
Modern products for the protection of personal data of the bank. Improving the personal data protection system of JSC Alfa Bank

REGULATION

on the protection of personal data of Clients (subscribers)

at Ortes-Finance LLC

1. Terms and Definitions.

1.1. Personal data - any information relating to an individual who is identified or can be identified on the basis of such information (the subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, e-mail address, telephone number, family, social and property status, education, profession, income and other information.

1.2. Processing of personal data- actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking.

1.3. Confidentiality of personal data - a mandatory requirement for the appointed responsible person, and for any other person who has gained access to personal data, not to allow their distribution without the consent of the subject or another legal ground.

1.4. Dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including disclosure of personal data in the media, placement in information and telecommunication networks, or providing access to personal data in any other way.

1.5. Use of personal data- actions (operations) with personal data performed for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subjects of personal data or otherwise affect their rights and freedoms or the rights and freedoms of other persons.

1.6. Blocking personal data- temporary suspension of the collection, systematization, accumulation, use, distribution of personal data, including their transfer.

1.7. Destruction of personal data - actions as a result of which it is impossible to restore the content of personal data in the personal data information system, or as a result of which the material carriers of personal data are destroyed.

1.8. Depersonalization of personal data - actions as a result of which it is impossible, without the use of additional information, to determine whether personal data belong to a specific subject.

1.9. Public personal data- personal data, access of an unlimited number of persons to which is granted with the consent of the subject or which, in accordance with federal laws, is not subject to the requirement of confidentiality.

1.10. Information- information (messages, data) regardless of the form of their presentation.

1.11. Client (subject of personal data)- an individual consumer of the services of Ortes-Finance LLC, hereinafter referred to as the "Organization".

1.12. Operator - a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data. Within the framework of this Regulation, the Operator is the Limited Liability Company "Ortes-Finance".

2. General provisions.

2.1. This Regulation on the processing of personal data (hereinafter referred to as the Regulation) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, Information Technologies and Information Protection", Federal Law No. 152-FZ "On Personal Data" and other federal laws.

2.2. The purpose of the Regulation is to define the procedure for processing and protecting the personal data of all Clients of the Organization whose data are processed on the basis of the operator's authority; to ensure the protection of the rights and freedoms of a person and citizen during the processing of his personal data, including the right to privacy and to personal and family secrets; and to establish the responsibility of officials who have access to personal data for failure to comply with the rules governing the processing and protection of personal data.

2.3. The procedure for putting into effect and changing the Regulations.

2.3.1. This Regulation shall enter into force from the moment of its approval by the General Director of the Organization and shall be valid indefinitely, until it is replaced by a new Regulation.

2.3.2. Changes to the Regulations are made on the basis of the Orders of the General Director of the Organization.

3. Composition of personal data.

3.1. The composition of the personal data of the Clients includes:

3.1.1. Full Name.

3.1.2. Year of birth.

3.1.3. Month of birth.

3.1.4. Date of Birth.

3.1.5. Place of Birth.

3.1.6. Passport data.

3.1.7. E-mail address.

3.1.8. Phone number (home, cell).

3.2. The Organization may create (collect) and store the following documents and information, including in electronic form, containing data about Clients:

3.2.1. Application for a survey on the possibility of connecting an individual.

3.2.2. Agreement (public offer).

3.2.3. Confirmation of accession to the contract.

3.2.5. Copies of identity documents, as well as other documents provided by the Client and containing personal data.

3.2.6. Data on payments for orders (goods/services), containing payment and other details of the Client.

4. Purpose of personal data processing.

4.1. Personal data are processed in order to carry out the set of actions needed to achieve the following purposes:

4.1.1. Provision of consulting and information services.

4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.

4.1.3. In order to comply with the requirements of the legislation of the Russian Federation.

4.2. The condition for terminating the processing of personal data is the liquidation of the Organization, as well as the corresponding requirement of the Client.

5. Collection, processing and protection of personal data.

5.1. The procedure for obtaining (collecting) personal data:

5.1.1. All personal data of the Client should be obtained from him personally with his written consent, except for the cases specified in paragraphs 5.1.4 and 5.1.6 of these Regulations and other cases provided for by the laws of the Russian Federation.

5.1.2. The Client's consent to the use of his personal data is stored in the Organization in paper and / or electronic form.

5.1.3. The consent of the subject to the processing of personal data is valid for the entire duration of the contract, as well as within 5 years from the date of termination of the contractual relationship between the Client and the Organization. After the expiration of the specified period, the consent is considered to be extended for each subsequent five years in the absence of information about its withdrawal.

5.1.4. If the Client's personal data can only be obtained from a third party, the Client must be notified of this in advance and written consent must be obtained from him. A third party providing the personal data of the Client must have the consent of the subject to the transfer of personal data to the Organization. The Organization is obliged to obtain confirmation from a third party transferring the Client's personal data that personal data is transferred with his consent. The Organization is obliged, when interacting with third parties, to conclude an agreement with them on the confidentiality of information relating to the personal data of Clients.

5.1.5. The Organization is obliged to inform the Client about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, and the consequences of the Client's refusal to give written consent to their receipt.

5.1.6. The processing of personal data of Clients without their consent is carried out in the following cases:

5.1.6.1. Personal data is public.

5.1.6.2. At the request of authorized state bodies in cases provided for by federal law.

5.1.6.3. The processing of personal data is carried out on the basis of a federal law that establishes its purpose, the conditions for obtaining personal data and the circle of subjects whose personal data is subject to processing, as well as determining the authority of the operator.

5.1.6.4. The processing of personal data is carried out for the purpose of concluding and executing an agreement, one of the parties to which is the subject of personal data - the Client.

5.1.6.5. The processing of personal data is carried out for statistical purposes, subject to mandatory depersonalization of personal data.

5.1.6.6. In other cases provided by law.

5.1.7. The Organization does not have the right to receive and process the Client's personal data about his race, nationality, political views, religious or philosophical beliefs, health status, intimate life.

5.2. The procedure for processing personal data:

5.2.1. The subject of personal data provides the Organization with reliable information about himself.

5.2.2. Only employees of the Organization who are allowed to work with the personal data of the Client and have signed the Non-Disclosure Agreement of the Client's personal data can have access to the processing of personal data of the Clients.

5.2.3. The following persons have the right to access the Client's personal data in the Organization:

- General Director of the Organization;

- Employees responsible for financial settlements (manager, accountant);

- Employees of the Customer Relations Department (head of sales department, manager);

- IT employees (technical director, system administrator);

- The Client as the subject of personal data.

5.2.3.1. The list of names of the Organization's employees who have access to the personal data of the Clients is determined by the order of the General Director of the Organization.

5.2.4. The processing of the Client's personal data may be carried out solely for the purposes established by the Regulation and compliance with the laws and other regulatory legal acts of the Russian Federation.

5.2.5. When determining the scope and content of processed personal data, the Organization is guided by the Constitution of the Russian Federation, the law on personal data, and other federal laws.

5.3. Protection of personal information:

5.3.1. The protection of the Client's personal data is understood as a set of measures (organizational, administrative, technical, legal) aimed at preventing unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data of subjects, as well as other illegal actions.

5.3.2. The protection of the Client's personal data is carried out at the expense of the Organization in the manner prescribed by the federal law of the Russian Federation.

5.3.3. When protecting personal data of Clients, the Organization takes all necessary organizational, administrative, legal and technical measures, including:

- Anti-virus protection;

- Security analysis;

- Intrusion detection and prevention;

- Access control;

- Registration and accounting (logging and audit of security events);

- Ensuring integrity;

- Preparation of regulatory and methodological local acts regulating the protection of personal data.

5.3.4. The general organization of the protection of personal data of Clients is carried out by the General Director of the Organization.

5.3.5. Employees of the Organization who need personal data in connection with the performance of their labor duties have access to the personal data of the Client.

5.3.6. All employees involved in the receipt, processing and protection of personal data of Clients are required to sign a non-disclosure agreement for personal data of Clients.

5.3.7. The procedure for obtaining access to the Client's personal data includes:

- Familiarization of the employee with this Regulation against signature. If there are other regulatory acts (orders, instructions, guidelines, etc.) regulating the processing and protection of the Client's personal data, these acts are also reviewed against signature.

- Obtaining from the employee (except for the General Director) a written obligation to maintain the confidentiality of the Clients' personal data and to comply with the rules for their processing in accordance with the internal local acts of the Organization that regulate the security of confidential information.

5.3.8. An employee of the Organization who has access to personal data of Clients in connection with the performance of labor duties:

- Ensures the storage of information containing the personal data of the Client in a way that excludes access to it by third parties.

- In the absence of the employee, there should be no documents containing personal data of Clients at his workplace.

- When going on vacation, on a business trip, or in other cases of a long absence from the workplace, the employee is obliged to transfer documents and other media containing personal data of Clients to the person who, by a local act of the Organization (order, instruction), is entrusted with the performance of his labor duties.

- If such a person is not appointed, documents and other media containing the personal data of the Clients are transferred to another employee who has access to the personal data of the Clients, at the direction of the General Director of the Organization.

- Upon dismissal of an employee who has access to the personal data of the Clients, documents and other media containing the personal data of the Clients are transferred to another employee who has access to the personal data of the Clients, at the direction of the General Director.

- In order to fulfill an assigned task, and on the basis of a memo with a positive resolution of the General Director, access to the Client's personal data may be granted to another employee. Access to the personal data of the Client by other employees of the Organization who do not have properly formalized access is prohibited.

5.3.9. The Human Resources Manager provides:

- Familiarization of employees with this Regulation against signature;

- Obtaining from employees a written obligation to maintain the confidentiality of the Clients' personal data (Non-Disclosure Agreement) and to comply with the rules for their processing;

- General control over employees' compliance with the measures to protect the Clients' personal data.

5.3.10. The protection of personal data of Clients stored in the electronic databases of the Organization from unauthorized access, distortion and destruction of information, as well as from other illegal actions, is provided by the System Administrator.

5.4. Storage of personal data:

5.4.1. Personal data of Clients on paper is stored in safes.

5.4.2. Personal data of Clients are stored electronically in the local computer network of the Organization, in electronic folders and files on the personal computers of the General Director and of employees authorized to process personal data of Clients.

5.4.3. Documents containing personal data of Clients are stored in lockable cabinets (safes) that provide protection against unauthorized access. At the end of the working day, all documents containing personal data of Clients are placed in cabinets (safes) that provide protection from unauthorized access.

5.4.4. Protection of access to electronic databases containing personal data of Clients is ensured by:

- The use of licensed anti-virus and intrusion-protection software that prevents unauthorized access to the Organization's local network;

- Differentiation of access rights by means of user accounts;

- A two-level system of passwords: at the level of the local computer network and at the level of the databases. Passwords are set by the System Administrator of the Organization and communicated individually to the employees who have access to the personal data of the Clients.

5.4.4.1. Unauthorized access to the PC, which contains the personal data of the Clients, is blocked by a password that is set by the System Administrator and is not subject to disclosure.

5.4.4.2. All electronic folders and files containing personal data of Clients are protected by a password, which is set by the employee of the Organization responsible for the PC and reported to the System Administrator.

5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.

5.4.5. Copying and making extracts of the Client's personal data is allowed solely for official purposes with the written permission of the General Director of the Organization.

5.4.6. Answers to written requests from other organizations and institutions about the personal data of Clients are given only with the written consent of the Client himself, unless otherwise provided by law. Answers are made in writing, on the Organization's letterhead, and to the extent that allows not to disclose the excessive amount of the Client's personal data.

6. Blocking, depersonalization, destruction of personal data

6.1. The procedure for blocking and unblocking personal data:

6.1.1. Blocking of personal data of Clients is carried out with a written application of the Client.

6.1.2. Blocking personal data implies:

6.1.2.2. Prohibition of dissemination of personal data by any means (e-mail, cellular, material carriers).

6.1.2.4. Withdrawal of paper documents relating to the Client and containing his personal data from the Organization's internal workflow and prohibition of their use.

6.1.3. The blocking of the Client's personal data can be temporarily removed if it is required to comply with the legislation of the Russian Federation.

6.1.4. Unblocking of the Client's personal data is carried out with his written consent (if there is a need to obtain consent) or the Client's application.

6.1.5. The repeated consent of the Client to the processing of his personal data (if necessary, obtaining it) entails the unblocking of his personal data.

6.2. The procedure for depersonalization and destruction of personal data:

6.2.1. Depersonalization of the Client's personal data occurs at the written request of the Client, provided that all contractual relations are completed and at least 5 years have passed from the date of expiration of the last contract.

6.2.2. When personal data are depersonalized in information systems, they are replaced by a set of characters from which it is impossible to determine whether the personal data belong to a particular Client.

6.2.3. Paper carriers of documents are destroyed when depersonalizing personal data.

6.2.4. The organization is obliged to ensure confidentiality in relation to personal data if it is necessary to test information systems on the territory of the developer and to depersonalize personal data in the information systems transferred to the developer.

6.2.5. The destruction of the Client's personal data implies the termination of any access to the Client's personal data.

6.2.6. When the personal data of the Client is destroyed, the employees of the Organization cannot access the personal data of the subject in information systems.

6.2.7. When destroying personal data, paper carriers of documents are destroyed, personal data in information systems are depersonalized. Personal data cannot be recovered.

6.2.8. The operation of destruction of personal data is irreversible.

6.2.9. The period after which the operation of destruction of the Client's personal data is possible is determined by the end of the period specified in paragraph 7.3 of these Regulations.
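Clauses 6.2.2 and 6.2.7 say that identifiers are replaced by a set of characters from which the Client cannot be determined, and clause 1.8 adds the qualifier "without the use of additional information". The following Python script is an added example; it is not part of the Regulation or of Ortes-Finance LLC's systems, and the record layout, field names and sample client are constructed. It contrasts the naive replacement (an unkeyed SHA-256 digest, which an outsider can reverse by enumerating the phone-number space) with an HMAC-SHA256 token under a secret key that is stored apart from the database: the key is the "additional information" that only the operator holds, so the same enumeration fails for an outsider and succeeds only for the operator.

```python
"""Depersonalization of client records: naive hashing vs. keyed pseudonymization.

Added example; not part of the Regulation above. The record layout, field
names and the sample client are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Direct identifiers from clause 3.1 of the Regulation (field names are assumptions).
IDENTIFYING_FIELDS = ("full_name", "passport", "email", "phone")

# Constructed sample record; not real data.
SAMPLE_CLIENT = {
    "client_id": 1042,
    "full_name": "Ivanov Ivan Ivanovich",
    "passport": "4510 123456",
    "email": "ivanov@example.com",
    "phone": "+79165551234",
    "contract_sum": 150000,
}


def naive_depersonalize(record: Dict[str, object]) -> Dict[str, object]:
    """Replace identifiers with an unkeyed SHA-256 digest (the weak variant)."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        out[field] = hashlib.sha256(str(record[field]).encode()).hexdigest()
    return out


def keyed_depersonalize(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Replace identifiers with HMAC-SHA256 tokens under a secret key.

    The key is the 'additional information' of clause 1.8: without it a token
    cannot be linked back to the Client. The field name is mixed into the MAC
    input so that equal values in different fields get different tokens.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        msg = f"{field}:{record[field]}".encode()
        out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return out


def recover_by_enumeration(
    token: str, candidates: Iterable[str], field: str, key: Optional[bytes]
) -> Optional[str]:
    """Try every candidate value and return the one whose token matches.

    key=None models an outsider who knows only the algorithm; passing the key
    models the operator performing authorized re-identification.
    """
    for value in candidates:
        if key is None:
            digest = hashlib.sha256(value.encode()).hexdigest()
        else:
            digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, token):
            return value
    return None


def phone_candidates(prefix: str = "+7916555", digits: int = 4) -> Iterable[str]:
    """Enumerate a small slice of the phone-number space (10**digits values)."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def demo() -> Dict[str, Optional[str]]:
    """Run the same enumeration attack against both schemes; return what was recovered."""
    naive = naive_depersonalize(SAMPLE_CLIENT)
    key = secrets.token_bytes(32)  # kept apart from the depersonalized database
    keyed = keyed_depersonalize(SAMPLE_CLIENT, key)
    return {
        "naive_outsider": recover_by_enumeration(naive["phone"], phone_candidates(), "phone", None),
        "keyed_outsider": recover_by_enumeration(keyed["phone"], phone_candidates(), "phone", None),
        "keyed_operator": recover_by_enumeration(keyed["phone"], phone_candidates(), "phone", key),
    }


if __name__ == "__main__":
    for scenario, recovered in demo().items():
        print(f"{scenario:15s} -> {recovered}")
```

The non-identifying fields (client_id, contract_sum) are left intact, so the depersonalized record remains usable for statistics as clause 5.1.6.5 requires. Destroying the key afterwards makes the tokens permanently unlinkable, which is one way to carry out the irreversible destruction of clause 6.2.8 for records whose non-identifying fields must be retained; this technique (crypto-shredding) is not described in the Regulation and is offered here only as an implementation option.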

7. Transfer and storage of personal data

7.1. Transfer of personal data:

7.1.1. The transfer of personal data of the subject is understood as the dissemination of information through communication channels and on material media.

7.1.2. When transferring personal data, employees of the Organization must comply with the following requirements:

7.1.2.1. Do not disclose the Client's personal data for commercial purposes.

7.1.2.2. Do not disclose the Client's personal data to a third party without the written consent of the Client, except as otherwise provided by federal law of the Russian Federation.

7.1.2.3. Warn persons receiving the Client's personal data that these data may be used only for the purposes for which they were provided, and require these persons to confirm that this rule has been observed.

7.1.2.4. Allow access to personal data of Clients only to specially authorized persons, while these persons should have the right to receive only those personal data of Clients that are necessary to perform specific functions.

7.1.2.5. Transfer the Client's personal data within the Organization in accordance with these Regulations, regulatory and technological documentation and job descriptions.

7.1.2.6. Provide the Client with access to their personal data when contacting or upon receiving a request from the Client. The Organization is obliged to provide the Client with information about the availability of personal data about him, as well as provide an opportunity to familiarize himself with them within ten working days from the date of the request.

7.1.2.7. Transfer the Client's personal data to the Client's representatives in the manner prescribed by law and regulatory and technological documentation and limit this information only to those personal data of the subject that are necessary for the specified representatives to perform their functions.

7.2. Storage and use of personal data:

7.2.1. The storage of personal data refers to the existence of records in information systems and on physical media.

7.2.2. Personal data of Clients are processed and stored in information systems, as well as on paper in the Organization. Personal data of Clients is also stored in electronic form: in the local computer network of the Organization, in electronic folders and files in the PC of the General Director and employees authorized to process personal data of Clients.

7.2.3. The storage of the Client's personal data may be carried out no longer than required by the purposes of processing, unless otherwise provided by the federal laws of the Russian Federation.

7.3. Terms of storage of personal data:

7.3.1. The terms of storage of civil law contracts containing personal data of Clients, as well as documents accompanying their conclusion, execution - 5 years from the date of expiration of the contracts.

7.3.2. During the storage period, personal data cannot be depersonalized or destroyed.

7.3.3. After the expiration of the storage period, personal data may be depersonalized in information systems and destroyed on paper in the manner prescribed by the Regulation and the current legislation of the Russian Federation (Appendix: Act on the destruction of personal data).

8. Rights of the personal data operator

The organization has the right:

8.1. Defend its interests in court.

8.2. Provide personal data of Clients to third parties, if this is provided for by applicable law (tax, law enforcement agencies, etc.).

8.3. Refuse to provide personal data in cases provided for by law.

8.4. Use the personal data of the Client without his consent, in cases provided for by the legislation of the Russian Federation.

9. Rights of the Client

The client has the right:

9.1. Require clarification of their personal data, their blocking or destruction if personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights;

9.2. Require a list of processed personal data available in the Organization and the source of their receipt.

9.3. Receive information about the terms of processing of personal data, including the terms of their storage.

9.4. Require notification of all persons who were previously informed of incorrect or incomplete personal data of all exceptions, corrections or additions made to them.

9.5. Appeal to the authorized body for the protection of the rights of personal data subjects or in court against illegal actions or omissions in the processing of his personal data.

10. Responsibility for violation of the rules governing the processing and protection of personal data

10.1. Employees of the Organization guilty of violating the rules governing the receipt, processing and protection of personal data bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and internal local acts of the Organization.


1. THEORETICAL FOUNDATIONS FOR THE SECURITY OF PERSONAL DATA

1.1 Legislative framework for the protection of personal data in the Russian Federation

1.3.1 General characteristics of the sources of threats of unauthorized access in the personal data information system

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

1.3.3 General characteristics of personal data security threats implemented using internetworking protocols

1.4 Characteristics of the Bank and its activities

1.5 Personal data bases

1.5.1 Information system of personal data of employees of the organization

1.5.2 Personal data information system of the access control and management system

1.5.3 Personal data information system of the automated banking system

1.6 Structure of, and threats to, the Bank's local computer network

1.7 Information security tools

2.2 Software and hardware protections

2.3 Basic security policy

2.3.1 Information security awareness system for employees

2.3.4 How employees work with e-mail

2.3.5 Password policy of the Bank

3. ECONOMIC JUSTIFICATION OF THE PROJECT

CONCLUSION


APPENDICES

INTRODUCTION

The widespread computerization that began at the end of the 20th century continues to this day. Automation of processes in enterprises increases the productivity of workers, and users of information systems can quickly obtain the data necessary to perform their duties. At the same time, easier access to data brings problems with the safety of these data. Having gained access to various information systems, attackers can use them for personal gain: collecting data to sell on the black market, stealing money from the organization's clients, or stealing the organization's trade secrets.

Therefore, the problem of protecting critically important information is very acute for organizations. Increasingly, the media report various techniques and methods of stealing money by hacking the information systems of financial organizations. Having gained access to personal data information systems, an attacker can steal the data of clients of financial organizations and disseminate information about their financial transactions, causing both financial and reputational harm to a bank client. In addition, having learned data about the client, fraudsters can call the client directly, posing as bank employees, and, using social engineering techniques, obtain passwords for remote banking systems and withdraw money from the client's account.

In our country, the problem of theft and illegal distribution of personal data is very acute. There are a large number of resources on the Internet that contain stolen personal data bases, with the help of which, for example, by mobile phone number, very detailed information about a person can be found, including their passport details, residential addresses, photographs and much more.

In this graduation project, I explore the process of creating a personal data protection system at PJSC Citibank.

1. BASICS OF SECURITY OF PERSONAL DATA

1.1 Legal basis for the protection of personal data

Today in Russia, state regulation is carried out in the field of ensuring the security of personal data. The main legal acts regulating the personal data protection system in the Russian Federation are the Constitution of the Russian Federation and the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ. These two main legal acts establish the main theses about personal data in the Russian Federation:

Every citizen has the right to privacy, personal and family secrets, protection of his honor and good name;

Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications. Restriction of this right is allowed only on the basis of a court decision;

Collection, storage, use and dissemination of information about the private life of a person without his consent is not allowed;

The processing of personal data must be carried out on a lawful and fair basis;

The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.

It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.

Only personal data that meet the purposes of their processing are subject to processing.

When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the purposes of processing personal data, must be ensured. The operator must take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data.

The storage of personal data should be carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data is subject to destruction or depersonalization upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

Other regulations that have legal effect in the field of personal data protection in banking organizations of the Russian Federation are:

Federal Law of the Russian Federation dated July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection";

Labor Code of the Russian Federation (Chapter 14);

Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;

Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems".

Consider the main definitions used in the legislation.

Personal data - any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).

Personal data operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;

Processing of personal data - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

Automated processing of personal data - processing of personal data using computer technology;

Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;

Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;

Blocking of personal data - temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);

Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;

Depersonalization of personal data - actions, as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data by a specific subject of personal data;

Information system of personal data - a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;

Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

Biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity (biometric personal data) and which is used by the operator to identify the subject of personal data.

Security of personal data - the state of protection of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data during their processing in personal data information systems.

1.2 Classification of threats to information security of personal data.

An information security threat is understood as a threat of violation of information security properties - the availability, integrity or confidentiality of an organization's information assets.

The list of threats, the assessment of the probability of their realization, and the intruder model serve as the basis for analyzing the risk of threats and formulating requirements for the protection system of an automated system (AS). In addition to identifying possible threats, the identified threats must be analyzed on the basis of their classification according to a number of features. The threats corresponding to each classification feature allow the requirement reflected by that feature to be refined.

Since the information stored and processed in a modern AS is exposed to an extremely large number of factors, the task of describing the full set of threats cannot be formalized. Therefore, for a protected system it is usually not a list of threats but a list of threat classes that is determined.

The classification of possible threats to the information security of the AS can be carried out according to the following basic features:

By the nature of occurrence:

Natural threats caused by the impact of objective physical processes or natural disasters on the AS;

Artificial threats to AS security caused by human activities.

According to the degree of intentionality of manifestation:

Threats caused by human error or negligence, such as incorrect use of protection tools or careless handling of data;

Threats of deliberate action, such as hacking an automated system by intruders, destruction of data by employees of the organization in order to retaliate against the employer.

According to the immediate source of threats:

Natural hazards, such as natural disasters, man-made disasters;

Human threats, for example: destruction of information, disclosure of confidential data;

Authorized software and hardware, for example: physical hardware failure, software errors, software conflicts;

Unauthorized software and hardware, for example: the introduction of hardware implants or software implants.

By the position of the threat source:

Outside the controlled area, for example, interception of data transmitted over communication channels;

Within the controlled area, for example, unauthorized copying of information, unauthorized access to the protected area;

Directly in an automated system, for example, incorrect use of AS resources.

According to the degree of dependence on AS activity:

Regardless of AS activity, for example, the physical theft of storage media;

Only during data processing, such as malware infection.

By the degree of impact on the AS:

Passive threats that, when implemented, do not change anything in the structure and content of the AS, for example, the threat of copying secret data;

Active threats that, when exposed, make changes to the structure and content of the AS, for example, deletion of data, their modification.

By stages of access of users or programs to resources:

Threats that manifest themselves at the stage of access to AS resources, for example: threats of unauthorized access to AS;

Threats that appear after allowing access to AS resources, for example, incorrect use of AS resources.

By way of access to AS resources:

Threats carried out using the standard access path to AS resources;

Threats carried out using a hidden, non-standard path to access AS resources, for example: unauthorized access to AS resources by using undocumented features of installed software.

According to the current location of information stored and processed in the AS:

Threats of access to information located on external storage devices, for example: copying confidential information from storage media;

Threats of access to information located in random access memory, for example: reading residual information from RAM, access to the system area of RAM by application programs;

Threats of access to information circulating in communication lines, for example: illegal connection to communication lines in order to extract information, or to send modified data.

Harmful impacts on an automated system are divided into accidental and intentional.

The causes of accidental impacts during AS operation can be:

Emergencies due to natural disasters and power outages;

Service denials;

Software bugs;

Errors in the work of service personnel and users;

Interference in communication lines due to environmental influences.

Exploiting errors in software is the most common way of violating the information security of information systems. The number of errors grows with the complexity of the software. Attackers can find these vulnerabilities and gain access to the organization's information system through them. To minimize these threats, software versions must be kept up to date at all times.

Deliberate threats are associated with targeted actions of intruders. Attackers are divided into two types: internal attacker and external attacker. An internal intruder commits illegal actions while being within the controlled zone of the automated system and can use official authority for authorized access to the automated system. An external attacker does not have access to the controlled zone, but can act simultaneously with an internal attacker to achieve their goals.

There are three main information security threats directed directly at the protected information:

Violation of confidentiality - confidential information is not changed, but becomes available to third parties who are not allowed to access this information. When this threat is realized, there is a high probability of the attacker disclosing the stolen information, which can lead to financial or reputational damage.

Violation of the integrity of protected information - distortion, change or destruction of information. The integrity of information can be violated not intentionally, but as a result of incompetence or negligence of an employee of the enterprise. Integrity can also be violated by an attacker to achieve their own goals. For example, changing account details in an automated banking system in order to transfer funds to an attacker's account, or replacing the personal data of an organization's client in order to obtain information about the client's cooperation with the organization.

Violation of the availability of protected information or denial of service - actions in which an authorized user cannot access protected information due to such reasons as: failure of hardware, software, failure of the local area network.
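The integrity example given above, altering account details in an automated banking system, is detected when stored records carry a keyed integrity tag that a writer without the key cannot recompute. The following Python is an added example, not taken from the original text or from any bank's system; the record fields, the key and the audit routine are assumptions.

```python
"""Integrity sealing for constructed bank client records (added example).

Not part of the original page. Each record is sealed with an HMAC-SHA256 tag
computed under a key held by the security subsystem rather than by the
application. An actor who can write to the table (the text's example: changing
account details in an automated banking system) but does not hold the key
cannot produce a valid tag, so the next audit flags the altered record.
All record values and the key are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed key; in a deployment it lives in the security subsystem, not with the application.
INTEGRITY_KEY = b"constructed-demo-key-replace-in-deployment"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed tag over the canonical record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(seal(record, key), tag)


def build_store() -> dict:
    """Constructed client table: id -> {"data": record, "tag": seal}."""
    records = [
        {"id": 1, "client": "Client A", "account": "ACC-0001", "payout_bank": "BANK-A"},
        {"id": 2, "client": "Client B", "account": "ACC-0002", "payout_bank": "BANK-B"},
        {"id": 3, "client": "Client C", "account": "ACC-0003", "payout_bank": "BANK-C"},
    ]
    return {r["id"]: {"data": r, "tag": seal(r)} for r in records}


def tamper(store: dict, rid: int, field: str, value, forged_key: bytes | None = None) -> None:
    """Simulate an unauthorised change; optionally re-seal with a key the actor guessed."""
    store[rid]["data"][field] = value
    if forged_key is not None:
        store[rid]["tag"] = seal(store[rid]["data"], forged_key)


def audit(store: dict, key: bytes = INTEGRITY_KEY) -> list[int]:
    """Return ids of records whose stored tag does not match their current contents."""
    return sorted(rid for rid, row in store.items() if not verify(row["data"], row["tag"], key))


if __name__ == "__main__":
    store = build_store()
    print("clean audit:", audit(store))
    tamper(store, 2, "account", "ACC-9999")            # attacker changes payout account
    tamper(store, 3, "payout_bank", "BANK-X", b"guess")  # attacker also tries to re-seal
    print("after tampering:", audit(store))
```

A plain unkeyed hash stored next to the record would not help here, because anyone able to rewrite the record could rewrite the hash as well; the keyed tag ties detection to possession of the key.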

After considering threats to automated systems, we can proceed to the analysis of threats to the personal data information system.

A personal data information system (ISPD) is a set of personal data contained in databases, together with the information technologies and technical means that ensure their processing.

Personal data information systems are a set of information, software and hardware elements, as well as information technologies used in the processing of personal data (PD).

The main elements of an ISPD are:

Personal data contained in databases;

Information technologies used in the processing of PD;

Technical means that process personal data (computer equipment, information and computer systems and networks, means and systems for transmitting, receiving and processing personal data, means and systems for sound recording, sound amplification, sound reproduction, means for manufacturing, replicating documents and other technical means processing of speech, graphic, video and alphanumeric information);

Software (operating systems, database management systems, etc.);

ISPD information protection tools;

Auxiliary technical means and systems - technical means and systems, their communications, not intended for the processing of personal data, but located in the premises in which the ISPD is located.

Threats to the security of personal data (UBPD) - a set of conditions and factors that create the danger of unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying or distribution of personal data, as well as other unauthorized actions during their processing in the personal data information system.

The characteristics of the personal data information system that give rise to UBPD include the category and volume of personal data processed in the ISPD, the structure of the ISPD, the presence of ISPD connections to public communication networks and (or) international information exchange networks, the characteristics of the security subsystem for personal data processed in the ISPD, the modes of personal data processing, the modes of differentiation of access rights of ISPD users, and the location and placement conditions of ISPD technical means.

The properties of the propagation environment of informative signals containing protected information are characterized by the type of physical environment in which PD is distributed and are determined when assessing the possibility of implementing UBPD. The capabilities of UBPD sources are determined by a combination of methods of unauthorized and (or) accidental access to PD, as a result of which confidentiality (copying, illegal distribution), integrity (destruction, modification) and availability (blocking) of PD can be violated.

The threat to the security of personal data is realized as a result of the formation of a channel for the implementation of the UBPD between the source of the threat and the carrier (source) of the PD, which creates conditions for violating the security of the PD.

The main elements of the UBPD implementation channel (Figure 1) are:

Source of UBPD - a subject, material object or physical phenomenon that creates UBPD;

PD distribution environment or influences in which a physical field, signal, data or programs can spread and affect the protected properties of personal data;

Personal data carrier - an individual or a material object, including a physical field in which PD are reflected in the form of symbols, images, signals, technical solutions and processes, quantitative characteristics of physical quantities.

Figure 1. Generalized scheme of the channel for the implementation of threats to the security of personal data

PD carriers may contain information presented in the following forms:

Acoustic (speech) information contained directly in the spoken speech of the ISPD user when using the PD voice input function of the personal data information system, or reproduced by ISPD acoustic means (if such functions are provided by the PD processing technology), as well as contained in electromagnetic fields and electrical signals that arise from the transformation of acoustic information;

Visual information (VI), presented as text and images on the various information display devices of computer equipment, information and computer systems, and technical means for processing graphic, video and alphanumeric information that are part of the ISPD;

Information processed (circulating) in ISPD, in the form of electrical, electromagnetic, optical signals;

Information processed in ISPD, presented in the form of bits, bytes, files and other logical structures.

In order to form a systematic list of UBPDs during their processing in ISPDs and the development of private models on their basis in relation to a specific type of ISPDs, threats are classified according to the following features (Figure 2):

By the type of information protected from UBPD, containing PD;

By types of possible sources of UBPD;

By type of ISPD, to which the implementation of UBPD is directed;

According to the method of implementation of UBPD;

By the type of property of information being violated (type of unauthorized actions carried out with PD);

By exploited vulnerability;

According to the object of influence.

According to the types of possible sources of UBPD, the following threat classes are distinguished:

Threats associated with intentional or unintentional actions of persons having access to the ISPD, including users of the personal data information system, who implement threats directly in the ISPD (internal intruder);

Threats associated with intentional or unintentional actions of persons who do not have access to the ISPD, who implement threats from external public communication networks and (or) international information exchange networks (external intruder).

In addition, threats can arise from the introduction of hardware implants and malware.

According to the type of ISPD, which the implementation of the UBPD is aimed at, the following classes of threats are distinguished:

UBPD processed in an ISPD based on a stand-alone automated workstation (AWS);

UBPD processed in an ISPD based on an automated workstation connected to the public network (to the international information exchange network);

UBPD processed in ISPD on the basis of local information systems without connection to the public network (to the network of international information exchange);

UBPD processed in ISPD based on local information systems with connection to the public network (to the network of international information exchange);

UBPD processed in ISPD on the basis of distributed information systems without connection to the public network (to the network of international information exchange);

UBPD processed in ISPD based on distributed information systems connected to a public network (to a network of international information exchange).

The following classes of threats are distinguished according to the methods of UBPD implementation:

Threats associated with unauthorized access (UA) to PD (including threats of introducing malware);

Threats of leakage of personal data through technical channels of information leakage;

Threats of special impacts on ISPD.

According to the type of unauthorized actions carried out with PD, the following classes of threats are distinguished:

Threats that lead to a violation of the confidentiality of PD (copying or unauthorized distribution), the implementation of which does not directly affect the content of information;

Threats that lead to unauthorized, including accidental, impact on the content of information, as a result of which PD is changed or destroyed;

Threats that lead to unauthorized, including accidental, impact on software or hardware-software elements of the ISPD, as a result of which PD is blocked.

The following threat classes are distinguished by the exploited vulnerability:

Threats implemented using system software vulnerabilities;

Threats implemented using application software vulnerabilities;

Threats resulting from the exploitation of a vulnerability caused by the presence of a hardware implant in the AS;

Threats implemented using vulnerabilities in network communication protocols and data transmission channels;

Threats resulting from the exploitation of a vulnerability caused by deficiencies in the organization of information protection against unauthorized access;

Threats implemented using vulnerabilities that give rise to technical channels of information leakage;

Threats implemented using vulnerabilities in information security tools.

According to the object of influence, the following classes of threats are distinguished:

Threats to the security of PD processed at the workstation;

Threats to the security of PD processed in dedicated processing tools (printers, plotters, remote monitors, video projectors, sound reproduction tools, etc.);

Threats to the security of PD transmitted over communication networks;

Threats to application programs that process PD;

Threats to system software that ensures the functioning of ISPD.

The implementation of one of the UBPDs of the listed classes or their combination can lead to the following types of consequences for PD subjects:

Significant negative consequences for PD subjects;

Negative consequences for PD subjects;

Insignificant negative consequences for PD subjects.

Threats of leakage of personal data through technical channels are unambiguously described by the characteristics of the information source, the propagation medium and the receiver of the informative signal, that is, they are determined by the characteristics of the technical channel of PD leakage.

Unauthorized access threats (UA threats) are presented as a set of generalized classes of possible sources of UA threats, vulnerabilities of ISPD software and firmware/hardware, methods of implementing threats, objects of influence (carriers of protected information, directories, files with PD, or the PD themselves) and possible destructive actions. Such a representation is described by the following formalized notation (Fig. 2).

1.3 General characteristics of threat sources in personal data information systems

Threats to UA in ISPD with the use of software and software and hardware are implemented when unauthorized, including accidental, access is carried out, as a result of which the confidentiality, integrity and availability of PD are violated, and include:

Threats of unauthorized access to the operating environment of a computer using standard software (operating system tools or general-purpose application programs);

Threats of creating abnormal operating modes of software (software and hardware) means through deliberate changes to service data, ignoring the restrictions on the composition and characteristics of the processed information provided for under normal conditions, distortion (modification) of the data itself, etc.;

Threats of introducing malicious programs (software-mathematical impact).

Figure 2. Classification of UBPD processed in personal data information systems

The composition of the elements of the description of UA threats to information in the ISPD is shown in Figure 3.

In addition, combined threats are possible, which are a combination of these threats. For example, the introduction of malicious programs can create conditions for UA into the operating environment of a computer, including by forming non-traditional information access channels.

Threats of unauthorized access to the ISPD operating environment using standard software are divided into threats of direct and remote access. Direct access threats are carried out using the computer's input/output software and firmware. Remote access threats are implemented using network communication protocols.

Such threats are implemented in relation to ISPD both on the basis of an automated workplace that is not included in the public communication network, and in relation to all ISPD that are connected to public communication networks and international information exchange networks.

Figure 3 Classification of UBPD processed in personal data information systems


1.3.1 General description of the sources of threats of unauthorized access in the information system of personal data.

Sources of threats in the personal data information system can be:

Intruder;

Carrier of a malicious program;

Hardware implant.

PD security threats associated with the introduction of hardware implants are determined in accordance with the regulatory documents of the Federal Security Service of the Russian Federation in the manner established by it.

According to the presence of the right of permanent or one-time access to the controlled zone of the ISPD, violators are divided into two types:

Violators who do not have access to ISPD, realizing threats from external public communication networks and (or) international information exchange networks, are external violators;

Violators who have access to ISPD, including ISPD users who implement threats directly in ISPD, are internal violators.

External intruders can be:

Competing organizations;

Unscrupulous partners;

External subjects (individuals).

An external intruder has the following capabilities:

To carry out unauthorized access to communication channels that go beyond the office premises;

Carry out unauthorized access through workstations connected to public communication networks and (or) international information exchange networks;

Perform unauthorized access to information using special software actions through software viruses, malware, and algorithmic or software implants;

Perform unauthorized access through elements of the information infrastructure of the personal data information system which, in the course of their life cycle (modernization, maintenance, repair, disposal), are outside the controlled area;

To carry out unauthorized access through the information systems of interacting departments, organizations and institutions when they are connected to ISPD.

Internal potential violators are divided into eight categories depending on the method of access and authority to access PD.

The first category includes persons who have authorized access to the ISPD but do not have access to PD. This type of intruder includes officials who ensure the normal functioning of the ISPD.

Have access to fragments of information containing PD and distributed via internal ISPD communication channels;

To have fragments of information about the topology of the ISPD and about the communication protocols used and their services;

Have the names and conduct the identification of passwords of registered users;

Change the configuration of ISPD hardware, introduce software and hardware implants into it, and retrieve information using a direct connection to ISPD hardware.

Possesses all the capabilities of persons of the first category;

Knows at least one legal access name;

It has all the necessary attributes that provide access to a certain subset of PD;

Has confidential data to which he has access.

Its access, authentication and access rights to a certain subset of PD should be regulated by the relevant access control rules.

Has all the capabilities of persons of the first and second categories;

Has information about the ISPD topology based on a local and (or) distributed information system through which access is provided, and about the composition of the ISPD technical means;

It has the possibility of direct (physical) access to fragments of ISPD technical means.

Possesses complete information about the system and application software used in the segment (fragment) of ISPD;

Possesses complete information about the technical means and configuration of the ISPD segment (fragment);

Has access to information security and logging tools, as well as to individual elements used in the segment (fragment) of ISPD;

Has access to all technical means of the ISPD segment (fragment);

It has the rights to configure and administer some subset of the technical means of the ISPD segment (fragment).

The powers of the ISPD system administrator.

Has all the capabilities of persons of the previous categories;

Possesses complete information about the system and application software of ISPD;

Possesses complete information about technical means and configuration of ISPD;

Has access to all technical means of information processing and ISPD data;

Possesses the rights of configuring and administrative setting of ISPD technical means.

The system administrator configures and manages the software and hardware, including the hardware responsible for the security of the protected object: cryptographic information protection tools, monitoring, registration, archiving, and protection against unauthorized access.

Has all the capabilities of persons of the previous categories;

Possesses full information about ISPD;

Has access to information security and logging tools and to some of the key elements of ISPD;

Has no access rights to configuring network hardware, except for control (inspection) ones.

Possesses information about algorithms and programs for processing information on ISPD;

Has the ability to introduce errors, undeclared features, software implants and malware into ISPD software at the stage of its development, implementation and maintenance;

It can have any fragments of information about the topology of the ISPD and the technical means of processing and protecting the PD processed in the ISPD.

Has the ability to introduce implants into ISPD technical means at the stage of their development, implementation and maintenance;

It can have any fragments of information about the topology of the ISPD and the technical means of processing and protecting information in the ISPD.

The carrier of a malicious program can be a hardware element of a computer or a software container. If the malware is not associated with any application program, then as its carrier are considered:

Removable media, that is, diskettes, optical discs, flash memory;

Built-in media (hard disks, RAM chips, the processor, system board chips, chips of devices embedded in the system unit: video adapter, network card, sound card, modem, input/output devices for magnetic hard disks and optical discs, power supply, etc., direct memory access chips, data buses, input/output ports);

Chips of external devices (monitor, keyboard, printer, modem, scanner, etc.).

If the malware is associated with an application program, with files having certain extensions or other attributes, or with messages transmitted over the network, then its carriers are:

Packets of messages transmitted over a computer network;

Files (text, graphic, executable, etc.).

1.3.2 General characteristics of threats of direct access to the operating environment of the personal data information system

Threats of unauthorized access to the computer operating environment and unauthorized access to PD are associated with access to:

To information and commands stored in the basic input/output system of the ISPD, with the possibility of intercepting control of operating system loading and obtaining the rights of a trusted user;

To the operating environment, that is, the environment in which the local operating system of a separate ISPD technical means runs, with the possibility of performing unauthorized access by calling regular operating system programs or launching specially designed programs that implement such actions;

To the environment for the functioning of application programs (for example, to a local database management system);

Directly to user information (to files, text, audio and graphic information, fields and records in electronic databases) and are due to the possibility of violation of its confidentiality, integrity and availability.

These threats can be implemented in the case of obtaining physical access to the ISPD or, at least, to the means of entering information into the ISPD. They can be grouped according to the terms of implementation into three groups.

The first group includes threats implemented during operating system loading. These threats are aimed at intercepting passwords or identifiers, modifying the software of the basic input/output system, and intercepting boot control while changing the technological information needed to obtain UA in the ISPD operating environment. Most often, such threats are implemented using removable media.

The second group is threats that are implemented after loading the operating environment, regardless of which application program is launched by the user. These threats are usually aimed at performing directly unauthorized access to information. When gaining access to the operating environment, an intruder can use both the standard functions of the operating system or some public application program (for example, database management systems), and programs specially created to perform unauthorized access, for example:

Registry viewing and modification programs;

Programs for searching text files for keywords and copying them;

Special programs for viewing and copying database records;

Programs for quickly viewing, editing or copying graphic files;

Programs supporting reconfiguration of the software environment (changing ISPD settings in the intruder's interest).

Finally, the third group includes threats, the implementation of which is determined by which of the application programs is launched by the user, or by the fact that any of the application programs is launched. Most of these threats are malware injection threats.

1.3.3 General characteristics of personal data security threats implemented using internetworking protocols

If the ISPD is implemented on the basis of a local or distributed information system, information security threats can be realized in it through the use of internetworking protocols. In this way, unauthorized access to PD can be obtained or the threat of denial of service realized. Such threats are especially dangerous when the ISPD is a distributed information system connected to public networks and (or) international information exchange networks. The classification scheme of threats implemented over the network is shown in Figure 4. It is based on the following seven primary classification features.

Figure 4 Classification scheme of threats using internetworking protocols

1. The nature of the threat. On this basis, threats can be passive or active. A passive threat is one whose realization does not directly affect the operation of the ISPD, but may violate the established rules for restricting access to PD or network resources. An example is the "Network traffic analysis" threat, which is aimed at listening to communication channels and intercepting transmitted information. An active threat is one associated with an impact on ISPD resources, whose realization directly affects the operation of the system (configuration change, disruption of performance, etc.) and violates the established rules for restricting access to PD or network resources. An example is the Denial of Service threat, implemented as a "TCP request storm".
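Detection of the active threat named above (the "TCP request storm") from connection logs, as an added example that is not part of the original text; the log line format, the window and the threshold are assumptions. The detector counts, per destination, SYNs whose handshake is never completed by the same source and raises an alert when many of them accumulate within a short window.

```python
"""SYN-storm detector over constructed connection-log lines (added example).

Not part of the original page. The log format below is assumed:
    <ISO timestamp> <src ip>:<port> -> <dst ip>:<port> flags=<S|A|...>
A flow is "half-open" if a SYN from a source is never followed by an ACK from
that same source to the same destination. A destination that accumulates many
half-open flows inside a short window is the "TCP request storm" the text
names as an active denial-of-service threat. All addresses are documentation
ranges and all lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) flags=(\S+)$")


def parse_line(line: str):
    """Return (ts, src, dst, flags) for one log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts_raw, sip, sport, dip, dport, flags = m.groups()
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return ts, f"{sip}:{sport}", f"{dip}:{dport}", flags


def half_open_syn_times(lines):
    """Map destination -> list of SYN timestamps whose handshake never completed."""
    pending = {}  # (src, dst) -> timestamp of the SYN
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than fail the sweep
        ts, src, dst, flags = rec
        if flags == "S":
            pending[(src, dst)] = ts
        elif "A" in flags:
            pending.pop((src, dst), None)  # same source completed the handshake
    per_dst = defaultdict(list)
    for (_src, dst), ts in pending.items():
        per_dst[dst].append(ts)
    return per_dst


def detect_syn_storm(lines, window=timedelta(seconds=10), threshold=10):
    """Return {dst: peak half-open SYNs within any `window`} for destinations at or above threshold."""
    alerts = {}
    for dst, times in half_open_syn_times(lines).items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted SYN times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[dst] = peak
    return alerts


def constructed_log():
    """Build sample lines: a 12-source SYN flood plus three completed handshakes."""
    t0 = datetime.fromisoformat("2024-05-01T10:00:00+00:00")

    def stamp(ts):
        return ts.isoformat().replace("+00:00", "Z")

    lines = []
    for i in range(1, 13):  # flood: one SYN every 0.5 s, no ACK ever follows
        ts = t0 + timedelta(seconds=0.5 * i)
        lines.append(f"{stamp(ts)} 203.0.113.{i}:{50000 + i} -> 192.0.2.10:443 flags=S")
    for i in range(1, 4):  # legitimate clients: SYN, then ACK 100 ms later
        ts = t0 + timedelta(seconds=i)
        src = f"198.51.100.{i}:{40000 + i}"
        lines.append(f"{stamp(ts)} {src} -> 192.0.2.20:443 flags=S")
        lines.append(f"{stamp(ts + timedelta(milliseconds=100))} {src} -> 192.0.2.20:443 flags=A")
    return lines


if __name__ == "__main__":
    print(detect_syn_storm(constructed_log()))
```

Because the rule keys on handshakes that never complete rather than on raw SYN volume, a busy but healthy service does not trip it; the threshold and window should be tuned to the observed baseline of the protected ISPD.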

2. The purpose of the implementation of the threat. On this basis, threats can be aimed at violating the confidentiality, integrity, and availability of information (including violating the operability of the ISPD or its elements).

3. The condition for the start of the process of implementing the threat. On this basis, a threat can be realized:

Upon request from the object against which the threat is being implemented. In this case, the intruder is waiting for the transmission of a request of a certain type, which will be the condition for the start of unauthorized access;

Upon the occurrence of an expected event at the facility against which the threat is being implemented. In this case, the intruder constantly monitors the state of the ISPD operating system and, if a certain event occurs in this system, unauthorized access begins;

Unconditional impact. In this case, the beginning of the implementation of unauthorized access is unconditional in relation to the purpose of access, that is, the threat is realized immediately and regardless of the state of the system.

4. Availability of feedback from the ISPD. On this basis, the process of implementing a threat can be with or without feedback. A threat implemented with feedback from the personal data information system is characterized by the fact that some requests transmitted to the ISPD require the intruder to receive a response. Consequently, there is feedback between the intruder and the personal data information system, which allows the intruder to respond adequately to all changes occurring in the ISPD. Unlike threats implemented with feedback from the personal data information system, threats implemented without feedback do not require a response to any changes occurring in the ISPD.

5. The location of the intruder relative to the ISPD. On this basis, a threat is realized either intra-segment or inter-segment.

A network segment is a physical association of hosts (ISPD hardware or communication elements having a network address). For example, a segment of the personal data information system is formed by a set of hosts connected to the server according to the "common bus" scheme. In the case of an intra-segment threat, the intruder has physical access to the ISPD hardware elements. In the case of an inter-segment threat, the intruder is located outside the ISPD, realizing the threat from another network or from another segment of the personal data information system.

6. The layer of the Open Systems Interconnection (ISO/OSI) reference model at which the threat is implemented. On this basis, a threat can be implemented at the physical, data link, network, transport, session, presentation or application layer of the ISO/OSI model.

7. The ratio of the number of violators and ISPD elements against which the threat is being implemented. On this basis, a threat can be classified as a threat implemented by one intruder against one ISPD technical tool (“one-to-one” threat), against several ISPD technical means at once (“one-to-many” threat) or by several intruders from different computers relative to one or several technical means of ISPD (distributed or combined threats).

Taking into account the classification carried out, we single out the main types of attacks on the information system of personal data:

1. Analysis of network traffic.

This threat is implemented using special packet sniffer software that intercepts all packets transmitted over a network segment and singles out among them those in which a user ID and password are transmitted. While implementing the threat, the intruder studies the logic of the network, that is, seeks to obtain a one-to-one correspondence between the events occurring in the system and the commands sent by hosts at the moment these events occur. Later this allows the attacker, by issuing the appropriate commands, to obtain privileged rights to act in the system or to extend his powers in it, and to intercept the stream of data exchanged between components of the network operating system in order to extract confidential or identification information and to substitute or modify it.

2. Scanning the network.

The essence of the threat implementation process is to send requests to the network services of ISPD hosts and analyze the responses. The goal is to identify the protocols used, the available ports of network services, the rules for forming connection identifiers, the active network services, and user identifiers and passwords.

3. The threat of password exposure.

The purpose of implementing the threat is to obtain unauthorized access by overcoming password protection. An attacker can implement the threat using a variety of methods, such as simple brute force, brute force using special dictionaries, installing malware to intercept the password, spoofing a trusted network object, and packet sniffing. Mainly, special programs that try to gain access to the host by brute-forcing passwords are used to implement the threat. If successful, the attacker can create an entry point for future access, which will remain in effect even if the access password on the host is changed.

4. Substitution of a trusted network object and transmission of messages through communication channels on its behalf with the assignment of its access rights.

Such a threat is effectively implemented in systems that use weak algorithms for identifying and authenticating hosts and users. A trusted object is a network object (computer, firewall, router, etc.) legally connected to the server. Two varieties of the process of implementing this threat can be distinguished: with and without establishing a virtual connection. The implementation process with establishing a virtual connection consists in assuming the rights of a trusted subject of interaction, which allows the intruder to conduct a session with a network object on behalf of the trusted subject. Implementing this type of threat requires overcoming the system of message identification and authentication. The process of implementing the threat without establishing a virtual connection can take place in networks that identify transmitted messages only by the sender's network address. Its essence lies in transmitting service messages on behalf of network control devices (for example, on behalf of routers) about changes to routing and address data.

As a result of implementing the threat, the intruder receives the access rights that the user set for the trusted subscriber to the ISPD technical tool.

5. Imposing a false network route.

This threat is realized in one of two ways: by intra-segment or inter-segment imposition. The possibility of imposing a false route is due to shortcomings inherent in routing algorithms (in particular, the problem of identifying network control devices), as a result of which traffic can be directed, for example, to a host or network of the attacker, where it is possible to enter the operating environment of a technical tool that is part of the ISPD. The implementation of the threat is based on the unauthorized use of routing and network control protocols to make changes to routing tables. To do this, the intruder needs to send a control message on behalf of a network control device (for example, a router).

6. Introduction of a false network object.

This threat is based on exploiting weaknesses in remote search algorithms. If network objects initially do not have address information about each other, various remote search protocols are used, which consist in transmitting special requests over the network and receiving answers with the required information. In this case, the intruder may intercept the search query and issue a false response to it, the use of which leads to the required change in routing and address data. Subsequently, the entire flow of information associated with the victim object passes through the false network object.

7. Denial of service.

These threats are based on flaws in network software, its vulnerabilities that allow the intruder to create conditions when the operating system is unable to process incoming packets. Several types of such threats can be distinguished:

A latent denial of service caused by engaging part of the ISPD resources in processing packets transmitted by the attacker, with a decrease in the bandwidth of communication channels and the performance of network devices, and violation of the requirements for request processing time. Examples of threats of this kind are: a directed storm of echo requests via the ICMP protocol, a storm of requests to establish TCP connections, a storm of requests to an FTP server;

An explicit denial of service caused by the exhaustion of ISPD resources when processing packets transmitted by the attacker (occupation of the entire bandwidth of communication channels, overflow of service request queues), in which legitimate requests cannot be transmitted through the network because the transmission medium is unavailable, or are denied service because of overflowing request queues, memory, disk space, etc. Examples of threats of this type are an ICMP broadcast echo request storm, a directed storm, and a mail server message storm;

Explicit denial of service caused by a violation of the logical connectivity between the technical means of ISPD when the offender sends control messages on behalf of network devices, leading to a change in routing and address data or identification and authentication information;

An explicit denial of service caused by an attacker transmitting packets with non-standard attributes or with a length exceeding the maximum allowable size, which can lead to the failure of network devices involved in processing requests if there are errors in the programs that implement the network exchange protocols. The result of this threat may be a disruption of the corresponding service for providing remote access to PD in the ISPD, or the transfer from one address of as many connection requests to an ISPD technical facility as it can process at most, which causes the request queue to overflow and one of the network services to fail, or the computer to shut down completely because the system is unable to do anything other than process requests.
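The storm patterns listed above (a directed ICMP echo-request storm, a TCP connection-request storm, and their distributed "many-to-one" variants from classification feature 7) can be recognised from flow records. The following is an added example, not from the thesis: it runs a per-window, per-source count over constructed flow log lines; the log format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict

# Detection thresholds are assumptions for this example, not values from the thesis.
WINDOW_SECONDS = 10        # width of the counting window
STORM_THRESHOLD = 40       # requests per window that count as a storm
DISTRIBUTED_SOURCES = 5    # distinct sources needed to call a storm distributed

# Request types the text names as storm traffic: (protocol, info) -> storm name.
STORM_KINDS = {
    ("ICMP", "echo-request"): "ICMP echo-request storm",
    ("TCP", "SYN"): "TCP SYN (connection-request) storm",
}


def parse_line(line):
    """Parse one constructed flow record: '<epoch> <proto> <src> <dst> <info>'."""
    ts, proto, src, dst, info = line.split(maxsplit=4)
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst, "info": info}


def detect_storms(lines):
    """Return sorted findings (dst, storm_name, source_or_'many-to-one', count).

    A single source exceeding STORM_THRESHOLD inside one window is a directed
    ('one-to-one') storm; many sources that together exceed the threshold while
    each stays below it is a distributed ('many-to-one') storm.
    """
    # (dst, storm name, window index) -> {src: request count}
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        r = parse_line(line)
        kind = STORM_KINDS.get((r["proto"], r["info"]))
        if kind is None:
            continue  # replies, ACKs and other traffic are not storm requests
        buckets[(r["dst"], kind, r["ts"] // WINDOW_SECONDS)][r["src"]] += 1

    findings = []
    for (dst, kind, _window), per_src in buckets.items():
        for src, n in per_src.items():
            if n >= STORM_THRESHOLD:
                findings.append((dst, kind, src, n))
        total = sum(per_src.values())
        if (len(per_src) >= DISTRIBUTED_SOURCES and total >= STORM_THRESHOLD
                and max(per_src.values()) < STORM_THRESHOLD):
            findings.append((dst, "distributed " + kind, "many-to-one", total))
    return sorted(findings)


# Constructed sample: a normal handshake, then a SYN storm from one host against
# 10.0.0.10 and an echo-request storm from eight hosts against 10.0.0.20.
SAMPLE_LOG = (
    ["100 TCP 10.0.1.5 10.0.0.10 SYN",
     "100 TCP 10.0.0.10 10.0.1.5 SYN-ACK",
     "100 TCP 10.0.1.5 10.0.0.10 ACK"]
    + [f"{100 + i % 5} TCP 203.0.113.7 10.0.0.10 SYN" for i in range(45)]
    + [f"{100 + i % 2} ICMP 198.51.100.{10 + i % 8} 10.0.0.20 echo-request"
       for i in range(48)]
)

if __name__ == "__main__":
    for dst, kind, src, count in detect_storms(SAMPLE_LOG):
        print(f"{dst}: {kind} from {src} ({count} requests in {WINDOW_SECONDS}s)")
```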

8. Remote launch of applications.

The threat consists in the attempt to run various previously embedded malicious software on an ISPD host: software implants, viruses, "network spies", whose main purpose is to violate the confidentiality, integrity and availability of information and to gain complete control over the operation of the host. In addition, unauthorized launch of user application programs is possible in order to obtain data needed by the intruder without authorization, to launch processes controlled by the application program, etc. There are three subclasses of these threats:

Distribution of files containing unauthorized executable code;

Remote launch of the application by overflowing the buffer of application servers;

Remote launch of an application by using remote system management capabilities provided by hidden software and hardware implants or by standard tools.

Typical threats of the first subclass are based on the activation of distributed files when they are accidentally accessed. Examples of such files are: files containing executable code in the form of macros (Microsoft Word and Excel documents); HTML documents containing executable code in the form of ActiveX controls, Java applets or interpreted scripts (for example, JavaScript malware); files containing executable program code.

E-mail, file transfer and network file system services can be used to distribute such files.

The threats of the second subclass use the shortcomings of programs that implement network services (in particular, the lack of buffer overflow control). By adjusting system registers, it is sometimes possible to switch the processor, after a buffer overflow interrupt, to the execution of code contained outside the buffer boundary.

With threats of the third subclass, the intruder uses the remote system management capabilities provided by hidden components or by standard tools for managing and administering computer networks. Their use makes it possible to achieve remote control over a station in the network. Schematically, the main stages of the work of these programs are as follows: installation in memory; waiting for a request from a remote host running a client program and exchanging readiness messages with it; transfer of intercepted information to the client or handing him control over the attacked computer. Possible consequences of implementing threats of various classes are shown in Table 1.

Table 1. Possible consequences of the implementation of threats of various classes

1. Network traffic analysis: study of network traffic characteristics; interception of transmitted data, including user IDs and passwords.

2. Network scan: determination of protocols, available ports of network services, rules for generating connection identifiers, active network services, user IDs and passwords.

3. "Password" attack: performing any destructive action related to gaining unauthorized access.

4. Spoofing a trusted network object: changing the route of messages, unauthorized change of routing and address data; unauthorized access to network resources, imposition of false information.

5. Imposing a false route: unauthorized change of routing and address data, analysis and modification of transmitted data, imposition of false messages.

6. Injection of a false network object: interception and viewing of traffic; unauthorized access to network resources, imposition of false information.

7. Denial of service:
   - partial resource exhaustion: decreased bandwidth of communication channels and performance of network devices; decreased performance of server applications;
   - complete exhaustion of resources: impossibility of transmitting messages due to lack of access to the transmission medium, refusal to establish a connection; denial of service;
   - violation of logical connectivity between attributes, data, objects: inability to send messages due to the lack of correct routing and address data; inability to receive services due to unauthorized modification of identifiers, passwords, etc.;
   - using bugs in programs: failure of network devices.

8. Remote application launch:
   - by sending files containing destructive executable code: virus infection; violation of confidentiality, integrity, availability of information;
   - by buffer overflow of the server application;
   - by seizing remote control capabilities provided by hidden software and hardware implants or by standard tools: hidden system management.

The threat realization process generally consists of four stages:

Collection of information;

Intrusions (penetration into the operating environment);

Implementation of unauthorized access;

Elimination of traces of unauthorized access.

At the stage of collecting information, the violator may be interested in various information about ISPD, including:

About the topology of the network in which the system operates. This may include exploring the area around the network (for example, the intruder may be interested in the addresses of trusted but less secure hosts). There are parallel host-availability tools that can scan a large area of the address space for host availability in a short time;

About the type of operating system (OS) in the ISPD. One method of determining the OS type is a simple connection request over the Telnet remote access protocol: the "appearance" of the response reveals the host OS type. The presence of certain services can also serve as an additional indication of the host OS type;

About services functioning on hosts. The definition of services running on a host is based on the "open ports" method to collect information about the availability of a host.

At the invasion stage, the presence of typical vulnerabilities in system services or errors in system administration is investigated. Successful exploitation of vulnerabilities typically results in an attacker's process gaining privileged execution mode (access to the processor's privileged execution mode), injecting an illegal user account into the system, obtaining a password file, or disrupting the attacked host.

This stage of development of the threat, as a rule, is multi-phase. The phases of the threat implementation process may include, for example: establishing a connection with the host against which the threat is being implemented; vulnerability identification; the introduction of a malicious program in the interests of empowerment, etc.

Threats implemented at the intrusion stage are divided by the layers of the TCP/IP protocol stack, since they are formed at the network, transport or application layer depending on the intrusion mechanism used. Typical threats implemented at the network and transport layers include the following:

A threat aimed at replacing a trusted object;

A threat aimed at creating a false route in the network;

Threats aimed at creating a false object using the shortcomings of remote search algorithms;

Denial of service threats.

Typical threats implemented at the application level include threats aimed at the unauthorized launch of applications, threats whose implementation involves the introduction of software implants, the discovery of access passwords to a network or to a specific host, etc. If the implementation of the threat did not give the intruder the highest access rights in the system, attempts to extend these rights to the maximum possible level are possible. For this, vulnerabilities not only of network services but also of the system software of ISPD hosts can be used.

At the stage of implementation of unauthorized access, the goal of implementing the threat is achieved:

Violation of confidentiality (copying, illegal distribution);

Violation of integrity (destruction, change);

Violation of availability (blocking).

At the same stage, after these actions, as a rule, the so-called "back door" is formed in the form of one of the services serving a certain port and executing the intruder's commands. The "back door" is left in the system in order to ensure: the ability to gain access to the host even if the administrator eliminates the vulnerability used to successfully implement the threat; the ability to access the host as discreetly as possible; the ability to gain access to the host quickly (without repeating the process of implementing the threat). The "back door" allows an attacker to inject a malicious program into the network or onto a specific host, for example, a "password analyzer" (a program that extracts user IDs and passwords from network traffic when high-level protocols are running). The objects of malware injection can be authentication and identification programs, network services, the operating system kernel, the file system, libraries, etc.

Finally, at the stage of eliminating traces of the threat's implementation, an attempt is made to destroy the traces of the intruder's actions. The corresponding entries are removed from all possible audit logs, including records of the fact that information was collected.
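Because the final stage is the removal of audit entries, a defender wants audit records stored so that deletion, alteration or truncation is detectable. The following is an added example, not from the thesis: a keyed hash chain over constructed audit records, where a central collector keeps the latest digest; the key, records and event names are assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real deployment it is held by the central
# log collector, not by the audited host, so a local intruder cannot re-sign entries.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64


def chain_digest(prev_digest, seq, record):
    """Keyed digest binding a record and its sequence number to the previous digest."""
    body = json.dumps({"seq": seq, "record": record}, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, prev_digest.encode() + body, hashlib.sha256).hexdigest()


def build_log(records):
    """Append records to an empty chained log and return the list of entries."""
    entries, prev = [], GENESIS
    for seq, rec in enumerate(records):
        digest = chain_digest(prev, seq, rec)
        entries.append({"seq": seq, "record": rec, "digest": digest})
        prev = digest
    return entries


def verify_log(entries, collector_last_digest=None):
    """Check the chain; return (ok, problems).

    Detects records removed from the middle (sequence gap and broken link),
    altered records (digest mismatch) and, when the collector's last-seen digest
    is supplied, records removed from the tail of the log.
    """
    problems, prev, prev_seq = [], GENESIS, -1
    for entry in entries:
        if entry["seq"] != prev_seq + 1:
            problems.append(f"sequence gap: expected seq {prev_seq + 1}, found {entry['seq']}")
        expected = chain_digest(prev, entry["seq"], entry["record"])
        if not hmac.compare_digest(expected, entry["digest"]):
            problems.append(f"entry seq {entry['seq']} does not chain to its predecessor")
        prev, prev_seq = entry["digest"], entry["seq"]
    if collector_last_digest is not None and prev != collector_last_digest:
        problems.append("tail mismatch: entries after the collector's last digest are missing")
    return (not problems, problems)


def remove_entry(entries, seq):
    """Simulate the trace-elimination stage: drop one entry and return the rest."""
    return [e for e in entries if e["seq"] != seq]


def alter_entry(entries, seq, **changes):
    """Simulate editing a record in place; the digest stays as an intruder without the key must leave it."""
    return [dict(e, record={**e["record"], **changes}) if e["seq"] == seq else e
            for e in entries]


# Constructed audit records from a workstation (not real data).
SAMPLE_RECORDS = [
    {"ts": 1700000000, "host": "ws-17", "event": "logon", "user": "ivanov"},
    {"ts": 1700000030, "host": "ws-17", "event": "port-scan-detected", "src": "203.0.113.7"},
    {"ts": 1700000090, "host": "ws-17", "event": "new-listener", "name": "svc_helper", "port": 4444},
    {"ts": 1700000120, "host": "ws-17", "event": "logoff", "user": "ivanov"},
]
SAMPLE_LOG = build_log(SAMPLE_RECORDS)

if __name__ == "__main__":
    last_seen = SAMPLE_LOG[-1]["digest"]          # what the collector holds
    print("intact:", verify_log(SAMPLE_LOG, last_seen))
    print("scan record deleted:", verify_log(remove_entry(SAMPLE_LOG, 1), last_seen))
    print("tail truncated:", verify_log(SAMPLE_LOG[:-1], last_seen))
    print("listener record edited:", verify_log(alter_entry(SAMPLE_LOG, 2, port=80), last_seen))
```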

1.4 Characteristics of the Bank and its activities

PJSC Citibank is a financial and credit organization of the Banking System of the Russian Federation that conducts financial transactions with money and securities. The Bank provides financial services to individuals and legal entities.

The main activities are lending to legal entities and individuals, servicing accounts of corporate clients, attracting funds from the population in deposits, operations in the foreign exchange and interbank markets, investments in bonds and bills.

The Bank has been carrying out its financial activities since August 1, 1990, on the basis of the General License of the Bank of Russia for banking activities No. 356.

The Bank has three personal data information systems:

Information system of personal data of the Bank's employees - allows to identify 243 subjects of personal data;

Personal data information system of the access control and management system - allows you to identify 243 subjects of personal data;

Information system of personal data of the automated banking system - allows you to identify 9681 subjects of personal data.

1.5 Personal databases

The Bank needs to protect several personal data information systems at once, namely:

Information system of personal data of the Bank's employees;

Information system of personal data of the access control and management system;

Information system of personal data of the automated banking system.

1.5.1 Information system of personal data of employees of the organization

The ISPD for the Bank's employees is used to accrue wages to the Bank's employees, to automate the work of HR department employees and of the Bank's accounting department employees, and to solve other personnel and accounting issues. It consists of a 1C "Salary and personnel management" database located on a separate workstation with the ability to connect to the workplace over the network. The workstation is located in the office of the HR department. The Microsoft Windows XP operating system is installed on the workstation. The workstation has no Internet connection.

The ISPD stores the following personal data:

Full Name;

Date of Birth;

Series and number of the passport;

Phone number;

The following have the right to work with the 1C "Salary and personnel management" software and the personal data database:

Chief Accountant;

Chief accountant's assistant;

Head of Human Resources Department;

An employee responsible for payroll for the Bank's employees.

Manual data change;

1.5.2 Personal data information system of the access control and management system

The personal data information system of the access control and management system is used to store personal data of employees and visitors of the Bank who have access to various premises of the Bank. The ISPD of the access control and management system is used by the Bank's security department. The ISPD database is installed on a workstation located in the security room of the security department. The Microsoft Windows 7 operating system is installed on the ISPD workstation, and Microsoft SQL Server 2012 is used as the database management system. The ISPD workstation (AWP) has no access to the local network or to the Internet.

The ISPD stores the following personal data:

Full Name;

Photo of an employee.

The following have the right to work with the ISPD of the access control and management system:

Head of the Security Department of the Bank;

Deputy Head of the Security Department of the Bank;

Employees of the security department of the Bank.

The following have access to the automated workplace of the access control and management system:

System administrators, to administer the workstation, the 1C "Salary and personnel management" software and the personal data database;

Employees of the division responsible for the information security of the Bank to administer the AWP information protection system.

The following functions can be performed in the ISPD for bank employees:

Automated deletion of personal data;

Manual deletion of personal data;

Manual data change;

Manual addition of personal data;

Automated search for personal data.

The personal data information system stores data that makes it possible to identify 243 employees of the Bank.

After achieving the goals of processing the employee's personal data, his personal data is deleted from the ISPD.

1.5.3 Personal data information system of the automated banking system

The personal data information system of the automated banking system is designed to automate the work of most bank employees and improves their productivity. The suite of "CFT-Bank" software products, produced by the "Center of Financial Technologies" group of companies, is used as the automated banking system. Oracle software is used as the database management system. The ISPD is deployed on the Bank's server; the operating system installed on the server is Microsoft Windows Server 2008 R2. The ISPD of the automated banking system is connected to the Bank's local computer network but has no access to the Internet. Users connect to the ISPD database using CFT-Bank software products from dedicated virtual terminals. Each user has his own login and password in the ISPD.

Personal data processed in ISPD:

Full Name;

Date of Birth;

Series and number of the passport;

Phone number;

The following persons have the right to work with CFT-Bank software and personal data database:

Accounting staff;

Loan officers;

Employees of the risk management department;

Employees of the collateral department;

Personal managers;

Client managers;

Security staff.

Access to the workstation is available to:

System administrators to administer the server, personal data database and CFT-Bank software;

Employees of the division responsible for information security of the Bank to administer the server, personal data database and CFT-Bank software.

The following functions can be performed in the ISPD for bank employees:

Automated deletion of personal data;

Manual deletion of personal data;

Manual addition of personal data;

Manual data change;

Automated search for personal data.

The personal data information system stores data that makes it possible to identify 243 employees of the Bank and 9,438 customers of the Bank.

After achieving the goals of processing the employee's personal data, his personal data is deleted from the ISPD.

1.6 Structure and threats of the Bank's local area network

The Bank has a client-server network. The domain in which the users' workstations are located is vitabank.ru. In total, the Bank has 243 automated user workstations, as well as 10 virtual servers and 15 virtual workstations. The system administration department monitors network performance. The network is built mainly on Cisco network equipment. Communication with additional offices is maintained over VPN channels through the Internet, using the Internet provider's active and backup channels. Information exchange with the Central Bank takes place through a dedicated channel as well as through conventional communication channels.

All users have access to the Internet on local workstations, but work with documents and information systems of the Bank is carried out only using virtual workstations, on which access to the Internet is limited and only local resources of the Bank are loaded.

Access to the Internet from local workstations is delimited by access groups:

Minimum access - access only to the resources of federal services, to the website of the Bank of Russia;

Normal access - all resources are allowed except entertainment and social networks; watching videos and downloading files is prohibited;

Full access - all resources and file uploads are allowed;

Resource filtering by access groups is implemented by the proxy server.

Below is a diagram of PJSC Citibank's network (Fig. 5).

1.7 Information security tools

An information security tool is a set of engineering, technical, electrical, electronic, optical and other devices and appliances, instruments and technical systems, as well as other elements used to solve various problems of information protection, including preventing leakage and ensuring the security of protected information.

Information security tools in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:

Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) that solve information protection problems in hardware. They prevent access to information, including by masking it. Hardware includes noise generators, network filters, scanning radio receivers and many other devices that "block" potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors, and high resistance to modification. Their weaknesses are lack of flexibility, relatively large volume and weight, and high cost.

Figure 5 PJSC Citibank network diagram

Software tools include programs for user identification, access control, information encryption, deletion of residual (working) information such as temporary files, test control of the protection system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, ability to modify and develop. Disadvantages - limited functionality of the network, the use of part of the resources of the file server and workstations, high sensitivity to accidental or deliberate changes, possible dependence on the types of computers (their hardware).

Mixed hardware and software implement the same functions as hardware and software separately, and have intermediate properties.

All office premises of the Bank are monitored by the security service using an access control and management system, as well as a video surveillance system. Entry to the Bank's office premises requires the appropriate permissions in the access control and management system. An employee upon hiring, or a visitor of the Bank who needs access to the Bank's office premises, is issued a contactless Proximity card on which a user identifier is recorded; when the holder tries to enter an office, this identifier is transmitted to the access control and management system. The system compares the list of rooms the card holder is allowed to enter with the room he wants to enter and permits or denies access.

Kaspersky Endpoint Security 10 anti-virus software, which has FSTEC of Russia certificate of conformity No. 3025 valid until November 25, 2019, is installed on the Bank's workstations; virus signature databases are updated centrally from the server part of the anti-virus installed on a server located in the Bank.

To organize electronic document management with the Central Bank, a dedicated communication line has been installed in the Bank.

To organize electronic document management with federal services (Federal Tax Service, Pension Fund of Russia, Financial Monitoring Service, etc.), an electronic signature is used. To work with the electronic signature, specialized software is installed on the local workstations of the executors responsible for document circulation with federal services:

Crypto-Pro CSP;

Crypto-ARM;

CIPF Verba-OW;

CIPF Validat;

Signal-COM CSP.

The use of certain software by the contractor depends on the requirements of a particular Federal agency.

A Cisco ASA 5512 firewall manufactured by Cisco Corporation is installed at the edge of the Bank's local network. Also, critical banking systems (Workstation of the Bank of Russia Client, SWIFT, Bank's ISPD) are additionally separated from the Bank's local network by Cisco firewalls. VPN tunnels for communication with an additional office are organized using Cisco firewalls.

1.8 Organizational safeguards

According to a study conducted by the British audit and consulting company Ernst & Young in 2014, 69 percent of the companies participating in the study consider company employees to be the main source of information security threats.

Employees of the company may, out of ignorance or their incompetence in the field of information security, disclose critical information necessary to carry out targeted attacks on the organization. The attackers also send phishing messages with embedded malicious software that allows the attackers to gain control over the employee's workplace and attack the Bank's information systems from this workplace.

Therefore, in the Bank, the information security department is obliged to train the Bank's employees in the fundamental principles of information security, monitor compliance with security requirements when working in the workplace, and inform the Bank's employees about new information security threats that they may face.

At PJSC Citibank, all employees undergo an introductory briefing upon employment. New employees and employees transferred from other structural divisions also undergo an initial briefing in the information security department, during which they are taught the basic information security rules for working with the Bank's information systems, the security rules for working on the Internet and with the Bank's e-mail, and the Bank's password policy.

Employees of the information security department of the Bank are involved in the development and implementation of new information systems of the Bank at all levels of system development.

At the stage of system design and preparation of terms of reference for the development of an information system, the information security department imposes security requirements on the system.

At the stage of developing an information system, employees of the information security department study the current documentation and test the software for possible vulnerabilities in the program code.

At the stage of testing and commissioning the information system, the information security department actively participates in testing, conducts penetration tests and denial-of-service tests against the information system, and also assigns access rights to it.

At the stage of operation of the information system already put into operation, the information security department monitors and detects suspicious activity.

At the stage of finalizing the information system, the information security department, based on the data obtained during the operation of the information system, builds new requirements for the information system.

The Information Security Department at PJSC Citibank approves all requests for access to resources on the Internet, as well as to the internal resources of the Bank.

1.9 Personal data processing cycle

Personal data stored in the Bank was obtained only legally.

The received personal data of an employee of the Bank are processed only for the Bank to fulfill its obligations under the contract concluded with the employee. The personal data of the Bank's employee is obtained from the employee himself. All employees of the Bank are familiarized against signature with the documents of the Bank that establish the procedure for processing personal data of employees of the Bank, as well as their rights and obligations in this area.

The personal data of bank employees stored in the ISPD of the access control and management system are intended to allow the employee to enter the workplace.

The personal data of the Bank's clients stored in the ISPD of the automated banking system are processed there only so that the Bank can fulfil its obligations under the agreement concluded with the client. The ISPD of the automated banking system also processes personal data of persons who have not entered into an agreement with the Bank but whose data were obtained legally, for example personal data received and processed under Federal Law No. “On counteracting the legalization (laundering) of proceeds obtained by criminal means and the financing of terrorism”.

After achieving the goals of processing personal data, they are destroyed or depersonalized.

2. DEVELOPMENT OF MEASURES TO PROTECT PERSONAL DATA IN THE BANK

At PJSC Citibank, the personal data protection system is regulated by both state-level laws and local regulations (for example, the “Rules for Remote Banking Services for Legal Entities and Individual Entrepreneurs in PJSC CITIBANK” in Appendix 1).

PJSC Citibank's personal data protection system has been sufficient to repel simple attacks such as phishing and infection of workstations with ransomware, but it cannot withstand targeted attacks aimed at stealing personal data.

I carried out work on the restructuring and modernization of the personal data protection system.

2.1 Measures to protect the local computer network of the bank and the personal data information system

There are pronounced weaknesses in the Citibank network, using which attackers can gain full access to the bank's network and take control of it, after which they can freely steal, change or delete the personal data of customers or Bank employees.

Since the Bank's network is one single segment, in order to minimize the risk of intruders moving through the Bank's network, it must be divided into several segments using virtual network (VLAN) technology.

The concept of virtual network (VLAN) technology is that the network administrator can create logical groups of users regardless of which part of the physical network they are connected to. Users can be combined into logical working groups, for example on the basis of common work performed or a jointly solved task. User groups can interact with each other or be completely invisible to each other. Group membership can be changed, and a user can be a member of several logical groups.

Virtual networks form logical broadcast domains, limiting the propagation of broadcast packets through the network in the same way as routers, which isolate broadcast traffic between network segments. In this way a virtual network prevents broadcast storms, because broadcast messages are restricted to the members of the virtual network and cannot be received by members of other virtual networks. Virtual networks can allow access to members of another virtual network where access to shared resources, such as file servers or application servers, is needed, or where a common task requires the interaction of different services, such as the credit and settlement departments.

Virtual networks can be created on the basis of switch ports, physical addresses of devices included in the network, and logical addresses of protocols of the third level of the OSI model. The advantage of virtual networks lies in the high speed of the switches, since modern switches contain specialized integrated circuits designed for switching at the second level of the OSI model.

Third-level virtual networks are the easiest to install when no reconfiguration of network clients is required, but they are the most difficult to administer, because any change to a network client requires reconfiguring either the client itself or the router, and the least flexible, since routing is required for virtual networks to communicate, which increases the cost of the system and reduces its performance.

Thus, the creation of virtual networks in the Bank will prevent ARP-spoofing attacks: attackers will not be able to intercept information passing between the server and the client. Having penetrated the network, attackers will be able to scan not the entire Bank network but only the network segment to which they gained access.
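The segmentation argued for above, modelled as an added example (not the project's own code): each VLAN is its own broadcast domain, so a broadcast or a spoofed ARP reply stays inside the segment, and a scan from a compromised workstation reaches only its own segment plus the host/port pairs the router rules open. VLAN numbers, host names and the inter-VLAN rules are constructed; the `exposure_of` check goes beyond the text by listing which segments can reach the ISPD at all.

```python
"""Model of the segmented Bank network described above (added example, not the
project's own code). VLAN numbers, host names and the inter-VLAN rules are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int


@dataclass(frozen=True)
class Rule:
    """One inter-VLAN permission enforced by the router/firewall between segments."""
    src_vlan: int
    dst_host: str
    dst_port: int


@dataclass
class SegmentedNetwork:
    vlans: dict = field(default_factory=dict)   # vlan id -> name
    hosts: dict = field(default_factory=dict)   # host name -> Host
    rules: list = field(default_factory=list)   # router ACL between VLANs

    def add_vlan(self, vlan_id, name):
        self.vlans[vlan_id] = name

    def add_host(self, name, vlan_id):
        if vlan_id not in self.vlans:
            raise ValueError(f"unknown VLAN {vlan_id}")
        self.hosts[name] = Host(name, vlan_id)

    def allow(self, src_vlan, dst_host, dst_port):
        self.rules.append(Rule(src_vlan, dst_host, dst_port))

    def broadcast_domain(self, host_name):
        """Hosts that receive a broadcast (or a spoofed ARP reply) sent by
        host_name: only the members of the same VLAN."""
        vlan = self.hosts[host_name].vlan
        return {h.name for h in self.hosts.values() if h.vlan == vlan}

    def reachable_from(self, host_name):
        """What a scan from host_name can discover: every other host in its own
        VLAN ("all ports", nothing filters inside a segment) plus the exact
        host/port pairs the inter-VLAN rules expose to that segment."""
        src = self.hosts[host_name]
        result = {}
        for h in self.hosts.values():
            if h.vlan == src.vlan and h.name != host_name:
                result[h.name] = "all ports"
        for r in self.rules:
            if r.src_vlan == src.vlan and self.hosts[r.dst_host].vlan != src.vlan:
                result.setdefault(r.dst_host, set()).add(r.dst_port)
        return result

    def exposure_of(self, vlan_id):
        """Review helper for a sensitive segment such as the ISPD VLAN: which
        other segments may reach it, through which host and port."""
        return sorted((r.src_vlan, r.dst_host, r.dst_port) for r in self.rules
                      if self.hosts[r.dst_host].vlan == vlan_id
                      and r.src_vlan != vlan_id)


# constructed inventory: servers, two departments, the ISPD (automated banking system)
HOSTS = [("dc01", 10), ("fileserver", 10), ("mail", 10), ("proxy", 10),
         ("credit-ws1", 20), ("credit-ws2", 20), ("settle-ws1", 30),
         ("abs-app", 40), ("abs-db", 40)]


def build_flat_network():
    """The 'before' state: one segment, every host in one broadcast domain."""
    net = SegmentedNetwork()
    net.add_vlan(1, "whole bank")
    for name, _ in HOSTS:
        net.add_host(name, 1)
    return net


def build_segmented_network():
    """The 'after' state: servers, two departments and the ISPD in separate
    VLANs, with only the shared resources opened between them."""
    net = SegmentedNetwork()
    for vlan_id, name in [(10, "servers"), (20, "credit department"),
                          (30, "settlement department"), (40, "ISPD")]:
        net.add_vlan(vlan_id, name)
    for name, vlan_id in HOSTS:
        net.add_host(name, vlan_id)
    for vlan_id in (20, 30):            # shared resources both departments need
        net.allow(vlan_id, "fileserver", 445)
        net.allow(vlan_id, "mail", 25)
        net.allow(vlan_id, "proxy", 3128)
    net.allow(20, "abs-app", 443)       # only the credit department reaches the ABS
    return net


if __name__ == "__main__":
    for label, net in [("flat", build_flat_network()),
                       ("segmented", build_segmented_network())]:
        print(label, "scan from settle-ws1 sees:", sorted(net.reachable_from("settle-ws1")))
    print("ISPD exposure:", build_segmented_network().exposure_of(40))
```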

When infiltrating the Bank's network, attackers will first of all scan the network to find critical network nodes. These nodes are:

domain controller;

proxy server;

mail server;

file server;

application server.

Since the Bank's local network will be organized using virtual network technology, attackers will not be able to discover these nodes without additional steps. To make it harder for attackers to find critical nodes on the local network, to confuse them, and in future to study their strategy when attacking the network, decoy objects that attract attackers should be used. These objects are called honeypots.

The task of a honeypot is to be attacked or subjected to unauthorized probing, which subsequently makes it possible to study the attackers' strategy and determine the list of means by which the real security-relevant objects can be struck. A honeypot can be implemented either as a dedicated server or as a single network service whose task is to attract the attention of hackers.

A honeypot is a resource that does nothing on its own and is acted on only by an intruder. The honeypot collects a small amount of information; its analysis yields statistics on the methods used by attackers and reveals any new tools, which are then used to counter them.

For example, a web server that has no name and is practically unknown to anyone should have no visitors, so anyone who tries to break into it is a potential attacker. The honeypot collects information about the behaviour of these intruders and how they affect the server. The information security department then analyses the intruders' attack on the resource and develops strategies to repel such attacks in the future.
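A minimal decoy service of the kind described above, added here as an example (it is not part of the project): it accepts connections on a port no real service uses, records who connected and the first bytes they sent without ever answering, and a second step flags sources that touched several decoy ports within a time window. The decoy ports, addresses and the probe built by `simulate_probe()` are constructed assumptions.

```python
"""Minimal TCP honeypot (decoy service) with an analysis step, added as an
example; not part of the project. Ports, addresses and probes are constructed."""
import socket
import threading
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeEvent:
    ts: float
    src_ip: str
    src_port: int
    decoy_port: int
    first_bytes: bytes


class EventStore:
    """Thread-safe log of everything that touched a decoy. Legitimate users never
    address the decoy, so every entry deserves an analyst's look."""
    def __init__(self):
        self._events, self._lock = [], threading.Lock()

    def add(self, event):
        with self._lock:
            self._events.append(event)

    def all(self):
        with self._lock:
            return list(self._events)


def record_probe(conn, peer, decoy_port, store, read_timeout=1.0):
    """Handle one accepted connection: capture up to 256 bytes of whatever the
    client sends first (banner grab, HTTP request, exploit attempt), never
    answer, log it and close. The decoy stays passive, as the text describes."""
    conn.settimeout(read_timeout)
    data = b""
    try:
        data = conn.recv(256)
    except (socket.timeout, OSError):
        pass
    finally:
        conn.close()
    event = ProbeEvent(time.time(), peer[0], peer[1], decoy_port, data)
    store.add(event)
    return event


class DecoyListener(threading.Thread):
    """One decoy service bound to a port that no real service in the segment uses."""
    def __init__(self, store, host="0.0.0.0", port=0):
        super().__init__(daemon=True)
        self.store = store
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.5)           # so run() notices stop() requests
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()

    def run(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=record_probe, daemon=True,
                             args=(conn, peer, self.port, self.store)).start()
        self.sock.close()

    def stop(self):
        self._stop.set()


def scanners(events, min_decoys=2, window=300.0):
    """Sources that touched at least min_decoys distinct decoy ports within
    `window` seconds: someone mapping the segment rather than a single
    mistyped address. Returns {src_ip: sorted decoy ports}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src_ip].append(ev)
    hits = {}
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            ports = {e.decoy_port for e in evs[i:] if e.ts - first.ts <= window}
            if len(ports) >= min_decoys:
                hits[ip] = sorted(ports)
                break
    return hits


def simulate_probe(payload, peer, decoy_port, store):
    """Offline stand-in for an attacker connection: a socketpair instead of a
    network socket, so record_probe() runs without any listener."""
    client, server = socket.socketpair()
    client.sendall(payload)
    event = record_probe(server, peer, decoy_port, store)
    client.close()
    return event


if __name__ == "__main__":
    store = EventStore()
    ev = simulate_probe(b"GET / HTTP/1.0\r\n\r\n", ("10.1.20.7", 51234), 8080, store)
    print(f"{ev.src_ip}:{ev.src_port} -> decoy:{ev.decoy_port} {ev.first_bytes!r}")
    print("scanners:", scanners(store.all(), min_decoys=1))
```

A live decoy is started with `DecoyListener(store, host="127.0.0.1").start()`; its `port` attribute reports the port the OS assigned when `port=0` is passed.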

To control information incoming from the Internet and detect threats to information security at the stage of their transmission over the network, as well as to detect the activity of intruders who have penetrated the Bank's local network, it is necessary to install an intrusion prevention system at the edge of the network.

An intrusion prevention system is a software or hardware tool for network and computer security that detects intrusions or security breaches and automatically protects against them.

Intrusion Prevention Systems can be seen as an extension of Intrusion Detection Systems, as the task of tracking attacks remains the same. However, they differ in that the intrusion prevention system monitors activity in real time and quickly implements attack prevention actions.

Intrusion detection and prevention systems are divided into:

Network intrusion prevention systems analyze traffic directed to the organization's network, passing through the network itself or directed to a specific computer. They can be implemented by software or hardware-software means, installed on the perimeter of the corporate network and sometimes within it.

Personal intrusion prevention systems are software installed on workstations or servers that controls the activity of applications and monitors network activity for possible attacks.

A network intrusion prevention system was chosen for deployment in the Bank's network.

Network intrusion prevention systems from IBM, Check Point, Fortinet and Palo Alto were considered, since the functionality declared by the manufacturers of these systems met the requirements of the Bank's information security department.

After deploying test benches and testing the intrusion prevention systems, the Check Point system was chosen, as it showed the best performance, the best detection of malware transmitted over the local network, the best tools for logging important events, and the best acquisition price.

IBM's intrusion prevention system was rejected because the cost of the devices exceeded the information security department's budget for the purchase of an intrusion prevention system.

Fortinet's intrusion prevention system was rejected due to an incomplete response when the information security department ran tests transferring infected files, and insufficiently informative tools for logging important events.

Palo Alto's intrusion prevention system was rejected due to insufficiently informative tools for logging important events, excessive complexity of working with the system, and acting more like a router.

The Check Point intrusion prevention system was chosen for implementation in the local network. This system showed a high level of detection of information security threats, flexible settings and the ability to expand its functionality by purchasing additional software modules; it has a powerful system for logging important events and a powerful toolkit for producing incident reports, which makes investigating information security incidents much easier.

The network diagram of PJSC Citibank with a changed architecture is shown in Figure 6.

2.2 Software and hardware protections

Network protection alone cannot ensure the security of personal data, because intruders, despite all the measures taken to protect the network, may still gain access to the Bank's network.

Figure 6 PJSC Citibank network diagram with additional security systems

For more resilient protection against attacks, it is necessary to add software and hardware protection devices for local workstations, virtual workstations, virtual and regular servers to the devices designed to protect the network.

Anti-virus programs do not provide complete protection against malicious software, because they work on the principle of signature analysis. An anti-virus software company has experts on its staff who monitor virus activity on the Internet, study the behaviour of malware on test stations, and create signatures that are subsequently delivered to users' computers by updating the anti-virus signature databases. Having received an updated signature database, the anti-virus scans files on the user's workstation and looks for signs of malicious software; if such signs are found during the scan, the anti-virus signals this and acts in accordance with the settings set by the user or the anti-virus administrator. Thus, if a piece of malware has not been detected and analysed by the experts of the anti-virus company, the anti-virus will not be able to detect it and will take no action, considering the scanned file safe. Therefore, to reduce the likelihood of malicious software entering the network and being launched, a second tier of anti-virus protection was deployed in the Bank. Since most anti-virus companies work independently of each other, malware not yet detected by one company may already have been detected by another developer, with signatures already created for the threat.

To implement this scheme, a virtual workstation was created on which the Doctor WEB Enterprise security suite anti-virus was installed, which holds FSTEC of Russia certificate of conformity No. 2446, valid until September 20, 2017. All files downloaded by bank employees during their work are sent to this station and scanned by the anti-virus. If malicious software is detected, the anti-virus sends an e-mail to the information security department with the name of the threat and the path where the infected file is stored, and the information security department takes steps to remove the malicious software. If a file downloaded by a user passes the anti-virus check, the user who downloaded it submits a request to the information security department, and the department's employees transfer the downloaded file to the user.

A large amount of malicious software also reaches the Bank's employees via e-mail. This can be either ordinary ransomware or malicious software that allows attackers to penetrate the infected computer of a Bank employee over a remote connection.

To minimize the risks of such threats, ClamAV anti-virus software, designed to protect mail servers, was installed on the Bank's mail server.

To protect against unauthorized access by internal intruders who somehow learned the password of a user of a local station that has access to personal data information systems, it is necessary to install an information protection system from unauthorized access on the local workstations of users working with personal data information systems.


Training of the Bank's employees is carried out by a specialist of the information security department.

An employee of the information security department conducts training in a division of the Bank determined by the plan. After the training, the employees of the unit pass tests in which they confirm the knowledge gained during the training.

The basic security policy regulates the conduct of training in each unit at least four times a year.

In parallel with the training, employees of the information security department are also required to send, at least once a month, information letters to all employees of the Bank describing the basic security rules and any newly detected threats to the Bank's information security.

2.3.2 The order of employees' access to Internet resources

The Bank has 3 Internet access groups, but this division of access is inefficient: if an employee, in order to perform his duties, needs information from a network resource that is included only in the full access group, he has to be given full access to the Internet, which is unsafe.

Group 6: downloading archives - the group does not provide any access to Internet resources;

Group 7: download executable files - the group does not provide any access to Internet resources;

Group 8: full access to the Internet - full access to Internet resources, downloading any files.

To gain access to Internet resources, an employee creates an application through the ServiceDesk system and, after approval by the head of the department or management and an employee of the information security department, the employee is granted access to Internet resources according to the requested group.

2.3.3 Procedure for employee access to intrabank resources

The main documents an employee works with are located at the local workstation or in the automated system in which he works. Each division of the Bank also has a section on the Bank's file server, which stores information needed by several employees of the division and which is too large to send by the Bank's e-mail.

When a new employee gets a job at the Bank, his/her direct manager sends an application through the ServiceDesk system to the system administration department for access to the intrabank resource, and after the application is approved by an employee of the information security department, the employee of the system administration department provides the new employee with access to the requested resource.

There are often situations in which the work of several divisions of the Bank intersects, and to exchange information these divisions need a separate section on the Bank's file server.

To create this section, the project manager (the head of one of the departments involved in the project) submits an application through the ServiceDesk system to create a shared resource and to grant access to it to specific employees of his department working on the joint project and to the head of the department with which he collaborates on the project. Once the application is approved by an employee of the information security department, an employee of the system administration department creates the requested resource and grants access to it to the requested employees. Each head of a department participating in the project requests access only for the employees subordinate to him.

2.3.4 How employees work with e-mail

Previously, before creating a basic security policy, each employee himself determined the degree of danger of letters and files received by e-mail from external mail servers.

After the basic security policy was created, each user is required to send every file received by e-mail from external mail servers to the information security department to be checked for malicious software; the degree of danger of the letters themselves is still determined by the employee. If an employee of the Bank suspects that an incoming message is spam or phishing, he must forward the letter in full, that is, with all the service information about the sender, the sender's mailbox and IP address, to the information security department. After analysing the suspicious letter and confirming the threat, the information security department sends the sender's address to the system administration department, whose employee adds the sender's address to the blacklist.

Always lock the workstation when leaving it.

2.3.6 Rules for employee access to personal data

According to Article 89 of Chapter 14 of the Labor Code of the Russian Federation, a Bank employee has the right to access his personal data, but is allowed to process personal data of other Bank employees or Bank customers only for the performance of his official duties.

To ensure control over access to personal data information systems, the bank has established the following rules for access to personal data information systems:

Only employees whose job responsibilities include the processing of personal data have access to ISPD;

Access to ISPD is allowed only from the local workplace of an employee working with personal data;

The Bank has created a document that defines by last name the employees who are allowed access to the personal data of employees and customers of the Bank, indicating the Personal Data Information System and the list of personal data allowed for processing by the employee.

3. ECONOMIC JUSTIFICATION OF THE PROJECT

To implement a personal data protection system, it is necessary to purchase:

Equipment to protect the Bank's network;

Information security hardware;

Information security software.

To rebuild the organization's network, it is necessary to purchase three Cisco Catalyst 2960 switches. One switch is required at the core level of the Bank's network, the other two at the distribution level. Network hardware that was in use in the Bank before the restructuring will also be retained.

Cost table (only these rows survive in the source):

Total cost (RUB): 9389159 613

Doctor WEB Enterprise security suite: 155005500

Total cost: 1 371 615

CONCLUSION

In my graduation project, I reviewed the legal framework for the protection of personal data. I have considered the main sources of threats to the security of personal data.

Based on the considered threats to personal data, I analyzed the existing personal data protection system at PJSC Citibank and came to the conclusion that it needs to be seriously improved.

During the graduation project, weaknesses were found in the Bank's local network. Taking into account the revealed weaknesses in the Bank's local network, measures were determined to minimize the risks of information security of the Bank's network.

Devices and software for protecting local workplaces of employees processing personal data of employees and customers of the Bank were also considered and selected.

With my participation, a system was created to raise awareness of employees in matters of information security.

The procedure for Bank employees' access to the Internet has been thoroughly redesigned, and the Internet access groups have been reworked. The new Internet access groups make it possible to significantly reduce information security risks by limiting users' ability to download files and access untrusted resources.

Calculations of the cost of rebuilding the network and creating a viable personal data protection system that can reflect most information security threats are given.

LIST OF USED LITERATURE

1. "The Constitution of the Russian Federation" (adopted by popular vote on December 12, 1993) (subject to amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation of December 30, 2008 N 6-FKZ, of December 30, 2008 N 7-FKZ, of February 5, 2014 N 2-FKZ, dated July 21, 2014 N 11-FKZ) // The official text of the Constitution of the Russian Federation, as amended on July 21, 2014, was published on the Official Internet Portal of Legal Information http://www.pravo.gov.ru, 08/01/2014

2. "Basic model of personal data security threats during their processing in personal data information systems" (Extract) (approved by the FSTEC of the Russian Federation on February 15, 2008)

3. Federal Law of July 27, 2006 N 149-FZ (as amended on July 6, 2016) “On Information, Information Technologies and Information Protection” // The document was not published in this form; the original text of the document was published in Rossiyskaya Gazeta, N 165, 29.07.2006

4. "Labor Code of the Russian Federation" dated December 30, 2001 N 197-FZ (as amended on July 3, 2016) (as amended and supplemented, entered into force on October 3, 2016) // The document was not published in this form; the original text of the document was published in Rossiyskaya Gazeta, N 256, 12/31/2001

5. Decree of the Government of the Russian Federation of 01.11.2012 N 1119 "On approval of the requirements for the protection of personal data during their processing in personal data information systems" // "Rossiyskaya Gazeta", N 256, 07.11.2012

6. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered in the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

7. “Standard of the Bank of Russia “Ensuring information security of organizations of the banking system of the Russian Federation. General provisions "STO BR IBBS-1.0-2014" (adopted and put into effect by the Order of the Bank of Russia dated May 17, 2014 N R-399) // Bulletin of the Bank of Russia, No. 48-49, May 30, 2014

8. “Regulation on the requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to exercise control over compliance with the requirements for ensuring the protection of information when making money transfers” (approved by the Bank of Russia on 09.06.2012 N 382-P) (as amended dated August 14, 2014) (Registered with the Ministry of Justice of Russia on June 14, 2012 N 24575) // The document was not published in this form, the original text of the document was published in the Bulletin of the Bank of Russia, N 32, 06/22/2012

9. “Regulations on the procedure for the submission by credit institutions to the authorized body of information provided for by the Federal Law “On counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism” (approved by the Bank of Russia on August 29, 2008 N 321-P) (as amended on 10/15/2015) (together with the “Procedure for ensuring information security during the transmission and reception of the ECO”, “Rules for the formation of the ECO and filling in individual fields of the ECO records”) (Registered in the Ministry of Justice of Russia on 16.09.2008 N 12296) // The document was not published in this form; the original text of the document was published in the Bulletin of the Bank of Russia, N 54, 09/26/2008

10. Order of the FSTEC of Russia dated February 18, 2013 N 21 “On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems” (Registered in the Ministry of Justice of Russia on May 14, 2013 N 28375) // Rossiyskaya Gazeta, N 107, 05/22/2013

11. Averchenkov V.I., Rytov M.Yu., Gainulin T.R. Protection of personal data in organizations. M.: Flinta, 2018

12. Agapov A. B. Fundamentals of public administration in the field of informatization in the Russian Federation. M.: Jurist, 2012

13. Kostin A. A., Kostina A. A., Latyshev D. M., Moldovyan A. A. Software complexes series "AURA" for the protection of information systems of personal data // Izv. universities. instrumentation. 2012. V. 55, No. 11

14. Moldovyan A. A. Cryptography for the protection of computer information (part 1) // Integral. 2014. No. 4 (18)

15. Romanov O.A., Babin S.A., Zhdanov S.G. Organizational support of information security. - M.: Academy, 2016

16. Shults V.L., Rudchenko A.D., Yurchenko A.V. Business security. M.: Yurayt Publishing House, 2017

Appendices (available in the archive with the work).

It has become especially in demand for Russian divisions of foreign companies in connection with the addition of Part 5 of Article 18 to 152-FZ “On Personal Data”: “... the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and extraction of the personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation”. There are a number of exceptions in the law, but you must admit that in case of a check by the regulator, you want to have more reliable trump cards than "but this does not concern us."

The penalties for violators are very severe. Online shops, social media, information sites and other Internet-related businesses can in practice be shut down if claims are raised by the supervisory authorities. Perhaps at the first check the regulator will give time to eliminate the shortcomings, but the period is usually limited. If the problem is not solved very quickly (which is difficult to do without preliminary preparation), the losses can no longer be compensated. Website blocking not only pauses sales, it means a loss of market share.

The appearance in the "black list" of violators of the law on personal data for offline companies is less dramatic. But this entails reputational risks, which is a significant factor for foreign companies. In addition, now there are almost no activities that are not at all related to the protection of personal data. Banks, trade, even manufacturing - all maintain customer bases, which means they are subject to the relevant laws.

Here it is important to understand that within companies the issue cannot be considered in isolation either. Personal data protection cannot be limited by installing certified security tools on servers and locking paper cards in safes. Personal data has many entry points into the company - sales departments, HR, customer service, sometimes also training centers, purchasing commissions and other divisions. Personal data protection management is a complex process that affects IT, document flow, regulations, legal registration.

Let's take a look at what it takes to run and maintain such a process.

What data is considered personal

Strictly speaking, any information that relates directly or indirectly to a specific individual is his personal data. Note that we are talking about people, not legal entities. It turns out that it is enough to indicate a full name and address of residence to trigger the protection of this (as well as related) data. However, receiving an e-mail with someone's personal data in the form of a signature and telephone number is no reason to protect it. The key term is the concept of collecting personal data. To clarify the context, I want to highlight several articles of the Law "On Personal Data" in particular.

Article 5. Principles of personal data processing. There should be clear goals that make it clear why this information is being collected. Otherwise, even with full compliance with all other norms and rules, sanctions are likely.

Article 10. Special categories of personal data. For example, the personnel department may record restrictions on business trips, including the pregnancy of employees. Of course, such additional information is also subject to protection. This greatly expands the understanding of PD, as well as the list of departments and information repositories of the company in which protection needs attention.

Article 12. Cross-border transfer of personal data. If an information system with data on citizens of the Russian Federation is located on the territory of a country that has not ratified the Convention on the Protection of Personal Data (for example, in Israel), the provisions of Russian legislation should be followed.

Article 22. Notice on the processing of personal data. A required condition in order not to attract undue attention from the regulator. If you conduct business activity involving PD, report it yourself, without waiting for inspections.

Where personal data may be located

Technically, PD can be located anywhere, from printed media (paper file cabinets) to machine media (hard drives, flash drives, CDs, etc.). That is, the focus is on any data storage that falls under the definition of ISPD (personal data information systems).

The geography of the location is a separate big question. On the one hand, the personal data of Russians (individuals who are citizens of the Russian Federation) must be stored on the territory of the Russian Federation. On the other hand, at the moment this is more a direction in which the situation is developing than a fait accompli. Many international and export companies, holdings and joint ventures have historically had a distributed infrastructure, and this will not change overnight. The methods of storing and protecting personal data, by contrast, should be adjusted almost immediately.

The minimum list of departments involved in recording, organizing, accumulating, storing, clarifying (updating, changing), extracting PD:

  • Personnel service.
  • Sales department.
  • Legal department.

Since perfect order rarely reigns, in reality the most unexpected units are often added to this "expected" list. For example, a warehouse may hold personalized information about suppliers, or a security service may keep its own detailed record of everyone entering the premises. In this way, by the way, the PD of employees is supplemented with data on clients, partners, contractors, as well as occasional and even other companies' visitors, whose PD becomes a liability when they are photographed for a pass, when an ID card is scanned, and in some other cases. ACS (access control and management systems) can easily become a source of problems in the context of personal data protection. Therefore, from the point of view of compliance with the Law, the answer to the question "Where?" is: everywhere on the territory for which you are accountable. A more precise answer can only be given by conducting an appropriate audit. This is the first stage of a personal data protection project. The full list of its key phases:

1) Audit of the current situation in the company.

2) Designing a technical solution.

3) Preparation of a process for the protection of personal data.

4) Verification of the technical solution and process for the protection of personal data for compliance with the legislation of the Russian Federation and company regulations.

5) Implementation of a technical solution.

6) Launching the process for the protection of personal data.

1. Audit of the current situation in the company

First of all, check with the personnel service and other departments that use paper media with personal data:

  • Are there forms of consent to the processing of personal data? Are they completed and signed?
  • Is the “Regulation on the specifics of the processing of personal data carried out without the use of automation tools” dated September 15, 2008 No. 687 being observed?

Determine the geographical location of the ISPD:

  • What countries are they in?
  • On what basis?
  • Are there contracts for their use?
  • What technological protection is used to prevent leakage of PD?
  • What organizational measures are taken to protect PD?

Ideally, an information system with PD of Russians must comply with all the requirements of the Law 152-FZ "On Personal Data", even if it is located abroad.

Finally, pay attention to the impressive list of documents that are required in case of an inspection (this is not everything, just the main list):

  • PD processing notification.
  • A document identifying the person responsible for organizing the processing of PD.
  • List of employees authorized to process PD.
  • A document that determines the location of PD storage.
  • Information about the processing of special and biometric categories of personal data.
  • Certificate of cross-border transfer of PD.
  • Standard forms of documents with PD.
  • Standard form of consent to the processing of personal data.
  • The procedure for transferring PD to third parties.
  • The procedure for accounting for requests from PD subjects.
  • List of personal data information systems (ISPD).
  • Documents regulating data backup in ISPD.
  • List of information security tools used.
  • The procedure for the destruction of PD.
  • Access matrix.
  • Threat model.
  • Logbook of machine media PD.
  • A document defining the levels of security for each ISPD in accordance with PP-1119 dated November 1, 2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems."

2. Designing a technical solution

A description of the organizational and technical measures that must be taken to protect PD is given in Chapter 4. "Obligations of the operator" of the Law 152-FZ "On Personal Data". The technical solution must be based on the provisions of Article 2 of Law 242-FZ of July 21, 2014.

But how to comply with the law and process the PD of citizens of the Russian Federation on the territory of Russia in the case when the ISPD is still located abroad? There are several options here:

  • Physical transfer of the information system and database to the territory of the Russian Federation. If technically feasible, it will be the easiest.
  • Leave the ISPD abroad, but create a copy of it in Russia and establish one-way replication of the PD of RF citizens from the Russian copy to the foreign one. At the same time, the foreign system must exclude any possibility of modifying the personal data of RF citizens: all edits go only through the Russian ISPD.
  • There are several ISPDs and they are all abroad. The transfer can be expensive or even technically unfeasible (for example, it is impossible to separate the part of the database holding personal data of RF citizens and move it to Russia). In this case, the solution may be to create a new ISPD on any available platform on a server in Russia, from which one-way replication is carried out to each foreign ISPD. I note that the choice of platform is up to the company.

If the ISPD has not been completely and exclusively transferred to Russia, do not forget to indicate in the certificate of cross-border data transfer to whom and which particular set of PD is being sent. The purpose of the transfer of personal data must be indicated in the notification of processing. Again, this purpose must be legitimate and clearly justified.

3. Preparation of the process for the protection of personal data

The personal data protection process should define at least the following points:

  • List of persons responsible for the processing of personal data in the company.
  • The procedure for granting access to ISPD. Ideally, this is an access matrix with the access level for each position or specific employee (read/read-write/modify), or a list of available PD for each position. It all depends on the implementation of the information system and the requirements of the company.
  • Audit of access to personal data and analysis of access attempts with violation of access levels.
  • Analysis of the reasons for the inaccessibility of personal data.
  • The procedure for responding to requests from PD subjects regarding their PD.
  • Revision of the list of personal data that is transferred outside the company.
  • Review of recipients of personal data, including abroad.
  • Periodic review of the threat model for PD, as well as a change in the level of protection of personal data due to a change in the threat model.
  • Keeping company documents up to date (the list above, and it can be supplemented, if necessary).

Here you can detail each item, but I want to pay special attention to the level of security. It is determined on the basis of the following documents (read in sequence):

1. "Methodology for determining current threats to the security of personal data during their processing in personal data information systems" (FSTEC of Russia, February 14, 2008).

2. Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems”.

3. FSTEC Order No. 21 dated February 18, 2013 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems."

Also, do not forget to take into account the need for such categories of expenses as:

  • Organization of the project team and project management.
  • Developers for each of the ISPD platforms.
  • Server capacities (own or rented in the data center).

By the end of the second and third stages of the project, you should have:

  • Cost calculation.
  • Quality requirements.
  • Project timing and schedule.
  • Technical and organizational risks of the project.

4. Verification of the technical solution and process for the protection of personal data for compliance with the legislation of the Russian Federation and company regulations

Short in terms of wording, but an important step, within which you need to make sure that all planned actions do not contradict the legislation of the Russian Federation and company rules (for example, security policies). If this is not done, a bomb will be laid in the foundation of the project, which can “explode” in the future, destroying the benefits of the results achieved.

5. Implementation of a technical solution

Here everything is more or less obvious. The specifics depend on the initial situation and decisions. But in general, the picture should look something like this:

  • Server capacities allocated.
  • Network engineers have provided channels with sufficient bandwidth between the source and the receiver of PD.
  • The developers have established replication between the ISPD databases.
  • Administrators have prevented changes to ISPD located abroad.
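To make the layout from options 2 and 3 of section 2 and the checklist above concrete, here is an added Python model (example code written for this page, not a configuration from the original article or from any real bank): a Russian master ISPD, a foreign copy, one-way replication of RF citizens' records from master to copy, rejection of local edits to those records abroad, and the access matrix with an audit log of violations from section 3. The positions, access levels, identifiers and record contents are constructed for illustration.

```python
# Added example (not from the original article): toy model of a Russian master
# ISPD with a foreign read-only copy, one-way replication RF -> abroad, and an
# access matrix whose violations are audited. All values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

# Access matrix (section 3): position -> highest permitted level (constructed).
ACCESS_MATRIX: Dict[str, str] = {"hr_specialist": "read-write", "sales_manager": "read", "auditor": "read"}
LEVEL_RANK = {"read": 1, "read-write": 2}

class AccessDenied(Exception): pass                 # position missing or below needed level
class ForeignModificationRejected(Exception): pass  # RF record edited outside the Russian master

@dataclass
class Record:
    subject_id: str
    rf_citizen: bool  # PD of RF citizens may only be edited in Russia
    data: Dict[str, str]
    version: int = 0

@dataclass
class ISPD:
    name: str
    in_russia: bool
    records: Dict[str, Record] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)  # access and violation log

    def _check_access(self, position: str, needed: str, subject_id: str) -> None:
        granted = ACCESS_MATRIX.get(position)
        if granted is None or LEVEL_RANK[granted] < LEVEL_RANK[needed]:
            # Section 3: attempts violating the access level are logged for analysis.
            self.audit.append(("VIOLATION", self.name, position, needed, subject_id))
            raise AccessDenied(f"{position} lacks '{needed}' on {self.name}")

    def read(self, position: str, subject_id: str) -> Dict[str, str]:
        self._check_access(position, "read", subject_id)
        self.audit.append(("READ", self.name, position, subject_id))
        return dict(self.records[subject_id].data)

    def write(self, position: str, subject_id: str, rf_citizen: bool, data: Dict[str, str]) -> int:
        """Local edit by a user of this system; returns the new record version."""
        self._check_access(position, "read-write", subject_id)
        if rf_citizen and not self.in_russia:
            # Section 2: all edits to RF citizens' PD go only through the Russian ISPD.
            self.audit.append(("REJECTED_FOREIGN_EDIT", self.name, position, subject_id))
            raise ForeignModificationRejected(f"{self.name} is outside Russia")
        old = self.records.get(subject_id)
        version = old.version + 1 if old else 1
        self.records[subject_id] = Record(subject_id, rf_citizen, dict(data), version)
        self.audit.append(("WRITE", self.name, position, subject_id, version))
        return version

def replicate_rf_records(master: ISPD, replica: ISPD) -> int:
    """One-way replication of RF citizens' records, Russia -> abroad; returns count copied."""
    if not master.in_russia or replica.in_russia:
        raise ValueError("replication runs only from the Russian master to a foreign copy")
    copied = 0
    for rec in master.records.values():
        if not rec.rf_citizen:
            continue  # this flow carries RF citizens' PD only
        current = replica.records.get(rec.subject_id)
        if current is None or current.version < rec.version:  # copy newer versions only
            replica.records[rec.subject_id] = Record(rec.subject_id, True, dict(rec.data), rec.version)
            replica.audit.append(("REPLICATED_IN", replica.name, master.name, rec.subject_id, rec.version))
            copied += 1
    return copied

def demo() -> Dict[str, object]:
    ru = ISPD("ISPD-RU", in_russia=True)
    abroad = ISPD("ISPD-abroad", in_russia=False)
    # 1. HR creates a record in the Russian master; it is replicated abroad.
    ru.write("hr_specialist", "emp-001", True, {"name": "Constructed Name", "phone": "+7 000 000-00-00"})
    copied = replicate_rf_records(ru, abroad)
    abroad.read("auditor", "emp-001")  # 2. a read-only position reads the copy: permitted and logged
    try:  # 3. an edit of the RF record abroad is rejected even for a read-write position
        abroad.write("hr_specialist", "emp-001", True, {"name": "Tampered"})
        foreign_edit_rejected = False
    except ForeignModificationRejected:
        foreign_edit_rejected = True
    try:  # 4. a read-only position tries to edit in Russia: access matrix violation
        ru.write("sales_manager", "emp-001", True, {"name": "Changed"})
        access_denied = False
    except AccessDenied:
        access_denied = True
    # 5. A legitimate update in Russia and a second replication round.
    ru.write("hr_specialist", "emp-001", True, {"name": "Constructed Name", "phone": "+7 111 111-11-11"})
    copied += replicate_rf_records(ru, abroad)
    violations = [e for e in ru.audit + abroad.audit if e[0] in ("VIOLATION", "REJECTED_FOREIGN_EDIT")]
    return {
        "copied": copied,
        "foreign_edit_rejected": foreign_edit_rejected,
        "access_denied": access_denied,
        "replica_version": abroad.records["emp-001"].version,
        "replica_phone": abroad.records["emp-001"].data["phone"],
        "violations": violations,
    }

if __name__ == "__main__":
    print(demo())
```

The two audit entries returned under "violations" are exactly the events the process in section 3 asks you to analyze: an access attempt above the position's level, and an attempted edit of an RF citizen's record outside Russia.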

The person responsible for protecting PD and the "process owner" may be the same person or different people. In any case, the "process owner" must prepare all the documentation and organize the entire PD protection process. To do this, all interested parties must be notified, employees must be instructed, and the IT service must support the implementation of technical data protection measures.

6. Launching the process for the protection of personal data

This is an important step, and in a sense the goal of the entire project: to put control on a routine footing. In addition to technical solutions and regulatory documentation, the role of the process owner is critical here. He must track changes not only in legislation, but also in the IT infrastructure. This means that appropriate skills and competencies are required.

In addition, and this is critical in real working conditions, the owner of the PD protection process needs all the necessary powers and administrative support from the company's management. Otherwise he will be an eternal "beggar" whom no one pays attention to, and after a while the project may have to be restarted, beginning again from the audit.

Nuances

A few points that are easy to overlook:

  • If you work with a data center, you need a contract for the provision of server capacity services, according to which your company legally stores data and controls it.
  • You need licenses for software that is used to collect, store and process PD, or lease agreements for it.
  • If the ISPD is located abroad, an agreement is needed with the company that owns the system there - to guarantee compliance with the legislation of the Russian Federation in relation to the personal data of Russians.
  • If personal data is transferred to a contractor of your company (for example, an IT outsourcing partner), then in the event of a PD leak from the outsourcer, claims will be brought against you. In turn, your company can make claims against the outsourcer. This factor may well affect the decision to outsource the work at all.

And once again, the most important thing: personal data protection cannot be ensured once and for all. It is a process. A continuous, iterative process that will depend heavily on further changes in legislation, as well as on the form and rigor with which these rules are applied in practice.

Probably everyone who has ever taken out a loan or worked in HR has come across the situation where bank representatives call the employer and ask for information about an employee of the organization.

At the same time, most often in practice the employer does not comply with the requirements of Federal Law 152 on the protection of personal data and discloses information about the employee by phone. The employer cannot verify the recipient of this information, and often the employer does not have the employee's written consent to such use of his data.

Who in this situation breaks the law more: the one who asks or the one who answers?

In this situation, it all depends on what documents from the personal data subject each party holds. There are situations in which neither the one who asks nor the one who answers violates the law, but it also happens that both violate it.

Let's deal with this.

So we are a bank. A person came to us and, for the purposes of obtaining a loan, provided all the necessary package of documents, including a certificate of earnings, certified by the signatures of the responsible persons of the employer and a seal, as well as other necessary originals and copies of documents.

But despite the original certificate of earnings provided, we want to check whether the loan applicant really works at this organization and whether the certificate states his real income. In fairness, it must be said that recently banks most often request only information about whether the given person works at the specified organization. Moreover, we as a bank do not send this request in writing, with our seals and identification details, and do not state the purpose of our request in writing; to speed up the procedure, we simply call the phone number indicated in the documents provided by the potential client of the bank.

What has always surprised me in this procedure is a certain illogicality of the stages of confirming the reliability of the data provided.

That is, a document with seals and signatures does not quite satisfy us, but for some reason an answer given over a phone number indicated by the employee will satisfy us more.

What is the phone number the employee gave? Does this phone really belong to this organization? Who on the other end of the line will answer me: the CEO? The chief accountant? The HR manager? How am I going to verify that these are the officials? Or maybe a secretary who has been working here for a week and doesn't know anyone yet? Or a cleaner? Or a guard? Or maybe, in principle, someone whom the employee himself asked to respond to the bank's request in the appropriate way? And if the phone specified by the employee does not answer, what will this mean for the bank? Will the bank check whether the person made a mistake in one digit? Could it be a problem with the phone company? Maybe the company no longer uses this number, and the employee did not know about it?

But our task is to figure out whether the actions of the parties, the bank and the employer, are legal in principle in this case.

If the bank has the written consent of the subject to verify his information and obtain information from his employer, then the bank's actions are legal.

What about an employer?

An employer may legally submit information about an employee to a bank in the following cases:

2. The employee has allowed IN WRITING the provision of his data to a specific legal entity. But in this case the employer is obliged to make sure that the request came from the bank to which the employee allowed the information to be provided (that is, a response only to a written request).

What if the employer does not have such consent?

The employer is not entitled to provide information about the employee. Will the employer then be fulfilling its obligations under the law on the protection of personal data? Yes. Will the employee be given a loan if the employer refuses to provide information about him? Unknown.

Moreover, if the organization is large and has an extensive network of separate divisions, it is not always possible to quickly obtain such consent. Especially in the case when the employee spontaneously decided to receive a loan. And on the same day or the next, bank employees call the employer to verify the accuracy of the information provided.

Moreover, the consent itself must be drawn up in writing; it is not enough for the employee to call, for example, the personnel department and ask them to answer a particular bank's request verbally.

After all, everyone is well aware that when an employer provides information about a particular employee's work to a bank upon a telephone request, it does so first of all to protect the interests of the employee, so that he is not denied a loan. But in doing so it automatically violates the law on the protection of personal data, if the employer did not take care in advance to obtain written consent from the employee himself.

It is possible that if banks stop the practice of illegal telephone checks, there will be fewer such violations on the part of the employer.

Recently, letter N 42-T of the Bank of Russia dated March 14, 2014, "On strengthening control over risks arising for credit institutions when using information containing personal data of citizens", was issued. It recommends that credit institutions strengthen control over the risks arising from the processing (which, by the way, includes collection) of information containing personal data, and update the internal documents that define the personal responsibility of credit institution employees directly engaged in processing personal data (including collection) for maintaining and ensuring the confidentiality of information generated in the course of customer service.

At the same time, the letter expressly states that the Bank of Russia, when supervising the activities of banks, will take into account identified shortcomings in the implementation of personal data protection legislation and treat them as a negative factor when assessing the quality of management of a credit institution, including the organization of its internal control system.

It remains to be hoped that banks will finally also comply with the law on the protection of personal data, without pushing employers into forced violations of the law.

Dzhabrail Matiev, head of personal data protection for the commercial division of the company ReignVox

Constant work with huge arrays of client data requires a bank of any size to work constantly on protecting this data.

That is why the topic of information security, and with it the topic of trust, is especially relevant in the financial sector. Moreover, the requirement to protect any personal data included in the information system of a modern financial company is also legally grounded: Federal Law No. 152 "On Personal Data" clearly obliges each company that processes such data to protect it within strictly defined deadlines. Both new and existing information systems that process personal data must be brought into line with the requirements of the law by January 1, 2011. Given such a strictly defined time frame, organizations processing such information have less and less time to comply with the law.

How to start working on the protection of personal data? What turnaround times should be expected? Who is responsible for carrying out the work? What is the average project cost, and how can costs be minimized? All these questions are relevant today for any company doing business in the financial sector. ReignVox's extensive experience in personal data protection in financial institutions allows us to give expert answers to them.

Life in countdown mode

Federal Law No. 152 "On Personal Data" comes into full force on January 1, 2011; a little more than six months remain until the deadline set by the legislators. But don't be fooled into thinking that is plenty of time.

Firstly, implementing a project aimed at meeting the personal data protection requirements takes four to six months, depending on its complexity. But this figure is not final: the term can grow to six to eight months because of the time the bank spends choosing a worthy integrator to develop and support the project. Carrying out this kind of work on its own threatens the bank with a loss of objectivity at the stage of surveying and analyzing its existing protection tools, as well as the need to find separate staff for this work. One should also keep in mind such factors as the availability of specialists trained in personal data protection, the necessary volume of regulatory and methodological support, and free resources for the task of protecting personal data itself. Practice shows that it is usually third-party integrators who meet all these requirements together.

Secondly, returning to the deadlines set by the Law "On Personal Data" for data operators (and that banks are such operators is no longer in question): whatever is said about their "postponement", the first regulatory inspections are already taking place. The conclusion is quite logical: the problem has not only remained relevant, its relevance has increased many times over, and solving it is becoming an urgent need.

“And the casket just opened…”

Recently there have been active discussions around the task of bringing ISPD into line with the provisions of the Law "On Personal Data", and they mostly boil down to one thing: solving this task is very problematic because of the combination of its organizational and legal features. This conclusion is not entirely correct: the practice of applying the personal data protection requirements that emerged during the first quarter of 2010 (including in the banking sector) confirms that the requirements for ISPD are clear and interpretable. Formulating them, implementing them and documenting that implementation with minimal risk of error is not so much difficult as it is important for the security of the banking business. The task is simplified even further by the ability to entrust it to a third-party integrator, whose specialists will complete the personal data protection project quickly and professionally, taking into account the individual characteristics of the banking business.

Thus, the first priority is the choice of an integrator company, which will be entrusted with the project.

"Standard" = "Exclusive"?

Such an equals sign between these mutually exclusive concepts has a right to exist. This statement is backed by the practical experience of personal data protection projects already completed successfully by ReignVox.

On the one hand, each such project includes a standard set of stages: surveying the personal data information systems, designing the personal data protection system, implementing the personal data protection system (SZPDn), assessing the compliance of the ISPD with the requirements of the law, and supporting the created system. The ISPD compliance assessment stage is optional and is carried out at the discretion of the customer company, as is the support stage for the created system.

The standard part usually ends with the first stage (the information systems survey), since it is this stage that identifies and describes the requirements that will later be placed on the systems. These parameters are already individual, focused on each specific customer and optimized to his needs.

The survey analyzes information resources, the standard solutions used to build the IT infrastructure, personal data flows, and the existing information protection systems and tools.

At the same stage a threat model and an intruder model for PD security are developed, and the need to protect PD in the ISPD with cryptographic means is assessed.

The classical scheme for the second stage includes an audit of the regulatory framework and an assessment of its compliance with the regulators' requirements. Its result is the development of the missing internal documents and of the terms of reference for the SZPDn. At the same stage the integrator proceeds to the actual development of the set of information protection measures.

At the end of this stage the bank is already quite capable of successfully passing an inspection by one of the regulators.

The essence of the third stage is to implement the systems and configure the existing protection tools. After testing, the complex of hardware and software is refined where necessary.

At each of the described stages ReignVox, as the integrator, faces various additional tasks arising from the specifics of the customer's business, its size, infrastructure, business process activity and many other points. And each time a new, individually adapted concept of the personal data protection project is formed from the multitude of such components.

"...and the sheep are safe"

Cost minimization, budget optimization, savings: whatever phrase you choose, the essence remains the same. A rational approach to the use of financial resources is the second cornerstone of a financial institution's success (after trust, of course). And therefore the desire to reduce costs as much as possible without compromising information security is natural and quite achievable.

The cost of an average standard project to create a personal data protection system for a banking structure is about 1.5 million rubles. When calculating this amount, a number of principles are also taken into account, following which it is possible to reduce the budget for the creation of a personal data protection system.

First of all, we strive to preserve the existing IT infrastructure in the organization as much as possible. Usually they talk about two polar scenarios for the protection of personal data. The first is a radical alteration of all ISPDs, and the second is a formal one, consisting only in the issuance of internal regulatory documents, without making any changes to ISPDs. We consider the third option to be optimal, which consists precisely in maintaining the current IT infrastructure of the bank, accompanied by a modification of some of its elements, adding new ones necessary to ensure compliance with the law.

Here we are talking about the first principle: maximum use of existing information security tools when designing the protection system. Protection tools are used in any company regardless of the need to protect personal data: anti-virus systems, the operating system's built-in access control, firewalls and many other means. Therefore the maximum number of requirements is covered by the existing protection tools, and only where some requirements are not satisfied by the current tools is it necessary to purchase and implement additional ones.

The second principle is economical logical structuring of personal data information systems. Following this principle, as part of a personal data protection project in a bank, it becomes economically feasible to combine several systems located in the same room into one, combined with downgrading non-critical segments. Thus the ISPD "Data Processing Center" is created, in which protection is provided along the perimeter. This makes it possible to minimize significantly the cost of separating flows between different systems.

The third principle is to protect only against current threats. Which threats are current is described in a mandatory dedicated document, the "Threat Model". When assessing the threats, those whose probability is low and whose damage upon realization is small are discarded.

Provided that already proven methods are used, the task of bringing any bank's ISPD into line with the requirements of the law by January 1, 2011 is fully feasible. For maximum success in implementing such technologies in the banking sector, it is still necessary to remember the integrated approach to the project: joint work by specialists from various departments (IT, information security and project management specialists, financiers, lawyers) that guarantees the necessary balance of the overall approach to protecting critical data within the financial institution.

Reference: ReignVox is a Russian company specializing in innovative projects and developments in the field of information technology and ensuring their information security.

The purpose of the company's establishment is to provide services to ensure the protection of personal data in accordance with the requirements of the Law "On Personal Data" FZ-152 of July 27, 2006 and to build integrated information security systems.

ReignVox is a member of the interregional public organization "Information Protection Association" (IPO "AZI"), an associated member of the "Infocommunication Union" (Infocommunication Union), as well as a member of the Association of Regional Banks of Russia.

ReignVox has significant experience in successfully implementing personal data protection projects in large commercial banks. Among its clients are NOTA-Bank, Vnesheconombank, CentroCredit, Tempbank, Alta-Bank, etc.
