Regulations on the protection of personal data of clients. Thesis on the topic: Development of a system for protecting personal data in the enterprise PJSC Citibank. Modern products for protecting personal data of the bank

Dzhabrail Matiev, head of personal data protection for the commercial part of the company ReignVox

Constant work with huge amounts of client data requires a bank of any format to work continuously on protecting this data.

That is why the topic of information security, and with it the topic of trust, is especially relevant in the financial sector. Moreover, the requirement to protect any personal data included in the structure of the information system of a modern financial company is also legally justified - Federal Law No. 152 “On Personal Data” clearly obliges every company processing this data to protect it within a strictly defined time frame. Both new and existing Information Systems processing personal data must be brought into compliance with legal requirements by January 1, 2011. With such strict time frames, organizations processing such information have less and less time to comply with legal requirements.

Where should you start working to protect personal data? What time frame can you expect for work? Who should be entrusted with the work? What is the average cost of a project and how to minimize costs? All these questions are relevant today for any company doing business in the financial sector. ReignVox's extensive experience in the field of personal data protection in financial institutions allows us to provide expert answers to them.

Life is in countdown mode

Federal Law No. 152 “On Personal Data” comes into full force on January 1, 2011 - more than six months ahead of the deadline set by legislators. But don’t give in to the misleading impression of having too much time.

Firstly, a project aimed at meeting the requirements for the protection of personal data takes from four to six months to implement, depending on its complexity. Even this figure is not final: the term may grow to six to eight months because of the time the bank spends selecting a worthy integrator to develop and maintain the project. Carrying out this work in-house exposes the bank to a loss of objectivity at the stage of surveying and analysing the protection measures it already has, and also obliges it to find separate staff for the work. Other factors to remember here are the availability of specialists trained in personal data protection, the required amount of regulatory and methodological support, and free resources for the protection task itself. Practice shows that it is usually third-party integrators who fully meet all these requirements.

Secondly, returning to the deadlines set by the Law “On Personal Data” for data operators (and the fact that banks are precisely such operators is no longer in question): whatever is said about their postponement, the first regulatory inspections are already taking place. The conclusion is quite logical: the relevance of the problem has not only remained, it has increased significantly, and its solution is becoming an urgent need.

“And the casket just opened...”

The task of bringing the ISPD into compliance with the provisions of the Law “On Personal Data” has recently been the subject of active discussions, which basically boil down to one thing: solving this problem is very difficult because of the combination of its organizational and legal features. This conclusion is not entirely correct: the practice of applying the personal data protection requirements that emerged during the first quarter of 2010 (including in the banking sector) confirms that the requirements for ISPD are comprehensible and can be interpreted. Formulating and implementing them, and documenting that implementation with minimal risk of error, is not so much difficult as it is important for the security of the banking business. The task is further simplified by the option of delegating it to a third-party integrator, whose specialists will complete the personal data protection project as quickly and professionally as possible, taking into account the individual characteristics of the banking business.

Thus, the first priority becomes the choice of the integrator company that will be entrusted with managing the project.

"Standard" = "Exclusive"?

Such an equal sign between these mutually exclusive concepts has a right to exist. This statement is supported by the practical experience of successful personal data protection projects already completed by ReignVox.

On the one hand, each such project includes a standard set of stages: surveying the personal data information systems, designing the personal data protection system (SZPDn), implementing the SZPDn, assessing the compliance of the SZPDn with the requirements of the law, and supporting the created system. The assessment of the ISPD's compliance, as a stage, is optional and is carried out at the discretion of the customer company, as is the stage of supporting the created system.

Typicality usually ends at the first stage (the survey of information systems), since it is this stage that makes it possible to identify and describe the requirements that will later be imposed on the systems. These parameters are already individual, focused on each specific customer and optimized in accordance with its needs.

During this survey, the integrator analyses the information resources, the standard solutions used to build the IT infrastructure, the flows of personal data, and the existing information protection systems and tools.

At the same stage, a threat model and an intruder model for PD security are developed, and the need for cryptographic tools to ensure PD security in the ISPD is assessed.

The classic scheme for the second stage includes an audit of the internal regulatory framework and an assessment of its compliance with regulatory requirements. Its result is the development of the missing internal documents and of the terms of reference for developing the SZPDn. At the same stage, the integrator begins the actual development of the set of information protection measures.

At the end of this stage, the bank is quite capable of successfully passing inspection by one of the regulators.

The essence of the third stage comes down to implementing the systems and configuring the existing security measures, followed, where necessary, by testing of the hardware and software complex.

At each of the described stages, ReignVox, as an integrator, faces additional tasks determined by the specifics of the customer company's business, its size, infrastructure, the activity of its business processes and many other points. From many such components, a new, individually adapted concept of the personal data protection project is formed each time.

“...and the sheep are safe”

Minimizing expenses, optimizing the budget, saving: whatever phrase you choose, the essence remains the same. A rational approach to the use of money is the second cornerstone of the success of a financial structure (after trust, of course). Therefore, the desire to reduce costs as much as possible without compromising information security is natural and quite achievable.

The cost of an average standard project to create a personal data protection system for a banking structure is about 1.5 million rubles. When calculating this amount, a number of principles are taken into account, following which allows one to reduce the budget for creating a personal data protection system.

First of all, we strive to preserve as much as possible of the IT infrastructure already existing in the organization. Two polar scenarios for personal data protection are usually discussed. The first is a radical reworking of all ISPD; the second is formal, consisting only of issuing internal regulatory documents without making any changes to the ISPD. We consider a third option optimal: maintaining the bank's current IT infrastructure while modifying some of its elements and adding the new ones necessary to ensure compliance with the law.

This is the first principle: maximum use of existing information security tools when designing the protection system. Every company already uses protection tools regardless of the need to protect personal data: anti-virus systems, built-in operating system access controls, firewalls and many others. That is why the maximum number of requirements is covered by existing security measures, and only where a requirement is not met by current tools is it necessary to purchase and implement additional ones.

The second principle is economical logical structuring of personal data information systems. Following this principle, as part of a project to protect personal data in a bank, it becomes economically feasible to combine several systems located in the same room into one, in combination with downgrading non-critical segments. Thus an ISPD “Data Processing Center” is created, in which protection is provided along the perimeter. This significantly reduces the cost of separating flows between different systems.

Principle three: protect only against current threats. Which threats are current is established in a mandatory document for the system, the Threat Model. When determining current threats, those whose probability is low and whose damage upon realization is small are discarded.

Provided that proven methods are used, the task of bringing the ISPD of any bank into compliance with the requirements of the law by January 1, 2011 is fully achievable. For maximum success in implementing such technologies in the banking sector, it is still necessary to keep in mind an integrated approach to the project. By this we mean organizing the joint work of specialists from various departments (IT, information security and project management specialists, financiers, lawyers), which guarantees the necessary balance in the overall approach to protecting critical data within the financial structure.

Reference: ReignVox is a Russian company specializing in innovative projects and developments in the field of information technology and ensuring their information security.

The purpose of creating the company is to provide services to ensure the protection of personal data in accordance with the requirements of the Law “On Personal Data” Federal Law No. 152 of July 27, 2006 and to build comprehensive information security systems.

ReignVox is a member of the interregional public organization “Association for Information Security” (IPO “AZI”), an associated member of the “Infocommunication Union”, and also a member of the Association of Regional Banks of Russia.

ReignVox has significant experience in successfully implementing personal data protection projects in large commercial banks. Among its clients are NOTA-Bank, Vnesheconombank, CentroCredit, Tempbank, Alta-Bank, etc.

It has become especially popular for Russian divisions of foreign companies due to the addition of Part 5 of Article 18 to 152-FZ “On Personal Data”: “... the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation”. There are a number of exceptions in the law, but you must admit that in case of inspection by the regulator, you want to have stronger trump cards than “but this does not concern us.”

The penalties for violators are very serious. Online stores, social networks, information sites and other Internet-related businesses may actually be closed if supervisory authorities bring claims. It is possible that during the first inspection the regulator will give time to eliminate the shortcomings, but the period is usually limited. If the problem is not resolved very quickly (which is difficult without prior preparation), the losses cannot be compensated in any way. Blocking a site not only pauses sales, it means a loss of market share.

For offline companies, appearing on the “black list” of personal data law violators is less dramatic. But it entails reputational risks, which is a significant factor for foreign companies. In addition, there are now almost no types of activity left that are not affected at all by the protection of personal data. Banks, trade, even manufacturing: all maintain client databases, which means they are subject to the relevant laws.

It is important to understand that the issue cannot be considered in isolation within a company either. Personal data protection cannot be limited to installing certified security tools on servers and locking paper cards in safes. Personal data has many entry points into the company: sales departments, HR, customer service, sometimes also training centers, purchasing commissions and other departments. Managing personal data protection is a complex process that affects IT, document flow, regulations and legal formalities.

Let's look at what it would take to run and maintain such a process.

What data is considered personal

Strictly speaking, any information that relates directly or indirectly to a specific individual is his personal data. Please note that we are talking about people, not legal entities. It turns out that it is enough to record a person's full name and residential address for the protection of this (and related) data to be required. However, receiving an email with someone's personal data in the form of a signature and phone number is not in itself a reason to protect it. The key term is “collection of personal data.” To clarify the context, I would like to highlight several articles of the Law “On Personal Data”.

Article 5. Principles for processing personal data. There should be clear objectives that make it clear why the information is being collected. Otherwise, even with full compliance with all other rules and regulations, sanctions are likely.

Article 10. Special categories of personal data. For example, the HR department may record restrictions on business travel, including pregnancy of employees. Of course, such additional information is also subject to protection. This greatly expands the understanding of personal data, as well as the list of departments and information repositories of the company in which attention needs to be paid to protection.

Article 12. Cross-border transfer of personal data. If an information system with data on citizens of the Russian Federation is located in a country that has not ratified the Convention on the Protection of Personal Data (for example, in Israel), the provisions of Russian legislation should be adhered to.

Article 22. Notification about the processing of personal data. A prerequisite in order not to attract undue attention from the regulator. If you are conducting business activities related to personal data, report it yourself without waiting for inspections.

Where personal data may be located

Technically, PD can be located anywhere, from printed media (paper files) to machine media (hard disks, flash drives, CDs, etc.). That is, the focus is on any data storage that falls under the definition of ISPD (personal data information systems).

Geography of location is a separate big issue. On the one hand, personal data of Russians (individuals who are citizens of the Russian Federation) must be stored on the territory of the Russian Federation. On the other hand, at the moment this is more a direction in which the situation is developing than a fait accompli. Many international and export companies, various holdings and joint ventures have historically had a distributed infrastructure, and this will not change overnight, unlike the methods of storing and protecting personal data, which must be put in order almost immediately.

Minimum list of departments involved in recording, systematization, accumulation, storage, clarification (updating, changing), retrieving personal data:

  • Personnel service.
  • Sales department.
  • Legal department.

Since there is rarely perfect order, in reality the most unexpected units can often be added to this “expected” list. For example, a warehouse may record personalized information about suppliers, or a security service may keep its own detailed records of everyone entering the premises. In this way, by the way, the personal data of employees can be supplemented with data on clients, partners, contractors, and even random visitors or other people's visitors, whose personal data becomes a liability when they are photographed for a pass, their ID card is scanned, and in some other cases. ACS (access control and management systems) can easily become a source of problems in the context of personal data protection. Therefore, from the point of view of compliance with the Law, the answer to the question “Where?” is: everywhere in the territory covered by the report. A more precise answer can only be given by conducting an appropriate audit. This is the first stage of a personal data protection project. The full list of its key phases:

1) Audit of the current situation in the company.

2) Design of a technical solution.

3) Preparation of the process for the protection of personal data.

4) Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations.

5) Implementation of a technical solution.

6) Launching the process to protect personal data.

1. Audit of the current situation in the company

First of all, check with the HR department and other departments that use paper media with personal data:

  • Are there consent forms for the processing of personal data? Are they filled out and signed?
  • Is the “Regulation on the specifics of the processing of personal data carried out without the use of automation tools” dated September 15, 2008 No. 687 observed?

Determine the geographic location of the ISPD:

  • In what countries are they located?
  • On what basis?
  • Are there agreements for their use?
  • What technological protection is used to prevent personal data leakage?
  • What organizational measures are taken to protect personal data?

Ideally, an information system with personal data of Russians should comply with all the requirements of Law 152-FZ “On Personal Data”, even if it is located abroad.

Finally, pay attention to the impressive list of documents that are required in case of verification (this is not all, just the main list):

  • Notification about PD processing.
  • A document identifying the person responsible for organizing the processing of personal data.
  • List of employees authorized to process personal data.
  • A document defining the storage location of PD.
  • Certificate on the processing of special and biometric categories of personal data.
  • Certificate of cross-border transfer of personal data.
  • Standard forms of documents with personal data.
  • Standard form of consent for personal data processing.
  • Procedure for transferring PD to third parties.
  • The procedure for recording requests from PD subjects.
  • List of personal data information systems (ISPD).
  • Documents regulating data backup in ISPD.
  • List of information security tools used.
  • The procedure for destroying personal data.
  • Access matrix.
  • Threat model.
  • Logbook for recording machine media containing PD.
  • A document defining the security levels for each ISPD in accordance with PP-1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”

2. Design of technical solution

A description of the organizational and technical measures that must be taken to protect personal data is given in Chapter 4. “Responsibilities of the operator” of Law 152-FZ “On Personal Data”. The technical solution must be based on the provisions of Article 2 of Law 242-FZ of July 21, 2014.

But how to comply with the law and process the personal data of citizens of the Russian Federation on the territory of Russia in the case when the data source is still located abroad? There are several options here:

  • Physical transfer of the information system and database to the territory of the Russian Federation. If it is technically feasible, this will be the easiest.
  • We leave the PD abroad, but in Russia we create a copy of it and set up one-way replication of the PD of Russian citizens from the Russian copy to the foreign one. At the same time, in the foreign system it is necessary to exclude the possibility of modifying the personal data of citizens of the Russian Federation; all changes must be made only through the Russian ISPD.
  • There are several ISPDs and they are all abroad. The transfer can be expensive or technically infeasible (for example, it is impossible to select the part of the database with personal data of citizens of the Russian Federation and move it to Russia). In this case, the solution may be to create a new ISPD on any available platform on a server in Russia, from where one-way replication will be carried out to each foreign ISPD. I note that the choice of platform remains with the company.
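The second and third options above both rest on the same control: the foreign copy accepts writes to Russian citizens' records only from the replication job, never from local applications. The following added example (not from the original article or any vendor's product; schema, sample records and the use of SQLite as a stand-in for both ISPDs are constructed for illustration) shows one way to enforce that with database triggers plus a one-way replication routine.

```python
import sqlite3
from contextlib import contextmanager

# Constructed schema for the example; real ISPD schemas differ.
SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    full_name   TEXT    NOT NULL,
    citizenship TEXT    NOT NULL,            -- ISO 3166-1 alpha-2, 'RU' for RF citizens
    phone       TEXT,
    version     INTEGER NOT NULL DEFAULT 1   -- bumped on every change in the system of record
);
"""

# Only the foreign copy gets this: a one-row flag that the replication job alone toggles,
# and triggers that refuse any direct write touching RF citizens' rows while the flag is off.
GUARD_MSG = "RF citizen PD is written only by replication from the Russian ISPD"
FOREIGN_GUARD = f"""
CREATE TABLE replication_session (active INTEGER NOT NULL);
INSERT INTO replication_session (active) VALUES (0);

CREATE TRIGGER ru_guard_insert BEFORE INSERT ON customers
WHEN NEW.citizenship = 'RU' AND (SELECT active FROM replication_session) = 0
BEGIN SELECT RAISE(ABORT, '{GUARD_MSG}'); END;

CREATE TRIGGER ru_guard_update BEFORE UPDATE ON customers
WHEN (OLD.citizenship = 'RU' OR NEW.citizenship = 'RU')
 AND (SELECT active FROM replication_session) = 0
BEGIN SELECT RAISE(ABORT, '{GUARD_MSG}'); END;

CREATE TRIGGER ru_guard_delete BEFORE DELETE ON customers
WHEN OLD.citizenship = 'RU' AND (SELECT active FROM replication_session) = 0
BEGIN SELECT RAISE(ABORT, '{GUARD_MSG}'); END;
"""


def open_russian_ispd():
    """System of record located in Russia: ordinary schema, no write restrictions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def open_foreign_ispd():
    """Foreign copy: the same schema plus the guard table and triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + FOREIGN_GUARD)
    return conn


@contextmanager
def replication_window(foreign):
    """Lift the guard only while the replication job itself is writing."""
    foreign.execute("UPDATE replication_session SET active = 1")
    try:
        yield
        foreign.commit()
    except Exception:
        foreign.rollback()
        raise
    finally:
        foreign.execute("UPDATE replication_session SET active = 0")
        foreign.commit()


def replicate_ru_rows(russian, foreign):
    """One-way push of RF citizens' rows; a newer version always wins, nothing flows back."""
    rows = russian.execute(
        "SELECT customer_id, full_name, citizenship, phone, version "
        "FROM customers WHERE citizenship = 'RU'"
    ).fetchall()
    with replication_window(foreign):
        foreign.executemany(
            "INSERT INTO customers (customer_id, full_name, citizenship, phone, version) "
            "VALUES (?, ?, ?, ?, ?) "
            "ON CONFLICT(customer_id) DO UPDATE SET full_name = excluded.full_name, "
            "phone = excluded.phone, version = excluded.version "
            "WHERE excluded.version > customers.version",
            rows,
        )
    return len(rows)


def local_write(conn, sql, params=()):
    """A direct write by an application on that side: True if accepted, False if the guard refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.IntegrityError:   # RAISE(ABORT) in a trigger surfaces as IntegrityError
        conn.rollback()
        return False


def phone_of(conn, customer_id):
    row = conn.execute("SELECT phone FROM customers WHERE customer_id = ?", (customer_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Constructed scenario: one RF citizen mastered in Russia, one foreign client mastered abroad."""
    russian, foreign = open_russian_ispd(), open_foreign_ispd()
    local_write(russian, "INSERT INTO customers VALUES (1, 'Ivanova A. A.', 'RU', '+7-000-000-00-01', 1)")
    local_write(foreign, "INSERT INTO customers VALUES (2, 'J. Doe', 'GB', '+44-000-000-0002', 1)")
    result = {"replicated": replicate_ru_rows(russian, foreign)}
    # Foreign-side applications may still change their own clients...
    result["foreign_edits_gb"] = local_write(
        foreign, "UPDATE customers SET phone = ?, version = version + 1 WHERE customer_id = 2", ("+44-000-000-0003",))
    # ...but every attempt to touch RF citizens' PD on the foreign copy is refused.
    result["foreign_edits_ru"] = local_write(
        foreign, "UPDATE customers SET phone = ? WHERE customer_id = 1", ("+7-999-000-00-00",))
    result["foreign_inserts_ru"] = local_write(foreign, "INSERT INTO customers VALUES (3, 'Petrov P. P.', 'RU', NULL, 1)")
    result["foreign_deletes_ru"] = local_write(foreign, "DELETE FROM customers WHERE customer_id = 1")
    # Changes made in the Russian ISPD reach the copy on the next replication run.
    local_write(russian, "UPDATE customers SET phone = ?, version = version + 1 WHERE customer_id = 1", ("+7-000-000-00-02",))
    replicate_ru_rows(russian, foreign)
    result["replica_phone_after_sync"] = phone_of(foreign, 1)
    return result
```

In a production DBMS the same pattern is a dedicated replication role that alone may bypass the row-level guard, with the refused attempts written to the access audit that the process stage below requires.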

If the PDn is not completely and exclusively transferred to Russia, do not forget to indicate in the certificate of cross-border data transfer to whom and what specific set of PD is sent. The processing notice must indicate the purpose of the transfer of personal data. Again, this goal must be legitimate and clearly justified.

3. Preparation of the process for the protection of personal data

The personal data protection process should determine at least the following points:

  • List of those responsible for processing personal data in the company.
  • The procedure for providing access to ISPD. Ideally, this is an access matrix with an access level for each position or specific employee (read/read-write/modify), or a list of the personal data available to each position. It all depends on the implementation of the IS and the requirements of the company.
  • Audit of access to personal data and analysis of access attempts in violation of access levels.
  • Analysis of the reasons for the unavailability of personal data.
  • The procedure for responding to requests from PD subjects regarding their PD.
  • Revision of the list of personal data that is transferred outside the company.
  • Review of recipients of personal data, including abroad.
  • Periodic review of the threat model for personal data, as well as changes in the level of protection of personal data in connection with changes in the threat model.
  • Keeping company documents up to date (the list is above, and it can be supplemented if necessary).
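The access matrix and the audit of attempts exceeding a position's access level are two of the points above that can be put into working code. The following added example (not from the original article; the positions, PD categories, matrix contents and access attempts are constructed) enforces a position-by-category matrix with the read/read-write/modify levels named in the text, logs every attempt, and separates denied attempts into "no access at all" and "escalation above the granted level" for review.

```python
from collections import Counter
from dataclasses import dataclass

# Access levels named in the text, ordered so that a higher level implies the lower ones.
LEVELS = {"none": 0, "read": 1, "read-write": 2, "modify": 3}

# Constructed access matrix (position -> PD category -> granted level).
# A real one is among the documents the text lists and comes from the bank's own survey.
ACCESS_MATRIX = {
    "hr_specialist": {"employee": "read-write", "client": "none",       "special": "read"},
    "sales_manager": {"employee": "none",       "client": "read-write", "special": "none"},
    "lawyer":        {"employee": "read",       "client": "read",       "special": "none"},
    "pd_officer":    {"employee": "modify",     "client": "modify",     "special": "modify"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    position: str
    category: str
    requested: str
    granted: str
    allowed: bool


class PdAccessControl:
    """Enforces the access matrix and keeps the audit trail the process requires."""

    def __init__(self, matrix):
        self.matrix = matrix
        self.log = []

    def granted_level(self, position, category):
        # Unknown positions or categories fall back to "none": deny by default.
        return self.matrix.get(position, {}).get(category, "none")

    def request(self, ts, user, position, category, requested):
        if requested not in LEVELS or requested == "none":
            raise ValueError(f"unknown access level: {requested}")
        granted = self.granted_level(position, category)
        allowed = LEVELS[requested] <= LEVELS[granted]
        # Every attempt is logged, allowed or not; the denied ones feed the violation analysis.
        self.log.append(AccessEvent(ts, user, position, category, requested, granted, allowed))
        return allowed


def classify_violation(event):
    """'no-access' when the position holds no rights on that category at all,
    'escalation' when it holds some rights but asked for a higher level, None if allowed."""
    if event.allowed:
        return None
    return "no-access" if event.granted == "none" else "escalation"


def violation_report(log):
    """Per-user counts of denied attempts by kind, worst offender first."""
    per_user = {}
    for e in log:
        kind = classify_violation(e)
        if kind is None:
            continue
        per_user.setdefault(e.user, Counter())[kind] += 1
    return sorted(
        ((user, dict(c), sum(c.values())) for user, c in per_user.items()),
        key=lambda row: (-row[2], row[0]),
    )


def run_constructed_scenario():
    """Constructed sequence of access attempts; returns the per-attempt decisions and the report."""
    ac = PdAccessControl(ACCESS_MATRIX)
    attempts = [
        ("2024-03-01T09:00", "petrov",    "sales_manager", "client",   "read"),
        ("2024-03-01T09:05", "petrov",    "sales_manager", "client",   "read-write"),
        ("2024-03-01T09:10", "petrov",    "sales_manager", "employee", "read"),        # no access
        ("2024-03-01T09:20", "sidorova",  "lawyer",        "employee", "read-write"),  # escalation
        ("2024-03-01T09:25", "sidorova",  "lawyer",        "special",  "read"),        # no access
        ("2024-03-01T09:30", "sidorova",  "lawyer",        "client",   "read"),
        ("2024-03-01T10:00", "kuznetsov", "hr_specialist", "special",  "modify"),      # escalation
    ]
    outcomes = [ac.request(*a) for a in attempts]
    return outcomes, violation_report(ac.log)
```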

Each point could be detailed here, but I want to draw special attention to the level of security. It is determined on the basis of the following documents (read them in sequence):

1. “Methodology for determining current threats to the security of personal data during their processing in personal data information systems” (FSTEC of Russia, February 14, 2008).

2. Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”

3. FSTEC Order No. 21 of February 18, 2013 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.”

Also, do not forget to consider the need to have such expense categories as:

  • Organization of the project team and project management.
  • Developers for each of the ISPDn platforms.
  • Server capacity (own or rented in a data center).

By the end of the second and third stages of the project you should have:

  • Cost calculation.
  • Quality requirements.
  • Project deadlines and schedule.
  • Technical and organizational risks of the project.

4. Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations

A short but important stage, during which you need to make sure that all planned actions do not contradict the legislation of the Russian Federation and company rules (for example, security policies). If this is not done, a bomb will be placed in the foundation of the project, which can “explode” in the future, destroying the benefits of the results achieved.

5. Implementation of a technical solution

Everything here is more or less obvious. The specifics depend on the initial situation and decisions. But in general the picture should look something like this:

  • Server capacity has been allocated.
  • Network engineers have provided sufficient channel capacity between the PD source and receiver.
  • The developers have established replication between ISPDn databases.
  • Administrators prevented changes to ISPDs located abroad.

The person responsible for protecting personal data and the “process owner” may be the same person or different people. What matters is that the “process owner” must prepare all the documentation and organize the entire process of protecting personal data. To do this, all interested parties must be notified, employees must be instructed, and the IT service must facilitate the implementation of technical data protection measures.

6. Launching the process to protect personal data

This is an important step, and in a sense the goal of the entire project: to make control a routine activity. In addition to the technical solutions and regulatory documentation, the role of the process owner is critical here. He must monitor changes not only in legislation but also in the IT infrastructure, which means that appropriate skills and competencies are required.

In addition, which is critically important in real work conditions, the owner of the process for protecting personal data needs all the necessary powers and administrative support from the company’s management. Otherwise, he will be an eternal “supplicant” to whom no one pays attention, and after some time the project can be restarted, starting again with the audit.

Nuances

A few points that are easy to overlook:

  • If you work with a data center, you need a service agreement for the provision of server capacity, according to which your company stores data legally and controls it.
  • You need licenses for the software that is used to collect, store and process personal data, or lease agreements.
  • If the ISPD is located abroad, an agreement is required with the company that owns the system there - to guarantee compliance with the legislation of the Russian Federation in relation to the personal data of Russians.
  • If personal data is transferred to a contractor of your company (for example, an IT outsourcing partner), then in the event of a personal data leak from the outsourcer, you will be liable for claims. In turn, your company may file claims against the outsourcer. Perhaps this factor may influence the very fact of outsourcing work.

And once again, the most important thing is that the protection of personal data cannot be simply ensured. It's a process. An ongoing iterative process that will be highly dependent on further changes in legislation, as well as on the format and rigor of applying these rules in practice.

Marina Prokhorova, editor of the magazine "Personal Data"

Natalya Samoilova, lawyer of the company "InfoTechnoProject"

The regulatory framework that has developed to date in the field of personal data processing, the documents that have yet to be adopted for more effective organization of personal data protection in organizations, the technical aspects of preparing the information systems of personal data operators: these are the topics that have recently been touched upon in many newspaper and journal publications devoted to the issue of personal data. In this article I would like to dwell on one aspect of organizing the work of banking and credit institutions: the “non-technical” protection of the personal data processed in these organizations.

Let's start with a specific example

We are talking about a judicial review of a case on the protection of personal data, initiated against Sberbank in June 2008. The essence of the trial was as follows. A guarantee agreement was concluded between the citizen and the bank, according to which the citizen accepted the obligation to answer to the bank for the borrower’s fulfillment of obligations under the loan agreement. The latter did not fulfill his obligations within the period established by the loan agreement; information about the guarantor as an unreliable client was entered into the bank's automated information system "Stop List", which, in turn, was the basis for refusing to provide him with a loan. Moreover, the bank did not even notify the citizen about the borrower’s improper fulfillment of his obligations under the loan agreement. In addition, the guarantee agreement did not indicate that in the event of improper fulfillment by the borrower of its obligations, the bank has the right to enter information about the guarantor into the Stop List information system. Thus, the bank processed the citizen’s personal data by including information about him in the Stop List information system without his consent, which violates the requirements of Part 1 of Art. 9 of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”, according to which the subject of personal data decides to provide his personal data and consents to their processing of his own will and in his own interest. In addition, in the manner provided for in Part 1 of Art. 14 of the same law, a citizen contacted the bank with a demand to provide him with the opportunity to familiarize himself with the information entered about him in the Stop List information system, as well as to block this information and destroy it. The bank refused to satisfy the citizen's demands.

Based on the results of the consideration of the case, the Leninsky District Court of Vladivostok satisfied the claims of the Office of Roskomnadzor for the Primorsky Territory against Sberbank of Russia to protect the violated rights of a citizen and ordered the bank to destroy information about the citizen from the Stop List information system.

How is this example significant? Banks, storing the personal data of a significant number of their clients, move it without hesitation from one database to another, most often without informing the subject of the personal data, let alone obtaining his consent to such actions. Of course, banking activity has a number of features, and clients' personal data is often used not only to fulfill the agreements concluded by the bank but also so that the bank can control the client's fulfillment of its obligations; nevertheless, any manipulation of personal data already requires the consent of its subject.

Difficulties in interpreting provisions

Why not make all operations with personal data legal? Of course, this will most likely require the involvement of third-party specialists, since even the lawyers of large banks' legal departments are first-class professionals only in a specific area and have to become familiar with the specifics of personal data work almost from scratch. So the best way out is to involve companies specializing in services for organizing work with personal data, including those capable of auditing whether the non-technical protection measures you are taking comply with the legislator's requirements.

The results of analytical studies allow us to draw conclusions about which provisions of Federal Law No. 152-FZ "On Personal Data" cause the greatest difficulties of interpretation.

In accordance with Part 1 of Article 22 of this regulatory document, the operator is obliged to notify the authorized body about the processing of personal data. Among the exceptions is the case when the processed personal data was received in connection with the conclusion of an agreement to which the subject of personal data is a party... and is used by the operator solely for the execution of the said agreement on the basis of clause 2 of part 2 of Article 22 of Federal Law No. 152-FZ "On personal data." Operating precisely with this provision, some banks do not submit a notification about the processing of personal data, and many do not consider themselves operators, which is fundamentally wrong.

Another common mistake of banks as operators of personal data, also related to the contract, is the following. According to Art. 6 of the above law, the processing of personal data may be carried out by the operator with the consent of the subjects of personal data, except in certain cases, including processing for the purpose of fulfilling a contract to which the subject of personal data is a party. Therefore, many banking institutions justify not obtaining consent from the subject of personal data precisely by the fact that such an agreement has been concluded.

But let's think about it, doesn't the bank, being an operator, use the personal data of the subject received when concluding an agreement, for example, to send out notifications about new services, to maintain “Stop lists”? This means that the processing of personal data is carried out not only for the purpose of fulfilling the contract, but also for other purposes, the achievement of which is of commercial interest to banks, therefore:

  • banks are required to submit a notification about the processing of personal data to the authorized body;
  • banks must process personal data only with the consent of the subject.

This means that banks must organize a system for working with the personal data of their clients, that is, ensure non-technical protection of such data.

Written consent to the processing of personal data

As for the consent of the subject of personal data to the processing of personal data, Federal Law No. 152-FZ “On Personal Data” obliges operators to obtain written consent to process personal data only in cases specified by law. At the same time, in accordance with Part 3 of Art. 9, the obligation to prove receipt of the subject’s consent to the processing of his personal data rests with the operator. In order not to waste time collecting such evidence if necessary (for example, searching for witnesses), in our opinion, it is better in any case to obtain consent from the subjects in writing.

Let us give one more argument for obtaining consent to the processing of personal data in written form. Often, the activities of banks involve the transfer of data (including personal data) to the territory of a foreign state. On this occasion, Part 1 of Art. 12 of Federal Law No. 152-FZ "On Personal Data" states that before the start of a cross-border transfer of personal data, the operator is obliged to ensure that the foreign state to whose territory the personal data is transferred provides adequate protection of the rights of personal data subjects. If such protection is not provided, cross-border transfer of personal data is possible only with the written consent of the subject of personal data. It can be assumed that it is easier for a bank employee to obtain the client's written consent to the processing of personal data than to establish the degree of adequacy of their protection in a foreign country.

Please note that the information that must be contained in the written consent is listed in Part 4 of Art. 9 of the above-mentioned Federal Law, and this list is exhaustive. And a signature under the phrase, for example, in a loan agreement: “I agree to the use of my personal data,” according to Federal Law No. 152-FZ “On Personal Data,” is not consent to their processing!

It would seem that there are only a few points of law, but how many complications, even litigation, can be caused by their incorrect interpretation. Moreover, today, when personal data of subjects often becomes a commodity in the competition of various structures, successful resolution of issues of their protection, ensuring the security of information systems of banking and credit institutions becomes the key to maintaining the reputation and good name of any organization.

Every day, citizens' awareness of the possible negative consequences of the dissemination of their personal data is increasing, which is facilitated by the emergence of specialized publications. There are also information resources of various companies. Some of them cover the entire wide range of issues related to the concept of "information security", others are devoted to reviews of measures and means of technical protection, while others, on the contrary, focus on problems associated with non-technical protection. In other words, information on issues of personal data protection is becoming more accessible, which means citizens will be more savvy in protecting their rights.


1. THEORETICAL FOUNDATIONS OF PERSONAL DATA SECURITY

1.1 Legislative framework for the protection of personal data in the Russian Federation

1.3.1 General characteristics of sources of threats of unauthorized access in the personal data information system

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

1.3.3 General characteristics of threats to the security of personal data implemented using internetworking protocols

1.4 Characteristics of the Bank and its activities

1.5 Personal data databases

1.5.1 Information system of personal data of employees of the organization

1.5.2 Personal data information system of access control and management system

1.5.3 Personal data information system of the automated banking system

1.6 Design and threats of the Bank’s local computer network

1.7 Information security measures

2.2 Software and hardware protection

2.3 Basic security policy

2.3.1 System for raising employee awareness of information security issues

2.3.4 Procedure for employees to use email

2.3.5 Password policy of the Bank

3. ECONOMIC JUSTIFICATION OF THE PROJECT

CONCLUSION


APPENDICES

INTRODUCTION

Widespread computerization, which began at the end of the 20th century, continues to this day. Automation of processes in enterprises increases worker productivity. Users of information systems can quickly obtain the data necessary to perform their job duties. At the same time, along with easier access to data, problems with the safety of this data arise. Having gained access to various information systems, attackers can use them for personal gain: collecting data for sale on the black market, stealing money from clients of the organization, or stealing the organization's trade secrets.

Therefore, the problem of protecting critically important information is very acute for organizations. Increasingly, the media report various techniques and methods for stealing funds by hacking the information systems of financial organizations. Having gained access to personal data information systems, an attacker can steal data about the clients of financial organizations and distribute information about their financial transactions, causing both financial and reputational harm to the bank's client. In addition, having learned information about the client, fraudsters can call the client directly, posing as bank employees, and fraudulently, using social engineering techniques, obtain passwords for remote banking service systems and withdraw money from the client's account.

In our country, the problem of theft and illegal distribution of personal data is very acute. There are a large number of resources on the Internet that contain stolen personal databases, with the help of which, for example, using a mobile phone number, one can find very detailed information about a person, including his passport details, residential addresses, photographs and much more.

In this thesis project, I explore the process of creating a personal data protection system at PJSC Citibank.

1. BASICS OF PERSONAL DATA SECURITY

1.1 Legislative framework for the protection of personal data

Today in Russia there is state regulation in the field of ensuring the security of personal data. The main legal acts regulating the system of personal data protection in the Russian Federation are the Constitution of the Russian Federation and the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ. These two main legal acts establish the main theses about personal data in the Russian Federation:

Every citizen has the right to privacy, personal and family secrets, protection of his honor and good name;

Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraph and other messages. Restriction of this right is permitted only on the basis of a court decision;

Collection, storage, use and dissemination of information about the private life of a person without his consent is not permitted;

The processing of personal data must be carried out on a lawful and fair basis;

The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not permitted.

It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.

Only personal data that meets the purposes of their processing are subject to processing.

When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing personal data must be ensured. The operator must take the necessary measures or ensure that they are taken to delete or clarify incomplete or inaccurate data.

The storage of personal data must be carried out in a form that makes it possible to identify the subject of personal data, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.

Other regulations that have a legal impact in the field of personal data protection in organizations in the banking sector of the Russian Federation are:

Federal Law of the Russian Federation dated July 27, 2006 No. 149-FZ "On information, information technologies and information protection";

Labor Code of the Russian Federation (Chapter 14);

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;

Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems."

Let's consider the main definitions used in legislation.

Personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).

Personal data operator - a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of processing personal data, the composition of the personal data to be processed, and the actions (operations) performed with personal data;

Processing of personal data - any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Automated processing of personal data - processing of personal data using computer technology;

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite number of persons;

Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data - temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed;

Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without the use of additional information;

Information system of personal data - a set of personal data contained in databases and information technologies and technical means that ensure their processing;

Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which one can establish his identity (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data.

Security of personal data is the state of protection of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data when processed in personal data information systems.
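To make the storage-limitation principle from section 1.1 and the definitions of blocking, destruction and depersonalization concrete, here is a constructed Python example added for this page (it is not code from the thesis or from the bank). The record fields, client numbers, dates and the HMAC key are assumptions; the key plays the role of the "additional information" in the legal definition of depersonalization.

```python
"""Storage limitation and depersonalization for an ISPD (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

TODAY = date(2024, 1, 1)  # assumed "current" date for the demonstration


@dataclass
class PdRecord:
    client_no: str
    full_name: str
    passport: str
    purpose: str                   # specific, pre-defined purpose of processing
    collected_on: date
    retention_days: Optional[int]  # None: period fixed by federal law or by the agreement
    blocked: bool = False          # blocking = temporary cessation of processing
    depersonalized: bool = False
    destroyed: bool = False


class Depersonalizer:
    """Replaces identifying fields with keyed pseudonyms (HMAC-SHA256).

    The key is kept outside the ISPD. Without it a stored record cannot be
    tied to a subject; with it the operator can still check whether a given
    person stands behind a pseudonym (e.g. to answer a subject's request)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def pseudonym(self, value: str) -> str:
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]

    def matches(self, value: str, pseudonym: str) -> bool:
        return hmac.compare_digest(self.pseudonym(value), pseudonym)

    def apply(self, rec: PdRecord) -> PdRecord:
        rec.full_name = self.pseudonym(rec.full_name)
        rec.passport = self.pseudonym(rec.passport)
        rec.depersonalized = True
        return rec


def destroy(rec: PdRecord) -> PdRecord:
    """Destruction: after this the content cannot be restored from the ISPD."""
    rec.full_name = ""
    rec.passport = ""
    rec.destroyed = True
    return rec


def retention_decision(rec: PdRecord, today: date) -> str:
    """'destroyed', 'statutory' (period set by law or agreement, not decided here),
    'expired' (purpose of processing achieved) or 'keep'."""
    if rec.destroyed:
        return "destroyed"
    if rec.retention_days is None:
        return "statutory"
    deadline = rec.collected_on + timedelta(days=rec.retention_days)
    return "expired" if today >= deadline else "keep"


def enforce_storage_limitation(records: List[PdRecord], today: date,
                               dep: Depersonalizer,
                               keep_statistics: bool = False) -> Dict[str, str]:
    """Expired records are destroyed, or depersonalized when the operator still
    needs them for statistics. Returns the decision per client number."""
    decisions: Dict[str, str] = {}
    for rec in records:
        decision = retention_decision(rec, today)
        decisions[rec.client_no] = decision
        if decision == "expired":
            dep.apply(rec) if keep_statistics else destroy(rec)
    return decisions


def sample_records() -> List[PdRecord]:
    """Constructed data: an expired marketing consent, a fresh one, and a loan
    agreement whose retention period is fixed by law (not auto-destroyed)."""
    return [
        PdRecord("C-001", "Ivan Ivanov", "4501 123456", "marketing", date(2023, 1, 1), 180),
        PdRecord("C-002", "Petr Petrov", "4502 654321", "marketing", date(2023, 12, 1), 180),
        PdRecord("C-003", "Anna Sidorova", "4503 111222", "loan agreement", date(2020, 5, 5), None),
    ]


if __name__ == "__main__":
    dep = Depersonalizer(b"key-held-outside-the-ispd")
    recs = sample_records()
    print(enforce_storage_limitation(recs, TODAY, dep, keep_statistics=True))
    print(recs[0].full_name, dep.matches("Ivan Ivanov", recs[0].full_name))
```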

1.2 Classification of threats to information security of personal data.

An information security threat is understood as a threat of violation of information security properties - the availability, integrity or confidentiality of an organization's information assets.

The list of threats, an assessment of the likelihood of their implementation, as well as the model of the intruder serve as the basis for analyzing the risk of the threat’s implementation and formulating requirements for the automated system’s protection system. In addition to identifying possible threats, it is necessary to analyze the identified threats based on their classification according to a number of characteristics. Threats corresponding to each classification attribute allow us to detail the requirement reflected by this attribute.

Since the information stored and processed in modern automated systems is exposed to an extremely large number of factors, it becomes impossible to formalize the task of describing the complete set of threats. Therefore, for the protected system, not a list of threats is usually determined, but a list of threat classes.

The classification of possible threats to the information security of an automated system (AS) can be carried out according to the following basic criteria:

By nature of occurrence:

Natural threats caused by the impact on the AS of objective physical processes or natural phenomena;

Artificial threats to AS security caused by human activity.

According to the degree of intentionality of manifestation:

Threats caused by errors or negligence of personnel, for example, incorrect use of protective equipment, negligence when working with data;

Threats of deliberate action, for example, hacking of an automated system by attackers, destruction of data by employees of an organization for the purpose of revenge on the employer.

By direct source of threats:

Natural threats, such as natural disasters and man-made disasters;

Human threats, for example: destruction of information, disclosure of confidential data;

Authorized hardware and software, for example: physical hardware failure, software errors, software conflicts;

Unauthorized hardware and software, for example: the introduction of hardware implants or software implants.

By position of the threat source:

Outside the controlled area, for example, interception of data transmitted via communication channels;

Within the controlled area, for example, unauthorized copying of information, unauthorized access to the protected area;

Directly in an automated system, for example, incorrect use of AS resources.

According to the degree of dependence on AS activity:

Regardless of the activity of the AS, for example, physical theft of storage media;

Only during data processing, such as malware infection.

According to the degree of impact on the AS:

Passive threats that, when implemented, do not change anything in the structure and content of the AS, for example, the threat of copying secret data;

Active threats that, when exposed, make changes to the structure and content of the AS, for example, deleting data or modifying them.

By stages of user or program access to resources:

Threats that appear at the stage of access to AS resources, for example: threats of unauthorized access to AS;

Threats that appear after permission to access AS resources, for example, incorrect use of AS resources.

By method of accessing AS resources:

Threats carried out using the standard access path to AS resources

Threats carried out using a hidden non-standard path to access AS resources, for example: unauthorized access to AS resources by using undocumented capabilities of installed software.

According to the current location of information stored and processed in the AS:

Threats to access information located on external storage devices, for example: copying confidential information from storage media;

Threats to access information located in RAM, for example: reading residual information from RAM, access to the system area of RAM from application programs;

Threats of access to information circulating in communication lines, for example: illegal connection to communication lines for the purpose of removing information, sending modified data;

Dangerous impacts on an automated system are divided into accidental and intentional.

The causes of accidental impacts during AS operation may be:

Emergency situations due to natural disasters and power outages;

Service failures;

Software errors;

Errors in the work of maintenance personnel and users;

Interference in communication lines due to environmental influences.

The use of software errors is the most common way to violate the information security of information systems. Depending on the complexity of the software, the number of errors increases. Attackers can find these vulnerabilities and through them gain access to an organization's information system. To minimize these threats, it is necessary to constantly keep software versions up to date.

Intentional threats involve targeted actions by attackers. Attackers are divided into two types: internal attacker and external attacker. An internal attacker commits illegal actions while being within the controlled area of the automated system and can use official authority for authorized access to the automated system. An external attacker does not have access to the controlled area, but can act together with an internal attacker to achieve his goals.

There are three main threats to information security aimed directly at protected information:

Violation of confidentiality - confidential information is not changed, but becomes available to third parties who are not authorized to have access to this information. If this threat is implemented, there is a high probability that the attacker will disclose the stolen information, which may result in financial or reputational damage.

Violation of the integrity of protected information - distortion, modification or destruction of information. The integrity of information may be violated unintentionally, as a result of the incompetence or negligence of an enterprise employee. Integrity can also be violated by an attacker to achieve his own goals, for example, changing account details in an automated banking system in order to transfer funds to the attacker's account, or replacing the personal data of an organization's client in order to obtain information about the client's cooperation with the organization.

Violation of the availability of protected information or denial of service - actions in which an authorized user cannot access protected information due to reasons such as: failure of hardware, software, failure of the local computer network.

Having considered the threats to automated systems, we can proceed to the analysis of threats to the personal data information system.

Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Personal data information systems are a set of information, software and hardware elements, as well as information technologies used in the processing of personal data.

The main elements of ISPD are:

Personal data contained in databases;

Information technologies used in the processing of personal data;

Technical means that process personal data (computer equipment, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data, means and systems for sound recording, sound amplification, sound reproduction, means for producing, replicating documents and other technical means processing of speech, graphic, video and alphanumeric information);

Software (operating systems, database management systems, etc.);

ISPD information security tools;

Auxiliary technical means and systems - technical means and systems, their communications, not intended for processing personal data, but located in the premises in which the ISPD is located.

Threats to the security of personal data (hereinafter UBPDn) - a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying or distribution of personal data, as well as other unauthorized actions during their processing in the personal data information system.

The characteristics of the personal data information system that determine the emergence of UBPDn include the category and volume of personal data processed in the personal data information system, the structure of the personal data information system, the presence of ISPD connections to public communication networks and (or) international information exchange networks, the characteristics of the security subsystem for the personal data processed in the ISPD, the personal data processing modes, the modes for delimiting the access rights of ISPD users, and the location and placement conditions of the ISPD technical means.

The properties of the distribution medium of informative signals containing protected information are characterized by the type of physical environment in which the PD is distributed and are determined when assessing the possibility of implementing UBPD. The capabilities of UBPD sources are determined by a combination of methods of unauthorized and (or) accidental access to personal data, which may result in a violation of confidentiality (copying, unauthorized distribution), integrity (destruction, modification) and availability (blocking) of personal data.

A threat to the security of personal data is realized as a result of the formation of a UBPD implementation channel between the source of the threat and the carrier (source) of PD, which creates conditions for a violation of PD security.

The main elements of the UBPDn implementation channel (Figure 1) are:

Source UBPDn - subject, material object or physical phenomenon creating UBPDn;

The environment for the distribution of personal data or impacts, in which a physical field, signal, data or programs can spread and affect the protected properties of personal data;

The carrier of personal data is an individual or a material object, including a physical field in which personal data are reflected in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.

Figure 1. Generalized diagram of the channel for implementing threats to the security of personal data

PD media may contain information presented in the following forms:

Acoustic (speech) information contained directly in the spoken speech of the ISPD user when he performs the function of voice input of PD in the personal data information system, or reproduced by acoustic means of ISPD (if such functions are provided for by the PD processing technology), as well as contained in electromagnetic fields and electrical signals, which arise due to transformations of acoustic information;

Visual information (VI), presented in the form of text and images on the various devices that display information from the computer equipment, information and computing systems, and technical means for processing graphic, video and alphanumeric information included in the ISPD;

Information processed (circulating) in the ISPD in the form of electrical, electromagnetic, optical signals;

Information processed in ISPD, presented in the form of bits, bytes, files and other logical structures.

In order to form a systematized list of UBPDn when processing them in ISPD and developing private models based on them in relation to a specific type of ISPD, threats are classified in accordance with the following criteria (Figure 2):

According to the type of information containing PD protected from UBPD;

By types of possible sources of UBPDn;

By type of ISPD, which the implementation of UBPD is aimed at;

According to the method of implementation of UBPD;

By the type of information property being violated (type of unauthorized actions carried out with personal data);

By vulnerability used;

By object of influence.

According to the types of possible sources of UBPDn, the following are distinguished:

Threat classes:

Threats associated with intentional or unintentional actions of persons with access to the ISPD, including users of the personal data information system who implement threats directly in the ISPD (internal violator);

Threats associated with intentional or unintentional actions of persons who do not have access to ISPD, implementing threats from external public communication networks and (or) international information exchange networks (external intruder).

In addition, threats can arise as a result of the introduction of hardware implants and malware.

Based on the type of ISPD that the implementation of UBPD is aimed at, the following classes of threats are distinguished:

UBPDn processed in ISPDn based on an autonomous automated workstation (AWS);

UBPDn processed in ISPDn based on an automated workplace connected to the public network (to the international information exchange network);

UBPDn processed in ISPDn on the basis of local information systems without connection to the public network (to the international information exchange network);

UBPDn processed in ISPDn based on local information systems with a connection to the public network (to the international information exchange network);

UBPDn processed in ISPDn based on distributed information systems without connecting to a public network (international information exchange network);

UBPDn processed in ISPDn based on distributed information systems with connection to a public network (to the international information exchange network).

Based on the methods of implementing UBPD, the following classes of threats are distinguished:

Threats associated with unauthorized access to personal data (including threats of introducing malware);

Threats of personal data leakage through technical channels of information leakage;

Threats of special influences on ISPD.

Based on the type of unauthorized actions carried out with personal data, the following classes of threats are distinguished:

Threats leading to violation of confidentiality of personal data (copying or unauthorized distribution), the implementation of which does not directly affect the content of information;

Threats leading to unauthorized, including accidental, influence on the content of information, as a result of which PD is changed or destroyed;

Threats leading to unauthorized, including accidental, impact on software or hardware and software elements of the information system, resulting in blocking of personal information.

Based on the vulnerability used, the following threat classes are distinguished:

Threats implemented using system software vulnerabilities;

Threats implemented using application software vulnerabilities;

Threats arising from the exploitation of a vulnerability caused by the presence of a hardware implant in the system;

Threats implemented using vulnerabilities in network communication protocols and data transmission channels;

Threats arising from the exploitation of vulnerabilities caused by shortcomings in the organization of technical protection of information from unauthorized access;

Threats implemented using vulnerabilities that create technical channels for information leakage;

Threats implemented using information security vulnerabilities.

The following classes of threats are distinguished by the object of influence:

Threats to the security of personal data processed on automated workstations;

Threats to the security of personal data processed in dedicated processing tools (printers, plotters, remote monitors, video projectors, sound reproduction facilities, etc.);

Threats to the security of personal data transmitted over communication networks;

Threats to application programs that process personal data;

Threats to the system software that ensures the functioning of the ISPD.

The implementation of one of the UBPDs of the listed classes or their combination can lead to the following types of consequences for PD subjects:

Significant negative consequences for personal data subjects;

Negative consequences for personal data subjects;

Minor negative consequences for personal data subjects.

Threats of personal data leakage through technical channels are unambiguously described by the characteristics of the source of information, the distribution medium and the receiver of the information signal, that is, they are determined by the characteristics of the technical channel of personal data leakage.

Threats associated with unauthorized access (UA) are presented as a set of generalized classes of possible sources of UA threats, vulnerabilities of the ISPD software and hardware, methods of implementing the threats, objects of influence (carriers of protected information, catalogs, directories, files containing PD, or the PD themselves) and possible destructive actions. This representation is described by the following formalized notation (Fig. 2).

1.3 General characteristics of sources of threats in personal data information systems

Threats of unauthorized access to PD in the ISPD with the use of software and hardware are implemented when unauthorized, including accidental, access is carried out, resulting in a violation of the confidentiality, integrity or availability of personal data, and include:

Threats of unauthorized access to the computer operating environment using standard software (operating system tools or general application programs);

Threats of creating abnormal operating modes of software and hardware through deliberate changes to service data, ignoring the restrictions on the composition and characteristics of the processed information provided for under standard conditions, distortion (modification) of the data themselves, etc.;

Threats of introduction of malicious programs (software and mathematical influence).

Figure 2 Classification of UBPD processed in personal data information systems

The composition of the elements describing unauthorized-access threats to information in the ISPD is shown in Figure 3.

In addition, combined threats are possible, representing a combination of these threats. For example, through the introduction of malicious programs, conditions can be created for unauthorized access into the computer operating environment, including through the formation of non-traditional information access channels.

Threats of unauthorized access to the ISPD operating environment using standard software are divided into threats of direct and remote access. Direct access threats are carried out using computer software and hardware input/output tools. Remote access threats are implemented using network communication protocols.

Such threats are realized in relation to ISPD both on the basis of an automated workstation that is not included in the public communication network, and in relation to all ISPD that are connected to public communication networks and international information exchange networks.

Figure 3 Classification of UBPD processed in personal data information systems


1.3.1 General characteristics of sources of threats of unauthorized access in the personal data information system

Sources of threats in the personal data information system can be:

Intruder;

Malicious program carrier;

Hardware implant (a “hardware bookmark” in literal translation).

Threats to the security of personal data associated with the implementation of hardware implants are determined in accordance with the regulatory documents of the Federal Security Service of the Russian Federation in the manner established by it.

Based on the right of permanent or one-time access to the controlled area of the ISPD, violators are divided into two types:

Violators who do not have access to ISPD and implement threats from external public communication networks and (or) international information exchange networks are external violators;

Violators who have access to the ISPD, including ISPD users who implement threats directly in the ISPD, are internal violators.

External intruders can be:

Competing organizations;

Unscrupulous partners;

External entities (individuals).

An external intruder has the following capabilities:

Gain unauthorized access to communication channels outside the premises;

Carry out unauthorized access through automated workstations connected to public communication networks and (or) international information exchange networks;

Gain unauthorized access to information through special software influences: viruses, malware, algorithmic or software implants;

Carry out unauthorized access through elements of the ISPD information infrastructure that, during their life cycle (upgrades, maintenance, repairs, disposal), end up outside the controlled area;

Carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to the ISPD.

Internal potential violators are divided into eight categories depending on the method of access and access authority to personal data.

The first category includes persons who have authorized access to the ISPD but do not have access to PD. This type of violator includes officials who ensure the normal functioning of the ISPD. They may:

Have access to fragments of information containing personal data that are distributed through the internal communication channels of the ISPD;

Have fragments of information about the topology of the ISPD and about the communication protocols used and their services;

Know the names of registered users and be able to identify their passwords;

Change the configuration of ISPD technical means, add hardware and software implants to it, and ensure information retrieval through a direct connection to ISPD technical means.

A person of the second category:

Has all the capabilities of persons of the first category;

Knows at least one legal access name;

Has all the necessary attributes that provide access to a certain subset of personal data;

Has confidential data to which he has access.

His access, authentication and rights to access a certain subset of personal data must be regulated by the appropriate access control rules.

A person of the third category:

Has all the capabilities of persons of the first and second categories;

Has information about the topology of the ISPD based on the local and (or) distributed information system through which access is provided, and about the composition of the technical means of the ISPD;

Has the ability to direct (physical) access to fragments of ISPD technical means.

A person of the fourth category:

Has complete information about the system and application software used in the ISPD segment (fragment);

Has complete information about the technical means and configuration of the ISPD segment (fragment);

Has access to information security and logging tools, as well as to individual elements used in a segment (fragment) of an ISPD;

Has access to all technical means of the segment (fragment) of the ISPD;

Has the rights to configure and administratively set up a certain subset of technical means of a segment (fragment) of an ISPD.

A person of the fifth category (with the powers of the ISPD system administrator):

Has all the capabilities of persons of the previous categories;

Has complete information about the system and application software of ISPD;

Has complete information about the technical means and configuration of ISPD;

Has access to all technical means of information processing and ISPD data;

Has the rights to configure and administratively set up ISPD technical means.

The system administrator configures and manages the software and hardware, including the equipment responsible for the security of the protected object: cryptographic information protection tools, monitoring, logging, archiving and protection against unauthorized access.

A person of the sixth category:

Has all the capabilities of persons of the previous categories;

Has complete information about ISPD;

Has access to information security and logging tools and to some of the key elements of the ISPD;

Does not have access rights to configure network technical equipment with the exception of control (inspection) ones.

A person of the seventh category:

Has information about the algorithms and programs for processing information in the ISPD;

Has the ability to introduce errors, undeclared capabilities, software implants or malware into ISPD software at the stage of its development, implementation and maintenance;

May have any pieces of information about the topology of the ISPD and the technical means of processing and protecting the PD processed in the ISPD.

A person of the eighth category:

Has the ability to introduce implants into ISPD technical means at the stage of their development, implementation and maintenance;

May have any pieces of information about the topology of the ISPD and the technical means of processing and protecting information in the ISPD.

The malware carrier can be a computer hardware element or a software container. If the malicious program is not associated with any application program, then the following are considered as its carrier:

Removable media, i.e. floppy disks, optical disks, flash memory;

Built-in storage media (hard drives, RAM chips, the processor, motherboard chips, chips of devices built into the system unit: video adapter, network card, sound card, modem, input/output devices for magnetic hard and optical disks, power supply, etc., as well as direct memory access chips, data buses and input/output ports);

Microcircuits of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If a malicious program is associated with any application program, with files with certain extensions or other attributes, with messages transmitted over the network, then its carriers are:

Packets of messages transmitted over a computer network;

Files (text, graphic, executable, etc.).

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

The threats of unauthorized access to the computer operating environment and unauthorized access to personal data are associated with access to:

Information and commands stored in the basic input/output system (BIOS) of the ISPD, with the ability to intercept control of operating system loading and obtain the rights of a trusted user;

The operating environment, that is, the environment of the local operating system of a separate ISPD technical tool, with the ability to perform unauthorized access by calling standard operating system programs or launching specially designed programs that implement such actions;

The operating environment of application programs (for example, a local database management system);

User information directly (files, text, audio and graphic information, fields and records in electronic databases); these threats stem from the possibility of violating its confidentiality, integrity and availability.

These threats can be realized if physical access to the ISPD is obtained, or at least to the means of entering information into the ISPD. They can be combined according to the conditions of implementation into three groups.

The first group includes threats that are implemented during the loading of the operating system. These threats are aimed at intercepting passwords or identifiers, modifying the software of the basic input/output system, or intercepting control of loading and changing the necessary technological information in order to gain access to the ISPD operating environment. Most often, such threats are implemented using removable media.

The second group consists of threats that are implemented after the operating environment is loaded, regardless of which application program is launched by the user. These threats are usually aimed directly at unauthorized access to information. Having gained access to the operating environment, the attacker can use both standard features of the operating system or of a general application program (for example, a database management system), as well as programs specially created to perform unauthorized access, for example:

Programs for viewing and modifying the registry;

Programs for searching texts in text files by keywords and copying;

Special programs for viewing and copying records in databases;

Programs for quickly viewing graphic files, editing or copying them;

Programs to support the ability to reconfigure the software environment (ISPD settings in the interests of the offender).

Finally, the third group includes threats, the implementation of which is determined by which of the application programs is launched by the user, or the fact of launching any of the application programs. Most of these threats are malware threats.

1.3.3 General characteristics of threats to the security of personal data implemented using internetworking protocols

If an ISPD is implemented on the basis of a local or distributed information system, then threats to information security can be implemented in it through the use of internetworking protocols. In this case, unauthorized access to PD can be obtained or a denial-of-service threat realized. Such threats are especially dangerous when the ISPD is a distributed information system connected to public networks and (or) international information exchange networks. The classification scheme of threats implemented over the network is shown in Figure 4. It is based on the following seven primary classification criteria.

Figure 4 Classification scheme of threats using internetworking protocols

1. Nature of the threat. According to this criterion, threats can be passive or active. A passive threat is one whose implementation does not directly affect the operation of the information system but may violate the established rules for restricting access to personal data or network resources. An example is the “Network Traffic Analysis” threat, aimed at listening to communication channels and intercepting transmitted information. An active threat is one associated with an impact on ISPD resources, whose implementation directly affects the operation of the system (configuration changes, disruption, etc.) and violates the established rules for restricting access to PD or network resources. An example is the Denial of Service threat, implemented as a “TCP request storm.”

2. The purpose of implementing the threat. According to this criterion, threats can be aimed at violating the confidentiality, integrity and availability of information (including disrupting the performance of the ISPD or its elements).

3. Condition for starting the process of implementing the threat. Based on this feature, a threat can be realized:

Upon request from the object against which the threat is being implemented. In this case, the intruder expects the transmission of a request of a certain type, which will be the condition for the initiation of unauthorized access;

Upon the occurrence of an expected event at the facility in relation to which the threat is being implemented. In this case, the intruder constantly monitors the state of the ISPD operating system and, when a certain event occurs in this system, begins unauthorized access;

Unconditional impact. In this case, the beginning of unauthorized access is unconditional in relation to the purpose of access, that is, the threat is realized immediately and regardless of the state of the system.

4. Presence of feedback from the ISPD. According to this feature, a threat can be implemented with or without feedback. A threat implemented with feedback from the personal data information system is characterized by the offender needing to receive a response to some of the requests transmitted to the ISPD. Consequently, there is feedback between the violator and the ISPD that allows the violator to respond adequately to all changes occurring in it. Unlike threats implemented with feedback, threats implemented without feedback do not require any reaction to changes occurring in the information system.

5. The location of the offender relative to the ISPD. In accordance with this feature, the threat is implemented both intrasegmentally and intersegmentally.

A network segment is a physical association of hosts (ISPD hardware or communication elements with a network address). For example, a personal data information system segment forms a set of hosts connected to the server using a “common bus” scheme. In the case where there is an intra-segment threat, the intruder has physical access to the hardware elements of the ISPD. If there is an inter-segment threat, then the intruder is located outside the ISPD, implementing the threat from another network or from another segment with a personal data information system.

6. The level of the Open Systems Interconnection (ISO/OSI) reference model at which the threat is implemented. According to this feature, a threat can be implemented at the physical, data link, network, transport, session, presentation or application layer of the ISO/OSI model.

7. The ratio of the number of violators and ISPD elements against which the threat is realized. Based on this criterion, the threat can be classified as a threat implemented by one violator against one technical means of information systems (a “one-to-one” threat), against several technical means of information systems at once (a “one-to-many” threat), or by several violators from different computers against one or several technical means of ISPD (distributed or combined threats).

Taking into account the classification carried out, we will highlight the main types of attacks on the personal data information system:

1. Network traffic analysis.

This threat is implemented using special packet sniffer software that intercepts all packets transmitted over a network segment and identifies among them those that contain a user ID and password. During the implementation of the threat, the intruder studies the logic of the network - that is, he strives to obtain a one-to-one correspondence between the events occurring in the system and the commands sent by the hosts at the moment these events occur. In the future, this allows an attacker, based on the assignment of appropriate commands, to obtain privileged rights to act in the system or expand their powers in it, to intercept the flow of transmitted data exchanged between components of a network operating system in order to extract confidential or identification information, its substitution and modification.

2. Network scanning.

The essence of this threat is the transmission of requests to the network services of ISPD hosts and analysis of the responses. The goal is to identify the protocols used, the open ports of network services, the rules for forming connection identifiers, active network services, and user identifiers and passwords.

3. Threat of password revelation.

The goal of the threat is to gain unauthorized access by overcoming password protection. An attacker can implement the threat using a number of methods, such as brute force, dictionary-based guessing, installing malicious software to intercept passwords, spoofing a trusted network object, and packet interception. The threat is mostly implemented with special programs that try to gain access to the host by sequentially guessing passwords. If successful, the attacker can create an entry point for future access that remains valid even if the access password on the host is changed.
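The detection counterpart of this threat, as an added example that is not part of the thesis: the Python script below scans authentication log lines for the burst of failures that sequential guessing produces and reports whether a successful login followed the burst, which is the moment at which the entry point described above may have been created. The log format, addresses and user names are constructed for illustration and are not taken from the Bank's systems.

```python
"""Detect password guessing from authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real bank data): timestamp, outcome, user, source.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAILED user=ivanov src=10.0.5.23
2024-03-01T09:00:02 FAILED user=ivanov src=10.0.5.23
2024-03-01T09:00:02 FAILED user=petrov src=10.0.5.23
2024-03-01T09:00:03 FAILED user=admin src=10.0.5.23
2024-03-01T09:00:04 FAILED user=admin src=10.0.5.23
2024-03-01T09:00:05 FAILED user=sidorov src=10.0.5.23
2024-03-01T09:00:09 ACCEPTED user=sidorov src=10.0.5.23
2024-03-01T09:05:00 FAILED user=ivanov src=10.0.7.8
2024-03-01T09:30:00 ACCEPTED user=ivanov src=10.0.7.8
"""

# The field layout is an assumption for this example; adapt it to the real log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>FAILED|ACCEPTED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect_guessing(events, window=timedelta(minutes=1), threshold=5):
    """Flag sources whose densest run of failures inside `window` reaches
    `threshold`, and say whether a success followed that run: a success right
    after a burst is the sign that guessing worked and a backdoor may follow."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "FAILED"]
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best is None or best[0] < threshold:
            continue
        count, start, end = best
        burst_end = failures[end]["ts"]
        users = sorted({f["user"] for f in failures[start:end + 1]})
        success_after = any(
            e["outcome"] == "ACCEPTED" and timedelta(0) <= e["ts"] - burst_end <= window
            for e in evs
        )
        alerts.append({"src": src, "failures": count, "users": users,
                       "success_after_burst": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

Running the script on the sample reports one source: six failures across four accounts in a minute, followed within the same window by an accepted login, which is the case that should trigger a check of that account and host for a newly created entry point. The single failure from the second source stays below the threshold.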

4. Substitution of a trusted network object and transmission of messages via communication channels on its behalf with the assignment of its access rights.

This threat is effectively implemented in systems that use weak algorithms for identifying and authenticating hosts and users. A trusted object is a network object (computer, firewall, router, etc.) legally connected to the server. Two types of the process of implementing this threat can be distinguished: with and without establishing a virtual connection. The implementation process with the establishment of a virtual connection consists of assigning the rights of a trusted subject of interaction, which allows an intruder to conduct a session with a network object on behalf of a trusted subject. Realization of the threat of this type requires overcoming the message identification and authentication system. The process of implementing a threat without establishing a virtual connection can take place in networks that identify transmitted messages only by the sender’s network address. The essence is the transmission of service messages on behalf of network control devices (for example, on behalf of routers) about changes in routing address data.

As a result of the threat being implemented, the intruder receives the access rights set by the user for the trusted subscriber to the ISPD technical tool.

5. Imposing a false network route.

This threat is realized in one of two ways: through intra-segment or inter-segment imposition. The possibility of imposing a false route is due to shortcomings inherent in routing algorithms (in particular, the problem of identifying network control devices), as a result of which traffic can be redirected, for example, to the host or network of an attacker, from where the operating environment of a technical device within the ISPD can be entered. The threat is based on the unauthorized use of routing and network management protocols to make changes to routing and address tables. In this case, the attacker needs to send a control message on behalf of a network control device (for example, a router).

6. Introduction of a false network object.

This threat is based on exploiting flaws in remote search algorithms. If network objects initially do not have address information about each other, various remote search protocols are used, which consist of transmitting special requests over the network and receiving responses with the required information. In this case, it is possible for an attacker to intercept a search request and issue a false response to it, the use of which leads to the required change in the routing and address data. From then on, the entire flow of information associated with the victim object passes through the false network object.
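An added example, not from the thesis, showing how a false network object can be noticed from the defender's side. The thesis does not name the remote search protocol; the records below assume an ARP-like exchange (a request asking which hardware address owns a protocol address, and replies answering it), and the trusted table and all addresses are constructed. The script flags a reply that contradicts the trusted binding, a reply that nobody asked for, and a second, different answer to the same request, the last being exactly the “false response” the paragraph describes.

```python
"""Detect a false network object from address-resolution replies (added example)."""

# Constructed trusted bindings: protocol address -> hardware address of ISPD
# hosts, taken here from a hypothetical static inventory.
TRUSTED_BINDINGS = {
    "10.0.5.1": "aa:aa:aa:aa:aa:01",   # gateway
    "10.0.5.10": "aa:aa:aa:aa:aa:10",  # database server
}

# Constructed capture: (seconds, kind, target_ip, mac). A REQUEST asks which
# hardware address owns target_ip; a REPLY answers it (ARP-like, an assumption).
SAMPLE_CAPTURE = [
    (0.0, "REQUEST", "10.0.5.10", None),
    (0.1, "REPLY", "10.0.5.10", "aa:aa:aa:aa:aa:10"),
    (1.0, "REQUEST", "10.0.5.1", None),
    (1.1, "REPLY", "10.0.5.1", "aa:aa:aa:aa:aa:01"),
    (1.2, "REPLY", "10.0.5.1", "de:ad:be:ef:00:99"),    # second answer to the same request
    (30.0, "REPLY", "10.0.5.10", "de:ad:be:ef:00:99"),  # nobody asked; wrong address
]


def analyse_resolution(capture, trusted, window=2.0):
    """Return findings as (ts, target_ip, mac, reason) tuples.

    Three checks: a reply that contradicts the trusted table; a reply with no
    open request for that address within `window` seconds (unsolicited); and a
    second reply to one request naming a different hardware address
    (conflicting). Addresses absent from the trusted table are only subject
    to the last two checks."""
    open_requests = {}  # target_ip -> [request_ts, mac_of_first_reply_or_None]
    findings = []
    for ts, kind, target, mac in capture:
        if kind == "REQUEST":
            open_requests[target] = [ts, None]
            continue
        if trusted.get(target, mac) != mac:
            findings.append((ts, target, mac, "contradicts trusted binding"))
        req = open_requests.get(target)
        if req is None or ts - req[0] > window:
            findings.append((ts, target, mac, "unsolicited reply"))
        elif req[1] is None:
            req[1] = mac  # first answer to this request; remember it
        elif req[1] != mac:
            findings.append((ts, target, mac, "conflicting reply to the same request"))
    return findings


def suspect_addresses(findings):
    """Hardware addresses named in any finding: candidates for a manual check
    against the inventory or for filtering at the switch."""
    return sorted({mac for _, _, mac, _ in findings})


if __name__ == "__main__":
    for finding in analyse_resolution(SAMPLE_CAPTURE, TRUSTED_BINDINGS):
        print(finding)
```

On the sample the first four messages are clean; the fifth is both a conflicting answer and a contradiction of the inventory, and the sixth is an unsolicited reply that also contradicts it. A trusted table is what turns the conflict from “two candidates, pick one” into a decision, which is why keeping such an inventory for the ISPD's fixed hosts (gateway, database server) is worth the upkeep.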

7. Denial of service.

These threats are based on flaws in network software, its vulnerabilities that allow an attacker to create conditions when the operating system is unable to process incoming packets. Several types of such threats can be distinguished:

A hidden denial of service caused by the use of part of the ISPD resources to process packets transmitted by the attacker, with a resulting reduction in communication channel bandwidth and network device performance and violation of request processing time requirements. Examples of threats of this kind include a directed storm of ICMP echo requests, a storm of TCP connection establishment requests, and a storm of requests to an FTP server;

An obvious denial of service caused by the exhaustion of ISPD resources when processing packets transmitted by the attacker (occupying the entire bandwidth of communication channels, overflowing service request queues), in which legitimate requests cannot be transmitted through the network because the transmission medium is unavailable, or are refused service because of overflow of request queues, disk space, etc. Examples of threats of this type include a storm of broadcast ICMP echo requests, a directed storm, and a storm of messages to a mail server;

An obvious denial of service caused by a violation of logical connectivity between ISPD technical means when the offender transmits control messages on behalf of network devices, leading to changes in routing and address data or in identification and authentication information;

An obvious denial of service caused by the attacker transmitting packets with non-standard attributes or with a length exceeding the maximum allowable size, which can lead to the failure of the network devices involved in processing requests, provided that there are errors in the programs implementing the network communication protocols. The result may be disruption of the corresponding service for remote access to personal data in the ISPD. Another instance is the transmission, from a single address, of more connection requests to an ISPD technical means than it can process, which leads to overflow of the request queue and failure of one of the network services, or to a complete halt of the computer because the system can do nothing but process requests.

8. Remote launch of applications.

The threat lies in the attempt to run various pre-installed malicious programs on an ISPD host: implant programs, viruses, “network spies”, whose main purpose is to violate the confidentiality, integrity and availability of information and to gain complete control over the operation of the host. In addition, unauthorized launching of user application programs is possible for unauthorized acquisition of data needed by the intruder, for launching processes controlled by the application program, etc. There are three subclasses of these threats:

Distribution of files containing unauthorized executable code;

Remote application launch by buffer overflow of application servers;

Remote application launch by using remote system control capabilities provided by hidden software and hardware implants or by standard tools.

Typical threats of the first subclass are based on the activation of distributed files when they are accidentally opened. Examples of such files include: files containing executable code in the form of macro commands (Microsoft Word and Excel documents), HTML documents containing executable code in the form of ActiveX elements, Java applets or interpreted scripts (for example, JavaScript malware); and files containing executable program code.

Email, file transfer, and network file system services can be used to distribute files.

Threats of the second subclass take advantage of shortcomings in programs that implement network services (in particular, the absence of buffer overflow checks). By manipulating system registers, it is sometimes possible, after the interrupt caused by a buffer overflow, to switch the processor to executing code located outside the buffer boundary.

For threats of the third subclass, the attacker uses remote system control capabilities provided by hidden components or by standard tools for managing and administering computer networks. Their use makes it possible to gain remote control over a station on the network. Schematically, the main stages of operation of these programs are: installation in memory; waiting for a request from the remote host on which the client program runs, and exchanging readiness messages with it; transferring intercepted information to the client or handing it control over the attacked computer. Possible consequences of implementing threats of the various classes are shown in Table 1.

Table 1. Possible consequences of the implementation of threats of various classes

No. | Attack type | Possible consequences
1 | Network traffic analysis | Research of network traffic characteristics; interception of transmitted data, including user IDs and passwords
2 | Network scan | Determination of protocols, available ports of network services, rules for the formation of connection identifiers, active network services, user IDs and passwords
3 | “Password” attack | Execution of any destructive action associated with gaining unauthorized access
4 | Substitution of a trusted network object | Changing the route of messages, unauthorized changing of routing and address data; unauthorized access to network resources, imposition of false information
5 | Imposing a false route | Unauthorized change of routing and address data, analysis and modification of transmitted data, imposition of false messages
6 | Injection of a false network object | Interception and viewing of traffic; unauthorized access to network resources, imposition of false information
7 | Denial of service: partial exhaustion of resources | Reduced communication channel capacity and network device performance; reduced performance of server applications
  | Denial of service: complete exhaustion of resources | Inability to transmit messages due to lack of access to the transmission medium, refusal to establish a connection, refusal to provide service
  | Denial of service: violation of logical connectivity between attributes, data and objects | Inability to transmit messages due to lack of correct routing and address data; inability to receive services due to unauthorized modification of identifiers, passwords, etc.
  | Denial of service: exploitation of errors in programs | Malfunction of network devices
8 | Remote application launch: by sending files containing destructive executable code, or by overflowing the buffer of a server application | Virus infection; violation of confidentiality, integrity and availability of information
  | Remote application launch: by using remote system control capabilities provided by hidden software and hardware implants or standard tools | Hidden system control

The threat implementation process generally consists of four stages:

Collection of information;

Intrusions (penetrations into the operating environment);

Implementation of unauthorized access;

Eliminating traces of unauthorized access.

At the stage of collecting information, the offender may be interested in various information about the ISPD, including:

About the topology of the network in which the system operates. In this case, the area around the network can also be examined (for example, the attacker may be interested in the addresses of trusted but less secure hosts). There are utilities that determine host availability in parallel and can scan a large area of the address space for available hosts in a short time;

About the type of operating system (OS) in the ISPD. The simplest method of determining the OS type is a request to establish a connection using the Telnet remote access protocol: from the appearance of the response, the type of the host OS can be determined. The presence of certain services can also serve as an additional sign for determining the type of host OS;

About services running on hosts. Determining the services running on a host is based on identifying “open ports”, a method aimed at collecting information about the availability of the host.
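An added example (not code from the thesis) serving two of the passages above: the “TCP request storm” and connection-request storms listed under denial of service, and the port and host scanning described at the information-collection stage. Both detectors work on the same constructed connection records (timestamp, source, destination, port, flag); the addresses, record layout and thresholds are assumptions chosen for illustration.

```python
"""Detect a TCP connection-request storm and a port scan in connection records
(added example; records and thresholds are constructed)."""
from collections import defaultdict


def _constructed_records():
    """Build the sample: (timestamp_s, src, dst, dport, flag). Flag "S" is a
    client SYN, "A" the client's final handshake ACK. All addresses are made up."""
    recs = [
        (0.00, "10.0.5.23", "10.0.5.10", 443, "S"),  # one legitimate session
        (0.05, "10.0.5.23", "10.0.5.10", 443, "A"),
    ]
    # Port scan: one source probes twelve ports on one host within about a second.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3306, 3389]):
        recs.append((5.0 + i * 0.1, "10.0.9.9", "10.0.5.10", port, "S"))
    # SYN storm: forty different sources, forty SYNs in under a second, no ACKs.
    for i in range(40):
        recs.append((10.0 + i * 0.02, f"198.51.100.{i + 1}", "10.0.5.10", 443, "S"))
    return sorted(recs)


SAMPLE_RECORDS = _constructed_records()


def detect_syn_storm(records, window=1.0, min_syns=20, max_completion=0.2):
    """Per destination host:port, find the densest `window` of SYNs; alert when
    it holds at least `min_syns` and the share completed by an ACK is at most
    `max_completion` (a storm leaves handshakes half-open)."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport, flag in records:
        by_dst[(dst, dport)].append((ts, src, flag))
    alerts = []
    for (dst, dport), evs in by_dst.items():
        evs.sort()
        syns = [e for e in evs if e[2] == "S"]
        acks = [e for e in evs if e[2] == "A"]
        best, start = None, 0
        for end in range(len(syns)):
            while syns[end][0] - syns[start][0] > window:
                start += 1
            if best is None or end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best is None or best[0] < min_syns:
            continue
        n, start, end = best
        t0, t1 = syns[start][0], syns[end][0]
        completed = sum(1 for a in acks if t0 <= a[0] <= t1 + window)
        if completed / n <= max_completion:
            alerts.append({"dst": dst, "dport": dport, "syns": n, "completed": completed,
                           "sources": len({s for _, s, _ in syns[start:end + 1]})})
    return alerts


def detect_port_scan(records, window=5.0, min_targets=10):
    """Per source, count the distinct (host, port) pairs it sent SYNs to inside
    any `window`; alert when that reaches `min_targets`. Counting hosts as well
    as ports also catches the parallel host-availability sweep the text mentions."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flag in records:
        if flag == "S":
            by_src[src].append((ts, dst, dport))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in evs[start:end + 1]}
            if best is None or len(targets) > len(best):
                best = targets
        if best and len(best) >= min_targets:
            alerts.append({"src": src, "distinct_targets": len(best),
                           "hosts": sorted({d for d, _ in best})})
    return alerts


if __name__ == "__main__":
    print(detect_syn_storm(SAMPLE_RECORDS))
    print(detect_port_scan(SAMPLE_RECORDS))
```

On the sample, the storm detector reports forty SYNs from forty sources to the database host's port 443 with no completed handshake, and the scan detector reports the single source that touched twelve distinct ports; the legitimate session trips neither. The two signals differ in shape, many sources to one port versus one source to many ports, which is why they are kept as separate detectors over the same records.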

At the intrusion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. Successful exploitation of vulnerabilities usually results in the attacker's process gaining the processor's privileged execution mode, introducing an illegal user account into the system, obtaining the password file, or disrupting the functionality of the attacked host.

This stage of threat development is usually multiphase. The phases of the threat implementation process may include, for example: establishing communication with the host against which the threat is being implemented; vulnerability identification; introduction of a malicious program in the interests of expanding rights, etc.

Threats implemented at the intrusion stage are divided according to the levels of the TCP/IP protocol stack, since they are formed at the network, transport or application level, depending on the intrusion mechanism used. Typical threats implemented at the network and transport levels include the following:

A threat aimed at replacing a trusted object;

A threat aimed at creating a false route in the network;

Threats aimed at creating a false object using shortcomings of remote search algorithms;

Denial of service threats.

Typical threats implemented at the application level include threats aimed at unauthorized launching of applications, threats whose implementation involves the introduction of software implants, the identification of access passwords to a network or a specific host, etc. If the implementation of a threat does not give the intruder the highest access rights in the system, attempts may be made to expand these rights to the highest possible level. For this purpose, vulnerabilities not only of network services but also of the system software of ISPD hosts can be used.

At the stage of implementing unauthorized access, the goal of implementing the threat is achieved:

Violation of confidentiality (copying, unauthorized distribution);

Violation of integrity (destruction, change);

Availability violation (blocking).

At the same stage, after these actions, a so-called “back door” is usually formed in the form of a service that listens on a certain port and executes the intruder's commands. The “backdoor” is left in the system to ensure: the ability to gain access to the host even if the administrator eliminates the vulnerability used to implement the threat; the ability to gain access to the host as covertly as possible; and the ability to gain access to the host quickly (without repeating the threat implementation process). A “backdoor” allows an attacker to introduce a malicious program into the network or onto a specific host, for example a “password analyzer” (a program that extracts user IDs and passwords from network traffic when high-level protocols are running). The objects of malware injection can be authentication and identification programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of eliminating traces of the threat, an attempt is made to destroy traces of the intruder’s actions. In this case, the corresponding entries are deleted from all possible audit logs, including entries about the fact of collecting information.

1.4 Characteristics of the Bank and its activities

PJSC Citibank is a financial and credit organization of the Banking system of the Russian Federation, carrying out financial transactions with money and securities. The bank provides financial services to individuals and legal entities.

The main areas of activity are lending to legal entities and individuals, servicing accounts of corporate clients, attracting public funds into deposits, operations in the foreign exchange and interbank markets, investments in bonds and bills.

The Bank has been carrying out its financial activities since August 1, 1990, on the basis of the General License of the Bank of Russia for banking activities No. 356.

The Bank has three personal data information systems:

Information system for personal data of Bank employees - allows you to identify 243 subjects of personal data;

Information system of personal data of the access control and management system - allows you to identify 243 subjects of personal data;

Personal data information system of the automated banking system - allows you to identify 9681 personal data subjects.

1.5 Personal data databases

The Bank needs to protect several personal data information systems at once, namely:

Information system of personal data of Bank employees;

Personal data information system of the access control and management system;

Information system of personal data of the automated banking system.

1.5.1 Information system of personal data of employees of the organization

The ISPD of Bank employees is used to pay salaries to Bank employees, automate the work of HR department employees, automate the work of Bank accounting employees and resolve other personnel and accounting issues. It consists of the 1C “Salary and Personnel Management” database, located on a separate automated workstation to which network connections are possible. The workstation is located in the office of the HR department. The Microsoft Windows XP operating system is installed on the workstation. The workstation has no connection to the Internet.

The following personal data is stored in the ISPD:

Full Name;

Date of Birth;

Passport series and number;

Phone number;

The following have the right to work with 1C “Salary and Personnel Management” software and the personal data database:

Chief Accountant;

Chief accountant's assistant;

Head of HR Department;

An employee responsible for calculating wages for Bank employees.

Manual data modification;

1.5.2 Personal data information system of access control and management system

The personal data information system of the access control and management system is used to store personal data of employees and visitors of the Bank who have access to various premises of the Bank. The access control and management system ISPD is used by the Bank's security department. The ISPD database is installed on an automated workstation located in the security room of the security department. The Microsoft Windows 7 operating system is installed on the ISPD workstation, and Microsoft SQL Server 2012 is used as the database management system. The ISPD workstation has no access to the local network and no access to the Internet.

The following personal data is stored in the ISPD:

Full Name;

Employee photo.

The following have the right to work with ISPD access control and management systems:

Head of the Bank's Security Department;

Deputy Head of the Bank's Security Department;

Employees of the Bank's security department.

Access to the automated workstation of the access control and management system is available to:

System administrators, for administering the automated workstation and 1C software “Salary and Personnel Management” and the personal data database;

Employees of the department responsible for information security of the Bank to administer the automated workplace information security system.

In the ISPD of bank employees the following functions can be performed:

Automated deletion of personal data;

Manual deletion of personal data;

Manual data modification;

Manually adding personal data;

Automated search of personal data.

The personal data information system stores data that allows the identification of 243 Bank employees.

After achieving the goals of processing the employee’s personal data, his personal data is deleted from the ISPD.

1.5.3 Personal data information system of the automated banking system

The personal data information system of the automated banking system is designed to automate the work of the majority of bank employees. It allows you to increase employee productivity. The complex of software products “CFT-Bank”, produced by the group of companies “Center for Financial Technologies”, is used as an automated banking system. Oracle software is used as a database management system. The ISPD is deployed on the Bank's server, the operating system installed on the server is Microsoft Windows Server 2008 R2. The ISPD of the automated banking system is connected to the bank's local computer network, but does not have access to the Internet. Users are connected to the ISPD database using CFT-Bank software products from dedicated virtual terminals. Each user has his own login and password in the ISPD.

Personal data processed in ISPDn:

Full Name;

Date of Birth;

Passport series and number;

Phone number;

The following have the right to work with the CFT-Bank software and the personal data database:

Accounting staff;

Credit department employees;

Risk management department employees;

Collateral Department employees;

Personal managers;

Client managers;

Security department staff.

Access to the automated workstation is available to:

System administrators, for administering the server, personal data database and CFT-Bank software;

Employees of the department responsible for information security of the Bank for administering the server, personal data database and CFT-Bank software.

In the ISPD of bank employees the following functions can be performed:

Automated deletion of personal data;

Manual deletion of personal data;

Manually adding personal data;

Manual data modification;

Automated search of personal data.

The personal data information system stores data that allows the identification of 243 Bank employees and 9,438 Bank clients.

After achieving the goals of processing the employee’s personal data, his personal data is deleted from the ISPD.

1.6 Design and threats of the Bank’s local computer network

The bank has deployed a client-server network. The name of the domain containing user workstations is vitabank.ru. In total, the bank has 243 automated user workstations, as well as 10 virtual servers and 15 virtual workstations. The system administration department monitors the performance of the network. The network is built primarily on Cisco network equipment. Communication with additional offices is maintained using VPN channels using the Internet through the current and backup channels of the Internet provider. The exchange of information with the Central Bank occurs through a dedicated channel, as well as through regular communication channels.

All users have access to the Internet on local workstations, but work with documents and information systems of the Bank is carried out only using virtual workstations, where Internet access is limited and only local Bank resources are loaded.

Access to the Internet from local workstations is delimited by access groups:

Minimum access - access only to the resources of federal services and to the website of the Bank of Russia;

Regular access - all resources are allowed except entertainment sites and social networks; viewing videos and downloading files is prohibited;

Full access - all resources and file downloads are allowed.

Filtering of resources by access groups is implemented by a proxy server.
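The three access groups above can be expressed as a policy that a filtering proxy evaluates for every request. The following Python model is an added example, not the Bank's proxy configuration: the group names follow the text, while every domain list, the download-extension list and the sample request log are constructed placeholders. It also shows the one case the text does not mention, a user with no assigned group, which a proxy should treat as deny rather than fall through to allow.

```python
"""Model of the Bank's three Internet access groups as enforced on a filtering proxy.

Added example, not the Bank's proxy configuration. The group names come from
the text; every domain list, the download-extension list and the sample
request log below are constructed placeholders.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed allow-list for the "minimum access" group: federal services and
# the Bank of Russia site (placeholder domains, not an authoritative list).
FEDERAL_DOMAINS = ("cbr.ru", "federal-service.example")

# Constructed deny categories for the "regular access" group.
ENTERTAINMENT_DOMAINS = ("games.example", "fun-portal.example")
SOCIAL_DOMAINS = ("social-net.example",)
VIDEO_DOMAINS = ("video-host.example",)
# A download is recognised by the requested file's extension (constructed list).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".rar", ".7z", ".iso")


def _host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of it
    (so 'evilcbr.ru' does not match 'cbr.ru')."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(group, url):
    """Return (verdict, reason) for a request by a user in the given access group."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "deny", "malformed url"
    if group == "minimum":
        if _host_in(host, FEDERAL_DOMAINS):
            return "allow", "federal resource"
        return "deny", "outside the federal allow-list"
    if group == "regular":
        if _host_in(host, ENTERTAINMENT_DOMAINS):
            return "deny", "entertainment resource"
        if _host_in(host, SOCIAL_DOMAINS):
            return "deny", "social network"
        if _host_in(host, VIDEO_DOMAINS):
            return "deny", "video"
        if parts.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            return "deny", "file download"
        return "allow", "regular resource"
    if group == "full":
        return "allow", "full access"
    # A user without an assigned group gets nothing: the proxy must never
    # fall through to "allow" because a group mapping is missing.
    return "deny", "unknown access group"


# Constructed proxy request log: (user, access group, requested URL).
SAMPLE_REQUESTS = [
    ("ivanov", "minimum", "https://www.cbr.ru/statistics/"),
    ("ivanov", "minimum", "https://social-net.example/feed"),
    ("petrov", "regular", "https://docs.vendor.example/manual.html"),
    ("petrov", "regular", "https://files.vendor.example/setup.exe"),
    ("petrov", "regular", "https://clips.video-host.example/watch?v=1"),
    ("admin1", "full", "https://files.vendor.example/setup.exe"),
    ("guest", None, "https://docs.vendor.example/"),
]


def filter_requests(requests=SAMPLE_REQUESTS):
    """Evaluate each request; return per-request verdicts and a tally of deny reasons."""
    verdicts = []
    reasons = Counter()
    for user, group, url in requests:
        verdict, reason = decide(group, url)
        verdicts.append((user, verdict, reason))
        if verdict == "deny":
            reasons[reason] += 1
    return verdicts, reasons


if __name__ == "__main__":
    for entry in filter_requests()[0]:
        print(entry)
```

The suffix match in `_host_in` is the detail that matters most: matching on `"cbr.ru" in host` would let a look-alike domain through the minimum-access group.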

Below is a diagram of the network of PJSC Citibank (Fig. 5).

1.7 Information security measures

Information security means are a set of engineering, electrical, electronic, optical and other devices, instruments and technical systems, as well as other elements used to solve various information protection problems, including preventing leaks and ensuring the security of protected information.

Information security measures in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:

Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) which use hardware to solve information security problems. They prevent access to information, including by masking it. Hardware includes noise generators, surge protectors, scanning radios and many other devices that “block” potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors, and high resistance to modification. Weaknesses: insufficient flexibility, relatively large size and weight, high cost.

Figure 5 Network diagram of PJSC Citibank

Software tools include programs for user identification, access control, information encryption, removal of residual (working) information such as temporary files, test control of the security system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, ability to modify and develop. Disadvantages - limited network functionality, use of part of the resources of the file server and workstations, high sensitivity to accidental or intentional changes, possible dependence on the types of computers (their hardware).

Mixed hardware-software means implement the same functions as hardware and software taken separately, and have intermediate properties.

All office premises of the Bank are controlled by the security service using an access control and management system, as well as a video surveillance system. Entry to the Bank's office premises is subject to the appropriate permissions in the access control and management system. An employee upon hiring, or a visitor to the Bank who needs access to the Bank's office premises, is issued a contactless Proximity card on which a user identifier is recorded; when the card holder attempts to enter an office room, this identifier is transferred to the access control and management system. The system compares the list of premises the card holder is allowed to enter with the room he wants to enter and allows or denies entry.

The Bank's workstations are equipped with anti-virus software Kaspersky Endpoint Security 10, which has a certificate of compliance with FSTEC of Russia No. 3025, valid until November 25, 2019; the virus signature database is updated centrally by the server part of the anti-virus installed on a server located in the Bank.

To organize electronic document flow with the Central Bank, the Bank has established a dedicated communication line.

To organize electronic document flow with federal services (Federal Tax Service, Pension Fund of Russia, Financial Monitoring Service, etc.), an electronic signature is used. To work with electronic signatures, specialized software is installed on the local workstations of performers responsible for document flow with federal services:

Crypto-Pro CSP;

Crypto-ARM;

CIPF Verba-OW;

CIPF Validata;

Signal-COM CSP.

Which of these programs a given employee uses depends on the requirements of the particular federal authority.

At the border of the local network the Bank has a Cisco ASA 5512 firewall manufactured by Cisco Corporation. Critical banking systems (the Bank of Russia Client Workstation, SWIFT, the Bank’s ISPDn) are additionally separated from the Bank’s local network by Cisco firewalls. VPN tunnels for communication with the additional office are also organized on Cisco firewalls.

1.8 Organizational protection measures

According to a study conducted by the British auditing and consulting company Ernst & Young in 2014, 69 percent of the companies participating in the study consider company employees to be the main source of information security threats.

Company employees may, out of ignorance or their incompetence in the field of information security, disclose critical information necessary to carry out targeted attacks on the organization. Attackers also send phishing messages with embedded malicious software, which allows attackers to gain control of an employee’s workplace and from this workplace launch an attack on the Bank’s information systems.

Therefore, in the Bank, the information security department is obliged to carry out work to train Bank employees in the fundamental principles of information security, monitor compliance with security requirements when working in the workplace, and inform Bank employees about new information security threats that they may encounter.

At PJSC Citibank, all employees undergo induction training upon employment. New employees and employees transferred from other structural divisions also undergo initial training in the information security department, during which they are taught the basic information security rules for working with the Bank’s information systems, the security rules for working on the Internet and with the Bank’s e-mail, and the Bank’s password policy.

Employees of the Bank's information security department participate in the development and implementation of new information systems of the Bank at all levels of system development.

At the stage of system design and drawing up technical specifications for the development of an information system, the information security department sets security requirements for the system.

At the information system development stage, information security department employees study current documentation and test the software for possible vulnerabilities in the program code.

At the stage of testing and commissioning of an information system, the information security department actively participates in testing the information system, conducts penetration tests into the information system and denial of service tests, and also distributes access rights to the information system.

At the stage of operation of an information system that has already been put into operation, the information security department conducts monitoring and identifies suspicious activity.

At the stage of finalizing the information system, the information security department, based on the data obtained during the operation of the information system, builds new requirements for the information system.

The Information Security Department at PJSC Citibank coordinates all requests for access to resources on the Internet, as well as to the Bank’s internal resources.

1.9 Personal data processing cycle

Personal data stored in the Bank is obtained only legally.

The received personal data of a Bank employee is processed only for the Bank to fulfill its obligations under the agreement concluded with the employee. Personal data of the Bank employee was obtained from the employee himself. All Bank employees are familiarized, against signature, with the Bank documents establishing the procedure for processing personal data of Bank employees, as well as their rights and obligations in this area.

Personal data of Bank employees stored in the access control and management system ISPD are intended for the employee’s access to the workplace.

Personal data of the Bank's clients stored in the information system of the automated banking system is processed there only for the Bank to fulfill its obligations under the agreement concluded with the Bank's client. Also, the ISPD of the automated banking system processes personal data of persons who have not entered into an agreement with the Bank, but obtained legally, for example, personal data received and processed at the request of Federal Law No. 115-FZ of August 7, 2001 “On Combating the Legalization (Laundering) of Income obtained by criminal means and the financing of terrorism.”

After achieving the purposes of processing personal data, they are destroyed or anonymized.

2. DEVELOPMENT OF MEASURES FOR PROTECTING PERSONAL DATA IN THE BANK

At Citibank PJSC, the personal data protection system is regulated both by state-level laws and local regulations (for example, “Rules for remote banking services for legal entities and individual entrepreneurs in Citibank PJSC” in Appendix 1).

PJSC Citibank’s personal data protection system is sufficiently developed to avoid simple attacks such as phishing and infection of workstations with ransomware viruses, but it is not able to withstand targeted attacks aimed at stealing personal data.

I carried out work to rebuild and modernize the personal data protection system.

2.1 Measures to protect the bank’s local computer network and personal data information system

The network of PJSC Citibank has pronounced weaknesses, using which attackers can obtain full access to the bank’s network and seize control over it, after which they will be able to freely steal, change or delete personal data of clients or Bank employees.

Since the Bank’s network represents one single segment, to minimize the risk of intruders penetrating the Bank’s network, it must be divided into several segments using virtual network technology.

The concept of virtual network technology (VLAN) is that the network administrator can create logical groups of users in the network regardless of which part of the network they are connected to. Users can be united into logical work groups, for example, based on the commonality of the work being performed or the task being solved together. Groups of users can then interact with each other or be completely invisible to each other. Group membership can be changed, and a user can be a member of several logical groups.

Virtual networks form logical broadcast domains, restricting the passage of broadcast packets across the network, much as routers isolate broadcast traffic between network segments. In this way a virtual network prevents broadcast storms, because broadcast messages are limited to the members of the virtual network and cannot be received by members of other virtual networks. Virtual networks can allow access to members of another virtual network where this is necessary to reach shared resources, such as file servers or application servers, or where a common task requires the interaction of different services, such as the credit and payment departments.

Virtual networks can be created based on switch ports, on the physical addresses of devices included in the network, and on the logical addresses of layer 3 protocols of the OSI model. The advantage of virtual networks is the high operating speed of switches, since modern switches contain a specialized set of integrated circuits designed specifically for switching at the second level of the OSI model.

Layer 3 virtual networks are the simplest to set up, provided that no reconfiguration of network clients is required, but the most difficult to administer, because any change to a network client requires reconfiguring either the client itself or the router; they are also the least flexible, since routing is required to connect virtual networks, which increases the cost of the system and reduces its performance.

Thus, the creation of virtual networks in the Bank will prevent ARP-spoofing attacks. Attackers will not be able to intercept information passing between the server and client. When infiltrating the network, attackers will not be able to scan the entire Bank network, but only the network segment to which they gained access.
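Segmentation confines ARP spoofing to the segment the attacker sits in, so the remaining detection task is per VLAN: watch ARP replies and raise an alert when an IP address changes its MAC or one MAC starts answering for several addresses. The monitor below is an added example, not part of the thesis; it assumes a collector (for example a sensor on a switch monitoring port) feeds lines of the form `<vlan> <ip> <mac>`, and the observations it processes are constructed.

```python
"""Detection of ARP-spoofing symptoms from ARP replies observed on each VLAN.

Added example, not from the thesis. It assumes a collector feeds lines of the
form "<vlan> <ip> <mac>"; the observations below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed ARP reply observations. In VLAN 10 the host at ...:25 starts
# answering for the gateway address 10.10.10.1; VLAN 20 is unaffected.
ARP_OBSERVATIONS = """\
10 10.10.10.1  00:11:22:33:44:01
10 10.10.10.25 00:11:22:33:44:25
10 10.10.10.1  00:11:22:33:44:25
20 10.10.20.1  00:11:22:33:44:02
20 10.10.20.7  00:11:22:33:44:07
"""


def parse_observation(line):
    """Parse '<vlan> <ip> <mac>' into (int, str, str); raise ValueError on bad input."""
    vlan, ip, mac = line.split()
    ipaddress.ip_address(ip)  # validates the address text, raises ValueError otherwise
    mac = mac.lower()
    if len(mac.split(":")) != 6 or len(bytes.fromhex(mac.replace(":", ""))) != 6:
        raise ValueError(f"bad mac {mac!r}")
    return int(vlan), ip, mac


class ArpMonitor:
    """Keeps the learned IP-to-MAC binding per VLAN and reports contradictions."""

    def __init__(self):
        self.bindings = {}              # (vlan, ip) -> mac last seen answering for ip
        self.claims = defaultdict(set)  # (vlan, mac) -> set of ips that mac answers for

    def observe(self, vlan, ip, mac):
        """Record one ARP reply; return a list of alert strings (empty if consistent)."""
        alerts = []
        previous = self.bindings.get((vlan, ip))
        if previous is not None and previous != mac:
            alerts.append(f"vlan {vlan}: {ip} moved from {previous} to {mac}")
        self.bindings[(vlan, ip)] = mac
        self.claims[(vlan, mac)].add(ip)
        if len(self.claims[(vlan, mac)]) > 1:
            ips = ", ".join(sorted(self.claims[(vlan, mac)]))
            alerts.append(f"vlan {vlan}: {mac} answers for several addresses: {ips}")
        return alerts


def scan(observations=ARP_OBSERVATIONS):
    """Run the monitor over a block of observation lines and collect all alerts."""
    monitor = ArpMonitor()
    alerts = []
    for line in observations.splitlines():
        if line.strip():
            alerts.extend(monitor.observe(*parse_observation(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

Both alerts come from the third line, and nothing is reported for VLAN 20 because bindings are keyed by VLAN. A legitimate NIC replacement or a router that owns several addresses (a redundancy protocol, for instance) will also trigger these rules, so alerts for known gateway MACs should be reconciled against the inventory before being treated as incidents.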

When infiltrating the Bank's network, attackers will first scan the network to find critical network nodes. These nodes are:

Domain controller;

Proxy server;

Mail server;

File server;

Applications server.

Since the Bank's local network will be organized using virtual network technology, attackers will not be able to detect these nodes without additional actions. In order to make it difficult for attackers to find critical nodes of the local network and confuse them, and in the future to study the strategy of attackers when carrying out an attack on the network, it is necessary to use false objects that will attract attackers. These objects are called Honeypots.

The task of a Honeypot is to be subject to an attack or unauthorized research, which will subsequently make it possible to study the strategy of attackers and determine a list of means by which attacks can be made on real-life security objects. A Honeypot implementation can be either a special dedicated server or a single network service whose task is to attract the attention of hackers.

A honeypot is a resource that does nothing without being acted upon. Honeypot collects a small amount of information, after analysis of which it builds statistics on the methods used by hackers, and also determines the presence of any new solutions that will subsequently be used in the fight against them.

For example, a web server that has no name and is virtually unknown to anyone should have no legitimate visitors, so everyone who tries to break into it is a potential attacker. The honeypot collects information about the behavior of these attackers and the methods they use against the server. The information security department then gathers this information about the attack on the resource and develops strategies for repelling such attacks in the future.
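A decoy of the kind just described needs very little: accept a connection, record who connected and what they asked for, answer with something harmless, and tally the records so the security department can see which sources and which requests dominate. The listener below is an added example, not the Bank's honeypot; the decoy response, the in-process probe helper and the sample records are constructed.

```python
"""Low-interaction decoy web service that records connection attempts and tallies them.

Added example, not the Bank's honeypot. Nothing legitimate should connect to a
nameless server, so every record is a lead for the information security
department. The sample records are constructed.
"""
import socket
import time
from collections import Counter

# Harmless answer so that scanners see a live but uninteresting service.
DECOY_RESPONSE = b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def handle_connection(conn, peer, max_bytes=512, timeout=3.0):
    """Read the first bytes a client sends, answer with the decoy page, return a record."""
    conn.settimeout(timeout)
    data = b""
    try:
        data = conn.recv(max_bytes)
        conn.sendall(DECOY_RESPONSE)
    except (socket.timeout, OSError):
        pass  # a scanner that connects and drops is still worth recording
    finally:
        conn.close()
    request_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace") if data else ""
    return {"time": time.time(), "src": peer[0], "sport": peer[1],
            "request": request_line, "bytes": len(data)}


def serve(host, port, sink, max_connections=None):
    """Accept connections on host:port and append one record per connection to sink."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        count = 0
        while max_connections is None or count < max_connections:
            conn, peer = srv.accept()
            sink.append(handle_connection(conn, peer))
            count += 1


def simulate_probe(payload, peer=("203.0.113.5", 40000)):
    """Drive handle_connection over an in-process socket pair (demo and test helper)."""
    server_side, client_side = socket.socketpair()
    with client_side:
        if payload:
            client_side.sendall(payload)
        else:
            client_side.shutdown(socket.SHUT_WR)  # connect-and-drop scanner
        record = handle_connection(server_side, peer)
        response = client_side.recv(256)
    return record, response


def summarize(records, top=5):
    """Statistics the security department reviews: who probed and what they asked for."""
    return {
        "connections": len(records),
        "sources": Counter(r["src"] for r in records).most_common(top),
        "requests": Counter(r["request"] for r in records if r["request"]).most_common(top),
    }


# Constructed records, as if collected by serve() over one night.
SAMPLE_RECORDS = [
    {"time": 0, "src": "203.0.113.5", "sport": 40001, "request": "GET /admin HTTP/1.1", "bytes": 40},
    {"time": 1, "src": "203.0.113.5", "sport": 40002, "request": "GET /wp-login.php HTTP/1.1", "bytes": 44},
    {"time": 2, "src": "198.51.100.9", "sport": 5555, "request": "", "bytes": 0},
    {"time": 3, "src": "203.0.113.5", "sport": 40003, "request": "GET /admin HTTP/1.1", "bytes": 40},
]

if __name__ == "__main__":
    print(simulate_probe(b"GET /admin HTTP/1.1\r\nHost: decoy\r\n\r\n")[0])
    print(summarize(SAMPLE_RECORDS))
```

To run it as a real decoy, call `serve("0.0.0.0", 80, records)` on a host that is in the inventory only as a honeypot, and never on a system that also carries real data: the value of the decoy is that every connection to it is suspicious by definition.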

To control information incoming from the Internet and detect threats to information security at the stage of their transmission over the network, as well as detect the activity of intruders who have penetrated the Bank’s local network, it is necessary to install an intrusion prevention system at the edge of the network.

An intrusion prevention system is a software or hardware network and computer security system that detects intrusions or security breaches and automatically protects against them.

Intrusion Prevention Systems can be considered an extension of Intrusion Detection Systems, since the task of tracking attacks remains the same. However, they differ in that the intrusion prevention system monitors activity in real time and quickly implements actions to prevent attacks.

Intrusion detection and prevention systems are divided into:

Network intrusion prevention systems - analyze traffic directed to the organization’s network, passing through the network itself or directed to a specific computer. Intrusion detection and prevention systems can be implemented by software or hardware-software methods, installed on the perimeter of the corporate network and sometimes inside it.

Personal intrusion prevention systems are software that is installed on workstations or servers and allows you to monitor application activity, as well as monitor network activity for possible attacks.

A network intrusion prevention system was selected for deployment in the Bank's network.

Network intrusion systems from IBM, Check Point, Fortinet, and Palo Alto were considered, since the declared functionality of the manufacturers of these systems met the requirements of the Bank’s information security department.

After deploying test benches and testing the intrusion prevention systems, the Check Point system was chosen, as it showed the best performance, the best subsystem for detecting virus software transmitted over the local network, the best tools for logging important events, and the best purchase price.

IBM's intrusion prevention system was rejected because the cost of the devices exceeded the information security department's budget for purchasing the intrusion prevention system.

Fortinet's intrusion prevention system was rejected due to incomplete response when information security department employees performed tests to transfer infected files and insufficiently informative tools for logging important events.

Palo Alto's intrusion prevention system was rejected because it lacked meaningful event logging, was too complex to use, and acted more like a router.

The Check Point intrusion prevention system was chosen for implementation into the local network. This system has demonstrated a high level of detection of information security threats, flexible settings, the ability to expand functionality by purchasing additional software modules, has a powerful logging system for important events and powerful tools for providing incident reports, with the help of which it is much easier to investigate information security incidents that have occurred.

A diagram of the Citibank PJSC network with a modified architecture is presented in Figure 6.

2.2 Software and hardware protection

The security of personal data cannot be ensured by network protection alone, because attackers, despite all measures taken to protect the network, may still gain access to the Bank’s network.

Figure 6 Network diagram of Citibank PJSC with additional protection systems

For protection that is more resistant to attack, it is necessary to supplement the network protection devices with software and hardware means for protecting local workstations, virtual workstations, and virtual and physical servers.

As is well known, antivirus programs do not provide complete protection against malicious software, since they work on the principle of signature analysis. An antivirus vendor employs experts who monitor virus activity on the Internet, study the behavior of malicious software on test stations, and create signatures that are then delivered to users' computers through updates of the antivirus signature databases. Having received an updated signature database, the antivirus checks the files on the user's workstation for signs of malicious software; if such signs are found during the scan, the antivirus reports this and acts according to the settings set by the user or the antivirus administrator.

Thus, if a piece of malicious software has not yet been detected and analyzed by the experts of the antivirus vendor, the antivirus will not be able to detect it and will take no action, considering the scanned file safe. Therefore, to reduce the likelihood of malicious software entering the network and being launched, the Bank installed a second circuit of anti-virus protection. Since antivirus vendors mostly work independently of each other, malicious software that has not yet been detected by one vendor may already have been detected by another, which may already have created signatures for the detected threat.

To implement this scheme, a virtual workstation was created on which the Dr.Web Enterprise Security Suite antivirus was installed; it has certificate of conformity of FSTEC of Russia No. 2446, valid until September 20, 2017. All files that Bank employees download during their work are delivered to this station and scanned by the antivirus. If malicious software is detected, the antivirus sends a letter to the information security department with the name of the threat and the path where the infected file is stored, and the department's employees take measures to remove the malicious software. If a downloaded file passes the anti-virus scan, the user who downloaded it submits a request to the information security department, and the department's employees transfer the downloaded file to the user.

Also, a large amount of malicious software is sent to Bank employees by email. These can be regular encryption viruses or malicious software that allows attackers to penetrate the infected computer of a Bank employee using a remote connection.

To minimize the risks of such threats, ClamAV anti-virus software, designed to protect mail servers, was installed on the Bank's mail server.

To protect against unauthorized access by internal attackers who somehow learned the password of a user of a local station that has access to personal data information systems, it is necessary to install an information protection system against unauthorized access on the local workstations of users working with personal data information systems.


Training of Bank employees is carried out by a specialist from the information security department.

An employee of the information security department conducts training in a designated division of the Bank. After the training, department employees pass tests in which they confirm the knowledge acquired during the training.

The basic security policy regulates training in each department at least four times a year.

Also, in parallel with employee training, employees of the information security department are required to send information letters to all Bank employees at least once a month, which describe the basic security rules and new threats to the Bank’s information security, if any are detected.

2.3.2 Procedure for employee access to Internet resources

The Bank has created 3 Internet access groups, but this division of access is ineffective: an employee, in order to perform his job duties, may need information from a network resource that belongs to the full access group, and then he would have to be given full access to the Internet, which is unsafe.

Group 6: downloading archives - the group does not provide any access to Internet resources;

Group 7: downloading executable files - the group does not provide any access to Internet resources;

Group 8: full access to the Internet - full access to Internet resources, downloading any files.

To gain access to Internet resources, an employee creates a request through the ServiceDesk system and, after approval by the head of the department or department and an employee of the information security department, the employee is granted access to Internet resources according to the requested group.

2.3.3 Procedure for employees’ access to internal bank resources

The main documents related to an employee’s work are located at his local workplace or in the automated system in which he works. Each division of the Bank also has a section on the Bank’s file server in which information needed by several employees of the division is stored, as well as files that are too large to send by the Bank’s e-mail.

When a new employee gets a job at the Bank, his direct supervisor sends an application through the ServiceDesk system to the system administration department for access to an internal bank resource, and after approval of the application by an employee of the information security department, the employee of the system administration department gives the new employee access to the requested resource.

Situations often arise in which the work of several divisions of the Bank intersects, and in order to exchange information these divisions need a separate section on the Bank’s file server.

To create this section, the project manager (the head of one of the departments involved in the project) creates a request through the ServiceDesk system for the creation of a shared resource and for access to this resource for the employees of his department working on the joint project and for the head of the department with which he collaborates within the project. After approval by the Information Department employee, the System Administration Department employee creates the requested resource and grants access to it to the requested employees. Each head of a department participating in the project requests access only for those employees who are subordinate to him.

2.3.4 Procedure for employees to use email

Previously, before the creation of a basic security policy, each employee himself determined the degree of danger of letters and files received by e-mail from external mail servers.

After the creation of the basic security policy, each user is required to send every file received by email from external mail servers to the information security department to be checked for malicious software; the employee still assesses the degree of danger of the letters themselves independently. If a Bank employee suspects that an incoming message contains spam or phishing, he is obliged to send the letter in full, that is, with all the service information about the sender, his mailbox and IP address, to the information security department. After analyzing a suspicious letter and confirming the threat, the information security department forwards the sender's address to the system administration department, and an employee of the system administration department blacklists the sender's address.
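As an added illustration of the handling described above (example code written for this edit, not the Bank's or the thesis author's), the following Go program parses a constructed suspicious letter with its full header chain, extracts the sender's mailbox and domain and the IP addresses from the Received headers, and keeps the blacklist that the system administration department maintains once the information security department has confirmed the threat. The message text, addresses and IP ranges are constructed for the example, and the struct and function names are assumptions.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// sampleRaw is a constructed suspicious message (not a real letter) with the
// full header chain an employee would forward to the information security
// department. Addresses and IPs use documentation ranges.
const sampleRaw = `Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.bank.example (Postfix) with ESMTP id 4X1Y2Z
    for <employee@bank.example>; Mon, 15 Jan 2024 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with SMTP; Mon, 15 Jan 2024 09:59:58 +0000
From: "Payroll Department" <payroll@bank-example.com>
To: employee@bank.example
Subject: Urgent: confirm your account details
Message-ID: <20240115095958.1@bank-example.com>

Please open the attached form and confirm your account details today.
`

// SenderInfo is what the security department needs to decide on a letter:
// the mailbox and domain claimed in From, and the relay chain from Received.
type SenderInfo struct {
	Address string
	Domain  string
	HopIPs  []string // newest hop first; the last entry is the origin
}

var ipRe = regexp.MustCompile(`\[(\d{1,3}(?:\.\d{1,3}){3})\]`)

// ExtractSender parses the full message and pulls out the sender details.
func ExtractSender(raw string) (SenderInfo, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return SenderInfo{}, err
	}
	addr, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return SenderInfo{}, err
	}
	info := SenderInfo{Address: strings.ToLower(addr.Address)}
	if i := strings.LastIndex(info.Address, "@"); i >= 0 {
		info.Domain = info.Address[i+1:]
	}
	for _, rcv := range msg.Header["Received"] { // in order of appearance
		for _, m := range ipRe.FindAllStringSubmatch(rcv, -1) {
			if n := len(info.HopIPs); n == 0 || info.HopIPs[n-1] != m[1] {
				info.HopIPs = append(info.HopIPs, m[1])
			}
		}
	}
	return info, nil
}

// OriginIP is the address of the earliest hop, i.e. where the letter entered
// the mail system (assuming the Received chain was not forged).
func (s SenderInfo) OriginIP() string {
	if len(s.HopIPs) == 0 {
		return ""
	}
	return s.HopIPs[len(s.HopIPs)-1]
}

// Blocklist is the blacklist kept by the system administration department.
type Blocklist struct {
	Addresses map[string]bool
	IPs       map[string]bool
}

func NewBlocklist() *Blocklist {
	return &Blocklist{Addresses: map[string]bool{}, IPs: map[string]bool{}}
}

// Block records a sender after the security department confirmed the threat.
func (b *Blocklist) Block(s SenderInfo) {
	b.Addresses[s.Address] = true
	if ip := s.OriginIP(); ip != "" {
		b.IPs[ip] = true
	}
}

// Matches explains why a later message from the same source is rejected, or
// returns "" when nothing on the blacklist applies.
func (b *Blocklist) Matches(s SenderInfo) string {
	if b.Addresses[s.Address] {
		return "sender address " + s.Address + " is blacklisted"
	}
	for _, ip := range s.HopIPs {
		if b.IPs[ip] {
			return "hop " + ip + " is blacklisted"
		}
	}
	return ""
}

func main() {
	info, err := ExtractSender(sampleRaw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sender %s (domain %s), origin IP %s, hops %v\n",
		info.Address, info.Domain, info.OriginIP(), info.HopIPs)
	bl := NewBlocklist()
	bl.Block(info) // the security department confirmed the letter as phishing
	fmt.Println("next message from this source:", bl.Matches(info))
}
```

The origin IP is read from the earliest Received header, which a sender can forge; that is why the address is confirmed by the information security department before the administration department puts it on the blacklist, exactly the two-step procedure the policy describes.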

Always lock the workstation when leaving the workplace.

2.3.6 Rules for employee access to personal data

According to Article 89 of Chapter 14 of the Labor Code of the Russian Federation, a Bank employee has the right of access to his own personal data, but is allowed to process the personal data of other Bank employees or of Bank clients only in order to perform his official duties.

To ensure control over access to personal data information systems, the bank has established the following rules for access to personal data information systems:

Only employees whose job responsibilities include the processing of personal data have access to the ISPD (personal data information system);

Access to the ISPD is permitted only from the local workplace of the employee working with personal data;

The Bank has created a document identifying by name the employees who are allowed access to the personal data of the Bank’s employees and clients, indicating the Personal Data Information System and a list of personal data permitted for processing by the employee.
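The three rules above can be enforced mechanically. The following Go program is an added example (not code from the thesis or from the Bank) that models the named access document as a list of grants, checks an access request against all three rules in order, and filters a record down to the attributes the grant permits. Employee names, workplace identifiers, ISPD names and attribute names are constructed for the example; the struct layout is an assumption, not the Bank's actual document format.

```go
package main

import (
	"fmt"
	"sort"
)

// Grant is one line of the Bank's named access document: the employee, the
// registered local workplace, the ISPD and the personal data attributes that
// employee may process. Layout and sample values are assumptions.
type Grant struct {
	Employee  string
	Workplace string
	System    string
	Fields    map[string]bool
}

// AccessList holds the grants; every access decision is taken from it.
type AccessList struct{ grants []Grant }

func (a *AccessList) Add(g Grant) { a.grants = append(a.grants, g) }

// find returns the grant for an employee in an ISPD, if any.
func (a *AccessList) find(employee, system string) (Grant, bool) {
	for _, g := range a.grants {
		if g.Employee == employee && g.System == system {
			return g, true
		}
	}
	return Grant{}, false
}

// Check applies the three rules in order: the employee must be named for this
// ISPD, the request must come from the registered workplace, and every
// requested attribute must be on the permitted list.
func (a *AccessList) Check(employee, workplace, system string, fields []string) (bool, string) {
	g, ok := a.find(employee, system)
	if !ok {
		return false, employee + " is not named for " + system
	}
	if g.Workplace != workplace {
		return false, system + " may be used only from workplace " + g.Workplace
	}
	for _, f := range fields {
		if !g.Fields[f] {
			return false, "attribute " + f + " is not permitted for " + employee
		}
	}
	return true, "permitted"
}

// Minimize returns only the attributes of a record that the grant allows, so a
// query can never hand back more personal data than the document lists.
func (a *AccessList) Minimize(employee, workplace, system string, record map[string]string) map[string]string {
	out := map[string]string{}
	g, ok := a.find(employee, system)
	if !ok || g.Workplace != workplace {
		return out
	}
	for k, v := range record {
		if g.Fields[k] {
			out[k] = v
		}
	}
	return out
}

// SampleAccessList builds a constructed two-entry access document.
func SampleAccessList() *AccessList {
	a := &AccessList{}
	a.Add(Grant{Employee: "i.ivanova", Workplace: "WS-HR-07", System: "ISPD-Personnel",
		Fields: map[string]bool{"full_name": true, "position": true, "phone": true}})
	a.Add(Grant{Employee: "p.petrov", Workplace: "WS-CRM-12", System: "ISPD-Clients",
		Fields: map[string]bool{"full_name": true, "account_no": true}})
	return a
}

func main() {
	a := SampleAccessList()
	record := map[string]string{"full_name": "A. B. Sidorova", "position": "teller", // constructed record
		"phone": "+7 000 000-00-00", "passport_no": "0000 000000"}
	for _, c := range [][]string{
		{"i.ivanova", "WS-HR-07", "ISPD-Personnel", "full_name"},   // permitted
		{"i.ivanova", "WS-HR-07", "ISPD-Personnel", "passport_no"}, // attribute not listed
		{"i.ivanova", "WS-CRM-12", "ISPD-Personnel", "full_name"},  // wrong workplace
		{"p.petrov", "WS-CRM-12", "ISPD-Personnel", "full_name"},   // not named for this ISPD
	} {
		ok, why := a.Check(c[0], c[1], c[2], []string{c[3]})
		fmt.Printf("%-10s %-9s %-14s %-12s -> %v (%s)\n", c[0], c[1], c[2], c[3], ok, why)
	}
	seen := a.Minimize("i.ivanova", "WS-HR-07", "ISPD-Personnel", record)
	keys := make([]string, 0, len(seen))
	for k := range seen {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	fmt.Println("attributes returned to i.ivanova:", keys) // passport_no is stripped
}
```

Minimize is the part most often missing in practice: a system that checks the employee and workplace but then returns whole records still processes attributes the named document never permitted.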

3. ECONOMIC JUSTIFICATION OF THE PROJECT

To implement a personal data protection system, it is necessary to purchase:

Equipment to protect the Bank's network;

Hardware information security;

Information security software.

To rebuild the organization's network, it is necessary to purchase Cisco Catalyst 2960 switches in the amount of 3 copies. One switch is required to operate at the core level of the Bank's network, 2 others to operate at the distribution level. Network equipment that worked in the bank before the network restructuring will also be used.

Total cost (RUB) 9389159 613

Doctor WEB Enterprise Security Suite: 1 unit, 5500 RUB each, 5500 RUB total

Total cost: 1,371,615 RUB

CONCLUSION

In my graduation project, I reviewed the legal framework for the protection of personal data. I reviewed the main sources of threats to the security of personal data.

Based on the considered threats to personal data, I analyzed the existing personal data protection system at PJSC Citibank and came to the conclusion that it needs serious improvement.

During the thesis project, weaknesses were discovered in the Bank's local network. Taking into account the identified weaknesses in the Bank’s local network, measures were determined to minimize the information security risks of the Bank’s network.

Devices and software were also reviewed and selected to protect local workplaces of employees processing personal data of Bank employees and clients.

With my participation, a system was created to increase employee awareness of information security issues.

The procedure for Bank employees' access to the Internet has been thoroughly revised, and the Internet access groups have been redesigned. The new Internet access groups make it possible to significantly minimize information security risks by limiting users' ability to download files and access untrusted resources.

Calculations of the cost of rebuilding the network and creating a viable personal data protection system capable of repelling most information security threats are provided.

LIST OF REFERENCES USED

1. “Constitution of the Russian Federation” (adopted by popular vote on December 12, 1993) (as amended, introduced by Laws of the Russian Federation on amendments to the Constitution of the Russian Federation dated December 30, 2008 N 6-FKZ, dated December 30, 2008 N 7-FKZ, dated February 5, 2014 N 2-FKZ, dated July 21, 2014 N 11-FKZ) // Official text of the Constitution of the Russian Federation with amendments as amended on July 21, 2014, published on the Official Internet Portal of Legal Information http://www.pravo.gov.ru, August 1, 2014

2. “Basic model of threats to the security of personal data during their processing in personal data information systems” (Extract) (approved by the FSTEC of the Russian Federation on February 15, 2008)

3. Federal Law of July 27, 2006 N 149-FZ (as amended on July 6, 2016) “On information, information technologies and information protection” // The document was not published in this form. The original text of the document was published in Rossiyskaya Gazeta, No. 165, 07/29/2006

4. “Labor Code of the Russian Federation” dated December 30, 2001 N 197-FZ (as amended on July 3, 2016) (with amendments and additions entered into force on October 3, 2016) // The document was not published in this form; the original text of the document was published in Rossiyskaya Gazeta, N 256, 12/31/2001

5. Decree of the Government of the Russian Federation of November 1, 2012 N 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems” // “Rossiyskaya Gazeta”, N 256, 11/07/2012

6. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered with the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

7. Standard of the Bank of Russia “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions” STO BR IBBS-1.0-2014 (adopted and put into effect by Order of the Bank of Russia dated May 17, 2014 N R-399) // Bulletin of the Bank of Russia, N 48-49, 05/30/2014

8. “Regulations on the requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring the protection of information when making money transfers” (approved by the Bank of Russia on 06/09/2012 N 382-P) (as amended dated 08/14/2014) (Registered with the Ministry of Justice of Russia on 06/14/2012 N 24575) // The document was not published in this form, the original text of the document was published in “Bulletin of the Bank of Russia”, N 32, 06/22/2012

9. “Regulations on the procedure for credit institutions to submit to the authorized body the information provided for by the Federal Law “On Combating the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism”” (approved by the Bank of Russia on August 29, 2008 N 321-P) (as amended on 10/15/2015) (together with the “Procedure for ensuring information security during the transmission and reception of ECO” and the “Rules for the formation of ECO and filling out individual fields of ECO records”) (Registered with the Ministry of Justice of Russia on September 16, 2008 N 12296) // The document was not published in this form; the original text of the document was published in Bulletin of the Bank of Russia, N 54, 09/26/2008

10. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered with the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

11. Averchenkov V.I., Rytov M.Yu., Gainulin T.R. Protection of personal data in organizations. M.: Flinta, 2018

12. Agapov A. B. Fundamentals of public administration in the field of informatization in the Russian Federation. M.: Yurist, 2012

13. Kostin A. A., Kostina A. A., Latyshev D. M., Moldovyan A. A. “AURA” series software systems for protecting personal data information systems // Izvestiya Vuzov. Priborostroenie (Journal of Instrument Engineering). 2012. Vol. 55, No. 11

14. Moldovyan A. A. Cryptography for protecting computer information (part 1) // Integral. 2014. No. 4 (18)

15. Romanov O.A., Babin S.A., Zhdanov S.G. Organizational provision of information security. - M.: Academy, 2016

16. Shultz V.L., Rudchenko A.D., Yurchenko A.V. Business safety. M.: Publishing house "Urayt", 2017

Appendices (available in the archive with the work).

INTRODUCTION

Relevance. In the modern world, information is becoming a strategic resource, one of the main assets of an economically developed state. The rapid advance of informatization in Russia and its penetration into all spheres of the vital interests of the individual, society and the state have brought, in addition to undoubted advantages, a number of significant problems. One of them is the need to protect information. Since economic potential is now increasingly determined by the level of development of the information infrastructure, the potential vulnerability of the economy to information influences grows in proportion.

The spread of computer systems and their integration into communication networks increase the possibility of electronic penetration into them. The problem of computer crime in all countries of the world, regardless of their geographical location, requires more and more public attention and effort to organize the fight against this type of crime. Crimes in automated banking systems and e-commerce have become especially widespread. According to foreign data, bank losses from computer crime amount to many billions of dollars annually. Although the adoption of the latest information technologies in Russia is not yet as extensive, computer crimes make themselves felt more and more every day, and protecting the state and society from them has become a paramount task for the competent authorities.

The relevance of personal data protection is not in doubt. This is primarily due to the deadline set for bringing personal data information systems (PDIS) into compliance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”. This deadline is inexorably approaching, while the obvious difficulty of fulfilling the requirements of the regulatory guidance documents provokes much controversy and ambiguous interpretation. At the same time, the secrecy of some governing documents, their uncertain legal status and a number of other issues do not help to solve the problem. All this creates a situation in which the regulatory framework has not been finalized, yet the legal requirements must be complied with now.

In May 2009 the first meeting of the working group on personal data was held at the ARB (Association of Russian Banks). In an open discussion at the event, the problem areas of concern to the banking community were identified quite clearly. They mainly concerned the technical protection of personal data and future interaction between financial institutions and the FSTEC. Representatives of the Bank of Russia presented in their speech the developments in organizing the implementation of the law “On Personal Data”. The attempts of the Bank of Russia to find a compromise with the regulators on the formulation of technical requirements for the banking community can be called fundamentally new and important. The activity of the Central Bank of the Russian Federation in working with the FSTEC of Russia deserves particular mention. Given the large number of difficulties in fulfilling the requirements of the FSTEC governing documents, the Bank of Russia decided to prepare its own documents (draft documents), which are currently being agreed with the FSTEC. It can be assumed that there is a high probability of a new industry standard on personal data for financial institutions emerging.

The purpose of the course work is to study ways of protecting personal data in online banking systems.

To achieve the goal, the following tasks were solved:

studying approaches and basic principles of ensuring security;

determination of methods and means of ensuring security;

identifying features of ensuring the security of personal data in online banking systems;

development of measures to ensure the security of personal data in online banking systems.

The object of study is banking information systems.

The subject of the study is the security of personal information in online banking systems.

The theoretical and methodological basis of the study consists of theoretical principles, the works of scientists, and research by specialists on information support issues.

The methodological basis of the course work was a systematic approach to the study of security problems.

Logical, comparative legal and systemic analysis were used. In addition, the method of structural analysis makes it possible to study the individual components of the phenomenon under study with the necessary thoroughness and to analyze the relationships of these elements with each other and with the whole.

1. Theoretical aspects of personal data protection in online banking systems

1.1 Approaches, principles of security

Ensuring the security of information systems means measures that protect an information system from accidental or intentional interference in its operating modes.

There are two fundamental approaches to ensuring computer security.

The first is the fragmented approach, which focuses on countering strictly defined threats under certain conditions (for example, specialized anti-virus tools, stand-alone encryption tools, etc.). It has both an advantage, a high degree of selectivity with respect to a strictly defined problem, and a disadvantage, the fragmentation of protection into strictly defined, unconnected elements.

The information security management process includes the components shown in Fig. 1.

The second approach is systemic, its peculiarity is that within its framework information protection is treated on a larger scale - a secure environment for processing, storing and transmitting information is created that combines heterogeneous methods and means of countering threats: software and hardware, legal, organizational and economic. Through the specified secure environment, a certain level of security of the automated information system can be guaranteed.

A systematic approach to information protection is based on the following methodological principles:

final goal - the absolute priority of the final (global) goal;

unity - joint consideration of the system as a whole and as a collection of parts (elements);

connectivity - consideration of any part of the system together with its connections with the environment;

modular construction - identifying modules in the system and considering it as a set of modules;

hierarchy - introducing a hierarchy of parts (elements) and their ranking;

functionality - joint consideration of structure and function with priority of function over structure;

development - taking into account the variability of the system, its ability to develop, expand, replace parts, accumulate information;

decentralization - combinations of centralization and decentralization in decisions made and management;

uncertainty - taking into account uncertainties and contingencies in the system.

Modern researchers identify the following methodological, organizational and implementation principles of information (including computer) security.

The principle of legality. It consists in following current legislation in the field of information security.

The principle of uncertainty. It arises from the ambiguity of the subject's behaviour, i.e. who, when, where and how may violate the security of the protected object.

The principle of the impossibility of creating an ideal protection system. It follows from the principle of uncertainty and from the limited resources available for protection.

The principles of minimal risk and minimal damage follow from the impossibility of creating an ideal protection system. In accordance with them, the specific conditions in which the object of protection exists must be taken into account at any given moment.

The principle of safe time. It takes into account absolute time, i.e. the period during which the objects of protection must be preserved, and relative time, i.e. the period from the moment malicious actions are detected until the attacker achieves his goal.

The principle of “protecting everyone from everyone.” It involves the organization of protective measures against all forms of threats to the objects of protection, which is a consequence of the principle of uncertainty.

The principle of personal responsibility. It assumes the personal responsibility of each employee of an enterprise, institution or organization for compliance with the security regime within the framework of their powers, functional responsibilities and current instructions.

The principle of limitation of powers. It involves limiting the powers of a subject to familiarize himself with information to which access is not required for the normal performance of his functional duties, as well as the introduction of a ban on access to objects and areas in which stay is not required by the nature of his activity.

The principle of interaction and cooperation. Internally, it involves cultivating trusting relationships between employees responsible for security (including information security) and personnel. In external manifestation - establishing cooperation with all interested organizations and individuals (for example, law enforcement agencies).

The principle of complexity and individuality. It implies the impossibility of ensuring the security of the object of protection by any one measure, but only by a set of complex, interconnected and overlapping measures, implemented with individual reference to specific conditions.

The principle of successive safety lines. Involves the earliest possible notification of an encroachment on the security of a particular protected object or other adverse incident in order to increase the likelihood that an early alarm signal of protective equipment will provide employees responsible for safety with the opportunity to timely determine the cause of the alarm and organize effective countermeasures.

The principles of equal strength and equivalence of protection lines. Equal strength implies the absence of unprotected areas within the protection lines. Equivalence presupposes a relatively equal level of protection on all lines in accordance with the degree of threat to the protected object.

The methods of ensuring information security at an enterprise are the following:

An obstacle is a method of physically blocking an attacker’s path to protected information (equipment, storage media, etc.).

Access control is a method of protecting information by regulating the use of all resources of the enterprise's automated information system. Access control includes the following security functions:

identification of users, personnel and resources of the information system (assigning a personal identifier to each object);

authentication (establishing the authenticity) of an object or subject using the identifier presented by it;

verification of authority (checking that the day of the week, time of day, requested resources and procedures comply with the established regulations);

registration of requests to protected resources;

response (alarm, shutdown, delay of work, refusal of a request when attempting unauthorized actions).
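The five functions listed above form one pipeline. As an added example (not the author's code), the following Go program implements them in order: identification by a stored identifier, authentication by a salted hash compared in constant time, verification of authority against a weekday and hour regulation, registration of every request in a log, and a response that locks the account after repeated failures. The account name, salt, password, resource name and schedule are constructed for the example, and salted SHA-256 stands in for the slow password hash a real system would use.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Account: an identified subject and its authentication secret. Salted SHA-256
// keeps the example short; a slow password hash (bcrypt, Argon2) belongs in production.
type Account struct {
	Salt, Hash []byte
	Failures   int
	Locked     bool
}

// Rule: the "established regulation" for one subject and resource, i.e. the
// weekdays and the hour window [From, To) in which access is permitted.
type Rule struct {
	Days     map[time.Weekday]bool
	From, To int
}

// Guard ties identification, authentication, authority verification,
// registration and response together.
type Guard struct {
	accounts    map[string]*Account
	rules       map[string]map[string]Rule // subject -> resource -> rule
	Log         []string                   // registration of every request
	MaxFailures int                        // lock the account after this many wrong passwords
}

func NewGuard(maxFailures int) *Guard {
	return &Guard{accounts: map[string]*Account{}, rules: map[string]map[string]Rule{}, MaxFailures: maxFailures}
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Register assigns the identifier and stores the secret used for authentication.
func (g *Guard) Register(id, password string, salt []byte) {
	g.accounts[id] = &Account{Salt: salt, Hash: hashPassword(salt, password)}
}

// Permit records the schedule under which a subject may use a resource.
func (g *Guard) Permit(id, resource string, days []time.Weekday, from, to int) {
	if g.rules[id] == nil {
		g.rules[id] = map[string]Rule{}
	}
	r := Rule{Days: map[time.Weekday]bool{}, From: from, To: to}
	for _, d := range days {
		r.Days[d] = true
	}
	g.rules[id][resource] = r
}

// Request takes the decision and registers it in the log whatever the outcome.
func (g *Guard) Request(id, password, resource string, now time.Time) string {
	result := g.decide(id, password, resource, now)
	g.Log = append(g.Log, fmt.Sprintf("%s %s %s -> %s", now.Format("Mon 15:04"), id, resource, result))
	return result
}

func (g *Guard) decide(id, password, resource string, now time.Time) string {
	acct, ok := g.accounts[id] // identification
	if !ok {
		return "denied: unknown identifier"
	}
	if acct.Locked { // response from earlier unauthorized attempts still applies
		return "denied: account locked"
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.Salt, password), acct.Hash) != 1 { // authentication
		acct.Failures++
		if acct.Failures >= g.MaxFailures {
			acct.Locked = true // response: shut the account
			return "denied: wrong password, account locked"
		}
		return "denied: wrong password"
	}
	acct.Failures = 0
	rule, ok := g.rules[id][resource] // authority verification
	if !ok {
		return "denied: no authority for " + resource
	}
	if !rule.Days[now.Weekday()] || now.Hour() < rule.From || now.Hour() >= rule.To {
		return "denied: outside permitted schedule"
	}
	return "granted"
}

func main() {
	g := NewGuard(3)
	g.Register("teller01", "correct horse", []byte("constructed-salt")) // constructed sample account
	g.Permit("teller01", "ISPD-Clients", []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}, 9, 18)
	monday := time.Date(2024, time.January, 15, 10, 0, 0, 0, time.UTC)
	fmt.Println(g.Request("teller01", "correct horse", "ISPD-Clients", monday))                   // granted
	fmt.Println(g.Request("teller01", "correct horse", "ISPD-Clients", monday.Add(10*time.Hour))) // 20:00: denied
	fmt.Println(g.Request("teller01", "correct horse", "ISPD-Clients", monday.AddDate(0, 0, 5)))  // Saturday: denied
	for i := 0; i < 3; i++ {
		fmt.Println(g.Request("teller01", "guess", "ISPD-Clients", monday)) // third failure locks the account
	}
	fmt.Println(g.Request("teller01", "correct horse", "ISPD-Clients", monday)) // still locked
	fmt.Println(len(g.Log), "requests registered")
}
```

Note that denials are logged as carefully as grants: the registration step exists precisely so that the response (here a lockout) and a later investigation can be based on the full sequence of attempts.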

Masking is a method of protecting information in an enterprise's automated information system by cryptographically transforming (closing) it.

Regulation is a method of information protection that creates conditions for automated processing, storage and transmission of information under which the possibility of unauthorized access to it would be minimized.

Coercion is a method of protecting information in which users and system personnel are forced to comply with the rules for the processing, transfer and use of protected information under the threat of material, administrative and criminal liability.

Incentive is a method of information security that encourages users and system personnel not to violate established rules by complying with established moral and ethical standards.

The above methods of ensuring information security are implemented using the following basic means: physical, hardware, software, hardware-software, cryptographic, organizational, legislative and moral and ethical.

Physical means of protection are intended for external protection of the territory of objects, protection of components of an automated information system of an enterprise and are implemented in the form of autonomous devices and systems.

Hardware protection means are electronic, electromechanical and other devices directly built into blocks of an automated information system or designed as independent devices and interfaced with these blocks. They are designed for internal protection of structural elements of computer equipment and systems: terminals, processors, peripheral equipment, communication lines, etc.

Software protection tools are designed to perform logical and intellectual protection functions and are included either in the software of an automated information system, or in the composition of tools, complexes and control equipment systems.

Information security software is the most common type of protection, having the following positive properties: versatility, flexibility, ease of implementation, and the possibility of modification and development. The same properties, however, make it the most vulnerable element of an enterprise's information system protection.

Hardware-software protection means are means in which the software (firmware) and hardware parts are completely interconnected and inseparable.

Cryptographic means are means of protection by transforming information (encryption).

Organizational means - organizational, technical and organizational and legal measures to regulate the behavior of personnel.

Legislative means are legal acts of the country that regulate the rules for the use, processing and transmission of restricted access information and that establish penalties for violating these rules.

Moral and ethical means - norms, traditions in society, for example: Code of Professional Conduct for Members of the Computer Users Association in the USA.

1.2 Security methods and means

Various encryption mechanisms are used to implement security measures. What are these methods used for? Initially, when data (text, speech or images) is sent, it is unprotected, or, as specialists say, open. Open data can easily be intercepted by other users (intentionally or not). If the goal is to prevent certain information from reaching third parties, the data is encrypted. The user for whom the information is intended then decrypts it by applying the inverse transformation to the cryptogram, obtaining the data in the form he needs.

Encryption can be symmetric (one secret key is used for both encryption and decryption) or asymmetric (one key, the public key, is used for encryption and a different key, the private key, for decryption; knowing the public key does not allow the private key to be determined).

Security mechanisms include:

1) Digital signature mechanisms are based on asymmetric encryption algorithms and include two procedures: the formation of the signature by the sender and its verification by the recipient. Formation of the signature by the sender means that the data block is encrypted or supplemented with a cryptographic checksum, and in both cases the sender's secret key is used. The public key is used for verification (identification of the signer).

2) Access control mechanisms check the authority of programs and users to access network resources. When a resource is accessed over a connection, control is performed at the origination point, at intermediate points and at the end point.

3) Data integrity mechanisms apply both to an individual block and to a data stream. The sender supplements the transmitted block with a cryptographic checksum, and the recipient compares it with the cryptographic value computed for the received block. A discrepancy indicates distortion of the information in the block.

4) Traffic padding mechanisms. They are based on the generation of blocks by AIS objects, their encryption and transmission over network channels. This neutralizes the possibility of obtaining information by observing the external characteristics of the flows circulating through the communication channels.

5) Routing control mechanisms ensure that routes for the movement of information through the communication network are selected so as to exclude the transfer of secret information over unsafe, physically unreliable channels.

6) Arbitration (notarization) mechanisms provide confirmation by a third party of the characteristics of data transferred between entities. To this end, the information sent or received by the objects passes through the arbiter, which allows it to confirm the mentioned characteristics later.
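The symmetric and asymmetric encryption described in section 1.2, the signature mechanism in item 1) and the cryptographic checksum in item 3) can all be exercised with Go's standard library. The following program is an added example, not code from the course work: AES-256-GCM stands for the single-key case, RSA-OAEP for public-key encryption, Ed25519 for the signature and HMAC-SHA256 for the checksum. The choice of these particular algorithms, the RoundTrips helper and the sample message are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: one secret key serves both directions (AES-256-GCM).
// The random nonce is prepended so the receiver can decrypt.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func SymmetricDecrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Asymmetric: anyone holding the recipient's public key can encrypt; only the
// holder of the private key can decrypt (RSA-OAEP with SHA-256).
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// Digital signature: the sender signs with the secret key, the recipient
// verifies with the public one (Ed25519).
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// Integrity: the sender appends an HMAC-SHA256 checksum to the block; the
// recipient recomputes it, and a mismatch signals distortion of the block.
func Checksum(key, block []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(block)
	return m.Sum(nil)
}

func IntegrityOK(key, block, sum []byte) bool { return hmac.Equal(Checksum(key, block), sum) }

// RoundTrips exercises every mechanism on one message with freshly generated
// keys and reports which checks passed.
func RoundTrips(msg []byte) (map[string]bool, error) {
	res := map[string]bool{}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	ct, err := SymmetricEncrypt(key, msg)
	if err != nil {
		return nil, err
	}
	pt, err := SymmetricDecrypt(key, ct)
	res["symmetric round trip"] = err == nil && bytes.Equal(pt, msg)

	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ct2, err := AsymmetricEncrypt(&rsaKey.PublicKey, msg)
	if err != nil {
		return nil, err
	}
	pt2, err := AsymmetricDecrypt(rsaKey, ct2)
	res["asymmetric round trip"] = err == nil && bytes.Equal(pt2, msg)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	sig := Sign(priv, msg)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 1 // one flipped bit, as a line error or an attacker would cause
	res["signature verifies"] = Verify(pub, msg, sig)
	res["signature rejects tampering"] = !Verify(pub, tampered, sig)

	sum := Checksum(key, msg)
	res["checksum verifies"] = IntegrityOK(key, msg, sum)
	res["checksum rejects tampering"] = !IntegrityOK(key, tampered, sum)
	return res, nil
}

func main() {
	res, err := RoundTrips([]byte("payment order 42: 1000.00 RUB")) // constructed sample block
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"symmetric round trip", "asymmetric round trip", "signature verifies",
		"signature rejects tampering", "checksum verifies", "checksum rejects tampering"} {
		fmt.Printf("%-28s %v\n", k, res[k])
	}
}
```

The checksum in item 3) must be keyed, as here with HMAC: a plain hash appended to the block would let anyone who alters the block recompute a matching value, so it would detect line errors but not deliberate distortion.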

The main disadvantages of the security system of economic facilities are:

- a narrow, unsystematic understanding of the problem of facility safety;

- neglecting the prevention of threats, working according to the principle “If a threat has appeared, we begin to eliminate it”;

- incompetence in the economics of security, inability to compare costs and results;

- “technocratism” of management and security specialists, interpretation of all tasks in the language of an area familiar to them.

As a conclusion from the first chapter of the work, we determine the following. Ensuring the security of information systems refers to the measures by which an information system is protected from accidental or intentional interference in its operating modes. There are two main approaches to ensuring security: 1) fragmented, within which specific threats are countered under specific conditions; and 2) systemic, within which a secure environment for processing, storing and transmitting information is created, combining various kinds of methods and means of countering threats. Various means and mechanisms are used to protect information. These include encryption, digital electronic signature, access control, traffic padding, etc.


2. Features of ensuring the security of personal data in online banking systems

2.1. General conditions for ensuring the security of personal data in online banking systems

Protection of personal information is the state of security of information and its supporting infrastructure (computers, communication lines, power supply systems, etc.) from accidental or intentional impacts that could cause damage to the owners or users of this information.

Information security of accounting data also means: ensured reliability of the computer; safety of valuable accounting data; protection of personal information from modification by unauthorized persons; preservation of documented accounting data in electronic communications.

Objects of information security in accounting are information resources containing information classified as a trade secret and confidential information; as well as information technology tools and systems.

The owner of information resources, information systems, technologies and the means supporting them is a subject that possesses and uses these objects and exercises the powers of disposal within the limits established by law.

An information user is a subject who turns to an information system or intermediary to obtain the information he needs and uses it.

Information resources are individual documents and individual arrays of documents, documents and arrays of documents in information systems.

An information security threat is a potential action that, through its impact on the components of the personal data system, may lead to damage to the owners of information resources or to users of the system.

The legal regime of information resources is determined by rules establishing:

the procedure for documenting information;

ownership of individual documents and individual arrays of documents, and of documents and arrays of documents in information systems;

the category of information according to the level of access to it;

the procedure for the legal protection of information.

The main principle violated when implementing an information threat in accounting is the principle of documenting information. An accounting document received from an automated accounting information system acquires legal force after it is signed by an official in the manner established by the legislation of the Russian Federation.

The entire set of potential threats in accounting, according to the nature of their occurrence, can be divided into two classes: natural (objective) and artificial.

Natural threats are caused by objective reasons, usually beyond the control of the accountant, leading to the complete or partial destruction of the accounting department along with its components. Such natural phenomena include: earthquakes, lightning strikes, fires, etc.

Man-made threats are related to human activities. They are divided into unintentional (accidental) ones, caused by employees making mistakes due to inattention, fatigue, illness, etc. For example, an accountant, when entering information into a computer, may press the wrong key, make unintentional errors in a program, introduce a virus, or accidentally disclose passwords.

Intentional (deliberate) threats are associated with the selfish aims of people, attackers who deliberately create false documents.

Security threats in terms of their focus can be divided into the following groups:

threats of penetration into and reading of data from accounting databases and the computer programs that process them;

threats to the safety of accounting data, leading either to their destruction or to their modification, including falsification of payment documents (payment requests, orders, etc.);

data availability threats, which arise when a user cannot access accounting data;

threats of repudiation of operations, when one user transmits a message to another and then refuses to confirm the transmitted data.

Information processes are the processes of collecting, processing, accumulating, storing, searching and distributing information.

An information system is an organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer technology and communications, that implement information processes.

Documentation of information is carried out in the manner established by government bodies responsible for organizing office work, standardizing documents and their arrays, and security of the Russian Federation.

Depending on the source of threats, they can be divided into internal and external.

The source of internal threats is the activities of the organization’s personnel. External threats come from outside from employees of other organizations, from hackers and other individuals.

External threats can be divided into:

local threats, which involve the intruder entering the organization's territory and gaining access to an individual computer or the local network;

remote threats, which are typical for systems connected to global networks (the Internet, the SWIFT international banking system, etc.).

Such dangers arise most often in electronic payment systems, when settlements are made between suppliers and buyers and when the Internet is used for payments. The sources of such information attacks can be located thousands of kilometres away. Moreover, not only computers are affected, but the accounting information itself.

Intentional and unintentional errors in accounting that increase accounting risk are the following: errors in recording accounting data; incorrect codes; unauthorized accounting transactions; violation of control limits; missed accounts; errors in data processing or output; errors in the creation or correction of directories; incomplete accounts; incorrect assignment of records to periods; data falsification; violation of regulatory requirements; violation of personnel policy principles; discrepancy between the quality of services and user needs.

Information that constitutes a trade secret and relates to personal and reporting information (data about partners, clients and banks, analytical information about market activity) is particularly sensitive. For this and similar information to be protected, agreements must be drawn up with employees of the accounting, financial and other economic departments specifying the list of information that is not subject to public disclosure.

Information protection in automated accounting systems is based on the following basic principles.

Ensuring physical separation of areas intended for processing classified and unclassified information.

Ensuring cryptographic protection of information.

Ensuring authentication of subscribers and subscriber installations.

Ensuring differentiation of access of subjects and their processes to information.

Ensuring the establishment of the authenticity and integrity of documentary messages when they are transmitted over communication channels.

Ensuring the protection of equipment and technical means of the system, the premises where they are located, from leakage of confidential information through technical channels.

Ensuring the protection of encryption technology, equipment, hardware and software from information leakage through hardware and software bookmarks.

Ensuring control of the integrity of the software and information part of the automated system.

Using only domestic developments as protection mechanisms.

State information resources of the Russian Federation are open and publicly available. The exception is documented information classified by law as restricted access. Documented information with restricted access is, according to its legal regime, divided into information classified as a state secret and confidential information. The list of confidential information, in particular information related to commercial activities, is established by Decree of the President of the Russian Federation of March 6, 1997 No. 188 (Appendix No.).

Ensuring organizational and regime protection measures. It is advisable to use additional measures to ensure communication security in the system.

Organizing the protection of information about the intensity, duration and traffic of information exchange.

Using channels and methods to transmit and process information that make interception difficult.

Protecting information from unauthorized access is aimed at ensuring three main properties of the protected information:

confidentiality (classified information should be accessible only to those for whom it is intended);

integrity (information on the basis of which important decisions are made must be reliable, accurate and fully protected from possible unintentional and malicious distortions);

availability (readiness): information and the related information services must be accessible and ready to serve stakeholders whenever they are needed.

The methods for ensuring the protection of personal information are: obstruction, access control, camouflage, regulation, coercion and inducement.

Obstruction is a method of physically blocking an attacker’s path to protected personal information. This method is implemented by the enterprise’s access regime, including the presence of security at the entrance and the blocking of unauthorized persons’ access to the accounting department, the cash desk, etc.

Access control is a method of protecting personal and reporting information, implemented through:

authentication - establishing the authenticity of an object or subject from the identifier it presents (by comparing the entered identifier with the one stored in computer memory);

authority checking - verifying that the requested resources and the operations performed correspond to the resources allocated and the procedures permitted to the subject; registration (logging) of requests to protected resources;

informing about and responding to attempts at unauthorized actions. (Cryptography, i.e. protection by transforming information through encryption, is a further method.)

In the BEST-4 complex, access to information is restricted at the level of individual subsystems and is ensured by setting separate access passwords. During initial setup or at any time while working with the program, the system administrator can set or change one or more passwords. The password is requested each time you log into the subsystem.

In addition, some modules have their own system for restricting access to information. It provides the ability to protect each menu item with special passwords. Passwords can also protect access to individual subsets of primary documents: for example, in the automated workplace “Inventory accounting in a warehouse” and “Accounting for goods and products” it is possible to set access passwords for each warehouse separately, in the automated workplace “Cash transactions accounting” - access passwords for each cash register, in the automated workplace “Accounting for settlements with the bank” - access passwords to each bank account.

Note in particular that, to restrict access to information effectively, the modes in which passwords for access to particular blocks are defined must themselves first be protected with passwords.

1C:Enterprise version 7.7 has its own information protection mechanism: access rights. In order to integrate and separate user access to information when working with 1C:Enterprise on a network of personal computers, the system configurator allows the rights to work with the information processed by the system to be set for each user. Rights can be set within a fairly wide range, from the ability only to view certain types of documents to a full set of rights to enter, view, correct and delete any types of data.

Assigning access rights to a user is carried out in 2 stages. At the first stage, standard sets of rights to work with information are created, differing, as a rule, in the breadth of access capabilities provided. At the second stage, the user is assigned one of these standard sets of rights.

All work on creating standard sets of rights is done on the “Rights” tab of the “Configuration” window. This window is opened by selecting the “Open configuration” item from the “Configuration” menu of the program’s main menu.
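The access-control elements described above (authentication by comparing a presented identifier with the stored one, authority checking, registration of requests and informing about unauthorized attempts) and the two-stage assignment of rights in 1C:Enterprise (standard rights sets first, then one set per user) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the thesis, BEST-4 or 1C:Enterprise; the rights-set names, user names and journal format are constructed.

```python
"""Access control with standard rights sets, assigned to users in two stages.
Added example: not code from the thesis, BEST-4 or 1C:Enterprise."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Stage 1: standard sets of rights, differing in breadth of access
# (from view-only up to enter/view/correct/delete). Names are hypothetical.
RIGHT_SETS = {
    "viewer": frozenset({"view"}),
    "operator": frozenset({"view", "enter"}),
    "accountant": frozenset({"view", "enter", "correct"}),
    "chief_accountant": frozenset({"view", "enter", "correct", "delete"}),
}


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    right_set: str  # Stage 2: exactly one standard set is assigned to the user


def _derive(salt: bytes, password: str) -> bytes:
    # Only a salted, iterated hash is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.journal: list[tuple] = []  # registration of requests to protected resources
        self.alerts: list[str] = []     # informing about attempts at unauthorized actions

    def add_user(self, name: str, password: str, right_set: str) -> None:
        if right_set not in RIGHT_SETS:
            raise ValueError(f"unknown rights set: {right_set}")
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _derive(salt, password), right_set)

    def authenticate(self, name: str, password: str):
        """Compare the presented identifier with the stored one; None if it does not match."""
        user = self.users.get(name)
        # Derive even for unknown names so response time does not reveal which names exist.
        digest = _derive(user.salt if user else bytes(16), password)
        ok = user is not None and hmac.compare_digest(digest, user.pw_hash)
        self.journal.append((name, "login", "-", "ok" if ok else "denied"))
        if not ok:
            self.alerts.append(f"failed login for {name}")
        return user if ok else None

    def request(self, user: User, operation: str, resource: str) -> bool:
        """Authority check: is the operation within the user's standard rights set?"""
        allowed = operation in RIGHT_SETS[user.right_set]
        self.journal.append((user.name, operation, resource, "ok" if allowed else "denied"))
        if not allowed:
            self.alerts.append(f"{user.name} attempted '{operation}' on {resource}")
        return allowed
```

Every request, successful or not, lands in the journal, and only denied ones raise an alert; that separation is what lets an administrator review normal activity separately from signals of misuse.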

2.2 A set of measures to ensure the security of personal data in online banking systems

The justification for a set of measures to ensure the security of personal data in the ISPD is carried out taking into account the results of assessing the danger of threats and determining the class of ISPD based on the “Basic measures for the organization and technical support of the security of personal data processed in personal data information systems.”

In this case, measures should be determined for:

identifying and closing technical channels of personal data leakage in the information system;

protection of personal data from unauthorized access and unlawful actions;

installation, configuration and use of protective equipment.

Measures to identify and close technical channels of personal data leakage in the information system are formulated based on the analysis and assessment of threats to personal data security.

Measures to protect personal data during their processing in ISPD from unauthorized access and unlawful actions include:

access control;

registration and accounting;

ensuring integrity;

control of the absence of undeclared capabilities;

antivirus protection;

ensuring secure internetwork interaction of ISPD;

security analysis;

intrusion detection.

It is recommended to implement the access control, registration and accounting subsystem on the basis of software tools for blocking unauthorized actions, signalling and registration. These are special software and hardware-software tools, not included in the core of any operating system, for protecting the operating systems themselves, electronic personal data databases and application programs. They perform protection functions independently or in combination with other means of protection and are aimed at preventing or complicating actions of a user or violator that are dangerous for the ISPD. They include special utilities and security software systems that implement diagnostic, registration, destruction, alarm and simulation functions.

Diagnostic tools carry out testing of the file system and personal data databases, constantly collecting information about the functioning of the elements of the information security subsystem.

Destruction tools are designed to destroy residual data and may provide for emergency data destruction in the event of an unauthorized access threat that cannot be blocked by the system.

Signaling means are designed to warn operators when they access protected PD and to warn the administrator when detecting the fact of unauthorized access to PD and other facts of violation of the normal operating mode of the ISPD.

Simulation tools imitate normal operation towards an intruder when an attempt to tamper with protected personal data or software is detected. Imitation increases the time available to determine the location and nature of the unauthorized activity, which is especially important in territorially distributed networks, and misinforms the intruder about the location of the protected personal data.

The integrity subsystem is implemented primarily by operating systems and database management systems. Means for increasing reliability and ensuring the integrity of transmitted data and transaction reliability, built into operating systems and database management systems, are based on the calculation of checksums, notification of failure in the transmission of a message package, and retransmission of an unaccepted package.
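The mechanism just described, a checksum on each transmitted packet, notification of failure and retransmission of the unaccepted packet, is shown below together with the authenticity check for documentary messages mentioned among the basic principles earlier. This is an added example written for this page, not code from the thesis or any operating system or DBMS; the shared key, the sample payment orders and the two channel fault models are constructed, and the link is simulated in-process.

```python
"""Integrity and authenticity of transmitted document messages: checksum,
message authentication code and retransmission of an unaccepted packet.
Added example, not from the thesis; the channel is simulated in-process."""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-demo-key-replace-in-practice"  # provisioned out of band


def make_packet(seq: int, payload: bytes) -> dict:
    # CRC32 detects accidental corruption on the link; the HMAC over (seq, payload)
    # detects deliberate modification and binds the packet to the key holder.
    seq_bytes = seq.to_bytes(4, "big")
    return {
        "seq": seq,
        "payload": payload,
        "crc": zlib.crc32(payload),
        "tag": hmac.new(SHARED_KEY, seq_bytes + payload, hashlib.sha256).digest(),
    }


def check_packet(pkt: dict) -> str:
    """Return 'ok', 'crc_failure' or 'auth_failure' for a received packet."""
    if zlib.crc32(pkt["payload"]) != pkt["crc"]:
        return "crc_failure"
    expected = hmac.new(SHARED_KEY, pkt["seq"].to_bytes(4, "big") + pkt["payload"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["tag"]):
        return "auth_failure"
    return "ok"


def transmit(documents: list, channel, max_retries: int = 3) -> dict:
    """Send each document; on a failure notification retransmit the same packet.
    `channel(pkt, attempt)` models the link and may return a modified packet."""
    accepted, rejected, log = [], [], []
    for seq, doc in enumerate(documents, start=1):
        pkt = make_packet(seq, doc)
        for attempt in range(max_retries + 1):
            delivered = channel(pkt, attempt)
            status = check_packet(delivered)
            log.append((seq, attempt, status))
            if status == "ok":
                accepted.append(delivered["payload"])
                break
        else:
            rejected.append(seq)  # gave up: the receiver never accepted this packet
    return {"accepted": accepted, "rejected": rejected, "log": log}


def noisy_channel(pkt: dict, attempt: int) -> dict:
    # Constructed fault model: the first transmission of packet 2 has one flipped bit.
    if pkt["seq"] == 2 and attempt == 0:
        damaged = bytearray(pkt["payload"])
        damaged[0] ^= 0x01
        return {**pkt, "payload": bytes(damaged)}
    return pkt


def tampering_channel(pkt: dict, attempt: int) -> dict:
    # Constructed intruder model: the amount is rewritten and the CRC recomputed, so
    # only the keyed MAC, not the plain checksum, reveals the modification.
    forged = pkt["payload"].replace(b"amount=100", b"amount=900")
    return {**pkt, "payload": forged, "crc": zlib.crc32(forged)}


SAMPLE_DOCUMENTS = [  # constructed payment orders
    b"order=1;payee=ACME;amount=100",
    b"order=2;payee=Globex;amount=100",
    b"order=3;payee=Initech;amount=100",
]
```

The two channels make the point of the text concrete: a checksum alone is enough against accidental distortion and is corrected by one retransmission, whereas against deliberate falsification of a payment document only the keyed authenticity check holds, and retransmission cannot help because every copy is rewritten.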

The subsystem for monitoring the absence of undeclared capabilities is implemented in most cases on the basis of database management systems, information security tools, and anti-virus information security tools.

To ensure the security of PD and of the software and hardware environment of the ISPD that processes this information, it is recommended to use special anti-virus protection means that perform:

detection and (or) blocking of destructive viral effects on system-wide and application software that processes personal data, as well as on personal data;

detection and removal of unknown viruses;

ensuring self-monitoring (prevention of infection) of the anti-virus product itself when it is launched.

When choosing antivirus protection tools, it is advisable to consider the following factors:

compatibility of these tools with standard ISPD software;

the degree to which the performance of the ISPD for its main purpose is reduced;

availability of means for centralized management of the functioning of anti-virus protection tools from the information security administrator’s workplace in the ISPD;

the ability to promptly notify the ISPD information security administrator of all events and facts indicating software-mathematical influences (PMI);

availability of detailed documentation on the operation of the anti-virus protection tool;

the ability to periodically test or self-test the anti-virus protection tool;

the ability to extend the set of PMI protection means with new additional means without significant restrictions on ISPD performance or “conflicts” with other types of protection means.

A description of the procedure for installing, configuring and administering anti-virus protection tools, as well as the procedure to follow when a virus attack or another violation of the requirements for protection against software-mathematical influences is detected, should be included in the ISPD information security administrator’s manual.

To restrict access to ISPD resources during internetwork interaction, firewalling is used, implemented by software and hardware-software firewalls (FW). A firewall is installed between the protected network, called the internal network, and the external network. The firewall is part of the protected network. Rules are configured on it separately to restrict access from the internal network to the external one and vice versa.

To ensure secure internetworking in class 3 and class 4 ISPD, it is recommended to use a FW of at least the fifth security level.

To ensure secure internetworking in class 2 ISPD, it is recommended to use a FW of at least the fourth security level.

To ensure secure internetworking in class 1 ISPD, it is recommended to use a FW of at least the third security level.
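The separate rule sets for the two directions of traffic described above can be illustrated with a small packet filter. This is an added example written for this page, not the thesis’s or any firewall product’s configuration; the internal network range, the front-end and partner hosts, the ports and the rule comments are all constructed.

```python
"""Firewall rule evaluation with separate rule tables for the two directions
and default deny. Added example; addresses, hosts and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed internal (protected) network
BANK_FRONTEND = "10.20.1.10/32"                       # constructed online-banking front end
PAYMENT_GATEWAY = "203.0.113.10/32"                   # constructed external partner
EXTERNAL_DNS = "203.0.113.53/32"                      # constructed external resolver


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port
    comment: str


def rule(action, proto, src, dst, dport=None, comment=""):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport, comment)


# Rules restricting access from the internal network to the external one.
OUTBOUND = [
    rule("deny", "tcp", "10.20.0.0/16", "0.0.0.0/0", 445, "no SMB to the outside"),
    rule("allow", "tcp", "10.20.0.0/16", PAYMENT_GATEWAY, 443, "payment gateway over TLS"),
    rule("allow", "udp", "10.20.0.0/16", EXTERNAL_DNS, 53, "name resolution"),
]

# Rules restricting access from the external network to the internal one.
INBOUND = [
    rule("allow", "tcp", "0.0.0.0/0", BANK_FRONTEND, 443, "clients to the online-banking front end"),
    rule("deny", "any", "0.0.0.0/0", "10.20.0.0/16", None, "everything else stays outside"),
]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def packet(src, dst, proto, dport):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


def direction(pkt: Packet) -> str:
    src_in, dst_in = pkt.src in INTERNAL_NET, pkt.dst in INTERNAL_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "not_crossing"  # internal-to-internal or external-to-external


def matches(r: Rule, pkt: Packet) -> bool:
    return (r.proto in ("any", pkt.proto)
            and pkt.src in r.src and pkt.dst in r.dst
            and r.dport in (None, pkt.dport))


def evaluate(pkt: Packet) -> tuple:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    table = {"outbound": OUTBOUND, "inbound": INBOUND}.get(direction(pkt))
    if table is None:
        return ("deny", "traffic not crossing the firewall is not forwarded")
    for r in table:
        if matches(r, pkt):
            return (r.action, r.comment)
    return ("deny", "default deny: no rule matched")
```

Keeping the two tables apart makes each side of the policy reviewable on its own: the inbound table should name very few destinations, while the outbound table is where data-leakage paths (here the explicit SMB block) are closed.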

The security analysis subsystem is implemented based on the use of testing (security analysis) and information security control (audit) tools.

Security analysis tools are used to monitor the security settings of operating systems on workstations and servers, and make it possible to assess the feasibility of attacks by intruders on network equipment and to monitor software security. To do this, they examine the network topology, look for unprotected or unauthorized network connections and check firewall settings. The analysis relies on detailed descriptions of vulnerabilities in security settings (for example of switches, routers and firewalls) or of vulnerabilities in operating systems or application software. The output of a security analysis tool is a report summarizing the detected vulnerabilities.

Vulnerability detection tools can operate at the network level (“network-based”), the operating system level (“host-based”) and the application level (“application-based”). Using scanning software, one can quickly build a map of all reachable ISPD nodes, identify the services and protocols used on each of them, determine their basic settings and draw conclusions about the likelihood of unauthorized access (NSD).

Based on the scanning results, the systems develop recommendations and measures to eliminate the identified deficiencies.
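A host-based security analysis of the kind described above comes down to comparing what a scanner gathered from each node against a baseline of expected settings and summarizing the findings. The following is an added example written for this page, not code from the thesis or any scanner product; the node inventory, the baseline checks and the severities are constructed.

```python
"""Host-level security analysis: check gathered node settings against a baseline
and summarise the findings. Added example; inventory and checks are constructed."""
from dataclasses import dataclass

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed inventory, the kind a scanner collects per node: open services and settings.
NODES = {
    "acc-ws-01": {"services": {"rdp": 3389, "smb": 445},
                  "password_min_len": 6, "autologon": True, "antivirus": True},
    "db-01": {"services": {"ssh": 22, "postgres": 5432, "telnet": 23},
              "password_min_len": 12, "ssh_root_login": True, "antivirus": False},
    "fw-01": {"services": {"ssh": 22}, "password_min_len": 14, "antivirus": True,
              "permitted_services": {"ssh"}},
}


@dataclass(frozen=True)
class Finding:
    node: str
    check: str
    severity: str
    detail: str


# Each check receives one node's settings and returns (severity, detail) or None.
def check_cleartext_services(s):
    found = [n for n in s["services"] if n in ("telnet", "ftp")]
    return ("high", f"cleartext services exposed: {', '.join(found)}") if found else None


def check_password_length(s):
    n = s.get("password_min_len", 0)
    return ("medium", f"minimum password length {n} < 8") if n < 8 else None


def check_autologon(s):
    return ("high", "automatic logon stores credentials on the host") if s.get("autologon") else None


def check_root_ssh(s):
    return ("medium", "direct root login over SSH permitted") if s.get("ssh_root_login") else None


def check_antivirus(s):
    return ("medium", "no anti-virus protection installed") if not s.get("antivirus") else None


def check_unauthorized_services(s):
    allowed = s.get("permitted_services")
    if allowed is None:
        return ("low", "no approved service list recorded for this node")
    extra = set(s["services"]) - set(allowed)
    return ("high", f"unapproved services: {', '.join(sorted(extra))}") if extra else None


CHECKS = [check_cleartext_services, check_password_length, check_autologon,
          check_root_ssh, check_antivirus, check_unauthorized_services]


def scan(nodes=NODES):
    """Run every check on every node; most severe findings first."""
    findings = []
    for name, settings in nodes.items():
        for chk in CHECKS:
            result = chk(settings)
            if result:
                findings.append(Finding(name, chk.__name__[len("check_"):], *result))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.node))


def report(findings):
    """Summary a security analysis tool would produce: counts by severity and per node."""
    by_severity = {s: sum(1 for f in findings if f.severity == s) for s in SEVERITY_ORDER}
    by_node = {}
    for f in findings:
        by_node.setdefault(f.node, []).append(f.check)
    return {"total": len(findings), "by_severity": by_severity, "by_node": by_node}
```

The check on an approved service list is the one that turns a plain inventory into the “unauthorized connections” test the text mentions: a node with no recorded list cannot be judged, which is itself reported rather than silently passed.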

To identify threats of unauthorized access (NSD) arising through internetworking, intrusion detection systems are used. Such systems are built taking into account the specifics of how attacks are carried out and the stages of their development, and are based on a number of attack detection methods.

There are three groups of attack detection methods:

signature methods;

anomaly detection methods;

combined methods (using together algorithms defined in signature methods and anomaly detection methods).

To detect intrusions into class 3 and 4 ISPDs, it is recommended to use network attack detection systems that use signature analysis methods.

To detect intrusions into class 1 and class 2 ISPDs, it is recommended to use network attack detection systems that use anomaly detection methods along with signature analysis methods.
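The three groups of detection methods above, signature, anomaly and combined, are shown below running over web-application access log lines. This is an added example written for this page, not code from the thesis or any intrusion detection product; the log format, the two signatures, the baseline sample and the event sample are constructed.

```python
"""Signature, anomaly and combined detection over access log lines.
Added example, not from the thesis; log format, signatures and samples are constructed."""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed "normal" period used to learn what a usual failed-login count looks like.
BASELINE_LOG = [
    "2024-02-28T09:00:01 192.0.2.1 GET /login 200",
    "2024-02-28T09:00:05 192.0.2.2 POST /login 401",
    "2024-02-28T09:01:10 192.0.2.3 POST /login 401",
    "2024-02-28T09:01:12 192.0.2.3 POST /login 401",
    "2024-02-28T09:02:00 192.0.2.4 POST /login 401",
    "2024-02-28T09:02:30 192.0.2.5 GET /statement 200",
]

# Constructed period under analysis: one injection-looking request, one password-guessing burst.
EVENT_LOG = (
    ["2024-03-01T10:00:01 198.51.100.7 GET /login 200",
     "2024-03-01T10:00:02 198.51.100.7 GET /account?id=1%27%20OR%201=1-- 500",
     "2024-03-01T10:00:03 192.0.2.9 GET /statement 200"]
    + [f"2024-03-01T10:01:{i:02d} 203.0.113.5 POST /login 401" for i in range(25)]
)

# Signature methods: known attack patterns in the request path (constructed, not exhaustive).
SIGNATURES = [
    ("sql_injection", re.compile(r"(%27|')(%20|\s)*or(%20|\s)*1=1", re.IGNORECASE)),
    ("path_traversal", re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE)),
]


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}


def failed_logins_per_source(lines) -> Counter:
    counts = Counter()
    for e in filter(None, map(parse, lines)):
        counts[e["src"]] += 0  # register the source even if it never failed
        if e["path"] == "/login" and e["status"] == 401:
            counts[e["src"]] += 1
    return counts


def learn_baseline(lines) -> float:
    """Anomaly threshold: mean + 3 standard deviations of the per-source failed-login count."""
    values = list(failed_logins_per_source(lines).values())
    return statistics.mean(values) + 3 * statistics.pstdev(values)


def signature_alerts(lines):
    alerts = []
    for e in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES:
            if pattern.search(e["path"]):
                alerts.append(("signature", name, e["src"], e["ts"]))
    return alerts


def anomaly_alerts(lines, threshold):
    # Anomaly method: no pattern is needed, only a deviation from the learned profile.
    return [("anomaly", "failed_login_burst", src, f"{n} failures > {threshold:.1f}")
            for src, n in failed_logins_per_source(lines).items() if n > threshold]


def combined_alerts(lines, threshold):
    # Combined method: run both detectors and rank sources flagged by both first.
    alerts = signature_alerts(lines) + anomaly_alerts(lines, threshold)
    hits = Counter(a[2] for a in alerts)
    return sorted(alerts, key=lambda a: -hits[a[2]])
```

The two samples illustrate why the text recommends the combined approach for the higher ISPD classes: the injection-looking request is invisible to the anomaly detector (a single request from a source with no failed logins), while the password-guessing burst matches no signature and is caught only by the learned threshold.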

To protect personal data from leakage through technical channels, organizational and technical measures are used that are aimed at preventing the leakage of acoustic (speech) and visual information, as well as leakage via spurious electromagnetic radiation and pickup.

As a conclusion to the second chapter of the work, we draw the following conclusions. Protection of personal information is the state of security of information and its supporting infrastructure against accidental or intentional impacts of a natural or artificial nature that could cause damage to the owners or users of this information. The objects of information security in accounting are: information resources containing information classified as a trade secret, and informatization tools and systems. The main methods used within information protection are detection and direct protection.

CONCLUSION

The problem of information security of economic objects is multifaceted and needs further study.

In the modern world, informatization is becoming a strategic national resource, one of the main assets of an economically developed state. The rapid improvement of informatization in Russia, its penetration into all spheres of vital interests of the individual, society and the state, have entailed, in addition to undoubted advantages, the emergence of a number of significant problems. One of them was the need to protect information. Considering that currently the economic potential is increasingly determined by the level of development of the information infrastructure, the potential vulnerability of the economy in relation to information influences is growing proportionally.

The implementation of information security threats consists of violating the confidentiality, integrity and availability of information. From the standpoint of a systematic approach to information protection, it is necessary to use the entire arsenal of available security means in all structural elements of an economic entity and at all stages of the technological cycle of information processing. Methods and means of protection must reliably cover the possible ways of unauthorized access to protected secrets. Effectiveness of information security means that the cost of its implementation should not exceed the possible losses from the realization of information threats. Information security planning is carried out by each department developing detailed information security plans. There is a need for clarity in the exercise of users’ powers and rights of access to certain types of information, in ensuring control over security measures, and in immediate response to their failure.
