the password; by default it is 1 day.

To require a password change on request, the administrator sets the Require password change upon login flag in the user card. When the user next enters the Program, it will require them to replace the password set by the administrator with their own.

Repeatability control

To prevent users from reusing passwords, enable the Prevent password repetition among recent ones setting and set the number of recent passwords with which the new password will be compared.

User login restrictions

To protect against unauthorized access to the Program, you can set a restriction for users who have not worked in the Program for a certain period of time, for example, 45 days.

After the specified period has expired, the Program will not allow the user to enter. Open user sessions will automatically terminate no more than 25 minutes after login to the Program has been denied.

In the user card, which is available in the personal settings of the Program, the Set restrictions hyperlink lets you specify additional restrictions on entering the Program (Fig. 4).


Fig. 4

Using the switch, you can set a restriction on entering the Program:

  • According to general login settings – set by default;
  • No time limit;
  • Entry allowed until (a deadline must be set: enter the date manually or select it from the calendar using the button). To protect against unauthorized access to the Program, every user has a validity period that automatically disconnects the user upon reaching the specified date;
  • Deny entry if not working anymore (the number of days must be specified) – if the user does not enter the Program for more than the specified number of days, entry into the Program becomes impossible. In this case, the user will need to contact the administrator to resume work in the Program.
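Taken together, the complexity, repetition, validity and inactivity rules described in the sections above form one login policy, and it helps to see them applied to a single account in order. The Python below is an added example, not the Program's own code and not written in the 1C:Enterprise language; the numbers it uses (7 characters, 3 of 4 character classes, 1 and 30 days of validity, 45 days of inactivity) are the ones named on the page, while the history depth of 5, the `ivanov` account, the sample passwords and dates, and the rule that a password set by an administrator must be replaced at the next login are assumptions made for the example.

```python
"""Model of the login-policy rules described above: complexity, repetition,
validity period and inactivity lock-out. Added example, not the Program's code."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple
import hashlib
import hmac
import os


def _pwd_hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the password history never holds clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class LoginPolicy:
    # Numbers taken from the page; history_depth is an assumed setting value.
    min_length: int = 7
    required_classes: int = 3          # any 3 of the 4 character classes
    min_validity_days: int = 1
    max_validity_days: int = 30
    history_depth: int = 5
    inactivity_days: int = 45


@dataclass
class UserAccount:
    login: str
    password_set_on: Optional[date] = None   # stands in for "first login with a new password"
    last_login: Optional[date] = None
    valid_until: Optional[date] = None       # "Entry allowed until"
    require_change: bool = False             # "Require password change upon login"
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)


def complexity_violations(policy: LoginPolicy, login: str, password: str) -> List[str]:
    """Return the complexity rules the candidate password breaks (empty = passes)."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length} characters")
    classes = (any(c.isupper() for c in password) + any(c.islower() for c in password)
               + any(c.isdigit() for c in password) + any(not c.isalnum() for c in password))
    if classes < policy.required_classes:
        found.append(f"fewer than {policy.required_classes} of 4 character classes")
    if password.lower() == login.lower():
        found.append("matches the login name")
    return found


def is_repeated(policy: LoginPolicy, account: UserAccount, password: str) -> bool:
    """True if the password equals one of the last `history_depth` passwords."""
    recent = account.history[-policy.history_depth:]
    return any(hmac.compare_digest(_pwd_hash(password, salt), digest) for salt, digest in recent)


def set_password(policy: LoginPolicy, account: UserAccount, password: str,
                 today: date, by_admin: bool = False) -> List[str]:
    """Run every check; on success store the hash and restart the validity clock.
    Returns the violations found (an empty list means the password was set)."""
    problems = complexity_violations(policy, account.login, password)
    if is_repeated(policy, account, password):
        problems.append("repeats one of the recent passwords")
    # Minimum validity: the user may not change the password again too soon;
    # an administrator resetting it is not bound by that (assumption).
    if (not by_admin and account.password_set_on is not None
            and (today - account.password_set_on).days < policy.min_validity_days):
        problems.append("minimum password validity period has not elapsed")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _pwd_hash(password, salt)))
    account.password_set_on = today
    account.require_change = by_admin   # an admin-set password must be replaced by the user
    return []


def login_status(policy: LoginPolicy, account: UserAccount, today: date) -> str:
    """'ok', 'change_password' or 'denied: ...' for a login attempt made today."""
    if account.valid_until is not None and today > account.valid_until:
        return "denied: account validity period has ended"
    if account.last_login is not None and (today - account.last_login).days > policy.inactivity_days:
        return f"denied: no logins for more than {policy.inactivity_days} days"
    if account.require_change or account.password_set_on is None:
        return "change_password"        # admin-set or blank password must be replaced
    if (today - account.password_set_on).days > policy.max_validity_days:
        return "change_password"        # maximum validity period exceeded
    return "ok"


def run_scenario() -> List[str]:
    """Walk a constructed account through the rules; returns the outcomes in order."""
    policy, acct = LoginPolicy(), UserAccount(login="ivanov", last_login=date(2024, 1, 10))
    out = ["; ".join(set_password(policy, acct, "Tz7_pass!", date(2024, 2, 1), by_admin=True)) or "set",
           login_status(policy, acct, date(2024, 2, 1)),
           "; ".join(set_password(policy, acct, "Tz7_pass!", date(2024, 2, 1))),
           "; ".join(set_password(policy, acct, "Uz8_pass!", date(2024, 2, 3))) or "set",
           login_status(policy, acct, date(2024, 2, 10)),
           login_status(policy, acct, date(2024, 3, 10))]
    acct.last_login = date(2024, 3, 1)   # administrator restored access; user logged in on 1 March
    return out + [login_status(policy, acct, date(2024, 3, 10))]
```

Calling `run_scenario()` returns the seven outcomes in order: the administrator's password is accepted, the user's first login is answered with a mandatory password change, trying to set the same password again is rejected both as a repeat and because the minimum validity day has not passed, a fresh password two days later is accepted, a login a week later is fine, a login after more than 45 days without activity is denied, and once the user is active again the 30-day maximum validity triggers another mandatory change. The password history stores salted PBKDF2 hashes rather than clear-text passwords, which is the property the repetition check needs without giving an attacker who reads the history the old passwords.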

User Details report

The User Information report (Fig. 5) is intended for viewing information about Program users, including login settings (infobase user properties). The need for the report arises when you want to analyze login settings (login name, authentication types, etc.) for a group of users.

The report opens from the Users (External users) list via the command All Actions - User Information (All Actions - About external users). Depending on the type of list, the Program automatically selects the appropriate report option.

Information about internal and external users in one report can be opened from the action panel of the Administration section via the User Information command.


Fig. 5

Using the Settings... button you can open the list of fields and, if necessary, add the required fields to the report. For example, you can add the Require password change upon login and Validity fields to the report.

Ensuring the protection of personal data

In conclusion, it should be noted that access control to the Program is only one of the data protection elements provided by the Program.

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 approved the Requirements for the protection of personal data during their processing in personal data information systems, which define the levels of security of personal data during processing in personal data information systems depending on the threats to the security of this data. In accordance with these requirements, Order No. 21 of the FSTEC of Russia dated February 18, 2013 details the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.

The norms of the current legislation on personal data impose additional requirements on software products, in particular, on software that is a means of protecting information.

To ensure the protection of personal data, the protected software package (ZPK) “1C:Enterprise, version 8.3z” is designed, which is a general-purpose software certified by the FSTEC of Russia with built-in means of protecting information from unauthorized access (NSD) to information that does not contain information that constitutes state secret.

ZPK "1C:Enterprise 8.3z" allows you to block:

  • launching COM objects, external processing and reports, applications installed on the 1C:Enterprise server;
  • use of external 1C:Enterprise components;
  • access to Internet resources.

The combined use of the standard “1C: Public Institution Accounting” edition 2 and ZPK “1C: Enterprise 8.3z” allows you to create an information system of personal data of all security levels, and additional certification of this application solution is not required.

The use of ZPK "1C:Enterprise 8.3z" together with FSTEC-certified operating systems, DBMS and other certified tools allows you to fully comply with the requirements of the above regulatory documents.

Since “1C: Public Institution Accounting” ensures data exchange with the Federal Treasury authorities, Tax authorities, information systems on state and municipal payments (GIS GMP), accounting of federal property (ASUFI), registration and accrual of payments (IS RNIP), etc. via the Internet, to meet security requirements, the facility must be provided with certified firewall tools.

Of course, it is necessary to check the computers on which the Program is installed daily for the presence of malicious computer programs using anti-virus protection tools certified in the FSTEC certification system of Russia.

The differences in the organization are so significant that it is already a shame to show it, and it is better not to show it at all. It makes sense to take action and allocate resources to solve such a problem as protecting information in accounting. This article describes a specific solution for a small company or division. With a significant increase in jobs, it is worth changing the concept, although some elements can be left.

We have the right to protect our property, and the information we hold is our property. The most important thing here is also our responsibility. If a company itself does not take care of information security, it is often pointless to blame the rights violated by various services. We have to take it and do it. Take it yourself and do it, don’t outsource it – this is your safety. And it's not difficult. Where to begin? How to start? So, if we decide that we are responsible and ready to protect, then we need to make sure that this kind of information protection in accounting does not take much time, is effective and is not expensive, and preferably free. It is these criteria that we will be guided by when choosing a particular tool, as well as implementing the concept as a whole.

Let's decide on the situation.

For a clearer understanding of what we want to do, I will describe a situation that can easily arise in any office (because we are in Russia). We are sitting drinking tea when the door is knocked down and angry young people run into the room with the obvious intention of making us uncomfortable. So we have to take a break. They politely ask us to put down our cups of tea and move away from the computers, since their comrades have long dreamed of taking our machines away to read what is written on them... And since the grandmother of one of them is also interested, they naturally want to take all our computers for reading.

It is precisely for this situation that we will try to ensure that their grandmother is content with TV. We will also make sure that at other times (when no one is there) lovers of prose and poetry and their relatives come to us only to pay for a broken door.

What are we hiding?

We need to clearly understand what exactly is valuable to us or a threat to us. What information do we hide and why? There is no point in hiding everything: that only lengthens the backup. Information must be clearly structured, and there must be an understanding of what is where. Do all machines need to be included in the system?

The main goal is to prevent the seizure of compromising information and to prevent the possibility of copying it; ideally there should be no working computers in the workplace at all at that moment. At the same time, the safety and accessibility of the information must be ensured.

We formulate the Ideal Final Result (IFR):

– information is easily accessible;
– information cannot be taken away or easily copied;
– the system also works in your absence and informs you about external conditions;
– the system is not afraid of fire or of physical removal of the storage media;
– the system has remote control (it does not work out perfectly, but control will still be there);
– our auditors should see "empty" machines and a picture like this:

For the purposes of this article, we will not touch on remote servers in Malaysia or other countries. That is a good solution, but we want to consider the situation when all parts of the system are located in one or several rooms.

We identify contradictions:

– computers should work and should not work;
– information can be retrieved and cannot be retrieved;
– information can be taken away and cannot be taken away;
– information can and cannot be destroyed;
– we shouldn’t touch computers – and we don’t need to!


Having resolved all five contradictions, we will form a working system for storing and using information and also limit access to it.
For these purposes, we use the following tools, which we integrate into the system:
1. TrueCrypt – a free program for encrypting entire disks, system disks, disk areas and file containers.
2. Handy Backup – a program for backing up the file structure. It can be used over the network, with tasks that collect files and folders from various machines, archive them, encrypt them, etc. The cost can be found on torrents.
3. GSM sockets – for remote power on and off via SMS. Price range from 2,400 rub. to 10,000 rub. per socket or power strip. The number of sockets depends on the goals you set (one machine or twenty; with a minimalist approach you can distribute power to 3 computers, but pay attention to the power draw of the machines; we do not connect monitors and printers to the sockets). When choosing, pay attention to ease of operation and quality of reception.
4. CCU825 – a GSM controller developed by craftsmen in Tula (there are many analogues, but this one wins on price/quality/reliability). I recommend this particular multi-circuit system: its younger sibling worked for us for several years without false alarms. It has an independent power source and costs about 7,000 rubles. There is also the CCU422, which costs less but has far fewer circuits and less depth of adjustment.
5. Panic button – optional. If you don't want the hassle of an additional circuit in the CCU, buy this too. It costs about the same as a GSM socket. Its purpose is to send an SMS with a pre-prepared text to several pre-programmed numbers.
6. Cameras and video server – at your discretion. These help confirm an intrusion remotely more accurately. We won't touch on them.

We will analyze each instrument separately - from “what it looks like” to setup.


(First part);
TrueCrypt – encryption of the system disk partition (second part);
;
GSM sockets;
CCU825;
Panic button;
cameras and video server (I will not consider);
System integration.



Regulations. The most important part of the system. What should be included:


– all employees related to the system must understand what they are doing in a difficult, stressful situation (and so it is: hands will begin to tremble, the head will stop thinking, the legs will give way; this is a damn accountant, not the unforgettable and dearly respected Iron Felix Edmundovich). Understand so that you can click where you need to click and call the person you need to call. It is even better to assign a bonus: whoever is first gets $100. Just don't overestimate the premium, otherwise the accountant will treat it like a business process and start calling them.
– it is advisable to rehearse the situation once a month, for example in the evening of every third Friday of the month. It will take minutes, an hour at most. And the management will sleep more peacefully.
– keep track of the balances on the SIM cards in the GSM modules. This depends heavily on the selected tariff plan and the number of SMS alerts, and also on the sockets you choose (there should be a way to check the balance without removing the SIM card from the socket and inserting it into a phone). SMS should be sent to several employees in order to have redundancy and reduce risks along the lines of "I forgot my phone at home". Check once a month and top up.
– check whether our Handy Backup writes backup archives in a circle in ten parts. Are there any errors in the program's tasks? If there are, we fix them. Also once a month.
– send the SMS, or turn off all machines with the panic button. Turn them on. Nothing works. Black screen everywhere: a fairy tale! Not everywhere? Let's figure out why; this is exactly what the monthly drills catch. We figured it out. Enter passwords, mount the disks. We start the backup. Everything works: a fairy tale!
– we carefully check (IMPORTANT – I've encountered this many times): are all computers connected to the GSM socket, and only then to the UPS? Or the other way around? If it's the other way around, they won't turn off. Let's fix it.
– we appoint a person responsible for the regulations, his deputy, and his deputy's deputy; in short, under any external circumstances the regulations must be followed. Otherwise it is no longer a system.

Disadvantages of the system.

– dependence of the system on rebooting; machines, after being turned on, are a collection of spare parts, not computers. You have to enter passwords manually and mount disks. So it is advisable that they do not turn off at all (at your discretion).
– the system’s dependence on GSM communications – we recommend immediately checking the quality of reception of a particular cellular operator. If there is no signal, then you need to make sure there is one - an external antenna, etc. Otherwise, you will not be able to turn off the computers and, as a result, data from them can be copied right in front of you.
– monthly costs for SMS, very little (it could even be neglected), if you choose the right tariff and operator.
– dependence on compliance with regulations (do you even have one?). The system should be checked completely about once a month, based on experience, the backup settings and the very fact of their implementation should be monitored. Because even though everything is automatic, each individual tool has its own level of trouble-free operation (Handy can freeze - although I haven’t seen it in practice, the socket starts to work unstable). It is better to encounter something like this during a routine inspection than in another situation.

The weakest link.

Employees. It would be possible not to continue, but.. here I would call the system administrator (the distribution of rights to users and who can do what is beyond the scope of this article). I will only say that I would be very thoughtful in approaching the question of who to give access to and to whom passwords - maybe just different people. The field here is too wide for generalized reasoning. I leave this to the conscience of the manager. As well as drawing up and carrying out routine maintenance.

Definition 1

Protection of accounting information means its protection from accidental or intentional influences aimed at causing damage to the owners or users of the information.

A threat to the security of information based on accounting data may consist in a possible impact on the components of the accounting system, which will cause harm to users of the system.

Classification of threats to accounting data

The following classifications of existing threats to accounting information can be distinguished. Classification based on their occurrence: artificial or natural.

Natural, or objective, threats are those independent of a person: force majeure and natural disasters, such as floods and, as the most common occurrence, fire (not in the sense of someone deliberately setting fire to a "desk with accounting documents").

Artificial, or subjective, threats are caused by the actions or inaction of enterprise employees. Among them are:

  • random threats – software errors; malfunctions, failures or slow operation of computers and of information technology systems in general;
  • intentional threats – unauthorized access to information, distribution of virus programs, etc.

Based on the source of their occurrence, threats are divided into internal and external: the activities of the company's own employees are considered internal, and influences from outside the organization (attacks by hackers, etc.) are considered external.

Security of accounting information

The security of accounting data consists of the following aspects:

  • computer reliability – you should not skimp on the computers used by accountants;
  • safety of accounting data – copies should be kept not only of the systems but also of the primary documentation;
  • protection against changes by unauthorized persons – the system for setting and using passwords must be strictly observed; technical steps such as turning off the monitor and closing all working windows when an employee is away are no longer uncommon.

Protection of accounting information

Protecting a company’s accounting and financial information from unauthorized access implies that the protected information has the following three main criteria:

  • confidentiality – information should be available only to those for whom it is intended. The simplest and most understandable example: salary confidentiality;
  • integrity – the information on which managers base management decisions must be reliable and accurate. An example is reports that can be obtained from different accounting books, in different formats and sections: the same figures presented in different forms must be identical;
  • availability – information must be accessible and provided on demand, when it is needed. Example: access to accounting data should not be kept "in one pair of hands".

To prevent security threats and to build successful protection of accounting data, enterprises require compliance with the following rules.

Note 1

All financial services personnel, primarily in the accounting department, who have access to the systems must understand their roles and competencies. In many international companies, all potential employees of financial departments, from a line junior accountant up to the financial director, are pre-screened, together with the company's senior management. Such strictness in the criteria for selecting candidates is due to negative experience, even experience gained in another country, because the "weakest link" and the "unpredictable actions" were and are people, the company's employees, and not machines or information technologies.

Ideally, systems should be backed up every day; in practice, database copies are created at night.
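The integrity criterion above (the same figures presented in different forms must be identical) and the nightly database copies just mentioned are both things that can be checked mechanically rather than by eye. The Python below is an added example, not code from the page or from 1C: it constructs a tiny journal and a separately produced balance report, reconciles them (double-entry total, per-document balance, journal-derived balance against the report), and records a keyed digest of a copy so that a later change to the stored copy is detected. The account numbers follow the Russian chart of accounts (51 bank, 60 suppliers, 62 customers); the amounts, document ids and the `constructed-key` are invented, and in real use the HMAC key must be stored apart from the copy it protects, for instance with the backup operator rather than on the backup medium.

```python
"""Integrity checks on a constructed accounting journal: double-entry balance,
per-document balance, cross-check of a stored report against the journal, and a
keyed digest that detects changes to a stored copy. Added example, not 1C's code."""
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, Tuple
import hashlib
import hmac
import json

Entry = Tuple[str, str, Decimal, Decimal]   # (document, account, debit, credit)

# Constructed sample data. Accounts follow the Russian chart of accounts
# (51 bank, 60 suppliers, 62 customers); amounts and document ids are invented.
JOURNAL: List[Entry] = [
    ("DOC-1", "51", Decimal("100000.00"), Decimal("0")),
    ("DOC-1", "62", Decimal("0"), Decimal("100000.00")),
    ("DOC-2", "60", Decimal("25000.00"), Decimal("0")),
    ("DOC-2", "51", Decimal("0"), Decimal("25000.00")),
]
# A balance report produced separately (constructed); net debit is positive.
REPORT: Dict[str, Decimal] = {
    "51": Decimal("75000.00"), "60": Decimal("25000.00"), "62": Decimal("-100000.00"),
}


def trial_balance(journal: List[Entry]) -> Dict[str, Decimal]:
    """Net balance per account derived from the journal (debit minus credit)."""
    net: Dict[str, Decimal] = defaultdict(Decimal)
    for _, account, debit, credit in journal:
        net[account] += debit - credit
    return dict(net)


def reconcile(journal: List[Entry], report: Dict[str, Decimal]) -> List[str]:
    """Every inconsistency between the journal and the report, as messages."""
    problems = []
    # 1. Double-entry invariant: total debits equal total credits.
    total_debit = sum(e[2] for e in journal)
    total_credit = sum(e[3] for e in journal)
    if total_debit != total_credit:
        problems.append(f"journal out of balance: debit {total_debit} != credit {total_credit}")
    # 2. Each document must balance on its own.
    per_doc: Dict[str, List[Decimal]] = defaultdict(lambda: [Decimal(0), Decimal(0)])
    for doc, _, debit, credit in journal:
        per_doc[doc][0] += debit
        per_doc[doc][1] += credit
    for doc, (debit, credit) in per_doc.items():
        if debit != credit:
            problems.append(f"{doc}: debit {debit} != credit {credit}")
    # 3. The separately produced report must agree with the journal.
    derived = trial_balance(journal)
    for account in sorted(set(derived) | set(report)):
        a, b = derived.get(account, Decimal(0)), report.get(account, Decimal(0))
        if a != b:
            problems.append(f"account {account}: journal {a} != report {b}")
    return problems


def snapshot_digest(journal: List[Entry], key: bytes) -> str:
    """Keyed digest of a canonical serialization; the key is kept apart from the copy."""
    canonical = json.dumps([[d, a, str(dr), str(cr)] for d, a, dr, cr in journal],
                           separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_snapshot(journal: List[Entry], key: bytes, expected: str) -> bool:
    """True if the copy still matches the digest recorded when it was made."""
    return hmac.compare_digest(snapshot_digest(journal, key), expected)


def tamper(journal: List[Entry], doc: str, account: str, debit: str, credit: str) -> List[Entry]:
    """Copy of the journal with one line's amounts replaced (simulates an unauthorized edit)."""
    return [(d, a, Decimal(debit), Decimal(credit)) if (d, a) == (doc, account) else (d, a, dr, cr)
            for d, a, dr, cr in journal]
```

`reconcile(JOURNAL, REPORT)` returns an empty list for the consistent data; `tamper(JOURNAL, "DOC-2", "60", "52000.00", "0")` shows how changing one amount surfaces in all three checks at once, and `verify_snapshot` returns False for that edited copy as well as for the untouched copy checked with the wrong key. Amounts are `Decimal`, not `float`, so the comparisons are exact to the kopeck.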

By analyzing the measures applied to control access and use of accounting data, as well as by observing the rules of work by employees of financial departments, the protection of accounting information will be ensured.

Russia's transition to market relations brings to the fore the problem of a radical restructuring of accounting. If previously the accounting function of management was reduced to direct bookkeeping and reporting, in the new conditions the accountant is the central figure of the management staff: the chief consultant to the company's director, an analyst and a financier. To perform these new functions and, above all, to make accounting a means of management and regulation, the use of computers, as well as modern means of communication, is vital.

The accountant must be directly involved in the creation of a computer accounting information system, set tasks and monitor the reliability of data, their compliance with real business transactions, analyze accounting information and correct unfavorable situations.

New information technologies in accounting based on modern personal computers, on the one hand, ensure high quality of the work performed and, on the other, create many threats leading to unpredictable and even catastrophic consequences. Such threats include: penetration of unauthorized persons into accounting databases, the widespread spread of computer viruses, erroneous entry of accounting data, errors in the design and implementation of accounting systems, etc. The possible realization of these threats can only be countered by taking adequate measures that help ensure the security of accounting information. In this regard, every accountant who uses computers and communications in their work must know what to protect information from and how to do it.

The protection of accounting information refers to the state of security of information and its supporting infrastructure (computers, communication lines, power supply systems, etc.) from accidental or intentional impacts of a natural or artificial nature that could cause damage to the owners or users of this information.

The concept of information security of accounting data in the narrow sense implies:

  • computer reliability;
  • safety of valuable accounting data;
  • protection of accounting information from changes made to it by unauthorized persons;
  • preservation of documented accounting information in electronic communications.

Information security objects in accounting include:

  • information resources containing information classified as a trade secret, and confidential information presented in the form of accounting databases;
  • informatization tools and systems: the technical means used in information processes (computing and office equipment, information and physical fields of computers, system-wide and application software, automated enterprise accounting data systems in general).

A threat to accounting information security is a potential action that, through its impact on the components of the accounting system, can lead to damage to the owners of information resources or users of the system.

The legal regime of information resources is determined by the rules establishing:

procedure for documenting information;

ownership of individual documents and individual arrays of documents, documents and arrays of documents in information systems**;

procedure for legal protection of information.

The main principle violated when implementing an information threat in accounting is the principle documenting information ***. An accounting document received from an automated accounting information system acquires legal force after it is signed by an official in the manner established by the legislation of the Russian Federation.

The entire set of potential threats in accounting, according to the nature of their occurrence, can be divided into two classes: natural (objective) and artificial.

Natural threats are caused by objective reasons, usually beyond the control of the accountant, leading to the complete or partial destruction of the accounting department along with its components. Such natural phenomena include: earthquakes, lightning strikes, fires, etc.

Man-made threats are associated with human activities. They include unintentional (accidental) threats, caused by employees making mistakes through inattention, fatigue, illness, etc. For example, an accountant entering information into a computer may press the wrong key, make unintentional errors in the program, introduce a virus, or accidentally disclose passwords.

Deliberate threats are associated with the selfish aspirations of people: attackers who deliberately create false documents.

Security threats, in terms of their focus, can be divided into the following groups:

threats of penetration into accounting databases and the computer programs that process them, and of reading their data;

threats to the safety of accounting data, leading to either their destruction or modification, including falsification of payment documents (payment requests, orders, etc.);

data availability threats, which occur when a user cannot access accounting data;

threats of repudiation of operations, when one user transmits a message to another and then does not confirm (denies) the transmitted data.

Depending on the source of threats, they can be divided into internal and external.

The source of internal threats is the activity of the organization's own personnel. External threats come from outside: from employees of other organizations, from hackers and from other persons.

External threats can be divided into:

local, which involve the intruder entering the organization’s territory and gaining access to a separate computer or local network;

remote, which are typical for systems connected to global networks (the Internet, the SWIFT international banking system, etc.).

Such dangers most often arise in electronic payment systems used for settlements between suppliers and buyers, and when the Internet is used for settlements. The sources of such attacks can be located thousands of kilometres away. Moreover, not only the computers are affected, but also the accounting information itself.

Intentional and unintentional accounting errors leading to an increase in accounting risk are the following:

errors in recording accounting data;

incorrect codes;

unauthorized accounting transactions;

violation of control limits;

missed accounts;

errors in data processing or output;

errors in the formation or correction of directories;

incomplete accounts;

incorrect assignment of records to periods;

data falsification;

violation of regulatory requirements;

violation of accounting policies;

discrepancy between the quality of services and user needs.

The procedures in which errors typically occur and their types are presented in Table 8 (172).

To enhance the efficiency of the company and prevent theft, accountants must create a system of internal control. Despite the abundance of publications in this area, the problem of internal control in many sources on accounting and auditing is considered in isolation from information security.

A modern accounting system is characterized by a number of features that require the protection of accounting information:

legislative innovations entail major changes both in the accounting field itself and in the field of its computerization (transfer of accounting to a new chart of accounts, implementation of the Tax Code, etc.). Without modern hardware and software, an accountant is unlikely to be able to obtain reliable and timely accounting information. And computer technologies in accounting also give rise to new information threats;

An accounting information system belongs to the class of complex and dynamic entities built in a multi-level client-server architecture with support for communication with remote components. Dangers lurk both within and without the system;

there may be intentional or unintentional errors in the software that create security problems;

the complication of automated accounting requires an assessment of the reliability of the system, i.e. its properties to perform specified functions while ensuring the safety of information and its reliability.

Unprotected accounting data leads to serious flaws in the enterprise management system:

many undocumented management episodes;

management’s lack of a holistic picture of what is happening in individual structural units;

delays in obtaining information that was relevant at the time the decision was made;

disagreements between structural units and individual performers jointly performing work due to poor mutual information;

information overload;

increasing the time frame for obtaining retrospective information accumulated at the enterprise;

difficulties in obtaining information about the current state of a document or business process;

information leakage due to disorganized storage of large volumes of documents.

New information technologies in accounting based on modern personal computers, on the one hand, ensure high quality of work performed, and on the other, create many threats with unpredictable and even catastrophic consequences. Such threats include: penetration of unauthorized persons into accounting databases, computer viruses, erroneous entry of accounting data, errors in the design and implementation of accounting systems, etc. Threats can only be countered by taking adequate measures that help ensure the security of accounting information. In this regard, every accountant who uses computers and communications in their work must know what to protect information from and how to do it.

The protection of accounting information means the impossibility of accidental or intentional impacts on it of a natural or artificial nature, fraught with damage to the owners or users of this information.

The concept of “accounting information security” in the narrow sense of the word implies:

computer reliability;

safety of valuable accounting data;

protection of accounting information from changes made to it by unauthorized persons;

preservation of documented accounting information in electronic communications.

At first glance, it may seem that “information protection” and “information security” are one and the same. However, they are not. Information protection means protecting information from numerous threats, including intentional and unintentional distortion, destruction, etc. Information security is the protection of an object, including its information systems, from any hostile influences, in particular from computer viruses, from errors, from unauthorized access to databases, etc.

Before designing any security system, it is necessary to determine what needs to be protected and from whom (or what).

Objects of information security in accounting include both information resources containing information classified as trade secrets and confidential information presented in the form of accounting databases, and informatization tools and systems: the technical means used in information processes (computer and office equipment, the informative and physical fields of computers, system-wide and application software, and automated enterprise accounting systems as a whole).

The threat to accounting information security lies in the potential impact on the components of the accounting system, which could cause damage to the owners of information resources or users of the system.

The legal regime of information resources is determined by the rules establishing:

procedure for documenting information;

ownership of individual documents and individual arrays of documents, documents and arrays of documents in information systems;

procedure for legal protection of information.

The main principle violated when an information threat is realized in accounting is the principle of documenting information. An accounting document received from an automated accounting information system acquires legal force after it is signed by an official in the manner established by the legislation of the Russian Federation.

The entire set of potential threats in accounting, according to the nature of their occurrence, can be divided into two classes: natural (objective) and artificial.

Natural threats are caused by objective reasons, usually beyond the control of the accountant, leading to the complete or partial destruction of the accounting department along with its components: earthquakes, fires, etc.

Man-made threats are related to human activities. They include unintentional (accidental) threats, caused by employees making mistakes through inattention, fatigue, illness, etc.: for example, when entering information into a computer, pressing the wrong key, making unintentional errors in the program, introducing a virus, or accidentally divulging passwords.

Intentional (deliberate) threats are associated with the selfish aspirations of people: attackers who deliberately create false documents.

Security threats, in terms of their focus, can be divided into the following groups:

threats of penetration into accounting databases and the computer programs that process them, and of reading their data;

threats to the safety of accounting data, leading to either their destruction or modification, including falsification of payment documents (payment requests, orders, etc.);

data availability threats, which occur when a user cannot access accounting data;

threats of repudiation of operations, when one user sends a message to another and then does not confirm (denies) the transmitted data.

Depending on the source of threats, they can be divided into internal and external.

The source of internal threats is the activities of the organization’s personnel. External threats come from outside from employees of other organizations, from hackers and other individuals.

External threats can be divided into:

local, associated with the intruder’s penetration into the organization’s territory and gaining access to a separate computer or local network;

remote, typical for systems connected to global networks (the Internet, the SWIFT international banking settlement system, etc.).

Such dangers arise most often in electronic payment systems used for settlements between suppliers and buyers, and when the Internet is used for payments. The sources of such attacks can be located thousands of kilometres away. Not only the computers are affected, but also the accounting information itself.

Intentional and unintentional accounting errors leading to an increase in accounting risk are as follows:

errors in recording accounting data;

incorrect codes;

unauthorized accounting transactions;

violation of control limits;

missed accounts;

errors in data processing or output;

errors in the formation or correction of directories;

incomplete accounts;

incorrect assignment of records to periods;

data falsification;

violation of regulatory requirements;

violation of accounting policies;

discrepancy between the quality of services and user needs.

In conditions of data processing on a PC, the consequences of a repeated error or incorrectly applied technique can be catastrophic.

The procedures in which errors typically occur and their types are presented in Table. 5.2.
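The error types listed above (and in the identical list earlier on the page) are exactly the conditions an internal-control routine can check mechanically before a period is closed. The following Go program is an added example, not code from the page or from any accounting product: it runs a constructed sample ledger through checks for unknown account codes (incorrect codes), control-limit violations, gaps in document numbering (missed records), entries dated outside the reporting period (incorrect assignment to periods) and records with a required field left empty (incomplete records). The entry structure, account codes, period and limit are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// LedgerEntry is a constructed, simplified accounting record.
// Its fields are an assumption for this example, not a real system's format.
type LedgerEntry struct {
	Seq     int       // sequential document number
	Date    time.Time // date of the business transaction
	Account string    // account code from the chart of accounts
	Amount  float64   // amount of the entry
	Memo    string    // description; a required field
}

// Finding names one control violation detected for an entry.
type Finding struct {
	Seq  int
	Kind string
}

// ControlRules holds the internal-control parameters (assumed values).
type ControlRules struct {
	PeriodStart time.Time       // first day of the reporting period
	PeriodEnd   time.Time       // last day of the reporting period
	Limit       float64         // control limit: larger amounts need separate approval
	Accounts    map[string]bool // valid account codes
}

// CheckLedger applies every check to every entry, in document-number order,
// and returns the findings in that order.
func CheckLedger(entries []LedgerEntry, rules ControlRules) []Finding {
	sorted := append([]LedgerEntry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Seq < sorted[j].Seq })

	var out []Finding
	for i, e := range sorted {
		// A gap in numbering means a document was never recorded (missed record).
		if i > 0 && e.Seq != sorted[i-1].Seq+1 {
			out = append(out, Finding{e.Seq, "missing sequence number"})
		}
		if !rules.Accounts[e.Account] {
			out = append(out, Finding{e.Seq, "unknown account code"})
		}
		if e.Amount > rules.Limit {
			out = append(out, Finding{e.Seq, "control limit exceeded"})
		}
		if e.Date.Before(rules.PeriodStart) || e.Date.After(rules.PeriodEnd) {
			out = append(out, Finding{e.Seq, "outside accounting period"})
		}
		if e.Memo == "" {
			out = append(out, Finding{e.Seq, "incomplete record"})
		}
	}
	return out
}

// SampleRules returns assumed control parameters for March 2024.
func SampleRules() ControlRules {
	return ControlRules{
		PeriodStart: time.Date(2024, 3, 1, 0, 0, 0, 0, time.UTC),
		PeriodEnd:   time.Date(2024, 3, 31, 0, 0, 0, 0, time.UTC),
		Limit:       100000,
		Accounts:    map[string]bool{"51": true, "60": true, "62": true},
	}
}

// SampleLedger returns constructed entries that trigger each check once.
func SampleLedger() []LedgerEntry {
	march := func(day int) time.Time { return time.Date(2024, 3, day, 0, 0, 0, 0, time.UTC) }
	return []LedgerEntry{
		{Seq: 1, Date: march(2), Account: "51", Amount: 15000, Memo: "payment received"},
		{Seq: 2, Date: march(5), Account: "60", Amount: 250000, Memo: "supplier invoice"}, // over the limit
		{Seq: 4, Date: march(9), Account: "62", Amount: 4000, Memo: "customer invoice"},   // number 3 was never recorded
		{Seq: 5, Date: time.Date(2024, 4, 2, 0, 0, 0, 0, time.UTC), Account: "51", Amount: 800, Memo: "bank fee"}, // April date in a March period
		{Seq: 6, Date: march(20), Account: "99", Amount: 1200, Memo: ""}, // unknown code and empty description
	}
}

func main() {
	for _, f := range CheckLedger(SampleLedger(), SampleRules()) {
		fmt.Printf("document %d: %s\n", f.Seq, f.Kind)
	}
}
```

Run as is, the program reports five findings for the sample ledger; in practice the rules would be loaded from the chart of accounts and the accounting policy rather than hard-coded, and the findings routed to the person responsible for the period close.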

The spread of computer technology has led to a sharp reduction in involuntary (arithmetic) errors, but has created additional conditions for the occurrence of intentional errors associated with fraud.

It is necessary to understand from whom information should be protected. Often the danger comes from company employees who act not alone, but in collusion with other attackers.

The motives and goals of computer crimes can be different: self-interest, a desire to cause harm, revenge, hooliganism, or a desire to test one’s abilities and computer skills.

Table 5.2. Place of occurrence of accounting errors

Scope of transformation of accounting data (columns, left to right): primary accounting (collection and registration); systematic reduction and generalization; output. A “+” marks a scope in which the type of error occurs; a “-” marks one in which it does not.

Type of error: marks by scope
Errors in recording accounting data: +
Incorrect codes: + + -
Unauthorized accounting operations: + +
Violation of control limits: + +
Missed accounting records: + + +
Errors in the processing or output of data: + +
Errors in the formation or correction of directories: + + -
Incomplete records: + + +
Incorrect assignment of records by period: + + +
Falsification of data: + + +
Violation of the requirements of normative acts: + + +
Violation of the principles of accounting policy: + + +
Inconsistency between the quality of services and user needs: + + +

Legislative measures aimed at creating and maintaining a negative attitude in society towards violations and violators of information security include Chapter 28 “Crimes in the field of computer information” of Title IX of the Criminal Code.

Crimes in the field of computer information are: unlawful access to computer information (Article 272 of the Criminal Code); creation, use and distribution of malicious computer programs (Article 273 of the Criminal Code); violation of the rules for operating computers, computer systems or their networks (Article 274 of the Criminal Code).

Information protection in automated accounting systems is based on the following basic principles:

ensuring physical separation of areas intended for processing classified and unclassified information;

ensuring cryptographic protection of information;

ensuring authentication of subscribers and subscriber installations;

ensuring differentiation of access of subjects and their processes to information;

ensuring the establishment of the authenticity and integrity of documentary messages when they are transmitted via communication channels;

ensuring the protection of equipment and technical means of the system, the premises where they are located, from leakage of confidential information through technical channels;

ensuring the protection of encryption technology, equipment, hardware and software from information leakage through hardware and software implants (backdoors);

ensuring control of the integrity of the software and information part of the automated system;

using only domestic developments as protection mechanisms;

ensuring organizational and regime protection measures. It is advisable to use additional measures to ensure communication security in the system;

organizing the protection of information about the intensity, duration and traffic of information exchange;

the use of channels and methods for transmitting and processing information that make interception difficult.

Protecting information from unauthorized access is aimed at forming three main properties of the protected information:

confidentiality (classified information should be accessible only to those for whom it is intended);

integrity (information on the basis of which important decisions are made must be reliable, accurate and fully protected from possible unintentional and malicious distortions);

readiness, i.e. availability (information and information services must be available and ready to serve stakeholders whenever they are needed).

To ensure the protection of accounting information, obstacles, access control, masking, regulation, coercion, and inducement are used.

An obstacle should be considered a method of physically blocking an attacker’s path to protected account information. This method is implemented by the enterprise’s access system, including the presence of security at the entrance to it, blocking the path of unauthorized persons to the accounting department, cash desk, etc.

Access control is a method of protecting accounting and reporting information, implemented through:

identification of information system users (each user receives his own personal identifier);

authentication - establishing the authenticity of an object or subject by the identifier presented by it (carried out by comparing the entered identifier with the one stored in the computer memory);

authority checks (authorization) - checking that the requested resources and the operations performed match the resources allocated to the user and the permitted procedures;

registration of requests to protected resources;

informing and responding to attempts of unauthorized actions.
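The five steps above form one mechanism, and the interesting behaviour is in how they fit together: a request is evaluated only for an authenticated identifier, every request is registered whether it is allowed or not, and the registration is what makes the last step (alerting) possible. The Go program below is an added example, not code from the page or from any accounting product. It assumes a small role matrix (accountant, chief accountant, auditor), numeric document confidentiality levels and an alert after three denied requests; the user names, passwords and document identifiers are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Role groups users by the system functions they may perform (functional rights).
type Role string

// User is an identified subject: a personal identifier plus what is needed to
// authenticate it and to check its authority.
type User struct {
	ID        string
	Role      Role
	Clearance int    // highest document confidentiality level the user may access
	salt      []byte // per-user salt for the stored password hash
	pwHash    []byte // salted SHA-256 (assumption for the example; production systems use a password KDF such as bcrypt or Argon2)
}

// Document is a protected resource with an assumed confidentiality level:
// 0 public, 1 internal, 2 trade secret.
type Document struct {
	ID    string
	Level int
}

// AuditEvent is one registered request to a protected resource.
type AuditEvent struct {
	User, Action, Doc string
	Allowed           bool
}

// Session proves that identification and authentication succeeded.
type Session struct{ UserID string }

// AccessControl implements identification, authentication, authority checks,
// registration of requests, and alerting on repeated unauthorized attempts.
type AccessControl struct {
	users   map[string]*User
	docs    map[string]Document
	rights  map[Role]map[string]bool // functional rights: role -> permitted operations
	denials map[string]int
	Audit   []AuditEvent // every request, allowed or not
	Alerts  []string     // raised after repeated denials for one user
}

const alertThreshold = 3 // assumed: alert on the third denied request

func NewAccessControl() *AccessControl {
	return &AccessControl{
		users: map[string]*User{}, docs: map[string]Document{}, denials: map[string]int{},
		rights: map[Role]map[string]bool{ // assumed role matrix
			"accountant":       {"read": true, "post": true},
			"chief_accountant": {"read": true, "post": true, "approve": true},
			"auditor":          {"read": true},
		},
	}
}

func hashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// AddUser registers a personal identifier together with its authentication secret.
func (ac *AccessControl) AddUser(id, password string, role Role, clearance int) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	ac.users[id] = &User{ID: id, Role: role, Clearance: clearance, salt: salt, pwHash: hashPassword(salt, password)}
}

func (ac *AccessControl) AddDocument(d Document) { ac.docs[d.ID] = d }

// Authenticate compares the presented secret with the stored hash in constant
// time and hands out a session only on success.
func (ac *AccessControl) Authenticate(id, password string) (*Session, bool) {
	u, ok := ac.users[id]
	if !ok || subtle.ConstantTimeCompare(hashPassword(u.salt, password), u.pwHash) != 1 {
		return nil, false
	}
	return &Session{UserID: id}, true
}

// Request performs the authority check (functional right and confidentiality
// level), registers the request in the audit log, and raises an alert after
// repeated denials by the same user.
func (ac *AccessControl) Request(s *Session, action, docID string) bool {
	if s == nil {
		return false
	}
	u, ok := ac.users[s.UserID]
	if !ok {
		return false
	}
	d, known := ac.docs[docID]
	allowed := known && ac.rights[u.Role][action] && u.Clearance >= d.Level
	ac.Audit = append(ac.Audit, AuditEvent{u.ID, action, docID, allowed})
	if !allowed {
		ac.denials[u.ID]++
		if ac.denials[u.ID] == alertThreshold {
			ac.Alerts = append(ac.Alerts, fmt.Sprintf("user %s: %d denied requests", u.ID, alertThreshold))
		}
	}
	return allowed
}

func main() {
	ac := NewAccessControl()
	ac.AddUser("ivanova", "example-password", "accountant", 1) // constructed sample user
	ac.AddDocument(Document{ID: "PO-17", Level: 1})
	s, _ := ac.Authenticate("ivanova", "example-password")
	fmt.Println("read PO-17:", ac.Request(s, "read", "PO-17"))       // allowed
	fmt.Println("approve PO-17:", ac.Request(s, "approve", "PO-17")) // denied: no functional right
}
```

Note that the audit log records denied requests as well as allowed ones; a log that only records successes cannot support the last of the five steps.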

Masking is a method of cryptographic protection (encryption) of information in an automated information system of an enterprise.

Coercion - protection of accounting information due to the threat of material, administrative or criminal liability.

Inducement is the protection of information by ensuring that users comply with the moral and ethical standards established within the enterprise team. In the USA, for example, moral and ethical means include, in particular, the Code of Professional Conduct for Members of the Computer Users Association.

The legal force of a document stored, processed and transmitted using automated and telecommunication systems can be confirmed by an electronic digital signature. When transmitting documents (payment orders, contracts, orders) over computer networks, it is necessary to prove that the document was actually created and sent by the author and was not falsified or modified by the recipient or any third party. In addition, there is a threat of denial of authorship by the sender in order to relieve himself of responsibility for transmitting the document. To protect against such threats, the practice of exchanging financial documents uses message authentication methods for the case where the parties do not trust each other. The document (message) is supplemented with a digital signature generated with a secret cryptographic key. Forgery of the signature by unauthorized persons who do not know the key is excluded, and the signature irrefutably indicates authorship.

The legal force of an electronic digital signature is recognized if the automated information system contains software and hardware tools that ensure signature identification, and the established regime for their use is observed. The accountant (user) signs documents with an electronic digital signature using a personal key known only to him, transfers them in accordance with the document flow diagram, and the hardware and software system verifies the signature. Confidential documents can be encrypted using individual keys and are inaccessible to attackers. The system is based on standards and norms of office work, the practice of organizing document recording and monitoring the actions of performers in structures of any form of ownership (state and non-state).
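The two paragraphs above describe a signing side (the official with a personal key known only to him) and a verifying side (the hardware and software complex that checks the signature against the signer's registered public key). The Go program below is an added example of that exchange, not code from the page or from any accounting product: it signs a constructed payment order with Ed25519 from the Go standard library, and the verifier rejects a document altered after signing, a signature produced with someone else's key under the official's name, and a signer not present in the key registry. The document fields, identifiers and amounts are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentOrder is a constructed, simplified document; the fields are an
// assumption for this example, not the format of any real payment system.
type PaymentOrder struct {
	Number  string `json:"number"`
	Payer   string `json:"payer"`
	Payee   string `json:"payee"`
	Amount  int64  `json:"amount"` // minor currency units, so there is no float ambiguity
	Purpose string `json:"purpose"`
}

// SignedOrder carries the document with the signer's identifier and signature.
type SignedOrder struct {
	Order     PaymentOrder
	SignerID  string
	Signature []byte
}

// canonical returns the exact bytes that are signed. encoding/json writes struct
// fields in declaration order, so signer and verifier encode the same bytes.
func canonical(o PaymentOrder) ([]byte, error) {
	return json.Marshal(o)
}

// Signer holds an official's personal (private) key, known only to its holder.
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{ID: id, Pub: pub, priv: priv}, nil
}

// Sign attaches the signer's identifier and an Ed25519 signature over the
// canonical encoding of the document.
func (s *Signer) Sign(o PaymentOrder) (SignedOrder, error) {
	msg, err := canonical(o)
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: o, SignerID: s.ID, Signature: ed25519.Sign(s.priv, msg)}, nil
}

// Registry is the verifier's trusted directory of officials' public keys.
type Registry map[string]ed25519.PublicKey

// Verify re-encodes the received document and checks the signature against the
// public key registered for the claimed signer. Any change to the document, a
// signature made with another key, or an unregistered signer fails the check.
func (r Registry) Verify(so SignedOrder) bool {
	pub, ok := r[so.SignerID]
	if !ok {
		return false
	}
	msg, err := canonical(so.Order)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, so.Signature)
}

func main() {
	official, err := NewSigner("chief-accountant") // constructed identifier
	if err != nil {
		panic(err)
	}
	registry := Registry{official.ID: official.Pub}
	order := PaymentOrder{Number: "42", Payer: "Example LLC", Payee: "Supplier JSC", Amount: 1250000, Purpose: "invoice 17"}
	signed, _ := official.Sign(order)
	fmt.Println("genuine:", registry.Verify(signed)) // true
	signed.Order.Amount += 1                          // the recipient alters the amount
	fmt.Println("altered:", registry.Verify(signed)) // false
}
```

The registry is the trust anchor: in a deployed system it is populated from certificates issued to the officials, and the check that the signer identifier on the document matches the key used to verify it is what makes the signature evidence of authorship rather than merely of integrity.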

Protection of accounting data makes it possible to:

provide user identification/authentication;

determine functional rights for each user - rights to perform certain system functions (in particular, access to certain document logs);

determine the level of confidentiality for each document, and for each user - access rights to documents of various levels of confidentiality;

ensure the confidentiality of documents by encrypting them, as well as encrypting all information transmitted via open communication channels (for example, by e-mail); encryption is performed using certified cryptographic tools;