System of organizational and legal support for information protection

The textbook outlines general theoretical and methodological approaches to the formation of legal and organizational support for the information security of the individual, society and the state. The main institutions of legal support for information security are covered in detail: the legal regimes for the protection of information, of state, official and commercial secrets, and of personal data; legal liability for offenses in the field of information security; and the structure of organizational support for information security. The problems of forming a legal regime for international information security are considered. Considerable attention is paid to the organizational aspects of information systems security management. The tasks of the present training course are the acquisition by students of general knowledge in the field of legal and organizational support for information security and the study of issues related to the formation and implementation of public policy in this area, as well as the acquisition by master’s students of more in-depth knowledge of information security and of the problems of international information security.

    Posted on http://www.allbest.ru/

    1. Features of information legal relations arising in the production, distribution and consumption of mass media

    As M.A. Fedotov notes in his monograph, “before June 12, 1990, in our country there was neither a media industry nor a legal act that would regulate public relations related to the organization and activities of the media. The absence of legal regulation was compensated by party norms. During this period, media legislation developed in Russia as ‘censorship law’.”

    On June 12, 1990, the USSR Law “On the Press and Other Mass Media” was adopted, and on December 27, 1991, the Russian Federation Law “On the Mass Media” was adopted. The USSR law declared freedom of the press; the Russian law proclaims freedom of the media as the natural state of the press.

    The Law of the Russian Federation “On the Mass Media” introduces the following concepts and their definitions.

    Mass information means printed, audio, audiovisual and other messages and materials intended for an unlimited number of people.

    Mass media means a periodical printed publication, radio, television, video production, newsreel program, or other form of periodic dissemination of mass information.

    A periodical printed publication means a newspaper, magazine, almanac, bulletin, or other publication that has a permanent title and a current issue number and is published at least once a year. A radio, television, video or newsreel program is understood as a set of periodic audio or audiovisual messages and materials (programs) that has a permanent name and is published (broadcast) at least once a year. Mass media products mean the circulation or part of the circulation of a separate issue of a periodical printed publication, a separate issue of a radio, television or newsreel program, or the circulation or part of the circulation of an audio or video recording of a program. Distribution of media products means the sale (subscription, delivery, distribution) of periodical printed publications and of audio or video recordings of programs, the transmission of radio and television programs (broadcasting), and the demonstration of newsreel programs.

    The following main subjects act in the production and dissemination of mass information:

    editorial office of a mass medium - an organization, institution, enterprise or citizen, or an association of citizens, engaged in the production and release of a mass medium;

    editor-in-chief - the person who heads the editorial office (regardless of the title of the position) and makes the final decisions regarding the production and release of the media;

    journalist - a person engaged in editing, creating, collecting or preparing messages and materials for the editorial office of a registered mass media, bound by contractual relations or engaged in such activities under its authority;

    publisher - a publishing house or other institution or enterprise (entrepreneur) that provides logistical support for the production of mass media products, as well as a legal entity or citizen equated to a publisher for whom this activity is not the main one or does not serve as the main source of income;

    distributor - a person distributing mass media products under an agreement with the editorial office or publisher, or on other legal grounds;

    founder of a mass medium - a citizen, association of citizens, enterprise, institution, organization, or government body.

    Cannot act as a founder:

    a citizen who has not reached the age of eighteen, who is serving a sentence in a place of deprivation of liberty under a court verdict, or who is mentally ill and recognized by the court as incompetent;

    an association of citizens, an enterprise, an institution, an organization whose activities are prohibited by law;

    a citizen of another state or a stateless person who does not permanently reside in the Russian Federation. Co-founders act as founders jointly. Consumers of mass information are a wide, practically unlimited circle of persons, including citizens and stateless persons, legal entities, state bodies and local government bodies, and their officials.

    The main directions of legal regulation of relations in the field of mass media:

    ensuring guarantees of media freedom;

    organization of media activities;

    dissemination of mass information;

    relations of the media with citizens and organizations;

    rights and responsibilities of a journalist;

    interstate cooperation in the field of mass information;

    responsibility for violation of legislation on the media.

    Information legal relations developing in the sphere of mass media can be divided into “internal” and “external”. The first address issues of the internal organization of the media and include relations between the main subjects: the founders (co-founders), editorial office, publisher, distributor and, finally, the owner. The second group includes legal relations arising in connection with the activities of the media between the above-listed entities and third parties, be they citizens, associations of citizens, legal entities, state authorities or local self-government bodies.

    2. State policy in the field of information security. Information Security Doctrine

    The state policy of ensuring the information security of the Russian Federation is based on the following basic principles:

    compliance with the Constitution of the Russian Federation, the legislation of the Russian Federation, and generally recognized principles and norms of international law when carrying out activities to ensure the information security of the Russian Federation;

    openness in the implementation of the functions of federal government bodies, government bodies of the constituent entities of the Russian Federation and public associations, providing for informing the public about their activities, taking into account the restrictions established by the legislation of the Russian Federation;

    legal equality of all participants in the process of information interaction regardless of their political, social and economic status, based on the constitutional right of citizens to freely seek, receive, transmit, produce and disseminate information in any lawful way;

    priority development of domestic modern information and telecommunication technologies and the production of hardware and software capable of improving national telecommunication networks and connecting them to global information networks in keeping with the vital interests of the Russian Federation.

    The state, in the process of implementing its functions to ensure the information security of the Russian Federation:

    conducts an objective and comprehensive analysis and forecasting of threats to the information security of the Russian Federation and develops measures to ensure it;

    organizes the work of the legislative (representative) and executive bodies of state power of the Russian Federation to implement a set of measures aimed at preventing, repelling and neutralizing threats to the information security of the Russian Federation;

    supports the activities of public associations aimed at objectively informing the population about socially significant phenomena of public life and protecting society from distorted and unreliable information;

    exercises control over the design, creation, development, use, export and import of information security tools through their certification and the licensing of activities in the field of information security;

    pursues the necessary protectionist policy towards manufacturers of information technology and information protection tools on the territory of the Russian Federation and takes measures to protect the domestic market from the penetration of low-quality information tools and information products;

    contributes to providing individuals and legal entities with access to world information resources and global information networks;

    formulates and implements the state information policy of Russia;

    organizes the development of a federal program for ensuring the information security of the Russian Federation, combining the efforts of state and non-state organizations in this area;

    promotes the internationalization of global information networks and systems, as well as Russia’s entry into the global information community on terms of equal partnership.

    Improving the legal mechanisms for regulating social relations arising in the information sphere is a priority direction of state policy in the field of ensuring the information security of the Russian Federation.

    This implies:

    assessing the effectiveness of the application of current legislative and other regulatory legal acts in the information sphere and developing a program for their improvement;

    creating organizational and legal mechanisms to ensure information security;

    determining the legal status of all subjects of relations in the information sphere, including users of information and telecommunication systems, and establishing their responsibility for compliance with the legislation of the Russian Federation in this area;

    creating a system for collecting and analyzing data on the sources of threats to the information security of the Russian Federation and on the consequences of their realization;

    developing normative legal acts that determine the organization of the investigation and trial procedure for unlawful actions in the information sphere, as well as the procedure for eliminating the consequences of these unlawful actions;

    defining the elements of offenses, taking into account the specifics of criminal, civil, administrative and disciplinary liability, and including the relevant legal norms in the Criminal, Civil, Administrative and Labor Codes and in the legislation of the Russian Federation on public service;

    improving the system of training personnel employed in the field of ensuring the information security of the Russian Federation.

    Legal support for information security in the Russian Federation should be based primarily on compliance with the principles of legality and of the balance of interests of citizens, society and the state in the information sphere. Compliance with the principle of legality requires federal government bodies and government bodies of the constituent entities of the Russian Federation, when resolving conflicts arising in the information sphere, to be strictly guided by the legislative and other regulatory legal acts governing relations in this area.

    Compliance with the principle of balancing the interests of citizens, society and the state in the information sphere presupposes the legislative consolidation of the priority of these interests in various areas of social life, as well as the use of forms of public control over the activities of federal government bodies and government bodies of the constituent entities of the Russian Federation.

    The implementation of guarantees of constitutional rights and freedoms of man and citizen relating to activities in the information sphere is the most important task of the state in the field of information security.

    The development of mechanisms for legal support of information security in the Russian Federation includes measures for informatization of the legal sphere as a whole.

    In order to identify and coordinate the interests of federal government bodies, government bodies of the constituent entities of the Russian Federation and other subjects of relations in the information sphere, and to develop the necessary decisions, the state supports the formation of public councils, committees and commissions with broad representation of public associations and facilitates the organization of their effective work.

    The information security doctrine is a system of official views on ensuring the national security of the Russian Federation in the information sphere.

    The document defines the following national interests in the information sphere (essentially they have not changed since 2000):

    1. Ensuring and protecting the rights and freedoms of citizens regarding the receipt and use of information, privacy, as well as the preservation of spiritual and moral values.

    2. Uninterrupted operation of critical information infrastructure (CII).

    3. Development of the IT and electronics industry in Russia.

    4. Bringing to the Russian and international public reliable information about the state policy of the Russian Federation.

    5. Promotion of international information security.

    The doctrine is necessary for the formation of public policy and the development of measures to improve the information security system.

    Information security (IS) is the state of protection of the individual, society and the state from internal and external information threats. Moreover, the new edition of the document also states that constitutional rights and freedoms, a decent quality and standard of living for citizens, the sovereignty and territorial integrity of the Russian Federation, its sustainable socio-economic development, and state security must be ensured. It is not “security for security’s sake”; some kind of balance is achieved between citizens’ rights, the economy and security.

    The document was created on the basis of threat analysis and assessment of the state of information security of the Russian Federation and develops the provisions of the National Security Strategy of the Russian Federation (dated December 31, 2015 No. 683).

    A threat to the information security of the Russian Federation (information threat) is a set of actions and factors that create a danger of causing damage to national interests in the information sphere.

    The Doctrine defines the following main threats and characteristics of the information security state (I present them briefly):

    Foreign countries are increasing their ability to influence IT infrastructure for military purposes.

    The activities of organizations carrying out technical intelligence in relation to Russian organizations are intensifying.

    Implementing IT without linking it with information security increases the likelihood of threats.

    Special services use methods of information and psychological influence on citizens.

    More and more foreign media are reporting biased information.

    Russian media are subject to discrimination abroad.

    External information impact erodes traditional Russian spiritual and moral values ​​(especially among young people).

    Terrorist and extremist organizations widely use mechanisms of information influence.

    The scale of computer crime is increasing, primarily in the credit and financial sphere.

    The methods, techniques and means of committing computer crimes are becoming more and more sophisticated.

    The complexity and number of coordinated computer attacks on CII facilities are increasing.

    The level of dependence of domestic industry on foreign IT remains high.

    Russian scientific research in the field of IT is not effective enough, and there is a shortage of personnel.

    Russian citizens have low awareness of personal information security issues.

    Individual states are seeking to use their technological superiority to dominate the information space, including on the Internet.

    The document sets out the following areas of information security support and the main directions for them:

    1. National defense:

    a) strategic deterrence and prevention of military conflicts;

    b) improving the information security system of the RF Armed Forces;

    c) forecasting and assessment of information threats;

    d) assistance in ensuring the protection of the interests of the allies of the Russian Federation;

    e) neutralization of information and psychological impact.

    2. State and public security:

    a) countering the use of IT for propaganda;

    b) countering intelligence services using IT;

    c, d) increasing the security of CII;

    e) increasing the operational safety of weapons, military and special equipment and automated control systems;

    f) combating crimes in the IT sector;

    g) protection of state secrets and other types of secrets;

    h) development of domestic IT;

    i) information support for the state policy of the Russian Federation;

    j) neutralization of information and psychological impact.

    3. Economic sphere:

    a-d) development and support of domestic IT.

    4. Science, technology and education:

    a-c) development of science;

    d) development of human resources;

    e) creating a personal information security culture.

    5. Stability and equal strategic partnership

    a) protection of the sovereignty of the Russian Federation in the information space;

    b-d) participation in the formation of an international information security system;

    e) development of a national system for managing the Russian segment of the Internet.


    At a closed chemical plant located within a city close to the state border, harmful substances were released into the atmosphere as a result of an accident. The city administration took the necessary measures to evacuate citizens from the contaminated areas and to prevent the leakage of unwanted information about the accident. At the same time, it prohibited the management of the enterprise from transferring to foreign media and specialists information about the scale of the accident and information relevant to the life of the settlements within the reach of the harmful substances. In deciding not to disseminate this information, the administration referred to the closed nature of the chemical enterprise’s production.

    Are the actions of the city administration legal from the point of view of information law?

    In this situation, the actions of the city administration are not lawful, since in accordance with clause 2, part 4, article 8 of the Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ “On information, information technologies and information protection”, access to information on the state of the environment cannot be restricted. In addition, the concealment or distortion of information about an event, fact or phenomenon that creates a danger to the life or health of people or to the environment is subject to criminal liability under Art. 237 of the Criminal Code of the Russian Federation.



    Issues of protecting information resources are closely connected not only with the solution of scientific and technical problems but also with the legal regulation of relations in the process of informatization. The need for organizational and legal support for information protection arises from the recognition of information as a commodity and a product of social production, and from the legal establishment of ownership of information.
    This formulation of the question takes on special meaning and character in the conditions of the democratization of society, the formation of a market economy, and the inclusion of our state in the world economic community.

    Organizational and legal support is a multidimensional concept that includes laws, decisions, regulations and rules. Moreover, with regard to the protection of information processed in an automated system (AS), it has a number of fundamental specific features due to the following circumstances:

    · presentation of information in a binary form that is unusual for and unreadable by humans;

    · use of storage media whose records are not available for simple visual viewing;

    · the ability to copy information multiple times without leaving any traces;

    · the ease of changing any elements of information without leaving traces such as erasures, corrections, etc.;

    · the impossibility of certifying documents with traditional signatures, with all the regulatory and legal consequences of such signatures;

    · the presence of a large number of non-traditional destabilizing factors affecting information security.

    Based on the above circumstances, the set of issues resolved by organizational and legal support can be grouped into three classes:

    · organizational and legal basis for information protection in the AS;

    · technical and mathematical aspects of organizational and legal support;

    · legal aspects of organizational and legal support of protection.

    From practical considerations it is clear that the organizational and legal basis for information protection should include:

    · identification of the departments and persons responsible for organizing information security;

    · regulatory, guidance and methodological materials (documents) on information protection;

    · penalties for violation of protection rules;

    · procedure for resolving disputes and conflict situations on information security issues.

    The technical and mathematical aspects of organizational and legal support are understood as the set of technical means, mathematical methods, models, algorithms and programs with which the conditions required by that support are met. The main ones of these conditions are the following:

    · recording on the document personal identifiers (“signatures”) of the persons who produced the document and (or) are responsible for it;

    · recording (if necessary) on the document personal identifiers (signatures) of persons who have become familiar with the content of the relevant information;

    · the impossibility of imperceptibly (without leaving traces) changing the content of information even by persons who are authorized to access it, i.e. recording the facts of any (both authorized and unauthorized) changes to information;

    · recording the fact of any (both unauthorized and authorized) copying of protected information.

    The legal aspects of organizational and legal support for information protection in the AS are understood as a set of laws and other regulations with the help of which the following goals are achieved:

    · obligatory observance by all persons related to the AS of all information protection rules is established;

    · sanctions for violation of protection rules are legitimized;

    · technical and mathematical solutions to issues of organizational and legal support for information protection are legalized (acquire legal force);

    · procedures for resolving situations arising in the course of the functioning of protection systems are legitimized.

    Evolution of approaches to information security. Basic concepts and definitions.

    Information security represents an independent part of security, the role and importance of which is steadily increasing every year. Its special role is explained by global processes characteristic of the socio-economic development of civilization. Advanced, economically and technologically developed countries have entered the stage of post-industrial society, in which, along with the processing of matter and energy, information processes in all spheres of people's activities and lives have become one of the main productive forces.

    Some major security aspects include:

    1. environmental safety;

    2. demographic security;

    3. physical security;

    4. economic security;

    5. social security;

    6. ethnocultural security;

    7. information security;

    8. military security;

    9. technological safety.

    A comprehensive information protection system is a set of forces, means, methods and measures used to ensure a given level of information protection at a given facility.

    Using the information criterion of development, one can evaluate the change in the information content of material systems in the course of evolutionary self-organization or self-disorganization. Moreover, along the main progressive line of evolution there is a continuous accumulation of information in systems, and thus this criterion acts as a vector for the progressive development of material systems. The information criterion of evolution expresses a fairly obvious phenomenological vector-genetic connection between the growth of the information content of evolving systems.

    Depending on who acts as the subject or object of security (an individual, a social group, society as a whole, a state or a community of states), the following main levels of security are distinguished:

    1. personal or individual safety;

    2. societal (public) safety or public safety;

    3. national security or state security;

    4. international or collective security;

    5. world or global security.

    Security servers (firewalls, proxy servers)

    Ensuring the information security of an organization is today one of the highest priorities for any business. Security of employees' work on the Internet and protection against malware are integral parts of any information system. How well an organization is protected depends directly on the reliability of the server, its security and the quality of the firewall configuration.

    Let us consider two kinds of security servers: firewalls and proxy servers.

    Firewall

    A firewall is a system, or a combination of systems, that divides a network into two or more parts and enforces a set of rules defining the conditions under which packets may pass from one part to another (see Fig. 1). As a rule, this boundary is drawn between the enterprise local network and the Internet, although it can also be drawn inside the enterprise local network. All traffic between the parts passes through the firewall, and for each packet the firewall decides whether to forward it or discard it.

    Firewalls provide several types of protection:

    · They can block unwanted traffic

    · They can direct incoming traffic only to trusted internal systems

    · They can hide vulnerable systems that cannot be otherwise secured from Internet attacks.

    · They can log traffic to and from the internal network

    · They can hide information such as system names, network topology, types of network devices and internal user IDs from the Internet

    · They can provide stronger authentication than that offered by standard applications.

    All firewalls can be divided into three types:

    · packet filters

    · application-level servers (application gateways)

    · connection-level servers (circuit gateways)

    A single firewall may combine all three types.

    Packet filters

    Packet-filtering firewalls decide whether to forward or discard a packet by examining the IP addresses, flags and TCP (or UDP) port numbers in its headers. The IP address and port number are network-layer and transport-layer information, respectively, yet packet filters effectively use application-layer information too, because every standard TCP/IP service is associated with a well-known port number. This is an inference from the port number, not an inspection of the payload: a service running on a non-standard port, or traffic tunnelled through an allowed port, is not recognized by a packet filter.
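    The following is an added example, not code from the page, illustrating both the firewall definition above (a boundary through which every packet passes and is either forwarded or dropped) and the packet-filter decision just described. It implements a stateless filter whose rules match on IP-header addresses and transport-header protocol, destination port and TCP flags, with first-match semantics and an implicit final deny. The internal address range 10.0.0.0/8, the host addresses, the ports and the packets themselves are constructed assumptions for the example.

```python
"""Added example (not from the page): a minimal stateless packet filter.

Each rule matches on IP-header fields (source/destination address) and
transport-header fields (protocol, destination port, TCP flags); the first
matching rule wins and anything unmatched is dropped. The rule set and the
packets are constructed for this example; the address ranges and ports are
assumptions, not values taken from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str                        # source IP address
    dst: str                        # destination IP address
    sport: int                      # source port
    dport: int                      # destination port
    flags: frozenset = frozenset()  # TCP flags set in the header, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    proto: Optional[str] = None               # None matches any protocol
    src: str = ANY                            # CIDR the source address must fall in
    dst: str = ANY                            # CIDR the destination address must fall in
    dport: Optional[int] = None               # None matches any destination port
    require_flags: frozenset = frozenset()    # every listed TCP flag must be set
    forbid_flags: frozenset = frozenset()     # none of the listed TCP flags may be set

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if p.proto == "tcp":
            if not self.require_flags <= p.flags:
                return False
            if self.forbid_flags & p.flags:
                return False
        return True


def decide(rules, p: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit final deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed rule set for a boundary between an internal network (10.0.0.0/8,
# an assumption) and the Internet: one public HTTPS server, outbound TCP from
# the inside, internal DNS, and the classic stateless "established" rule that
# lets in TCP segments carrying ACK as replies to internally opened connections.
RULES = [
    Rule("allow", "tcp", dst="10.0.0.80/32", dport=443),
    Rule("allow", "tcp", src="10.0.0.0/8"),
    Rule("allow", "udp", src="10.0.0.0/8", dst="10.0.0.53/32", dport=53),
    Rule("allow", "tcp", dst="10.0.0.0/8", require_flags=frozenset({"ACK"})),
    # implicit: deny everything else
]

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})


def sample_decisions() -> dict:
    """Run a few constructed packets through RULES and return the verdicts."""
    packets = {
        "inet_to_web_443":   Packet("tcp", "203.0.113.5", "10.0.0.80", 40000, 443, SYN),
        "inet_to_host_ssh":  Packet("tcp", "203.0.113.5", "10.0.0.25", 40001, 22, SYN),
        "lan_to_inet_https": Packet("tcp", "10.0.0.25", "198.51.100.7", 50000, 443, SYN),
        "lan_dns":           Packet("udp", "10.0.0.25", "10.0.0.53", 50001, 53),
        "inet_dns":          Packet("udp", "203.0.113.5", "10.0.0.53", 50002, 53),
        # An ACK-only probe (ACK scan) is accepted by the stateless "established"
        # rule because a packet filter cannot tell whether a connection exists.
        "inet_ack_scan":     Packet("tcp", "203.0.113.5", "10.0.0.25", 40002, 22, ACK),
    }
    return {name: decide(RULES, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:20s} {verdict}")
```

    The last sample packet is the practical lesson: the filter admits a bare ACK to an internal host because it only sees header fields and has no record of which connections the inside actually opened. That gap is what application gateways and stateful inspection close, and it is why the "established" rule of a pure packet filter should be treated as a coarse approximation rather than a guarantee.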

    Basic information on the content of the concepts of “information security”, “ensuring information security”, “legal support of information security” and “organizational support of information security” is presented. The main approaches of the authors to structuring the problems of organizational and legal support of information security are outlined. A description of the legal mechanisms for regulating groups of social relations related to countering security threats to the interests of the main subjects of the information sphere is given.
    For students studying the course "Organizational and Legal Support of Information Security", teachers, graduate students, as well as specialists interested in this issue.

    Preface. Introduction
    Part 1. Basic theory
    Chapter 1. Fundamentals of information security
    1.1. The concept of "information sphere"
    1.2. Ensuring information security
    Chapter 2. Legal support of information security
    2.1. Law basics
    2.2. Structure of legal support for information security
    2.3. Content and structure of legislation in the field of information security
    Chapter 3. Organizational support of information security
    3.1. General provisions and principles
    3.2. Organizational basis and main activities
    3.3. Main functions of the Russian Federation information security system
    3.4. Main directions of organizational activity of the information security system of the Russian Federation
    Part 2. Legal support of information security
    Chapter 4. Information, information technologies and information protection
    4.1. General provisions
    4.2. Information
    4.3. Information Technology
    4.4. Data protection
    4.5. Legal liability for offenses in the field of information, information technology and information protection
    Chapter 5. Security of personal data
    5.1. General provisions
    5.2. Personal data and legal purposes
    5.3. Processing of personal data
    5.4. Subject of personal data and his rights
    5.5. Personal data operator and his responsibilities
    5.6. Control and supervision of compliance with legislation on personal data
    5.7. Legal liability for violation of legislation in the field of personal data
    Chapter 6. Results of intellectual activity and legal support for the safety of their use
    6.1. General provisions
    6.2. Intellectual rights
    6.3. Disposal of intellectual rights
    6.4. Legal protection of intellectual rights
    6.5. Law enforcement and supervision in the field of protection of rights to objects of intellectual property
    Chapter 7. Copyright and related rights. Legal support for the security of using rights
    7.1. General provisions
    7.2. Copyright
    7.3. Related rights
    7.4. Collective copyright management
    7.5. Legal liability for violation of copyright and related rights
    Chapter 8. Industrial property rights
    8.1. General provisions
    8.2. Patent Law
    8.3. The right to a production secret (know-how)
    8.4. Right to means of individualization of legal entities, goods, works, services and enterprises
    8.5. The right to use the results of intellectual activity as part of a unified technology
    Chapter 9. Electronic signature and legal support for the security of correspondence
    9.1. General provisions
    9.2. Types of electronic signatures and principles of their use
    9.3. Conditions for recognition of electronic documents
    9.4. Electronic signature tools
    9.5. Conditions for the legal use of a simple electronic signature
    9.6. Conditions for the lawful use of an enhanced electronic signature
    9.7. Certification center
    9.8. Accredited certification center and the procedure for its accreditation
    9.9. Powers of federal executive authorities in the field of using electronic signatures
    Chapter 10. Trade secret and legal regime for ensuring its security
    10.1. General provisions
    10.2. Trade secret regime
    10.3. Legal protection of trade secrets
    Chapter 11. State secrets and their legal protection
    11.1. General provisions
    11.2. Information constituting a state secret
    11.3. Classification of information
    11.4. Declassification of information constituting state secrets
    11.5. Transfer of information constituting state secrets
    11.6. Access to state secrets
    11.7. State secret protection system
    Chapter 12. Ensuring security when using communication networks and the Internet
    12.1. General provisions
    12.2. Communication security activities
    12.3. Responsibilities of the telecom operator
    12.4. Rights of users of communication services
    12.5. State regulation and supervision in the field of communications
    12.6. Responsibility for violation of the legislation of the Russian Federation
    12.7. Ensuring the security of using Internet resources and services
    Chapter 13. Technical regulation and information technology security requirements
    13.1. General provisions
    13.2. Agreement on technical barriers in trade
    13.3. Technical regulations
    13.4. Standards
    13.5. Confirmation of compliance with technical regulations and standards
    13.6. Information on violation of the requirements of technical regulations and standards
    Chapter 14. Judicial protection of human and civil rights and freedoms in the information sphere
    14.1. General provisions
    14.2. Judicial system of the Russian Federation
    14.3. Selecting a court for filing a statement of claim
    14.4. Procedure for preparing and filing a claim
    14.5. Plaintiff and defendant, their rights and obligations
    Chapter 15. Criminal-legal characteristics of crimes in the field of computer information
    15.1. General provisions
    15.2. Article 272. Illegal access to computer information
    15.3. Article 273. Creation, use and distribution of malicious computer programs
    15.4. Article 274. Violation of the rules for operating computers, computer systems or their networks
    15.5. Changes and additions to Ch. 28 of the Criminal Code of the Russian Federation
    15.6. New qualifying features
    Part 3. Organizational provision of information security
    Chapter 16. Organizational basis of the state information security system
    16.1. General structure, composition of areas of activity and delimitation of powers of government bodies
    16.2. Organizational basis of the state system for protecting information from technical intelligence
    16.3. Organizational basis of the state system of technical protection of information
    16.4. Purpose, principles and priority areas of state policy in the field of technical protection of information
    Chapter 17. State licensing system. Organization and regulation of activities in the field of protecting confidential information
    Chapter 18. Organization of work to protect confidential information in organizations. General approaches and principles of organizing collective security of the enterprise and risk management systems
    18.1. Organization of work to protect confidential information
    18.2. General approaches to organizing information security at business sites (enterprises, organizations) and concepts

    Federal Law of July 27, 2006 N 152-FZ (as amended on April 5, 2013) On personal data

    personal data: any information relating directly or indirectly to an identified or identifiable individual (the personal data subject);

    A personal data operator (according to the law on personal data) is a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data and determines the purposes and content of that processing.

    Personal data information system - an information system that is a set of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools;

    Article 19. Measures to ensure the security of personal data during their processing

    When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions regarding personal data.

    Ensuring the security of personal data is achieved, in particular:

    1) identification of threats to the security of personal data during their processing in personal data information systems;

    2) the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to fulfill the requirements for the protection of personal data, the implementation of which ensures the levels of personal data security established by the Government of the Russian Federation;

    3) the use of information security means that have passed the compliance assessment procedure in accordance with the established procedure;

    4) assessing the effectiveness of measures taken to ensure the security of personal data before putting into operation the personal data information system;

    5) keeping records of the machine-readable media on which personal data are stored;

    6) detecting instances of unauthorized access to personal data and taking corrective measures;

    7) restoration of personal data modified or destroyed due to unauthorized access to it;

    8) establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;

    9) control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

    For the purposes of this article

    threats to the security of personal data are understood as a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, provision or distribution of personal data, or other unlawful actions during their processing in the personal data information system.

    The level of security of personal data is understood as a composite indicator characterizing the requirements whose implementation ensures the neutralization of specified threats to the security of personal data during their processing in personal data information systems.

    Package of documents on the protection of personal data

    Regulations on the protection of personal data;

    Regulations on the information protection unit;

    Order on the appointment of persons responsible for processing personal data;

    Information security concept;

    Information security policy;

    List of personal data subject to protection;

    Order to conduct an internal audit;

    Report on the results of the internal audit;

    Act of classification of personal data information system;

    Regulations on the delimitation of access rights to processed personal data;

    Personal data security threat model;

    Action plan for the protection of personal data;

    The procedure for backup and redundancy of hardware and software, databases and information security tools;

    Internal audit plan;

    Logbook of PD security control activities;

    A log of requests from personal data subjects regarding the fulfillment of their legal rights;

    Instructions for the administrator of the personal data information system;

    Instructions for the user of the personal data information system;

    Instructions for the security administrator of the personal data information system;

    User instructions for ensuring the security of personal data processing in the event of emergency situations;

    List of accounting for information security tools used, operational and technical documentation for them;

    Typical Terms of Reference for the development of a system for ensuring the security of information of a computer facility;

    A preliminary design for the creation of a system for ensuring the security of information of a computer facility;

    Regulations on the Electronic Journal of requests from users of personal data information systems (draft order);

    Stages of work. Thus, the organization of personal data protection should be carried out in several stages:

    Inventory of information resources.

    Restricting employee access to personal data.

    Documentary regulation of work with personal data.

    Formation of a model of threats to the security of personal data.

    Classification of the personal data information systems (ISPD) of educational institutions.

    Drawing up and sending to the authorized body a notification about the processing of personal data.

    Bringing the personal data protection system into compliance with regulatory requirements.

    Creation of an ISPD information security subsystem and its attestation (certification) for ISPD classes K1 and K2.

    Organization of operation and security control of ISPD.

    1. Inventory of information resources

    Inventory of information resources is the identification of the presence and processing of personal data in all information systems and traditional data warehouses operated in the organization.

    At this stage, you should: approve the regulation on the protection of personal data, formulate a concept and define an information security policy and draw up a list of personal data to be protected.

    2. Restricting employee access to personal data

    Only those employees who need it to perform their official (job) duties should have permission to process personal data.

    At this stage you should: limit both electronic and physical access to personal data to the extent necessary.

    3. Documentary regulation of work with personal data

    According to Article 86 of the Labor Code of the Russian Federation, employees and their representatives must be familiarized, against signature, with those employer documents that establish the procedure for processing personal data of employees, as well as their rights and obligations in this area.

    The personal data subject decides independently whether to transfer the data to anyone else and documents that decision.

    At this stage, you should: collect consent for the processing of personal data, issue an order appointing persons responsible for processing personal data and regulations on delimiting access rights to processed personal data, draw up instructions for the ISPD administrator, ISPD user and ISPD security administrator.

    4. Formation of a model of threats to the security of personal data

    An organization-specific model of threats to the security of personal data stored in the information system is formed on the basis of the following documents approved by the Federal Service for Technical and Export Control (FSTEC):

    Basic model of threats to the security of personal data when processed in ISPD;

    Methodology for identifying current threats to the security of personal data during their processing in ISPD;

    At this stage, it is necessary to form a model of threats to the security of personal data processed and stored in an educational institution.

    5. Classification of ISPD, see question No. 18

    6. Drawing up and sending a notification to the authorized body

    A notification about the processing of personal data is drawn up on the operator's letterhead and sent to the territorial body of Roskomnadzor (Ministry of Communications and Mass Media of the Russian Federation) on paper or as an electronic document signed by an authorized person. The form states information about the operator, the purpose of processing, the categories of data, the categories of subjects whose data are processed, the legal basis for processing, the date it starts, the term (condition) of its termination, etc.

    7. Bringing the system into compliance with regulatory requirements

    At this stage, you should: create a list of accounting for information security tools used, operational and technical documentation for them; regulations on the information protection unit; methodological recommendations for organizing information security when processing personal data; user instructions for ensuring the security of PD processing in the event of emergency situations, as well as approve an action plan for PD protection.

    8. Attestation (certification) of ISPD

    To ensure ISPD security, organizational measures must be taken and technical support provided for the protection of the processed personal data. Compliance of class 1 and class 2 ISPD with the personal data security requirements is assessed by mandatory attestation (certification).

    The following informatization objects are subject to mandatory certification:

    Automated systems of various levels and purposes.

    Communication systems, reception, processing and transmission of data.

    Display and reproduction systems.

    Premises intended for confidential negotiations.

    9. Organization of ISPD operation and security control

    Measures to ensure the security of personal data during their processing in information systems include:

    control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

    investigation and drawing up conclusions on facts of non-compliance with the storage conditions of PD media, the use of information security tools that may lead to a violation of PD confidentiality.

    Responsibility for violation of Federal Law No. 152 On personal data

    Administrative liability: fine or fine with confiscation of uncertified security and encryption tools. Administrative Code, art. 13.11, 13.12, 13.14

    Disciplinary liability: dismissal of the offending employee. Labor Code of the Russian Federation, art. 81 and 90

    Criminal liability: from correctional labor and deprivation of the right to hold certain positions to arrest. Criminal Code, Art. 137, 140, 272