Protection of accounting information. Designing an information security system for the accounting department of a trading company Protecting accounting information from viruses

Federal Law of the Russian Federation dated July 27, 2006 N 152-FZ “On Personal Data” states: “When processing personal data, the operator is obliged to take the necessary organizational and technical measures, including the use of encryption (cryptographic) means, to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other unlawful actions.” In this paper, we will consider how to solve these problems the Data Protection System (DPS) “Pantsir” for Windows 2000/XP/2003 can be used, which can be used both as an independent means of protection and as part of an Integrated Information Protection System (ICSI). ) "Pantsir-K" for OS Windows 2000/XP/2003 (developed by CJSC "NPP "Information Technologies in Business", FSTEC certificate No. 1144 dated 01/17/2006).
A.Yu. Shcheglov

Data protection system capabilities

Purpose and composition of the system

The system is designed to protect confidential and personal data processed on stand-alone computers and on computers as part of a corporate network; stored on local and remote (network-shared) hard drives and external devices transmitted over the network when accessing remote (shared) resources. The system is implemented in software and contains a system driver and an interface module. All protection capabilities provided by the CPA are implemented by the CPA's own tools (built-in OS mechanisms are not used).

  1. Basic data protection mechanisms
The SPA implements on-the-fly data encryption, automatic guaranteed deletion of residual information, differentiation of access rights to protected objects, and hiding of protected file system objects.
  1. The main distinctive property of the system
Protected objects are any (assigned by the administrator) file objects - logical drives, directories, subdirectories, files (the mask mechanism can be used to specify objects), both on the hard drive and on external media, both local and remote (shared on the network ).
  1. Capabilities of the main protection mechanisms:
    • On-the-fly data encryption. The SDS implements automatic “on-the-fly” (“transparent” for the user) encryption/decryption of data when saving it to a local or remote file object on a hard drive or external storage device. When saving to a remote file object, the data is transmitted over the channel in encrypted form. Supported file systems are NTFS, FAT32 or FAT16, encoding algorithms: XOR, GOST, DES, AES. Connection is provided to the crypto-provider "Signal-COM CSP" (certified by FAPSI according to information security requirements for classes "KS1" and "KS2" - certificates of conformity No. SF/114-0604, No. SF/124-0605 dated 04/21/03), developed by CJSC “Signal COM”, and CIPF “CryptoPro CSP version 3.0” (certified by the FSB of the Russian Federation according to information security requirements for classes “KS1” and “KS2” - certificate of conformity No. SF/124-0810 dated September 12, 2005), developed by CryptoPro LLC , while the SZD provides encryption and decryption “on the fly” of data in accordance with the Russian cryptographic algorithm GOST 28147-89. Various policies for generating, entering and storing key information are supported. The key is assigned to the “group” object, which includes protected file objects. The number of groups and file objects created in a group on one computer is not limited. The key can be specified by a passphrase (at least 6 characters), from which it is then generated automatically (to identify the group, the passphrase is entered from the console). Also, the key can be specified completely: manually (from a file), automatically by the system, or generated through mouse movements. To store key information, an electronic key e-Token (Aladdin eToken R2) or ruToken, a smart card (Aladdin eToken PRO Smart Card 32K), or a file object (local or remote - a key server can be implemented on the network, with all the key information) can be used. information is transmitted over the channel in encrypted form), specified by its full path name, which allows you to store key information on external media, in particular, on a Flash memory device, and the required number of keys can be stored on one device, while the device can be used in its intended way purpose. To identify a group (to gain access to a file object in a group), the system needs to read the key value into RAM once, after which the key can be deleted from the system.
    • Guaranteed removal of residual information. The SPA implements automatic (“transparent” for the user) guaranteed deletion of data in a file object (local or remote, on a hard drive or on an external drive), when it is deleted or modified using standard OS tools. For protected file objects, the system allows you to set the number of “cleaning passes” and the type of masking information written to the file object before deleting data in it using standard OS tools. Protected objects are any (assigned by the administrator) file objects - logical drives, directories, subdirectories, files (the mask mechanism can be used to specify objects), both on the hard drive and on external media, both local and remote (shared on the network ).
    • Differentiation of access rights to protected objects. The SPA implements differentiation of access rights to protected file objects based on the identification of groups of objects by keys (using a password word or key information on an external medium). The key is assigned to a “group” object, which includes protected file objects (local or remote, on a hard drive or on external media), the access rights to which are limited. Any access to a protected file object is permitted only after identification of the group to which the object is included - i.e. only after entering key information (either from the keyboard or by connecting the appropriate device). You can differentiate access rights to file objects in which data is stored, both encrypted and in plain form. Protected objects are any (assigned by the administrator) file objects - logical drives, directories, subdirectories, files (the mask mechanism can be used to specify objects), both on the hard drive and on external media, both local and remote (shared on the network ).
    • Hiding protected file system objects. In addition to delimiting access rights to file objects, the CPA implements the following capabilities:
      • hiding a protected file object (the object remains “invisible” to users);
      • scrambling the name of a file object when it is provided upon an access request;
      • encoding the name of a file object on disk.
Displaying the name (or real name) of a file object is possible only after identifying the group to which the object is included. Protected objects are any (assigned by the administrator) file objects - logical drives, directories, subdirectories, files (the mask mechanism can be used to specify objects), both on the hard drive and on external media, both local and remote (shared on the network ).
  • Exchange of encrypted data (files) on the network using public keys (in the case of using crypto providers). The capabilities of crypto providers Signal-COM and
"CryptoPro CSP version 3.0" exchanges encrypted files over the network using asymmetric encryption keys. BASIC REQUIREMENTS FOR IMPLEMENTING A DATA PROTECTION SYSTEM
  • To formulate these requirements, it is necessary to determine the answers to the following questions:
  • What should serve as the entity “access object”, in other words, what should be an object (in general, a set of objects), when stored in which, the data should be encrypted and/or guaranteed to be deleted (naturally, we are talking about automatic “transparent” for the user, encrypting data “on the fly” when saving it to an object (and correspondingly decrypting it), implemented by the system driver (similarly, guaranteed deletion. Approaches to constructing a data protection system that involve the implementation of encryption and/or guaranteed deletion manually by the user, and even more so). , we will not consider the issues of implementing these functions at the application level - from specific applications; probably, we should not even explain why, if we are talking about effective security measures for corporate applications focused on the protection of personal data;
  • What should serve as the essence of the “right of encryption”. The fact is that when constructing an information security system from NSD, two approaches to implementing a delimitation policy for access to resources are possible: by assigning attributes assigned to objects (here we can talk about the “encryption” and “guaranteed deletion” attributes), or by assigning access rights to objects for users. This question is closely related to the previous one;
  • How to ensure collective access of users to encrypted data (this is one of the key tasks for corporate applications when protecting personal data, consisting in the fact that the data must be located on a shared resource (usually file objects shared on the network), and in encrypted form, with In this case, several users must be granted access to this data, for example, remotely to a file server from workstations on a corporate network). Accordingly, we should talk about guaranteed deletion of data in collectively used resources. The important question here is whether (if so, how) any user identification is taken into account when generating the encryption key.
Let's consider these questions in order, and we will take into account, firstly, that both procedures, encryption and guaranteed deletion, are very resource-intensive and have an impact on the load of the computing resource (even when they are implemented at the system driver level, but if they are implemented on at the application level, the load on a computing resource increases significantly), secondly, on one computing device in corporate applications, as a rule, both open and confidential information is processed (and, sometimes, confidential information can also be categorized), i.e. Not all data should be additionally protected by encryption and guaranteed deletion.

Data of different confidentiality categories should be stored in different file objects (only in this case can different processing modes be implemented), both on the hard drive and on external drives, both on local and on shared networks ( at the same time, it is not possible to provide collective access to data - without the ability to separate file objects on the network). The main object for implementing the restrictive policy of access to resources is the “folder”. As for external drives (for example, Flash devices), sometimes it is allowed to write information to them only in encrypted form, i.e. in this case, the object of encryption should be the disk (however, depending on the type of information, it may be allowed to save data on one external drive, both in open and encrypted form, then the object of encryption again becomes a “folder”, for example, a directory on the drive) . The folder is also a mandatory encryption object when using a shared resource (for example, a hard drive on a server) when implementing collective access to data on a corporate network. In some specific cases, encryption of a separate file may be required; in particular, the entire database may be located in a separate file. Despite the particularity of these cases, their possibility - the object of encryption is a file - must also be implemented in the security tool.

Implementation requirement. Objects of cryptographic protection and guaranteed removal of residual information for corporate applications should be objects of any hierarchy level (disk, folder (directory, subdirectory), file) on the hard drive and on external drives, both local and shared on the network. In this case, the security tool should provide the ability to specify any set of objects (for example, several directories to choose from, including those separated on the network) as objects of cryptographic protection and guaranteed removal of residual information. Despite the seeming obviousness of these requirements, in practice, tools with very limited capabilities are widespread specifying protection objects, for example, only a local disk (the so-called “file safe”), or only local file objects can be assigned for data encryption, or, for example, a very strange solution is implemented in some protection tools in terms of guaranteed removal of residual information - if this mode is activated, then data in all file objects is guaranteed to be deleted (but what about the completely unjustified additional impact on the load of a computing resource in this case?). Naturally, such tools are simpler in practical implementation, however, the consequence of the implementation of such solutions is their low consumer cost in corporate applications.

Let's move on to consider the following two very important interrelated issues. Should the “user” entity be taken into account in any way when constructing a protection scheme, therefore, additional protection should be a privilege of the user (considered as his right) or an object (considered as an additional attribute of the file object). Note that access rights to objects in corporate applications should be considered as a user property, and not as an attribute of a file object (this is exactly the approach implemented in the Pantsir-K CSZ for Windows 2000/XP/2003). In this case, the opposite is true. A feature of corporate applications is that the same user must process both open and confidential information on one computer (if only open, then there is no need for additional data protection, but only confidential - in practice, as a rule, this does not happen ). Therefore, if additional data protection is considered as a user privilege (i.e., setting the appropriate mode for saving and deleting (modifying) data for an account), then in corporate applications this will mean that all data (both open and confidential) user should be encrypted and guaranteed to be deleted. It is pointless! Therefore, encryption and guaranteed deletion should not be considered as a privilege of the user (account), but as a property of the object, which is determined by the corresponding additional attributes: “encryption” and “guaranteed deletion” assigned to objects - when data is saved to this object, it is automatically encrypted, When deleting (modifying) an object, the data is guaranteed to be deleted.

Implementation requirement.

The possibility of additional data protection using encryption and guaranteed deletion methods must be considered as a property of the object, which is determined by the corresponding additional attributes: “encryption” and “guaranteed deletion”, set for the additionally protected object.

Now about collective access to resources. This is a very important functionality. Without its practical implementation, it is impossible to provide not only common file storage for users, but also to fundamentally organize the exchange of protected data through the file system, not only on the network, but also locally, on one computer. Collective access to resources is a priori possible only if such an entity as the “encryption key” is uniform (the key is the same) for users who have the right to access the collectively used resource. Taking into account the above, we can draw two very important conclusions: firstly, the security tool must provide the ability to set different encryption keys for various additionally protected objects (including on the same computer) - in the limit, each object has its own encryption key, Secondly, the encryption key should in no way be generated based on the identification data (ID and password) of the users, because otherwise, these data must be the same for accounts that are allowed access to shared objects (which is not allowed). Note that despite this seemingly obvious requirement, similar solutions implemented in practice exist.

Implementation requirement.

The security tool must provide the ability to set different encryption keys for various additionally protected objects (including on the same computer) - in the limit, each object has its own encryption key, while the encryption key should in no way be generated based on identification data (identifier and password) users.

By way of comment, we note that in order to reduce the resource intensity of the security tool, taking into account the fact that confidential information of various categories can be processed on one computer, which, as a result, requires various additional security, it is advisable to provide the ability to encrypt data of various categories (various objects) using different encryption algorithms (in particular, using different lengths of the encryption key), accordingly, it is guaranteed to delete data of various categories using different rules (in particular, with the ability to specify for different objects a different number of cleaning passes - recording masking information, and different ways of specifying masking information – masking information is the data that is written over the original data when an object is destroyed or modified, in other words, this is the data that remains on the media as residual information).

Now let us dwell on another important issue of implementing collective access, in this case, remote access to additionally protected objects separated on the network. Simplified, we have the following system structure. At workstations, users process data that is stored in an object shared between users, located on a separate computer (file server). The question arises, where to carry out the data encryption procedure - on workstations, before saving it on the server, or on the server itself? Probably the answer to this question is obvious - at workstations. This is explained by the fact that with this solution, data is transmitted over the communication channel in encrypted form (otherwise, in open form).

Implementation requirement.

When implementing collective access to additionally protected objects separated on the network, data encryption must be carried out on workstations on which users process data.

By way of comment, we note that such a solution is possible only if the security measure meets the implementation requirement, namely that the objects of cryptographic protection and guaranteed removal of residual information for corporate applications must be objects of any hierarchy level (disk, folder (directory) , subdirectory), file) on the hard drive and on external drives, both local and shared on the network (see above).

All these requirements are implemented in the Pantsir security protection system for Windows 2000/XP/2003, which gives us the right to talk about the effectiveness of this protection tool.

INTERFACES. ADMINISTRATION

The main window of the Pantsir SZD interface for Windows 2000/XP/2003 is shown in Fig. 1.

Fig.1

To work with objects (objects can be specified either by full path names or by masks, while the mask can include both the entire disk and any removable media), you need to create groups in which the objects are included. For each group of objects, its own encoding key is specified (all objects in the group will be encoded with one key), and the “owner” of the group is determined.

In terms of administering the “Data Protection” mechanisms, the CPA distinguishes three types of users:

  • User "Administrator";
  • User "Group Owner";
  • Unprivileged user.
The “Administrator” user has all the rights to install and configure SPA: has privileges to create and delete a group of file objects and to set an encoding key (identifier) ​​for a group of objects, to set and change the user “Group Owner”, the ability to export the key - create a backup copy key; has all the rights of a “Group Owner”.

The “Group Owner” user is assigned as the Administrator when creating a group. The privileges of the “Group Owner” are adding objects to the group (removing objects from the group), changing protection modes (in particular, access control only mode, encoding and access control mode, etc.); encoding, decoding of objects. The “Group Owner” does not have the authority to create a new group and to set the encryption key for the created group; has all the rights of an “Unprivileged User”

  • An unprivileged user (or user) in the administration of the SDS has the ability (after identification) to set the read mode for the protected object without decoding (in this mode, writing data to the SDS object is prohibited). This mode is necessary for working with external devices (for example, for entering unencrypted data from a floppy disk) and for exchanging files in encoded (encrypted) form over the network, see Fig. 2.

Fig.2

Comment. Different coding algorithms may be used for different groups. This is due to the fact that different algorithms have different effects on the load of a computing resource, therefore, choosing an encoding algorithm for a group, taking into account the resource intensity of its implementation, should take into account the level of confidentiality of information stored in the objects of this group, see Fig. 3

Fig.3

To solve administration problems by any type of user, from the software interface, see Fig. 4, the interface window shown in Fig. 1 is launched. Depending on the rights of the user (administrator, group owner, non-privileged user) opening the interface, the user will be allowed specific administration functions.

Fig.4

The most important issue in implementing a security measure is the key policy implemented in the system, which determines the issues of storing and entering encryption keys. The PPA provides very broad opportunities for the implementation of key policies. It is based on alternative methods of storing and entering a key - from a file (including from input devices such as a floppy disk, CD-ROM disk, Flash memory device), a passphrase, from an Aladdin eToken R2 and ruToken electronic key, from a smart cards, in simple identification mode and in mode with additional identification, in this case, access to key information stored on the electronic key is additionally protected by a password.

The key, depending on the specified protection mode, serves both directly as an encryption key and as an identifying feature of a group of objects (the differentiation of access rights is implemented based on the identification of groups of objects - in order to gain access to objects belonging to the group, it is necessary to carry out identification using key information).

Administration consists of creating a group, specifying its owner, selecting an encoding (encryption) algorithm for the group, see Fig. 3, generating and saving an encoding (encryption) key for a group of objects, and assigning objects included in the group. To add an object (objects) to a group, you need to use the “Add” button (see Fig. 1), or in the “Group” menu select the “Add” submenu, then select which object (objects) should be added to the group (the object can be set the full path address of a file, folder, disk - local, or shared on a network, on a hard drive, or on an external drive, using the “Browse” option, you can also use the mask mechanism).

When creating a group, see Fig. 3, additional options can be installed to differentiate access rights to group objects:

  • “Access Denied” – when this mode is set, access to group objects becomes possible only after identifying the group by key (after the user enters the key manually, or from the appropriate media);
  • The “Encode file names on disk” mode implements encoding of the names of file objects belonging to a group - before the procedure for identifying the group by key, they will be stored in encrypted form;
  • “File name scrambling” - when this mode is set, until the group is identified by key, random combinations of characters are displayed instead of the real file name;
  • “Hiding file names” - when this mode is set, until the group is identified by key, the names of protected objects (group objects) are not displayed - the very fact of the existence of such file objects is hidden.
Quite important is the ability of the CPA, which consists in allowing access to group objects only to CPA processes, see Fig. 3. This option should be used if a key server is implemented on the network (a server in which encryption keys are created in files shared on the network). In this case, a user from a remote machine can only access the keys (which are transmitted over the network in encrypted form) by the CPA process, which is necessary to protect key information from theft. When implementing a network key policy, the user does not have an encryption key; by identifying himself with his key, he can gain access to the key on the server, which will be loaded into the user’s RAM by the CPA process, after which the user will be able to work with data on this machine .

By analogy, setting up a mechanism for guaranteed removal of residual information has been implemented. When you select the appropriate “Guaranteed deletion” tab, see Fig. 1, the configuration window for this protection mechanism opens, see Fig. 5.

Note that the guaranteed deletion mode can also be set for any (in the limit for all) group, the objects in which are encrypted and/or to which access is limited based on key information, see Fig. 3 “Additional parameters”.

Fig.5

To specify a guaranteed deletion object, in the general case, you need to enter its full path address in the “Guaranteed deletion objects” field. To do this, you can use the “Add” button, see Fig. 5, and then select the desired object using the “Browse” option (where you are prompted to enter the full path address of the object or a mask), or right-click to open the menu for working with objects, see Fig. 6, and selecting the “New Path” tab, enter the full path address of the object. Using this menu, you can also edit the address of an object, remove an object from the list of guaranteed cleared ones, and you can also guarantee clearing the selected object manually.

Fig.6

To configure the parameters of guaranteed cleaning: specifying a template (data that will be written by the SSD in place of the deleted information), selecting the number of cleaning passes (how many times the template will be written over the deleted information), you should use the “Properties” tab, see Fig. 5, when This will open the interface for setting parameters for guaranteed deletion, see fig. 7, in which it is necessary to configure the relevant parameters.

Fig.7

EXAMPLE OF PRACTICAL USE OF PPA.PROTECTION OF ACCOUNTING INFORMATION

Let's consider the following example of the practical use of a PPA - the protection of corporate accounting information (this solution has been tested). Let the enterprise use the accounting program 1C Enterprise V 8.0. This is a network application that allows you to store a database on a server and work with it remotely (collective access is implemented) simultaneously for several employees at different workstations on the network.

The solution to protect confidential data is as follows. A CPA is installed on each workstation (if the server is also supposed to work with the database locally, then the CPA is installed on the server as well). The SPD setting is shown in Fig. 8.

Fig.8

Those. the directory with the database (created on the server (ITB5 machine, see Fig. 8) and shared on the network) on each workstation is included in the group of protected objects. For this group, an encryption key has been created on each workstation - it is the same for all stations (only in this case is collective access to the database possible), which can be done with the option of exporting and importing the key, see Fig. 9 - at one station the key is created - exported to a file (for example, to an external drive), then exported from this file to other stations.

Fig.9

Note that this option is also important in the case when a hardware generator must be used to generate encryption keys. When implementing the option of exporting a key to a file and importing a key from a file, one similar generator (one board) can be used for all protected computing devices.

Encryption keys are recorded on appropriate media, which are distributed to employees who need access to the accounting database. Access to the database is limited accordingly (from the workstation it becomes possible only after entering key information); if necessary, the very fact of its presence is hidden, see Fig. 3.

What do we get as a result of all this? Collective access to the database has been implemented, all users can work with it, and at the same time. The database is stored on the server in encrypted form, and in encrypted form it is transmitted over the channel between the workstation and the server (decryption by means of the DPA is carried out directly on the workstation). Access to the database from a workstation can only be obtained by an authorized user - an employee who has a medium with key information. If an unauthorized employee gains access to the protected computer, he will not have access to the database (to do this, he must be identified using key information), and the folder with the database will not even be displayed when viewing file objects on the server separately.

In conclusion, we note that as an example (nothing more), only one of the possible applications of the Pantsir CSD for the Windows 2000/XP/2003 OS is considered. There are many similar PPA applications (practical protection problems in an enterprise’s automated information processing system). In the work, we gave an example of the real practical implementation of a PPA, which illustrated its high efficiency in relation to solving the problem of protecting personal data.

F.S.Seidakhmetova – Doctor of Economics, Professor

B.K. Akhmetbekova. – applicant

ENU named after L. Gumilyov

Selected issues of accounting data protection

in accounting information systems

In modern conditions, the problems of ensuring the safety of accounting information in order to ensure the highest degree of data protection are becoming particularly relevant. According to statistics, more than 80% of companies and agencies suffer financial losses due to security system breaches. Therefore, many companies are now developing various anti-virus programs, data access control systems, copy protection, etc. This is explained by the growing need to develop protection methods in order to operate more efficiently in the market.

The term “protection” means a method of ensuring security in a data processing system (DPS). However, solving this problem becomes much more complicated when organizing computer processing of accounting information under conditions of collective use, where information of various purposes and affiliations is concentrated, processed and accumulated. In systems for collective use of accounting information that have a developed network of terminals, the main difficulty in ensuring security is that a potential violator is a full subscriber of the system. The following can be identified as the main objective reasons determining the need to ensure the safety of information:

1. Increasing growth rates of quantitative and qualitative use of computers and expansion of areas of their use;

2 Constantly increasing flows of new types and volumes of information that a person must perceive and process in the process of his activities;

3. The need for more efficient use of resources in the enterprise economy, with the help of scientific advances aimed at making informed decisions at various levels of management

4. High degree of concentration of information in its processing centers.

Protection of accounting information usually comes down to the choice of means of monitoring the execution of programs that have access to information stored in the SOD. In this regard, when creating accounting information systems, it is necessary to focus on protecting users of accounting data both from each other, and from accidental and targeted threats to data security violations. In addition, the adopted mechanisms for ensuring the safety of accounting information should provide the user with the means to protect his programs and data from himself. The growth in the number of subscribers using the services of the information system; the interconnection of various computers when exchanging information with remote subscriber terminal devices connected to them, form complex information and computing networks. Therefore, it becomes impossible to establish unauthorized access to information. The complexity of the computing process on a computer, operating in multi-program and multi-processor mode, creates conditions for maintaining communication with a significant number of subscribers. The solution to the problem of physical protection of information, and its preservation of information from other users or unauthorized connection of a user who specifically interferes with the computing process becomes urgent.

Therefore, it is necessary to establish requirements for the system for ensuring the safety of accounting information, including such items as:

Separate identification of individual users and terminals;

Creation of individual programs (tasks) by name and function;

Control of accounting data, if necessary, down to the record or element level.

A combination of the following methods allows you to restrict access to information:

Hierarchical access classification;

Classification of accounting information by importance and place of its occurrence;

Specifying specific restrictions and applying them to information objects, for example, the user can only read a file without the right to write to it.

The information security system must ensure that any movement of accounting data is identified, authorized, detected and documented.

The organizational requirements for the information security system include:

Restriction of access to the computer system (registration and support of visitors);

Controlling changes in the software system;

Performing testing and verification for changes in the software system and protection programs;

Maintaining mutual control over compliance with data security rules;

Establishing restrictions on the privileges of personnel servicing the ODS to fulfill warranty requirements in the event of violations;

Carrying out protocol records of access to the system, as well as the competence of service personnel.

In this regard, it is advisable to develop and approve written instructions:

To start and stop the accounting information system;

To control the use of magnetic tapes, disks, cards, listings,

To monitor the order of changes to the software and communicate these changes to the user,

On the procedure for restoring the system in failure situations.

To the policy of restrictions on permitted visits to the computer center,

To determine the volume of issued accounting information.

At the same time, it is important to develop a system for logging the use of computers, data entry and output of results, ensuring periodic cleaning of archives and storage of tapes, disks, cards to eliminate and eliminate unused accounting documents in accordance with established standards.

It should be borne in mind that all types of protection are interconnected and if at least one of them does not fulfill its functions, the efforts of others are nullified. The advantages of software protection include their low cost and ease of development.

Recently, the so-called electronic keys . This device connects to a computer via an LPT port. At the same time, the electronic key does not interfere with the normal operation of the parallel port and is completely “transparent” to the printer and other devices. Keys can be connected in cascade and in a chain, and completely different types of keys issued by different companies can work.

Moreover, they can perform various functions, for example, protecting programs from unauthorized copying, and are also capable of detecting the fact that a protected program is infected with various types of file viruses. When using electronic keys to generate encryption keys, there is no need to remember or write them down and then enter them from the keyboard. The key does not have built-in power supplies and retains the information recorded in it when disconnected from the computer. The most common keys currently available are the American company "Software Security Inc." This company produces keys for DOS, WINDOWS, UNIX, OS/2, Macintosh. Electronic keys can be either one-time recording or reprogrammable and may contain non-volatile memory.

Along with this, plastic ID cards (IR)with a sufficiently high amount of memory to limit unauthorized access to accounting information. This hardware and software complex consists of the following parts: a special board that is inserted into the PC expansion slot, a device for reading information from the IR and the IR itself; a software part: a driver for controlling the board and the IR reader.

The software part of the complex may also include software for organizing access restrictions to parts of the hard disk partitions by requesting a password. This prevents you from logging into the system with a stolen card. An example of such a hardware and software protection system could be the development of Datamedia. Its Netmate series of computers is equipped with a special Securecard reader - a security card reader. Security cards are one of the variants of credit cards. On their magnetic media, with the help of special equipment, which is only at the disposal of the administrator, a record is made about the user: his name, password and all the powers that he receives when entering the system are described. In particular, the card records how many times the user can try to enter a password when logging in. Thus, the accidental loss or theft of a security card prevents an attacker from gaining access to the computer. Only knowingly handing over the security card to someone at the same time as disclosing the password can give someone else access to the computer.

The system administrator can create a security card for legal users. In addition to the information already listed, this card describes the user profile. It includes, for example: the ability to access the SETUP program, that is, such computer characteristics as the screen, number and types of disks are recorded; It also determines which local devices (floppy disks, hard disks, serial and parallel ports) are available to this user, and which local or network devices he can boot from. Translation of passwords is provided here: the password that is assigned to the user is, as a rule, easy to remember, but not the one with which the system works. If you try to simply pull out the security card from the reader, access to the computer is blocked until the same security card is inserted into the reader. If the password is entered incorrectly (if the number of attempts allowed for a given user is exceeded), the machine is blocked, and only the administrator can “revive” it, that is, the need is stimulated to bring to the attention of the administration all cases of violation of the secrecy regime.

From point of view virus protection The listed systems are also important because, in addition to identifying the user, they organize his work on the computer in a certain way, prohibiting certain dangerous actions. IC can also be used to store encryption keys in cryptographic protection systems.

The disadvantage of such a system is the low security of IR with a magnetic stripe. As experience shows, information from them can be easily read. Moreover, the use of IR with a built-in chip, due to its high cost, leads to a significant increase in the cost of installing a protection system. In addition, equipment for reading information from IR is also expensive. But, despite the high cost, IR-based protection systems are widely used where high reliability is required, for example, in commercial structures.

Currently gained great popularity Touch memory (TM) family of devices, manufactured by Dallas Semiconductods. One of the main differences between TouchMemory devices and other compact storage media is the housing design. In addition to protection, the steel case also acts as electrical contacts. The weight and size characteristics are also acceptable - a tablet with a diameter of a small coin and a thickness of 5 mm is very suitable for such applications. Each device in the family is unique, as it has its own serial number, which is recorded in the device using a laser unit during its manufacture and cannot be changed during the entire service life of the device. The factory recording and testing process ensures that no two instruments are manufactured with the same serial number.

This eliminates the possibility of counterfeit devices. When using Touch-memory, the price is also quite acceptable: it is more than 4 times lower than when using plastic cards. ToichMemory devices are non-volatile static memory with multiple write/read capabilities, which is located inside a metal case. Unlike conventional memory with a parallel address/data port, the memory of ToichMempry devices has a serial interface. Data is written to and read into memory over a single bidirectional signal line. In this case, a pulse-width encoding method is used. This digital interface allows TouchMemory devices to be connected directly to personal computers or via a microprocessor controller.

An important feature of the devices is low power consumption, which allows the use of a miniature lithium battery built into the device body to store information in memory for 10 years.

It should be noted that computer security measures are not limited only to protection measures located in the computer itself - inside the computer, or in the form of external devices. All of the above software and hardware-software information protection tools become effective only with strict adherence to a number of administrative and organizational measures. Therefore, before building a protection system, it is necessary to evaluate the costs of its creation and the possible costs of eliminating the consequences in the event of loss of protected accounting data.

Create a concept for ensuring information security for a tire plant that has a design bureau and an accounting department using the “Bank-Client” system. During the production process, an anti-virus security system is used. The company has remote branches.


Share your work on social networks

If this work does not suit you, at the bottom of the page there is a list of similar works. You can also use the search button


Federal State Budgetary Educational Institution

higher professional education

“VOLGOGRAD STATE TECHNICAL UNIVERSITY”

Faculty of Engineering Personnel Training

Department of CAD and PC

TEST

at the rate

“Methods and means of protecting information”

Completed:

student gr. AUZ-361s

I.A. Tyulyaeva

"___" ___________ 2013

Checked:

teacher of the department SAPRiPK

V.V.Natrov

"___" __________ 2013

Volgograd, 2013

Exercise:

Create a concept for ensuring information security for a tire plant that has a design bureau and an accounting department using the “Bank-Client” system. During the production process, an anti-virus security system is used. The company has remote branches.

Target:

Form a concept for protecting information resources of a tire plant.

Introduction

Information security refers to the security of a system from accidental or intentional interference in the normal process of its functioning, from attempts to obtain unauthorized information, modification or physical destruction of its components.

The proposed approach to information protection will provide a holistic view of the problem, improving the quality and, consequently, the reliability of information protection.

Responsibility

Based on the local regulations on trade secrets available in the organization, the employee who is related to it by the nature of his work signs an obligation of non-disclosure of relevant information.

The owner of information constituting a trade secret obtained within the framework of labor relations is the employer.

Admission of officials to trade secrets provides for:

  • accepting an obligation to the employer to not disclose information constituting a trade secret;
  • making a decision by the employer to allow a person access to information constituting a trade secret;
  • The signing by an employee of an employment contract, which includes a condition on non-disclosure of trade secrets, and the corresponding obligation, or the signing of an employment contract and an obligation on non-disclosure of information constituting a trade secret, is an admission and gives the employee access to the relevant information.

Responsibility for the information security of the organization lies with the plant director and system administrator.

Employees are personally responsible for the security of any information used and/or stored under their company accounts. The employee who has access to this information is responsible for the non-disclosure of confidential information available for work reasons. To ensure control over the non-disclosure of confidential information, a written certificate is drawn up with the signatures of this employee and the information security administrator.

The extent of liability for the disclosure of confidential information is determined by the legislative acts of the Russian Federation.

Regulations on the categorization of information

All information in the organization must be categorized. Criticality categories and associated security measures for business information should take into account the business need to share or restrict access to information, as well as the harm to the organization associated with unauthorized access to or damage to information.

Information in an organization is divided into confidential and open.

Confidential information information, access to which is limited in accordance with the legislation of the Russian Federation and constitutes commercial, official or personal secrets protected by its owner. The list of information related to trade secrets is presented in Appendix 1 and approved by the plant director.

Open information information the concealment of which is prohibited by law. Information that does not belong to the list of information is open.

Access to information and information resources

The rules for access to information are described by the relevant Access Policies (Appendix 2).

Technical protection of information resources

To protect the organization's critical information resources, the following technical protection means are used:

  • anti-virus security tools;
  • means of organizing backup;
  • means of encrypting information when transmitting data over networks;
  • network status analyzers;
  • means of encrypting information located on a computer;
  • tools for checking the integrity of disk contents;
  • access control means;
  • tools for analyzing the contents of email messages.

The anti-virus security policy is described in Appendix 3.

The policy for connecting an organization to a branch via a local area network is described in Appendix 4.

The assessment of the risk of expected damage from the occurrence of a threat to information technology security is described in Appendix 5.

The description of working with the Bank-Client application is described in Appendix 6.

User Identification and Authentication

Identification and authentication of users of the plant information system is carried out using the name and password of a specific user.

Procedure for making changes

All changes in this document are carried out only by the appropriate order of the plant director with mandatory approval from the person responsible for information security.

Annex 1

List of confidential information

p/p

Name of information

Note

Accounting information

1C database, documents (accounting statements)

Financial accounting information

1C database, documents (financial statements)

Information about the type and placement of equipment

Placement plan

Information about the nature and volume of production

1C database, documents (production costs)

Information on the strategy and tactics of the organization's activities

Documents (business plan)

Information about clients and partners

Database "1C"

Information about the developments of the design bureau

Documents (drawings, chemical composition of materials)

Information about PC hardware and software, passwords, keys, codes and procedures for accessing information

License agreement, 1C database

Personal information of plant employees

1C database, personal files of employees

Information on payments and money transfers through “Bank-Client”

1C database, contracts with counterparties

p/p

Protected data

Database "1C"

Accounting statements (Documents)

Financial statements (Documents)

Equipment layout plan (Documents)

Production costs (Documents)

Business plan (Documents)

Drawings, chemical composition of materials

License agreement

Personal files of employees

Agreements with counterparties

Appendix 2

Accounting and Financial Reporting Access Policy

p/p

Name

Access

The factory director

Reading

Deputy Plant Director

Reading

Head of the design bureau

Reading

Accountant

Read Write

Deputy accountant

Read Write

Accountant payroll clerk

Read Write

Lead Economist

Read Write

Economist

Reading

System Administrator

Full

Remote access policy

Plant employees with remote access to the organization's network bear the same responsibility as if they were connected locally to the organization's network.

An employee should not share or email his/her login password to anyone, including family members.

Employees with remote access privileges must ensure that their computers that are remotely connected to the network are not connected at the same time to any other network, with the exception of home networks that are under the full control of the employee.

Employees who have remote access privileges on an organization's network should not use company email addresses to conduct their own business.

Appendix 3

Antivirus Security Policy

General provisions of the anti-virus security policy

The anti-virus security policy defines a set of rules that define and limit the types of activities of objects and participants in an integrated anti-virus protection system, its main goals and scope of application, and also establishes a measure of responsibility for violating these rules.

The implementation of a comprehensive anti-virus protection system includes the following steps:

  • creation of a working group of specialists responsible for implementation work (this will necessarily include both specialists from the information security department and specialists from the software and hardware department);
  • development of a plan for the implementation of a complex of anti-virus protection systems;
  • carrying out work on the installation of anti-virus systems and additional work related to its configuration and acceptance testing;
  • industrial operation of a complex of anti-virus security systems.

Only licensed anti-virus tools are allowed for use in the organization (as well as in its branches), centrally purchased by the software and hardware department from the developers (suppliers) of these tools, recommended for use by the information security department. If you need to use anti-virus tools that are not included in the list recommended by the information security department, their use should be agreed with the system administrator.

To install and configure anti-virus control on computers and servers, it is carried out by the system administrator.

Antivirus protection instructions

General provisions

  • Any information (text files of any formats, data files, executable files) received and transmitted via communication channels, as well as information on removable media (magnetic disks, CD-ROMs, USB drives, etc.), must be checked for the presence of malware. To control incoming information, a stand-alone computer is allocated or, provided that a “clean” operating system is loaded into the computer’s RAM on any other computer;
  • Control of outgoing information must be carried out immediately before archiving and sending (writing to removable media).

Requirements for anti-virus protection measures

  • Every day, at the beginning of work, when the computer boots (for servers when restarted), anti-virus monitoring of all disks and files of the computer should be carried out automatically;
  • Periodic checks of electronic archives should be carried out at least once a week;
  • Extraordinary anti-virus control of all disks and files of a personal computer must be performed:
  • immediately after installing (changing) computer software;
  • if there is a suspicion of a computer virus (atypical operation of programs, the appearance of graphic and sound effects, data corruption, missing files, frequent appearance of system error messages, etc.).
  • When sending and receiving email, the user is responsible for checking emails for viruses;
  • If, during an anti-virus scan, files or emails infected with computer viruses are detected, users are obliged to:
  • suspend work;
  • immediately notify the person responsible for ensuring information security in the organization about the fact of detection of files infected with a virus;
  • together with the branch system administrator, analyze the need for further use of infected files;
  • disinfect or destroy infected files.

Responsibility

  • Responsibility for organizing anti-virus protection rests with the plant director and system administrator.
  • Responsibility for carrying out anti-virus control measures in the department and compliance with the requirements of this policy rests with the system administrator.
  • Periodic monitoring of the status of anti-virus protection is carried out by the system administrator.

Appendix 4

Policy for connecting a branch to the organization's local computer network

Branches of the organization gain access to the local computer network of the plant through the organization of communication channels.

It is necessary to organize 2 communication channels: the main and the spare (backup).

To create the main channel, a dedicated channel is used ( xDSL ), and to create a spare dial-up (modem).

The dedicated channel uses 100BASE-FX technology.

Connection and access configuration are carried out by the software and hardware department with the participation of the information security department.

Exclusively the protocol stack is used as exchange protocols over the communication channel TCP/IP . Application layer protocols: POP 3, SMTP, FTP.

Responsibility for the organization and quality of access lies with the organization's software and hardware department and the system administrator.

The system administrator is responsible for access security.

Appendix 5

Risk assessment of expected damage

p/p

Threat name

Risk %

Losses

Unauthorized access to the 1C database

Monetary loss

Substitution of information

Unsolicited correspondence

Lost productivity

DDos attacks

Violation of security by attackers (attacks)

Loss of productivity, difficulty in activities

Power outages

Loss of productivity, difficulty in activities

Loss of productivity, difficulty in activities

Vulnerabilities of the software used

Loss of productivity, difficulty in activities

Hardware failures of server and user equipment

Loss of productivity, difficulty in activities

Lost productivity, monetary loss

Lost productivity, monetary loss

Loss of productivity, difficulty in activities

Information theft

Monetary loss

Man-made disasters

Loss of productivity, difficulty in activities

Monetary loss

TP personnel error

Loss of productivity, difficulty in activities

Monetary loss

Disruption of systems or data, unauthorized modification of system configuration, data files, reports, etc. from internal violators

Loss of productivity, monetary loss, difficulty in activities

p/p

Threat name

Risk %

Losses

DDos attacks

Loss of productivity, difficulty in activities

Lack of implementation of fault tolerance of servers and arrays

Loss of productivity, difficulty in activities

Lack of database backup

Difficulty in activities, financial loss

Abuse of audit tools

Lost productivity, monetary loss

Misuse of Information Processing Tools

Lost productivity, monetary loss

Abuse of enterprise resources or assets

Lost productivity, monetary loss

Unauthorized access to LAN resources

Loss of productivity, difficulty in activities

Active and passive listening of communication channels

Monetary loss

TP personnel error

Loss of productivity, difficulty in activities

Violation of intellectual property rights

Monetary loss

Appendix 6

Working with the Bank-Client application

The Bank-Client system is designed for the exchange of electronic documents and communication between the bank and its clients and provides the client with the ability to quickly manage their own bank accounts, minimizing the time it takes to process payment documents.

To get started, you must enter your username and password in the appropriate fields. The system will check the access rights to the system and if the data is entered correctly, after entering the variable access code, you will be taken to the “Client” page in the “Bank-Client” system.

Working in the menu

The menu of the “Bank-Client” system contains the items “Client”, “Accounts”, “Documents”, “Statements”, “Directories”, “Messages”, “Settings” and “Exit”.

Client.

  • The “Client” section is informational and is divided into three main parts:
  • information about the client’s name, the value of his taxpayer identification number (TIN), current account number, date of last access to the system;
  • current news;
  • exchange rates;
  • information about the movement of funds in the account for a certain period.

Accounts.

All client’s personal accounts are entered into a table with the following columns:

  • the first column “Name” contains the name of the account;
  • the second column “Number” contains the account number;
  • the third column “Remainder” contains the value of the balance - both actual and planned;
  • the fourth column contains the date of the last movement on the account.

If the account number is underlined and highlighted in a different color, this means that you can view a statement for this account, and an automatic transition to the “Statements” section occurs.

Documentation.

All documents are located in a table, the columns of which contain the following data:

  • document status;
  • document type;
  • document creation date;
  • document serial number;
  • the correspondent for whose address the document was created;
  • document amount.

The “Documents” section provides for the following operations:

  • viewing all documents for a specified period with the ability to sort by various parameters;
  • adding (creating) a new document (manually using reference books, based on an existing template or by importing a document from an accounting program);
  • changing (editing) an existing document;
  • removing a document from the list of documents;
  • generation of an electronic digital signature (EDS) of a document;
  • sending the document to the bank for further processing;
  • viewing and printing documents and the register of documents (viewing several documents is possible).

It is possible to work with a group of documents.

Extracts.

You can get to the “Statements” section in two ways: by selecting the “Statements” menu item or by clicking on the account number in the “Accounts” section.

The “Statements” section provides for the generation, viewing and printing of statements for all accounts registered in the system (except for securities accounts) for a specified period of time.

Directories.

For the convenience of filling out payment documents in the “Bank Client Online” system, it is possible to use the following directories:

  • bank directory,
  • directory of correspondents,
  • currency directory,
  • exchange rate directory,
  • SWIFT bank directory,
  • directory of beneficiaries,
  • directory of clearing systems,
  • operation code directory,
  • payment type code directory,
  • base code directory,
  • directory of types of securities,
  • country code directory.

In the “Directories” section you can also view a list of created templates and an address book.

Settings.

The “Settings” section contains the user’s personal information and provides the ability to change the password for logging into the system.

Exit.

Clicking on the “Exit” menu button ends the session in the “Bank-Client” system.

Other similar works that may interest you.vshm>
13721. METHODS AND MEANS OF PROTECTING COMPUTER INFORMATION 203.13 KB
Information security objectives: ensuring the integrity and safety of information; restricting access to important or secret information; ensuring the operability of information systems in adverse conditions. The best option is both backup and copying Threat of disclosure Important or secret information falls into hands that do not have access to it. Threat of service failure discrepancy between the actual load and the maximum permissible load of the information system; random sharp increase in the number of requests to...
12259. Creation of an electronic manual on the subject “Methods and means of information security” for performing laboratory work on the module “Hash Values” 18.23 MB
Launch Fedor14 VM Instance Instructions. Login to Fedor14 Instructions. Launch Terminal Console Instructions. Switching to Root user mode Instructions.
4642. Software tools for protecting information in networks 1.12 MB
Various methods of protecting information have been used by people for thousands of years. But it is precisely over the past few decades that cryptography - the science of protecting information - has experienced unprecedented progress due to
9929. Algorithmic methods of information protection 38.36 KB
For these systems to function properly and safely, their security and integrity must be maintained. What is cryptography Cryptography is the science of ciphers was classified for a long time as it was used mainly to protect state and military secrets. Currently, cryptography methods and means are used to ensure information security not only of the state but also of private individuals in organizations. While cryptographic algorithms for the average consumer are a closely guarded secret, although many already...
20199. Basic methods of information protection 96.33 KB
Legal basis of information security. Basic methods of information protection. Ensuring the reliability and safety of information in automated systems. Ensuring information confidentiality. Information security control.
5309. Types of industrial lighting. Methods and means of collective and individual protection against noise 23.15 KB
The effect of noise on the human body Noise as a hygienic factor is a set of sounds of varying frequencies and intensities that are perceived by the human hearing organs. The nature of industrial noise depends on the type of its sources. The unpleasant impact of noise also depends on the individual attitude towards it...
17819. Development of an office information security system 598.9 KB
Leakage of any information can affect the activities of the organization. Confidential information plays a special role; loss of information can lead to major changes in the organization itself and material losses. Therefore, information protection measures are very relevant and important at this time.
9219. MEANS OF INFORMATION REFLECTION 160.12 KB
One of the properties of aircraft measurement systems (MS) is the need for automatic display of information. Information display is the property of a technical system to reproduce traces of information impacts and the results of information processing. Currently, three methods of information are mainly used: signaling, indication and registration.
8076. Biometrics as a way to control access and protect information 15.71 KB
Biometrics, on the contrary, is a technique for recognizing and identifying people based on their individual psychological or physiological characteristics: fingerprint, hand geometry, iris pattern, DNA structure, etc. Biometric protection based on the presentation of fingerprints This is the most common static method of biometric identification, which is based on uniqueness for each person of the pattern of papillary patterns on the fingers. For...
18765. Problems of information security on the Internet. Internet threats 28.1 KB
In other words: in the archives of free access to the Internet you can find any information on all aspects of human activity, from scientific discoveries to television programs. The virus finds and has a depressing effect on programs and also performs some malicious actions. Thus, outwardly, the operation of the infected program looks the same as that of an uninfected one. The actions that the virus performs can be performed at high speed and without any messages, which is why the user cannot notice the incorrect operation of the computer or program.

It happens that tax and financial accounting in an organization diverge so significantly that it is a shame to show it, or better not to show it at all. It makes sense to take action and allocate resources to solve such a problem. This article describes a specific solution for a small company or division. With a significant increase in jobs, it is worth changing the concept, although some elements can be left.

We have the right to protect our property, and the information we hold is our property. The most important thing here is also our responsibility. If a company itself does not take care of information security, it is often pointless to blame the rights violated by various services. We have to take it and do it. Take it and do it yourself, do not outsource it - this is your safety. And it's not difficult. Where to begin? How to start? So, if we decide that we are responsible and ready to protect, then we need to make sure that this kind of protection does not take much time, is effective and is not expensive, and preferably free. It is these criteria that we will be guided by when choosing a particular tool, as well as implementing the concept as a whole.

Let's decide on the situation.

For a clearer understanding of what we want to do, I will give a situation that can easily arise in any office (because we are in Russia). We are sitting, drinking tea - the door is knocked down, angry young people are running into the room, with the obvious intention of making us uncomfortable. So we have to take a break. People culturally ask us to put down cups of tea and move away from the computers, since their comrades were sleeping and saw how they could take our jobs, to read what they write there... And yet, since the grandmother of one of them is also interested, they naturally they want to take all our computers for reading.

It is precisely for this situation that we will try to ensure that their grandmother is content with TV. We will also make sure that at other times (when no one is there) lovers of prose and poetry and their relatives come to us only to pay for a broken door.

What are we hiding?

We need to clearly understand what exactly is valuable or a threat to us. What information do we hide and why? There's no point in hiding everything. This will extend the time frame of the same backup. Information must be clearly structured and there must be an understanding of what is where. Do all cars need to be entered into the system?

The main goal is to prevent the seizure of compromising information, to prevent the possibility of copying, and it is advisable not to have working computers in the workplace at all. Ensure the safety and accessibility of information.

Formulating the Ideal End Result (IFR)

Information is easily accessible;

Information cannot be taken with you or easily copied;

The system also works in your absence, informing you about external conditions;

The system is not afraid of fire and physical removal of system media;

The system has remote control (it doesn’t work perfectly - there will still be control).

Our auditors should see “empty” cars and a picture like this:

For the purposes of this article, we will not touch on remote servers in Malaysia or other countries. This is a good solution, but we want to consider the situation when all parts of the system are located in one (or) several rooms.

We identify contradictions:

Computers should work and shouldn't work;
- information can and cannot be retrieved;
- information can be taken away and cannot be taken away;
- information can and cannot be destroyed;
- we shouldn't touch computers - but we don't need to!

Having eliminated all five contradictions, we will form a working system for storing and using information, and also limit access to it.
For these purposes, we use the following tools that we integrate into the system:

1. TrueCrypt - a free program for encrypting: entire disks, system disks, disk areas, file containers.
2.Handy Backup - a program for backing up the file structure. You can use it over the network, set tasks - collect files and folders from various machines, archive, encrypt, etc. The cost can be found on torrents.
3. GSM sockets - for remote turning on and off the power via SMS. Price range from 2400 rub. up to 10,000 rub. per socket or pilot. The number of outlets will depend on the goals you set (one machine or twenty; with a minimalistic approach, you can distribute power to 3 computers, but pay attention to the power of the machines; we do not connect monitors and printers to outlets). When choosing, pay attention to ease of operation and quality of reception.
4 . CC U825 - GSM controller - developed by our Tula craftsmen (there are a lot of analogues, but price/quality/reliability). I recommend this particular multi-circuit system - the younger analogue worked for us for several years without false alarms. Independent power source and price.. 7000 rubles. There is also the CCU422 - it costs less, but is greatly reduced in the number of circuits and the depth of adjustment.
5 . Kn fear of panic - optional. If you don’t want hassles with an additional circuit in the CCU, purchase this too. It costs about the same as a GSM socket. The meaning is to send an SMS to several pre-programmed numbers, with a pre-prepared text.
6. Kame ry and video server - this is at your discretion. These options help to more accurately confirm intrusion remotely. We won't touch them.

We will analyze each instrument separately - from “what it looks like” to configuration.

The system integration section is under development and will be available on our audit firm website in the near future

TrueCrypt
Handy Backup
GSM sockets
CCU825
Panic button
cameras and video server (I will not consider)
System integration.

Regulations. The most important part of the system. What should be included:

All employees related to the system must understand what they are doing in a difficult, stressful situation (and so it is - hands will begin to tremble, the head will stop thinking, the legs will give way - this is a damn accountant, not the unforgettable and dearly respected Iron Felix Edmundovich). Understand so that you can click where you need to click and call the person you need to call. It’s even better to assign a bonus - whoever is first gets $100. Just don’t overestimate the premium, otherwise the accountant will approach the business process and start calling them.
- it is advisable to work out the situation once a month, for example, in the evening, every third Friday of the month. It will take minutes, maximum an hour. And the management will sleep more peacefully.
- understanding the balances on SIM cards in GSM modules. Highly depends on the selected tariff plan and the number of SMS alerts. Also from the sockets you choose (there should be a way to check the balance without removing the SIM card from the socket and without inserting it into the phone). SMS should be sent to several employees in order to have redundancy and reduce risks a la “I forgot my phone at home.” Control once a month - we report the money.
- check if our handy backup writes backup archives in a circle in ten parts? Are there any errors in the program tasks? If there is, we fix it. Also once a month.
- send SMS, or turn off all cars with a panic button. Turn it on. Nothing works. Black screen everywhere - a fairy tale! Not everywhere? Let's figure out why - we caught this moment with monthly alarms. We figured it out. Enter passwords, mount screws. We start the backup. Everything works - a fairy tale!
- we carefully check (IMPORTANT - I’ve encountered this many times) - are all computers connected to the GSM socket, and only then to the oops? How about the other way around? It won't turn off if it's the other way around. Let's fix it.
- we appoint a person responsible for the regulations, his deputy, his deputy - in general, under any external circumstances, the regulations must be followed. Otherwise it is no longer a system.

Disadvantages of the system.

The system is dependent on rebooting; machines, when turned on, are a collection of spare parts, not computers. You have to enter passwords manually and mount disks. So it is advisable that they do not turn off at all (at your discretion).
- dependence of the system on GSM communication - we recommend immediately checking the quality of reception of a particular cellular operator. If there is no signal, then you need to make sure there is one - an external antenna, etc. Otherwise, you will not be able to turn off the computers and, as a result, data from them can be copied right in front of you.
- monthly costs for SMS, very little (it could even be neglected), if you choose the right tariff and operator.
- dependence on compliance with regulations (do you even have one?). The system should be checked completely about once a month, based on experience, the backup settings and the very fact of their implementation should be monitored. Because even though everything is automatic, each individual tool has its own level of trouble-free operation (Handy can freeze - although I haven’t seen it in practice, the socket starts to work unstable). It is better to encounter something like this during a routine inspection than in another situation.

The weakest link

Employees. It would be possible not to continue, but.. here I would call the system administrator (the distribution of rights to users and who can do what is beyond the scope of this article). I will only say that I would be very thoughtful in approaching the question of who to give access to and to whom passwords - maybe just different people. The field here is too wide for generalized reasoning. I leave this to the conscience of the manager. As well as drawing up and carrying out routine maintenance.

Conclusion

In this article, we have outlined approximate tools that are advisable (from the standpoint of price/quality/reliability) to use to solve the problem of protecting and preserving an organization’s information. We do not claim originality in this genre and have outlined purely practical techniques so that you can think through the options and immediately implement them. Your tasks may be more complex or simple, but we hope that the set of tools that we have described here will help you solve them.

Best regards, Independent Consultant

Pavel Ivanovich Egorov.