The information is confidential. List of confidential data defined by law

Bibliographic description:

Nesterov A.K. Ensuring information security [Electronic resource] // Educational encyclopedia website

Alongside the development of information technology and the growing importance of information resources for organizations, the number of threats to their information security, and the possible damage from violations of it, is growing too. There is an objective need to ensure the information security of the enterprise, and progress here is only possible under conditions of targeted prevention of threats to information security.

Information Security Tools

Information security is ensured using two types of means:

  • software and hardware
  • secure communication channels

Software and hardware for ensuring information security, under modern conditions of information technology development, are the most common means used in the work of domestic and foreign organizations. Let's take a closer look at the main software and hardware for information security.

Software and hardware protection against unauthorized access includes measures for identification, authentication and access control to the information system.

Identification – assigning unique identifiers to access subjects.

This includes radio frequency tags, biometric technologies, magnetic cards, universal magnetic keys, system logins, etc.

Authentication – checking that the access subject belongs to the presented identifier and confirming its authenticity.

Authentication procedures include passwords, PIN codes, smart cards, USB keys, digital signatures, session keys, etc. The procedural parts of identification and authentication tools are interconnected and, in fact, form the basic foundation of all software and hardware for information security, since all other services are designed to serve specific entities correctly recognized by the information system. In general terms, identification allows the subject to name itself to the information system, and with the help of authentication the information system confirms that the subject really is who it claims to be. Once this operation is completed, access to the information system is granted. Access control procedures allow authorized subjects to perform the actions permitted by regulations, and the information system monitors these actions for correctness and for the correctness of the result obtained. Access control allows the system to withhold data from users who are not authorized to access it.

The next means of software and hardware protection is logging and auditing of information.

Logging includes the collection, accumulation and storage of information about events, actions, results that took place during the operation of the information system, individual users, processes and all software and hardware that are part of the enterprise information system.

Since each component of the information system has a predetermined set of possible events in accordance with the programmed classifiers, events, actions and results are divided into:

  • external, caused by the actions of other components,
  • internal, caused by the actions of the component itself,
  • client-side, caused by the actions of users and administrators.

Information audit consists of operational analysis conducted in real time or over a given period.

Based on the results of the analysis, either a report is generated on the events that took place, or an automatic response to an emergency situation is initiated.

The implementation of logging and auditing serves the following purposes:

  • holding users and administrators accountable;
  • ensuring the possibility of reconstructing the sequence of events;
  • detection of attempted information security violations;
  • providing information to identify and analyze problems.
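The logging and audit tasks listed above, as an added example that is not part of the article: a small audit pass over constructed event records that classifies events into the three classes named in the text (external, internal, client-side), reconstructs one subject's sequence of actions, flags repeated denied accesses as an attempted violation, and returns either a report or an automatic response. The log format, field names, subjects and the three-denials-per-minute threshold are assumptions made for this example.

```python
"""Added example: logging and audit over a constructed event log.
Everything here (record format, thresholds, names) is assumed, not taken from the article."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one record per line:
# timestamp|component|source|subject|action|result
SAMPLE_LOG = """\
2024-05-01T09:00:01|auth|client|ivanov|login|ok
2024-05-01T09:00:05|fileserver|client|ivanov|read:/hr/salaries.xlsx|denied
2024-05-01T09:00:07|fileserver|client|ivanov|read:/hr/salaries.xlsx|denied
2024-05-01T09:00:09|fileserver|client|ivanov|read:/hr/salaries.xlsx|denied
2024-05-01T09:00:20|backup|internal|backup-svc|snapshot|ok
2024-05-01T09:01:00|gateway|external|partner-api|sync|ok
2024-05-01T09:02:00|fileserver|client|petrova|read:/sales/q1.docx|ok
"""

EVENT_CLASSES = ("external", "internal", "client")  # the article's three classes


@dataclass
class Event:
    ts: datetime
    component: str
    source: str      # external | internal | client
    subject: str
    action: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Collect and store events in time order; malformed lines are skipped rather than mis-parsed."""
    events: list[Event] = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6 or parts[2] not in EVENT_CLASSES:
            continue
        ts, component, source, subject, action, result = parts
        events.append(Event(datetime.fromisoformat(ts), component, source, subject, action, result))
    return sorted(events, key=lambda e: e.ts)


def classify(events: list[Event]) -> dict[str, int]:
    """Count events per class (external / internal / client-side)."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.source] += 1
    return dict(counts)


def reconstruct(events: list[Event], subject: str) -> list[tuple[str, str, str]]:
    """Reconstruct the ordered sequence of one subject's actions (accountability)."""
    return [(e.ts.isoformat(), e.action, e.result) for e in events if e.subject == subject]


def detect_violations(events: list[Event], threshold: int = 3,
                      window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Flag subjects with at least `threshold` denied actions inside a sliding time window.
    Returns subject -> total number of denied actions for each flagged subject."""
    denied: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.result == "denied":
            denied[e.subject].append(e.ts)
    flagged: dict[str, int] = {}
    for subject, times in denied.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[subject] = len(times)
                break
    return flagged


def audit(events: list[Event], auto_respond: bool = False) -> dict:
    """Either produce a report on the events or initiate an automatic response,
    as the article describes for the outcome of an audit."""
    violations = detect_violations(events)
    if auto_respond:
        return {"action": "block", "subjects": sorted(violations)}
    return {"action": "report", "classes": classify(events), "violations": violations}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(audit(evs))
    print(reconstruct(evs, "ivanov"))
```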

Often, protecting information is impossible without the use of cryptographic means. They are used to provide encryption, integrity and authentication services; for instance, the user's authentication credentials are stored in encrypted form. There are two main encryption methods: symmetric and asymmetric.

Integrity control allows you to establish the authenticity and identity of an object, whether a data array, individual pieces of data or a data source, and also to ensure that an action performed in the system on a set of data cannot be repudiated. The basis for implementing integrity control is data transformation technology using encryption and digital certificates.

Another important aspect is the use of shielding, a technology that, by limiting the access of subjects to information resources, controls all information flows between the enterprise information system and external objects, data sets, subjects and counterparties. Control of flows consists of filtering them and, if necessary, transforming the transmitted information.

The purpose of shielding is to protect internal information from potentially hostile external factors and entities. The main implementation of shielding is the firewall, in its various types and architectures.

Since one of the attributes of information security is the availability of information resources, ensuring a high level of availability is an important direction in the implementation of software and hardware measures. Two sub-directions are distinguished: ensuring fault tolerance, i.e. neutralizing system failures and retaining the ability to operate when errors occur, and ensuring safe and quick recovery after failures, i.e. system serviceability.

The main requirement for information systems is that they always operate with the specified efficiency, minimal downtime and the required response speed.

In accordance with this, the availability of information resources is ensured by:

  • application of structural architecture, which means that individual modules can be disabled or quickly replaced if necessary without damaging other elements of the information system;
  • ensuring fault tolerance through: using autonomous elements of the supporting infrastructure, adding excess capacity to the hardware and software configuration, reserving hardware, replicating information resources within the system, backing up data, etc.;
  • ensuring serviceability by reducing the time required to diagnose and eliminate failures and their consequences.

Another type of information security means are secure communication channels.

The functioning of information systems is inevitably associated with the transfer of data, so enterprises must also protect transmitted information resources using secure communication channels. The possibility of unauthorized access to data when transmitting traffic through open communication channels stems from their general availability. Since “it is impossible to physically protect communications along their entire length, it is therefore better to initially proceed from the assumption of their vulnerability and provide protection accordingly.” For this, tunneling technologies are used, the essence of which is to encapsulate data, i.e. to pack or wrap the transmitted data packets, including all their service attributes, in envelopes of their own. Accordingly, a tunnel is a secure connection through open communication channels over which cryptographically protected data packets are transmitted. Tunneling ensures traffic confidentiality by hiding service information and, when used together with the cryptographic elements of an information system, ensures the confidentiality and integrity of transmitted data. Combining tunneling and encryption makes it possible to implement a virtual private network. At the same time, the tunnel endpoints that implement virtual private networks act as the firewalls that serve the organization's connection to external networks.

Firewalls as implementation points for virtual private network services

Thus, tunneling and encryption are additional transformations performed during the filtering of network traffic, along with address translation. The ends of the tunnels, in addition to corporate firewalls, can be employees' personal and mobile computers, or more precisely, their personal firewalls. This approach ensures the functioning of secure communication channels.

Information security procedures

Information security procedures are usually divided into administrative and organizational levels.

  • Administrative procedures include general actions taken by the management of the organization to regulate all work, actions, operations in the field of ensuring and maintaining information security, implemented by allocating the necessary resources and monitoring the effectiveness of the measures taken.
  • The organizational level represents procedures for ensuring information security, including personnel management, physical protection, maintaining the operability of software and hardware infrastructure, prompt elimination of security violations and planning restoration work.

On the other hand, the distinction between administrative and organizational procedures is meaningless, since procedures at one level cannot exist separately from the other level; treating them separately would break the relationship between physical, personnel and organizational protection in the concept of information security. In practice, when ensuring the information security of an organization, neither administrative nor organizational procedures are neglected, so it is more logical to treat them as an integrated approach, since both levels affect the physical, organizational and personnel levels of information protection.

The basis of comprehensive procedures for ensuring information security is the security policy.

Information Security Policy

An organization's information security policy is a set of documented decisions made by the organization's management and aimed at protecting information and associated resources.

In organizational and managerial terms, the information security policy can be a single document or issued in the form of several independent documents or orders, but in any case it should cover the following aspects of protecting the organization’s information system:

  • protection of information system objects, information resources and direct operations with them;
  • protection of all operations related to information processing in the system, including software processing tools;
  • protection of communication channels, including wired, radio, infrared, hardware, etc.;
  • protection of the hardware complex from spurious electromagnetic emissions;
  • security system management, including maintenance, upgrades and administrative activities.

Each aspect must be described in detail and documented in the internal documents of the organization. Internal documents cover three levels of the security process: upper, middle and lower.

Top-level information security policy documents reflect the organization's basic approach to protecting its own information and to compliance with government and/or international standards. In practice, an organization has only one top-level document, entitled “Information Security Concept”, “Information Security Regulations” or similar. Formally, these documents are not of confidential value and their distribution is not restricted, but they may be issued in editions for internal use and for open publication.

Mid-level documents are strictly confidential and relate to specific aspects of the organization’s information security: information security tools used, database security, communications, cryptographic tools and other information and economic processes of the organization. Documentation is implemented in the form of internal technical and organizational standards.

Lower-level documents are divided into two types: work regulations and operating instructions. Work regulations are strictly confidential and are intended only for persons who, as part of their duties, administer individual information security services. Operating instructions can be either confidential or public; they are intended for the organization's personnel and describe the procedure for working with individual elements of the organization's information system.

World experience shows that the information security policy is consistently documented only in large companies, which have a developed information system and place increased demands on information security; medium-sized enterprises most often have only a partially documented information security policy, and the overwhelming majority of small organizations do not document the security policy at all. Regardless of the document format, holistic or distributed, the basic aspect is the security mode.

There are two different approaches that can form the basis of an information security policy:

  1. "Everything that is not prohibited is permitted."
  2. "Everything that is not permitted is prohibited."

The fundamental defect of the first approach is that in practice it is impossible to foresee all dangerous cases and prohibit them. Without a doubt, only the second approach should be used.
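The two approaches above, as an added example that is not part of the article: the same constructed rule set is evaluated under "everything not prohibited is permitted" and under "everything not permitted is prohibited", so that a request nobody foresaw (and therefore nobody wrote a rule for) shows the defect the text describes. The request also carries its originating workstation, exercising the "no login from outside verified workplaces" criterion that the page lists later under its minimum information security criteria. All subjects, resources, rules and workstation names are assumptions.

```python
"""Added example: default-allow versus default-deny policy evaluation.
Rules, subjects, resources and workstation names are constructed, not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    workstation: str  # where the request originates


# Constructed rule set: a rule is the triple (subject, resource, action).
PROHIBITED = {
    ("guest", "hr/salaries", "read"),
    ("guest", "finance/ledger", "read"),
}
PERMITTED = {
    ("accountant", "finance/ledger", "read"),
    ("accountant", "finance/ledger", "write"),
    ("hr", "hr/salaries", "read"),
}
# Constructed list of verified workplaces ("closed entrance": no login from anywhere else).
VERIFIED_WORKSTATIONS = {"ws-acc-01", "ws-hr-01"}


def decide_permissive(req: Request) -> bool:
    """Approach 1: everything that is not prohibited is permitted.
    Only explicitly listed prohibitions are enforced; an unforeseen request passes."""
    return (req.subject, req.resource, req.action) not in PROHIBITED


def decide_restrictive(req: Request) -> bool:
    """Approach 2: everything that is not permitted is prohibited.
    A request must come from a verified workplace and match a permission exactly."""
    if req.workstation not in VERIFIED_WORKSTATIONS:
        return False
    return (req.subject, req.resource, req.action) in PERMITTED


def compare(requests: list) -> list:
    """Return the requests on which the two approaches disagree."""
    return [r for r in requests if decide_permissive(r) != decide_restrictive(r)]


# Constructed requests, including the cases the rule authors did not foresee.
CONSTRUCTED_REQUESTS = [
    Request("accountant", "finance/ledger", "read", "ws-acc-01"),   # foreseen, legitimate
    Request("guest", "hr/salaries", "read", "ws-hr-01"),            # foreseen, prohibited
    Request("guest", "backup/archive", "read", "ws-hr-01"),         # unforeseen: no rule exists
    Request("hr", "hr/salaries", "read", "laptop-unknown"),         # legitimate subject, unverified origin
]


if __name__ == "__main__":
    for r in CONSTRUCTED_REQUESTS:
        print(r, "permissive:", decide_permissive(r), "restrictive:", decide_restrictive(r))
```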

Organizational level of information security

From the point of view of information protection, organizational procedures for ensuring information security are presented as “the regulation of production activities and relationships between performers on a legal basis that excludes or significantly complicates the unlawful acquisition of confidential information and the manifestation of internal and external threats”.

Personnel management measures aimed at organizing work with personnel to ensure information security include segregation of duties and minimization of privileges. Separation of duties prescribes such a distribution of competencies and areas of responsibility in which one person is not able to disrupt a process critical to the organization. This reduces the likelihood of errors and abuse. Least privilege requires that users be given only the level of access necessary to perform their job duties. This reduces damage from accidental or intentional incorrect actions.

Physical protection means the development and adoption of measures for the direct protection of buildings that house the organization’s information resources, adjacent areas, infrastructure elements, computer technology, storage media and hardware communication channels. These include physical access control, fire protection, protection of supporting infrastructure, protection against data interception, and protection of mobile systems.

Maintaining the functionality of the hardware and software infrastructure involves preventing stochastic errors that threaten damage to hardware, disruption of programs and loss of data. The main directions in this aspect are user and software support, configuration management, backup, media management, documentation and maintenance.

Prompt elimination of security violations has three main goals:

  1. Localization of the incident and reduction of harm caused;
  2. Identification of the violator;
  3. Prevention of repeated violations.

Finally, recovery planning allows you to prepare for accidents, reduce damage from them and maintain the ability to function at least to a minimum extent.

The use of software and hardware and secure communication channels must be implemented in the organization on the basis of an integrated approach to the development and approval of all administrative and organizational regulatory procedures for ensuring information security. Otherwise, taking individual measures does not guarantee information protection and often, on the contrary, provokes leaks of confidential information, loss of critical data, damage to the hardware infrastructure and disruption of the software components of the organization's information system.

Information security methods

Modern enterprises are characterized by a distributed information system, which covers the company's distributed offices and warehouses, financial accounting and management control, information from the client base, selections by indicators, and so on. Thus, the array of data is very large, and the vast majority of it is information of priority importance for the company in commercial and economic terms. In fact, ensuring the confidentiality of commercially valuable data is one of the main objectives of information security in a company.

Ensuring information security in the enterprise must be regulated by the following documents:

  1. Information Security Regulations. Includes a statement of the goals and objectives of ensuring information security, a list of internal regulations on information security tools, and regulations on the administration of the company's distributed information system. Access to the regulations is limited to the management of the organization and the head of the automation department.
  2. Regulations on technical support of information protection. The documents are confidential; access is limited to employees of the automation department and senior management.
  3. Regulations on administration of the distributed information protection system. Access to the regulations is limited to the employees of the automation department responsible for administering the information system and to senior management.

At the same time, one should not limit oneself to these documents but should also work on the lower levels. Otherwise, if the enterprise has no other documents related to ensuring information security, this indicates an insufficient degree of administrative support for information security, since there are no lower-level documents, in particular operating instructions for individual elements of the information system.

Mandatory organizational procedures include:

  • basic measures to differentiate personnel by level of access to information resources;
  • physical protection of company offices from direct penetration and from threats of destruction, loss or interception of data;
  • maintaining the functionality of the hardware and software infrastructure, organized in the form of automated backup and remote verification of storage media, with user and software support provided on request.

This should also include regulated measures to respond to and eliminate cases of information security violations.

In practice, it is often observed that enterprises are not attentive enough to this issue. All actions in this direction are carried out exclusively on a routine basis, which increases the time needed to eliminate cases of violations and does not guarantee the prevention of repeated violations of information security. In addition, there is a complete lack of practice in planning actions to eliminate the consequences of accidents, information leaks, data loss and critical situations. All this significantly worsens the information security of the enterprise.

At the software and hardware level, a three-level information security system must be implemented.

Minimum information security criteria:

1. Access control module:

  • entry into the information system is closed: it is impossible to log into the system from outside verified workplaces;
  • access with limited functionality from mobile personal computers is implemented for employees;
  • authorization is carried out using logins and passwords generated by administrators.

2. Encryption and integrity control module:

  • an asymmetric method of encrypting transmitted data is used;
  • arrays of critical data are stored in databases in encrypted form, which does not allow access to them even if the company’s information system is hacked;
  • integrity control is ensured by a simple digital signature of all information resources stored, processed or transmitted within the information system.

3. Shielding module:

  • a filtering system is implemented in the firewalls, allowing control of all information flows through communication channels;
  • external connections to global information resources and public communication channels can only be made through a limited set of verified workstations that have limited connectivity with the corporate information system;
  • secure access from employee workstations for the performance of their official duties is implemented through a two-level proxy server system.

Finally, with the help of tunneling technologies, the enterprise must implement a virtual private network, built according to the typical model, to provide secure communication channels between the various departments of the company, its partners and its clients.

Although communications are carried out directly over networks with a potentially low level of trust, tunneling technologies, thanks to the use of cryptography, make it possible to ensure reliable protection of all transmitted data.

Conclusions

The main goal of all measures taken in the field of information security is to protect the interests of the enterprise, one way or another related to the information resources that it has. Although enterprise interests are not limited to a specific area, they all center around the availability, integrity and confidentiality of information.

The problem of ensuring information security is explained by two main reasons.

  1. The information resources accumulated by the enterprise are valuable.
  2. The critical dependence on information technologies determines their widespread use.

Given the wide variety of existing threats to information security, such as the destruction of important information, unauthorized use of confidential data, and interruptions in the operation of the enterprise due to failures of the information system, we can conclude that all of this objectively leads to large material losses.

In ensuring information security, a significant role is played by software and hardware aimed at controlling computer entities, i.e. equipment, program elements, data, forming the last and highest priority frontier of information security. Data transmission must also be secure in terms of maintaining its confidentiality, integrity and availability. Therefore, in modern conditions, tunneling technologies in combination with cryptographic tools are used to provide secure communication channels.

Literature

  1. Galatenko V.A. Information security standards. – M.: Internet University of Information Technologies, 2006.
  2. Partyka T.L., Popov I.I. Information security. – M.: Forum, 2012.

The concept of “confidential information” has become an integral part of Russian legal vocabulary. At present it is used in several hundred regulatory legal acts of the Russian Federation. Law enforcers are also keeping up with the legislator: increasingly, entire sections or even separate confidentiality agreements can be found in various contracts. The inclusion of provisions prohibiting the dissemination of confidential information in employment contracts has become widespread.

However, the legislation still does not contain a clear definition of the concept of “confidential information”. Previously, such a definition was contained in Art. 2 of the no longer in force Federal Law “On Information, Informatization and Information Protection”. According to this law, “confidential information is documented information, access to which is limited in accordance with the legislation of the Russian Federation.” This definition, in a slightly modified form, continues to be used in acts of state authorities of the Russian Federation.

The current Federal Law “On information, information technology and information protection” does not contain a definition of the concept “confidential information”. However this definition can be obtained based on an analysis of its norms.

According to paragraph 1 of Art. 2 of this law, information is information (messages, data) regardless of the form of its presentation.

Paragraph 7 of the same article states that confidentiality of information is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Thus, confidential information is information, regardless of the form in which it is provided, that cannot be transferred by the person who has access to it to third parties without the consent of its rights holder.

The list of confidential information is contained in Decree of the President of the Russian Federation dated March 6, 1997 No. 188 “On approval of the list of confidential information.” According to this decree, confidential information includes:

  • personal data;
  • information constituting the secret of investigation and legal proceedings, as well as information about protected persons and measures of state protection carried out in accordance with Federal Law of August 20, 2004 No. 119-FZ “On state protection of victims, witnesses and other participants in criminal proceedings” and other regulatory legal acts of the Russian Federation;
  • official secret;
  • medical, notarial and attorney-client confidentiality, confidentiality of correspondence, telephone conversations, postal items, telegraphic or other messages;
  • trade secret;
  • information about the essence of an invention, utility model or industrial design before the official publication of information about them.

Attention should be paid to the fact that this list cannot be considered closed. The current Federal Law “On Information” does not require the adoption of regulations of the President or the government for the further development of the concept of “confidential information”. Moreover, the law allows the holder of information to independently decide whether to grant it confidential status. Therefore, the list should be considered as an example.

This conclusion has very important practical significance. The ability to independently determine the status of information allows its holder to develop ways to protect it from unauthorized access, use and distribution, as well as to provide for measures of civil liability in the event that such actions are committed. The above conclusion is of particular importance for business companies. As is known, in accordance with paragraph 2 of Art. 67 of the Civil Code of the Russian Federation, participants in business entities are obliged not to disclose confidential information.

Unfortunately, this norm was not developed in the Federal Law “On Joint-Stock Companies”, which does not mention such a duty of shareholders at all. Therefore, there is still no consensus in science about what kind of confidential information we're talking about. A number of authors believe that the obligation not to disclose confidential information applies only to confidential information falling under the trade secret regime.

Currently, there is no clear and unified classification of types of confidential information, although the current regulations establish over 30 of its varieties. Certain attempts at such a classification have been made by scientists. A. I. Aleksentsev offers the following grounds for dividing information by type of secret:

  • owners of information (for certain types they may overlap);
  • areas (spheres) of activity in which there may be information constituting this type of secret;
  • who is entrusted with the protection of this type of secret (for some types of secrets, a coincidence is also possible here). (11, P.92)

A.A. Fatyanov classifies information to be protected according to three criteria: by ownership, by degree of confidentiality (degree of access restriction) and by content. (22, P.254)

By ownership, the holders of protected information may be government bodies and the structures formed by them (state secrets, official secrets and, in certain cases, commercial and banking secrets); legal entities (commercial, banking, lawyer, medical, audit secrets, etc.); and citizens (individuals), in relation to personal and family secrets and notarial, lawyer and medical secrets. It should be noted that the use of the concepts “owner” and “proprietor” in relation to information is found in the Federal Law “On Information...”, the Law of the Russian Federation “On State Secrets” and a number of other regulations. This usage, as well as the recognition of information as an object of real rights, including property rights, established by the above-mentioned acts, draws considerable criticism from scholars and to a certain extent contradicts the Civil Code, since under Art. 128 of the Civil Code information is not a thing. This problem has already been covered by the author, and it must be recognized that it is more expedient to refrain from applying proprietary rights to information, and therefore more correct to speak of the holder, as indicated in Art. 139 of the Civil Code of the Russian Federation, rather than of the owner, user or proprietor of the information. Hereafter, the concepts of “owner”, “user” and “proprietor” will be used only when citing the law or the opinion of a researcher.

At present, only information constituting a state secret can be classified according to the degree of confidentiality (degree of access restriction). According to Art. 8 of the Law of the Russian Federation “On State Secrets”, three degrees of secrecy are established for information constituting a state secret, with the secrecy stamps corresponding to these degrees for carriers of this information: “special importance”, “top secret” and “secret”. It is interesting that in the USA and a number of NATO countries the secrecy classifications are similar to those established by domestic legislation: “confidential”, “secret”, “top secret”. For other types of secrets, this classification basis has not yet been developed; moreover, according to Art. 8 of the Law of the Russian Federation “On State Secrets”, the use of these classifications to classify information not classified as state secrets is not allowed. (21, P.148)

It should be noted that the above classifications are not exhaustive and their development remains to be done by science and legislation. The lack of a clear classification of confidential information and the lack of formalization of their legal regimes in legislation leads to a significant number of contradictions and gaps. Let's consider the most significant of them.

In accordance with Art. 2 of the Law of the Russian Federation “On State Secrets”, a state secret is information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational investigative activities, the dissemination of which may harm the security of the Russian Federation. As A.I. Aleksentsev notes, the term “dissemination” in this case is too vague. (11, P.96)

Distribution may or may not be unauthorized, it may or may not cause damage. This criterion states the possible consequences of the dissemination of information, i.e., it proceeds from the opposite, whereas logically, one should rather name the advantages obtained from the fact that the information is kept secret.

Summarizing all of the above, we can state that the current types of confidential information are state, commercial, personal and family, official and professional secrets, which in turn have a number of varieties. At the same time, the legal regime of most of these secrets has not been fully developed, and between individual documents there are serious contradictions that need to be resolved.

Every person at least once in his life has come across the concept of “confidential information”. It is a collection of data that is of particular value and known, as a rule, to a very narrow circle of people. Current legislation provides for punishment for the disclosure of such information, that is, a person is responsible for failure to maintain a trade secret.

Such information may be used at the discretion of the person who holds it, but the chosen method must not contradict legal norms. Because access to the data is restricted, measures are taken to protect it from third parties. People often encounter problems at work when they have to use documentation of particular importance to the company. Many companies warn their employees that even the amount of their salary is data that must not be disclosed.

To avoid incidents and unpleasant situations, managers of enterprises and organizations are advised to agree in advance with each employee which matters are secret. It is best to prepare in advance a list of confidential information approved by the governing bodies. All personnel should be familiarized with this document and given free access to study it. All available data should be clearly divided into separate groups:

  1. Fully accessible information. Such information is not restricted and is regularly published in specialized publications; an example is material intended for external users.
  2. Partially restricted data, which only a specifically designated group of people may become familiar with.
  3. Documents at the disposal of the head of the company or a specialist with the appropriate authority. This information can be considered fully confidential.

Company documentation can thus be classified by purpose as industrial or commercial. The former contains all information about equipment, the specific technology for manufacturing the product, the product itself, and so on. The latter includes all agreements with counterparties, information on the existence and amounts of accounts payable and receivable, and correspondence with business partners. Accordingly, confidential information is also divided into two main groups, commercial and industrial.

Due to the continuous development of production, the appearance of new equipment and the introduction of technological innovations, security department staff increasingly have to take measures to strengthen the security system. Today most information is stored in electronic form, and settlements with partners are also made by non-cash transfer. This increases the number of hacker attacks of various kinds, which sometimes lead to irreparable consequences. That is why technical protection is one of the most important tasks, and its implementation is entrusted to the company's best personnel. Indeed, huge sums are spent on maximizing the protection of a firm's internal network. This is especially true for large corporations, where security is among the strategic goals.

Unfortunately, in the modern world the hunt for documents containing trade secrets is pursued with particular ruthlessness, since the struggle for power exists both at the state level and at the level of individual economic entities. Confidential information is an expensive commodity that sells well on the market. Managers can therefore be advised to keep up with the times and spare no expense on improving the security system, so that they do not later have to deal with the financial fraud of ill-wishers.

Confidentiality

Confidentiality (from the English confidence, trust) - the need to prevent the leakage (disclosure) of certain information.

In the Anglo-American tradition there are two main types of confidentiality: voluntary (privacy) and compelled (secrecy) (see Edward Shils, The Torment of Secrecy: The Background and Consequences of American Security Policies, Chicago: Dee). The first concerns the prerogatives of the individual; the second concerns information for official use, accessible to a limited number of officials of a company, corporation, government agency, public or political organization. Although privacy and secrecy are close in meaning, in practice they usually conflict: an increase in secrecy leads to a violation and reduction of privacy. In totalitarian and authoritarian states, confidentiality usually means only secrecy.

Definitions

Confidentiality of information - an auditing principle under which auditors are obliged to ensure the safekeeping of documents received or prepared by them in the course of auditing, and may not transfer these documents or copies of them to any third parties, nor orally disclose the information contained in them, without the consent of the owner of the economic entity, except in cases provided for by legislative acts.

Confidentiality of information - a mandatory requirement that a person who has gained access to certain information not pass it on to third parties without the consent of its owner.

Confidential information - information to which access is restricted in accordance with the legislation of the Russian Federation and which constitutes a commercial, official or personal secret protected by its owner.

Official secret - confidential information protected by law that became known to state bodies and local self-government bodies only on lawful grounds and through the performance of official duties by their representatives, as well as official information about the activities of state bodies, access to which is restricted by federal law or by business necessity. Current legislation of the Russian Federation gives no unambiguous definition of the concept of “official secret”. Official secret is one of the objects of civil rights under the civil legislation of the Russian Federation. The regime for protecting official secrets is generally similar to the regime for protecting commercial secrets. In a number of cases the law provides for criminal liability for disclosure of an official secret (for example, disclosure of the secrecy of adoption, or disclosure of information constituting a commercial, tax or banking secret by a person to whom it became known in the course of service).

Official secret - restricted-access information, excluding information classified as a state secret and personal data, contained in state (municipal) information resources, accumulated at the expense of the state (municipal) budget and owned by the state, the protection of which is carried out in the interests of the state.

Protecting confidentiality is one of the three goals of information security (together with protecting the integrity and availability of information).

Relevance of confidentiality

Since computer technology began to be used in all areas of human activity, many problems related to protecting confidentiality have arisen. This is mainly due to the processing of documents by computer. Many administrative measures protecting the confidentiality of individuals and organizations lost their force when document flow moved to an entirely new environment.

When receiving personal letters, concluding contracts, conducting business correspondence or talking on the telephone with friends and strangers, people used various means of authentication. Personal letters were sent with a known return address or bore the stamp of exactly those post offices where such letters were processed. Contracts were concluded on forms produced by printing houses, on which the text was typed on typewriters with unique serial numbers, then signed by an official and certified with the organization's seal. In a telephone conversation it was reliably known that one was talking with exactly the person whose voice was already familiar. Many hundreds of administrative measures were aimed at protecting the privacy of people's communications.

With the introduction of computer technology into everyday life, much has changed. When using e-mail, for example, it became possible to specify a non-existent return address or to simulate receiving a letter from a friend. In everyday communication over the Internet, many of the attributes that identify a particular person in ordinary life (sex, age, level of education) have ceased to do so. The so-called “virtual reality” has appeared.

Problems of protecting confidentiality in computer systems cannot be solved quickly and effectively in isolation. An integrated approach is needed, combining organizational, legal and software measures that protect confidentiality, integrity and availability.

Today organizations have a set of standards for correct handling of confidential information. The head of the organization signs a list of confidential information. The contract between employee and employer contains a clause establishing liability for mishandling confidential information, so that if the rules for handling it specified in the contract are violated, there is a legal basis for bringing the employee to administrative or criminal liability. Organizations also have a set of measures aimed at protecting confidential information, for example: selection of qualified personnel, forecasting possible threats and taking measures to prevent them, and giving personnel different levels of access to information of differing secrecy.

Since this area cannot be studied in detail in a short time, a dedicated track for training specialists in information security was introduced.

Software and hardware information protection tools from various manufacturers give better results when applied together. Such tools include equipment for cryptographic protection of speech, programs for cryptographic protection of text or other information, programs for authenticating e-mail messages by electronic digital signature, anti-virus programs, programs for protecting against network intrusions, intrusion detection programs, and programs for hiding the return address of the sender of an e-mail.

Such a list of software and hardware is usually drawn up by information security specialists, taking into account many factors, such as the characteristics of the automated system, the number of its users, and differences in those users' access levels.


Other dictionaries define confidentiality along similar lines: the property of information that it cannot be viewed by unauthorized users and/or processes (Technical Translator's Guide); the property of information being inaccessible and closed to an unauthorized individual, logical object or process (ISO/IEC 7498-2); and, in psychology, the ethical requirement that participants or patients have the right for information collected during a study or treatment session not to be disclosed (Great Psychological Encyclopedia). Synonym: secrecy; antonym: openness.

Confidential information - information to which access is restricted in accordance with the legislation of the country and the access level of the information resource. Confidential information is made available or disclosed only to authorized persons, entities or processes.

Russian legislation identifies several types of confidential information: state secret, official secret, commercial secret, medical secret, notarial secret, audit secret, attorney-client secret, bank secret, tax secret, personal and family secret, secrecy of adoption, secrecy of judges' deliberations, secrecy of investigation and legal proceedings, secrecy of insurance, and others. According to V. A. Kolomiets, regulatory legal acts at various levels currently mention about 50 types of confidential information.

The importance of information in the life and activities of every modern person is common knowledge. It is also well known how important information is in solving a specific task and achieving one's goals. Those who clearly understand the information space and can easily and promptly obtain the information they need are better placed to find an exact answer to the question at hand and to avoid mistakes in decision-making.

44. Formation and modern definition of the concept of “state secret”

The concept of state secret is one of the most important in any country's system for protecting state secrets. The policy of the country's leadership in the field of protecting secrets depends on its correct definition.

The definition of this concept is given in the Law of the Russian Federation “On State Secrets”: “State secrets are information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational investigative activities, the dissemination of which may harm the security of the Russian Federation.”

This definition specifies the categories of information protected by the state and indicates that dissemination of this information could harm the interests of state security.

The model for defining state secrets usually includes the following essential features:

1. Objects, phenomena, events and areas of activity that constitute state secrets.

2. The adversary (actual or potential) from whom state secrets are mainly protected.

3. Indication in a law, list or instruction of the information constituting a state secret.

4. Damage to the defense, foreign policy, economy, scientific and technological progress of the country, etc. in the event of disclosure (leakage) of information constituting a state secret.

For comparison, we give brief definitions of the concept of state secret by specialists from other countries.

The Criminal Code of the Federal Republic of Germany states that state secrets are facts, objects or knowledge accessible only to a limited circle of persons, which must be kept secret from a foreign power in order to avert the danger of grave damage to the external security of the Federal Republic of Germany.

The Executive Order of the President of the United States of April 2, 1982 states that national security information is certain information concerning national defense and foreign relations which is protected from unauthorized disclosure.

In some countries the concept is expressed in other terms, for example “defense secret” in Japan.

What information can be classified as a state secret is defined in Decree of the President of the Russian Federation No. 1203 of November 30, 1995. It covers information (only the sections are listed here): in the military field; in foreign policy and foreign economic activity; in the fields of economics, science and technology; in the field of intelligence, counterintelligence and operational investigative activities.

Information cannot be classified as a state secret:

if its leakage (disclosure, etc.) does not entail damage to the country's security;

in violation of current laws;

if concealing it would violate the constitutional and legislative rights of citizens;

to conceal activities that damage the natural environment and threaten the life and health of citizens. This list is given in more detail in Art. 7 of the Law of the Russian Federation “On State Secrets”.

An important feature of a state secret is the degree of secrecy of the information classified as such. Our country has adopted the following system of designations for information constituting a state secret: “of special importance”, “top secret”, “secret”. These stamps are affixed to documents or products (their packaging or accompanying documents). Information carried under these stamps is a state secret.

What criteria are used to classify information, first, as a state secret, and second, to one or another degree of secrecy?

The answer is given by the Rules for classifying information constituting a state secret to various degrees of secrecy, established by Decree of the Government of the Russian Federation No. 870 of September 4, 1995.

Information of special importance includes information the dissemination of which could harm the interests of the Russian Federation in one or more areas.

Top secret information includes information the dissemination of which could harm the interests of a ministry (agency) or a sector of the Russian economy in one or more areas.

Secret information includes all other information constituting a state secret; here the damage may be to the interests of an enterprise, institution or organization.

These definitions show a relatively high degree of uncertainty in the features that characterize one or another degree of secrecy of information constituting a state secret.

Attempts have been made to tie the degree of secrecy of information to the amount of damage (for example, in monetary terms) that may result from its leakage, but they have not gained wide acceptance or approval.

Nor is there clarity on this question in the US Presidential Executive Order “National Security Information”. It states, in part:

1. The classification “top secret” is applied to information the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security.

2. The classification “secret” is applied to information the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security.

3. The classification “confidential” is defined the same way, except that the level of damage is stated simply as “damage to the national security”.

As can be seen, the difference between the three degrees of secrecy lies in the magnitude of the damage, described as “exceptionally grave”, “serious”, or simply “damage”.

These qualitative features, the criteria for the degree of secrecy of information containing state secrets, always leave room for the deliberate or inadvertent introduction of a subjective factor into the classification process.

The concept, types and amount of damage have not yet been sufficiently developed and will apparently differ for each specific object of protection, that is, for the content of the information constituting a state secret and the essence of the facts, events and phenomena reflected in it. Depending on the type, content and extent of damage, several groups of damage can be distinguished in the event of a leak (or possible leak) of information constituting a state secret.

Political damage can occur in the event of a leak of information of a political or foreign-policy nature, about the intelligence activities of state special services, etc. It can take the form of serious changes in the international situation to the detriment of the Russian Federation, loss of the country's political priorities in some areas, deterioration of relations with a country or group of countries, and so on.

Economic damage can occur when information of any content is leaked: political, economic, military, scientific and technical, etc. It is expressed primarily in monetary terms. Economic losses from information leakage may be direct or indirect.

Direct losses can arise, for instance, from the leak of secret information about weapons systems and the country's defense, which as a result have practically or completely lost their effectiveness and require large expenditures for replacement or modification. For example, A. Tolkachev, a CIA agent and leading engineer at the Radio Engineering Industry Research Institute, passed a great deal of important and valuable information to the Americans, who estimated its value at approximately six billion dollars.

Indirect losses are most often expressed as lost profit: the failure of negotiations with foreign firms with which profitable deals had previously been agreed; loss of priority in scientific research, as a result of which a competitor completed and patented its research first; and so on.

Moral damage, as a rule of a non-property nature, results from a leak of information that caused or initiated a propaganda campaign against the state, undermining the country's reputation and leading, for example, to the expulsion of our diplomats, or of intelligence officers operating under diplomatic cover, from certain states.