Graduation thesis (VKR) in information security: the information security system of an organization


Introduction

Chapter 1. Theoretical aspects of ensuring information security

1.1 The concept of information security

1.3 Information security practices

Chapter 2. Analysis of the information security system

2.1 The scope of the company and an analysis of its financial performance

2.2 Description of the company's information security system

2.3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Appendices

Annex 1. Balance sheet for 2010

Introduction

The relevance of the thesis topic is determined by the growing severity of information security problems, even against the background of rapid growth in data-protection technologies and tools. It is impossible to guarantee 100% protection of corporate information systems, so the task is to prioritize data-protection measures correctly within the limited share of the budget allocated to information technology.

Reliable protection of the corporate computing and network infrastructure is a basic information security task for any company. As the enterprise's business grows and it moves to a geographically distributed organization, that infrastructure extends beyond a single building.

Effective protection of the IT infrastructure and corporate business applications is impossible today without modern network access control technologies. The growing number of cases of theft of media containing valuable business information also increasingly calls for organizational measures.

The purpose of this work will be to evaluate the information security system existing in the organization and develop measures to improve it.

This goal determines the following tasks of the thesis:

1) consider the concept of information security;

2) consider the types of possible threats to information systems and the options for protecting against possible information leakage threats in the organization;

3) identify the list of information resources whose loss of integrity or confidentiality would cause the greatest damage to the enterprise;

4) on that basis, develop a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of references and applications.

The introduction substantiates the relevance of the research topic, formulates the purpose and objectives of the work.

The first chapter deals with the theoretical aspects of information security in an organization.

The second chapter gives a brief description of the company's activities, the main performance indicators, describes the current state of the information security system and proposes measures to improve it.

In conclusion, the main results and conclusions of the work are formulated.

The methodological and theoretical basis of the thesis is the work of domestic and foreign specialists in the field of information security. In the course of the work, information was used reflecting the content of the laws, legislative acts, regulations and decrees of the Government of the Russian Federation governing information security, as well as international information security standards.

The theoretical significance of the research lies in applying an integrated approach to the development of an information security policy.

The practical significance of the work lies in the fact that its results make it possible to raise the level of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of ensuring information security

1.1 The concept of information security

Information security is understood as the protection of information and its supporting infrastructure from any accidental or malicious influences that may damage the information itself, its owners or the supporting infrastructure. The tasks of information security come down to minimizing damage and to predicting and preventing such influences.

The properties of information systems that need to be protected fall into three categories: the integrity, availability and confidentiality of information resources.

availability is the ability to obtain the required information service within an acceptable time;

integrity is the relevance and consistency of information, its protection from destruction and unauthorized modification;

confidentiality is protection from unauthorized access to information.

Information systems are created first of all to provide certain information services. If for some reason it becomes impossible to obtain them, all parties to the information relationship suffer damage; in this sense availability comes first.

Integrity is the main aspect of information security where the accuracy and authenticity of information are the decisive parameters, for example prescriptions for medicines or the list and characteristics of components.

Confidentiality is the most developed component of information security in our country, yet the practical implementation of confidentiality measures in modern information systems faces great difficulties in Russia. Firstly, information about the technical channels of information leakage is classified, so most users cannot form a picture of the potential risks. Secondly, numerous legal and technical obstacles stand in the way of user-level cryptography as the primary means of ensuring confidentiality.

Actions that can damage an information system fall into several categories.

1. Actions of authorized users. This category includes:

deliberate theft or destruction of data on a workstation or server;

damage to data by a user as a result of careless actions.

2. "Electronic" methods of influence carried out by hackers.

Hackers are people who commit computer crimes, either professionally (including in the interests of competitors) or simply out of curiosity. These methods include:

unauthorized penetration into computer networks;

DoS attacks.

The purpose of unauthorized penetration into the enterprise network from outside may be to cause harm (destroy data), steal confidential information and use it for illegal purposes, use the network infrastructure to mount attacks on third-party hosts, steal funds from accounts, and so on.

A DoS attack (Denial of Service) is an external attack on the enterprise network nodes responsible for its safe and efficient operation (file servers, mail servers). The attackers direct a massive stream of packets or requests at these nodes in order to overload them and thereby take them out of service for some time. This usually disrupts the victim company's business processes and entails loss of customers, reputational damage and so on. When the traffic comes from many sources at once the attack is called distributed (DDoS), and blocking individual sources is no longer sufficient.
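The following Python script is an added illustration, not part of the thesis: it runs the simplest detection logic for the flood described above over a constructed connection log. The log format, the IP addresses (documentation ranges), the 10-second window and the threshold of 100 packets are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured traffic). One line per packet:
# "<ISO-8601 timestamp> <source IP> <destination port>".
# 198.51.100.7 is a normal client sending one packet every 6 s;
# 203.0.113.5 sends 300 packets within 4.8 s, the burst a DoS flood produces.
_T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LINES = [
    f"{(_T0 + timedelta(seconds=6 * i)).isoformat()} 198.51.100.7 25"
    for i in range(10)
] + [
    f"{(_T0 + timedelta(milliseconds=16 * i)).isoformat()} 203.0.113.5 25"
    for i in range(300)
]


def parse_line(line):
    """Split one log line into (timestamp, source IP, destination port)."""
    ts, src, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)


def flood_sources(lines, window=timedelta(seconds=10), threshold=100):
    """Per-source sliding-window rate check.

    Returns {source_ip: peak_count} for every source that sent more than
    `threshold` packets inside some interval of length `window`. Lines are
    sorted by timestamp first, so the input order does not matter.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # source IP -> timestamps still inside the window
    peaks = {}
    for ts, src, _port in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # discard timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in flood_sources(SAMPLE_LINES).items():
        print(f"possible flood from {src}: {peak} packets within 10 s")
```

The threshold has to be tuned per service: a NAT gateway legitimately aggregates many clients behind one address, and a distributed flood spreads its traffic so that each source stays below a per-source threshold, so the aggregate rate per destination node should be watched as well.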

3. Computer viruses. A separate category of electronic methods of influence is computer viruses and other malicious programs. They pose a real danger to modern business, which makes extensive use of computer networks, the Internet and e-mail. Penetration of malware into corporate network nodes can lead to disruption of their operation, loss of working time, loss of data, theft of confidential information and even direct theft of funds. Malware that has penetrated a corporate network can give attackers partial or full control over the company's activity.

4. Spam. In just a few years, spam has gone from a minor annoyance to one of the most serious security threats:

e-mail has become the main channel for distributing malicious programs;

spam takes a lot of time to review and delete and causes employees psychological discomfort;

both individuals and organizations fall victim to fraudulent schemes run by spammers (victims often prefer not to disclose such incidents);

important correspondence is often deleted along with spam, which can lead to loss of customers, failed contracts and other unpleasant consequences. The risk of losing mail is especially high when DNS-based blocklists (RBL) and other "rough" spam-filtering methods are used.

5. "Natural" threats. A variety of external factors can affect a company's information security: improper storage, theft of computers and media, force majeure and so on can cause data loss.

An information security management system (ISMS) makes it possible to manage the set of measures that implement a chosen strategy, in this case with respect to information security. Note that this covers not only managing an existing system but also building a new one or redesigning an old one.

The set of measures includes organizational, technical, physical and other measures. Managing them as one process is what makes effective and comprehensive information protection in a company achievable.

The purpose of information security management is to maintain the confidentiality, integrity and availability of information. The open questions are which information needs protecting and what effort should be spent on it.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the assets of the organization and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include directly information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what needs to be protected. It is very important to understand what information is processed in an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the organization's activities are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and top managers. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management on the priorities in ensuring information security is very important and valuable in the process of risk analysis, but in any case, it should be clarified by collecting information about the criticality of assets at the middle level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to top management for a comprehensive assessment of the situation.

Information can be identified and localized based on the description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted a business regulation approach (for example, for the purposes of quality management and business process optimization). Formalized business process descriptions are a good starting point for asset inventory. If there are no descriptions, you can identify the assets based on the information received from the organization's employees. Once assets are identified, their value must be determined.

The work of determining the value of information assets in the context of the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

But the economic efficiency of the information security management process depends largely on knowing what needs to be protected and what effort that will require, since in most cases the effort applied is directly proportional to the money spent and to operating costs. Risk management answers the question of where risk can be accepted and where it cannot. In information security, accepting a risk means that in a certain area it is possible not to make significant efforts to protect information assets, because even in the event of a security breach the organization would not suffer significant losses. An analogy can be drawn with the protection classes of automated systems: the greater the risks, the more stringent the protection requirements should be.

To determine the consequences of a security breach, one must either have records of incidents of a similar nature or conduct a scenario analysis. Scenario analysis examines the causal relationships between events that breach the security of an asset and the impact of those events on the organization's business. The consequences of scenarios should be evaluated by several people, either iteratively or in a joint discussion. The development and evaluation of such scenarios must not be divorced from reality: a scenario must be plausible. The criteria and scales for determining value are individual to each organization. The results of the scenario analysis yield information about the value of the assets.

Once the assets are identified and their value determined, the goals of ensuring information security are partially established: the objects of protection and the importance to the organization of keeping them secure are defined. It remains to determine against whom they must be protected.

After defining the goals of information security management, it is necessary to analyze the problems that prevent approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional concepts of information security - violators, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard intruder model that divides intruders by their type of access to the asset and their knowledge of the asset's structure. Such a division helps determine which threats can be directed at an asset, but does not answer the question of whether those threats can be realized at all.

In the process of risk analysis it is necessary to assess the motivation of intruders to carry out threats. The intruder here is not an abstract external hacker or insider, but a party interested in gaining benefit by breaching the security of an asset.

Initial information about the model of the intruder, as in the case of the choice of initial areas of activity to ensure information security, should be obtained from top management, who understands the position of the organization in the market, has information about competitors and what methods of influence can be expected from them. The information necessary to develop a model of an intruder can also be obtained from specialized studies on violations in the field of computer security in the business area for which risk analysis is being carried out. A well-designed intruder model complements the objectives of ensuring information security, defined in the assessment of the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the organization's information asset environment. By itself, the information is not stored or processed. Access to it is provided using the information infrastructure that automates the business processes of the organization. It is important to understand how the information infrastructure and information assets of an organization are related. From the perspective of information security management, the significance of the information infrastructure can only be established after determining the relationship between information assets and infrastructure. In the event that the processes of maintaining and operating the information infrastructure in an organization are regulated and transparent, the collection of information necessary for identifying threats and assessing vulnerabilities is greatly simplified.

Developing a threat model is a job for security professionals who understand well how an intruder can gain unauthorized access to information by breaching the security perimeter or using social engineering. When developing a threat model one can also speak of scenarios as the successive steps by which a threat is carried out: it very rarely happens that a threat is realized in one step by exploiting a single vulnerability.

The threat model should include all threats identified by related information security management processes, such as vulnerability management and incident management. It must be remembered that threats will need to be ranked relative to each other by the likelihood of their realization. To do this, for each threat in the threat model the most significant factors affecting its realization must be indicated.

The security policy is based on the analysis of risks that are recognized as real for the organization's information system. When the risks are analyzed and the protection strategy is defined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program, etc. is determined.

In a broad sense, a security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as an internal regulatory document that defines the security requirements, a system of measures or an order of actions, as well as the responsibilities of the organization's employees and the control mechanisms for a specific area of security.

Before starting to form the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information: any knowledge (messages, data) regardless of the form of its presentation.

Confidentiality of information: a mandatory requirement that a person who has gained access to certain information does not transfer it to third parties without the consent of its owner.

Information security (IS): the state of protection of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations and states.

The concept of "information" is today used very widely and in many senses.

Ensuring information security cannot be a one-time act. This is a continuous process, which consists in substantiating and implementing the most rational methods, ways and means of improving and developing the protection system, continuously monitoring its condition, identifying its weaknesses and illegal actions.

Information security can be ensured only with the integrated use of the entire range of available protection tools in all structural elements of the production system and at all stages of the technological cycle of information processing. The greatest effect is achieved when all the means, methods and measures used are combined into a single holistic mechanism of the information protection system. At the same time, the functioning of the system should be monitored, updated and supplemented depending on changes in external and internal conditions.

According to GOST R ISO/IEC 15408:2005 (the Common Criteria), two types of security requirements are distinguished:

functional requirements, corresponding to the active aspect of protection, imposed on the security functions and the mechanisms that implement them;

assurance requirements, corresponding to the passive aspect, imposed on the technology and on the process of development and operation.

It is important that this standard does not treat security statically but in relation to the life cycle of the target of evaluation. The following stages are distinguished:

determination of the purpose, conditions of use, goals and security requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

Let us look more closely at the functional security requirements. They include the following classes:

user data protection;

protection of the security functions (requirements relating to the integrity and control of the security services and the mechanisms that implement them);

security management (requirements relating to the management of security attributes and parameters);

security audit (identification, recording, storage and analysis of data affecting the security of the target of evaluation, and response to a possible security breach);

privacy (protection of the user from disclosure and unauthorized use of his identification data);

resource utilisation (fault tolerance, priority of service and resource quotas, i.e. requirements for availability);

communication (non-repudiation of origin and of receipt of transmitted data);

trusted path/channel (for communication with the security functions).

The standard also defines functional classes for identification and authentication and for cryptographic support. The organization's information security system must be formed in accordance with these requirements.

The information security system of an organization includes the following areas:

regulatory;

organizational (administrative);

technical;

software.

For a complete assessment of the situation at the enterprise in all areas of security, it is necessary to develop an information security concept that would establish a systematic approach to the problem of the security of information resources and be a systematic presentation of the goals, objectives, design principles and a set of measures to ensure information security at the enterprise.

The corporate network management system should be based on the following principles (tasks):

ensuring the protection of the existing information infrastructure of the enterprise from the intervention of intruders;

providing conditions for localization and minimization of possible damage;

eliminating at the earliest stage the causes that give rise to sources of threats;

ensuring protection of information against the three main types of threat (to availability, integrity and confidentiality).

These tasks are addressed by:

regulating users' work with the information system;

regulating users' work with the database;

uniform requirements for the reliability of hardware and software;

procedures for monitoring the operation of the information system (event logging, log analysis, network traffic analysis, analysis of hardware operation).

The information security policy includes:

the main document, the "Security Policy", which describes the organization's security policy in general, its general provisions, and the documents covering each aspect of the policy;

instructions for regulating the work of users;

job description of the local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instruction on the organization of password protection;

instruction on the organization of anti-virus protection.

The "Security Policy" document contains the main provisions. The information security program, the job descriptions and the recommendations are built on it.

The instruction on regulating the work of users of the organization's local network regulates the procedure for allowing users to work in the organization's local area network, as well as the rules for handling protected information processed, stored and transmitted in the organization.

The job description of the local network administrator describes the duties of the local network administrator regarding information security.

The job description of the database administrator defines in detail the main duties, functions, rights and responsibilities of the database administrator.

The instruction for working with Internet resources reflects the basic rules for safe work with the Internet, and also contains a list of permissible and unacceptable actions when working with Internet resources.

The instruction on the organization of anti-virus protection defines the main provisions and requirements for anti-virus protection of the organization's information system, all aspects of the operation of anti-virus software, and responsibility for violations of anti-virus protection.

The instruction on the organization of password protection regulates the organizational and technical support for the processes of generating, changing and terminating passwords (deleting user accounts), as well as the actions of users and maintenance personnel when working with the system.

Thus, the basis for organizing the process of information protection is a security policy formulated in order to determine from what threats and how information is protected in the information system.

A security policy is the set of legal, organizational and technical measures to protect information adopted in a particular organization; in other words, it defines the conditions under which users gain access to system resources without the system losing its information security properties.


The task of ensuring information security should be addressed systematically. This means that various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

To date, there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of the contents of disks;

means of anti-virus protection;

network vulnerability detection systems and network attack analyzers.

Each of these tools can be used both independently and in integration with others. This makes it possible to create information protection systems for networks of any complexity and configuration, regardless of the platforms used.

Identification, authentication, authorization and administration system. Identification and authentication are key elements of information security: identification is the presentation of a claimed identity (a user name, a token), and authentication is the verification of that claim (a password, a key, a certificate). The authorization function determines which resources a given user may access. The administration function assigns users their identifiers within a given network and defines the scope of actions permitted to them.
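As an added example (not code from the thesis), the following Python module separates the four functions just listed and also implements the password-handling part of the password-protection instruction described earlier: accounts are created and disabled by administration, a user is identified by name and authenticated by a salted PBKDF2 hash compared in constant time, and authorization is a role-to-permission lookup. The role table, user names and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical role -> permission table (an assumption for the example).
ROLE_PERMISSIONS = {
    "db_admin": {"db:read", "db:write", "db:schema"},
    "analyst": {"db:read"},
}

PBKDF2_ITERATIONS = 100_000


def _derive(password, salt):
    """Salted, iterated password hash; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class Directory:
    """In-memory account store that keeps the four functions apart."""

    def __init__(self):
        self._users = {}
        # Used when the user name is unknown, so a failed lookup costs as much
        # as a failed password check and user names cannot be enumerated by timing.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _derive(secrets.token_hex(8), self._dummy_salt)

    # -- administration: account lifecycle ----------------------------------
    def create_user(self, username, password, roles):
        if username in self._users:
            raise ValueError("user already exists")
        salt = secrets.token_bytes(16)
        self._users[username] = {
            "salt": salt,
            "hash": _derive(password, salt),
            "roles": set(roles),
            "enabled": True,
        }

    def disable_user(self, username):
        self._users[username]["enabled"] = False

    # -- identification + authentication ---------------------------------------
    def authenticate(self, username, password):
        record = self._users.get(username)  # identification: who claims to be here?
        if record is None:
            hmac.compare_digest(_derive(password, self._dummy_salt), self._dummy_hash)
            return False
        ok = hmac.compare_digest(_derive(password, record["salt"]), record["hash"])
        return ok and record["enabled"]  # authentication: is the claim proven?

    # -- authorization -----------------------------------------------------------
    def authorize(self, username, permission):
        record = self._users.get(username)
        if record is None or not record["enabled"]:
            return False
        return any(permission in ROLE_PERMISSIONS.get(role, set())
                   for role in record["roles"])


def build_demo_directory():
    """Constructed accounts for the example."""
    directory = Directory()
    directory.create_user("dba", "correct horse battery staple", ["db_admin"])
    directory.create_user("ann", "s3cret-analyst-pw", ["analyst"])
    return directory
```

In a real system authorize() would be called on an authenticated session rather than on a bare user name, and disabling an account should also invalidate its live sessions; the example shows only how the checks themselves are kept separate.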

Encryption systems make it possible to minimize losses in the event of unauthorized access to data stored on a hard drive or other media, as well as interception of information sent by e-mail or transmitted over network protocols. The purpose of this security tool is to ensure confidentiality. The basic requirements for encryption systems are a high level of cryptographic strength and legality of use in Russia (or the state concerned).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks and prevents unauthorized data packets from entering or leaving the network.

The basic principle of a firewall is to check each packet against an ordered set of rules: at a minimum the source and destination addresses, and in practice also the protocol and ports, are compared with the rule base, and the first matching rule decides whether the packet is passed or dropped. A packet that matches no rule should be dropped (default deny). Stateful firewalls additionally track established connections so that reply traffic is admitted without opening ports to unsolicited inbound connections. In this way firewalls significantly extend the possibilities for segmenting information networks and controlling the circulation of data.
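The following Python script is an added example, not code from the thesis, of the first-match, default-deny evaluation described above. The addresses, the rule base and the packet descriptions are constructed; it also includes a check for rules that can never fire because an earlier, broader rule covers them, which is how an intended block silently stops working when rules are ordered carelessly.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int] = None   # destination port, None = any port

    def matches(self, pkt):
        """Does this rule apply to the packet (a dict with src, dst, proto, dport)?"""
        return (
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", pkt["proto"])
            and (self.dport is None or self.dport == pkt["dport"])
        )

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (
            ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
            and self.proto in ("any", other.proto)
            and (self.dport is None or self.dport == other.dport)
        )


def evaluate(rules, pkt, default="deny"):
    """First matching rule wins; a packet matching no rule gets `default`."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, rule in enumerate(rules)
            if any(rules[i].covers(rule) for i in range(j))]


# Constructed rule base with assumed addresses (documentation ranges).
INTERNAL = "10.0.0.0/8"
MAIL_SERVER = "10.0.5.25/32"
BLOCKED_SITE = "198.51.100.0/24"

RULES = [
    Rule("allow", INTERNAL, MAIL_SERVER, "tcp", 25),
    Rule("allow", INTERNAL, "0.0.0.0/0", "tcp", 443),
    Rule("deny", INTERNAL, BLOCKED_SITE, "tcp", 443),  # intended block, shadowed by the rule above
]

# The same rules with the specific deny placed before the general allow.
RULES_FIXED = [RULES[0], RULES[2], RULES[1]]


def pkt(src, dst, dport, proto="tcp"):
    """Constructed packet header for the checks below."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    print("shadowed in RULES:", shadowed_rules(RULES))
    print("internal -> blocked site:443 with RULES:",
          evaluate(RULES, pkt("10.1.2.3", "198.51.100.7", 443)))
    print("internal -> blocked site:443 with RULES_FIXED:",
          evaluate(RULES_FIXED, pkt("10.1.2.3", "198.51.100.7", 443)))
```

Note that an external host reaching for the mail server is dropped by the default, not by any explicit rule; a rule base that ends in "allow any" instead would let every unlisted flow through.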

Speaking of cryptography and firewalls, we should mention secure virtual private networks (Virtual Private Network - VPN). Their use allows solving the problems of data confidentiality and integrity during their transmission over open communication channels. The use of a VPN can be reduced to solving three main tasks:

protection of information flows between different offices of the company (traffic is encrypted only where it leaves the trusted network for the public one);

secure access of remote network users to the company's information resources, usually via the Internet;

protection of information flows between individual applications within corporate networks (this aspect is also very important, since a large share of attacks originate from internal networks).

An effective means of protection against the loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking the mail messages themselves and their attachments against the rules established by the organization also helps to protect companies from liability in lawsuits and protect their employees from spam. Content filtering tools can scan files of all common formats, including compressed and graphic ones, while the network bandwidth remains practically unchanged.

All changes on a workstation or server can be tracked by the network administrator or another authorized user with the help of integrity checking of the contents of the hard disk. This makes it possible to detect modification or deletion of files and thereby identify virus activity, unauthorized access or data theft by authorized users (merely opening a file does not change its contents, so reading has to be detected by access auditing rather than by integrity checking). Control is based on comparing file checksums with a previously recorded baseline. Simple CRC sums detect accidental corruption but not deliberate tampering, since an attacker can modify a file and pad it so that the CRC is unchanged; to withstand an intruder, the baseline must be built from cryptographic (preferably keyed) hashes and stored where the intruder cannot rewrite it.
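As an added example (not code from the thesis or from any integrity-checking product), the following script builds a baseline of keyed SHA-256 digests for a directory tree, then simulates tampering and reports what changed. The key, the file names and their contents are constructed for the demonstration; keying the digest means that an intruder who can alter files cannot also recompute a matching baseline without the key.

```python
# Added illustration of baseline integrity checking with a keyed hash; not code
# from the original thesis or from any product. The files it checks are created
# in a temporary directory for the demonstration.
import hashlib
import hmac
import os
import tempfile
from pathlib import Path
from typing import Dict


def file_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 of the file contents, read in chunks so large files fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> Dict[str, str]:
    """Map every regular file under root (by relative path) to its keyed digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: Dict[str, str], key: bytes) -> Dict[str, list]:
    """Compare the current state of root with the recorded baseline."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "deleted": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo() -> Dict[str, list]:
    """Create a few files, record a baseline, tamper with the tree, and report the result."""
    key = os.urandom(32)  # in practice kept on a separate, read-only medium
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "app.conf").write_text("debug=false\n")
        baseline = build_baseline(root, key)

        # Simulated intrusion: an account is appended, a config is deleted, a tool is dropped.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n")
        (root / "app.conf").unlink()
        (root / "nc.bin").write_bytes(b"\x7fELF")
        return verify(root, baseline, key)


if __name__ == "__main__":
    print(demo())
```

A real deployment would also record ownership, permissions and timestamps in the baseline and compare them, and would run the check from trusted media; the digest comparison above is the core that the text's "checksum" refers to.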

Modern anti-virus technologies make it possible to detect almost all already known virus programs by comparing the code of a suspicious file with samples (signatures) stored in the anti-virus database. In addition, behaviour analysis (heuristic) technologies have been developed to detect newly created malware. Detected objects can be disinfected, isolated (quarantined) or deleted. Virus protection can be installed on workstations, file and mail servers and firewalls running under almost any common operating system (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labour spent on sorting through spam, reduce traffic and server load, improve the psychological climate in the team and reduce the risk of company employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages carrying viruses (even those not yet included in the anti-virus databases) often show signs of spam and are filtered out. True, the positive effect of spam filtering can be cancelled out if the filter, along with junk, removes or marks as spam useful business or personal messages.

The huge damage caused to companies by viruses and hacker attacks is largely a consequence of weaknesses in the software used. They can be identified in advance, without waiting for a real attack, using vulnerability scanners and network attack analyzers. Such software safely simulates common attacks and intrusion methods and determines what exactly an attacker can see on the network and how he can use its resources.

To counter natural threats to information security, a company should develop and implement a set of procedures to prevent emergency situations (for example, to ensure the physical protection of data from a fire) and minimize damage if such a situation does occur. One of the main methods of protection against data loss is backup with strict adherence to established procedures (regularity, media types, copy storage methods, etc.).

An information security policy is a package of documents that regulates the work of employees, describing the basic rules for working with information, the information system, databases, the local network and Internet resources. It is important to understand what place the information security policy occupies in the overall management system of the organization. The following are general organizational measures related to the security policy.

At the procedural level, the following classes of measures can be distinguished:

personnel Management;

physical protection;

maintaining operability;

response to security breaches;

restoration planning.

Personnel management begins with hiring, but even before that the computer privileges associated with the position should be defined. There are two general principles to keep in mind:

segregation of duties;

privilege minimization.

The principle of segregation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process that is critical to the organization. For example, a situation where large payments on behalf of the organization are made by one person is undesirable. It is safer to entrust one employee with processing applications for such payments and another with certifying these applications. Another example is procedural restrictions on superuser actions. It is possible to artificially "split" the superuser password by giving the first part of it to one employee and the second part to another. Then only the two of them together will be able to perform actions critical for the administration of the information system, which reduces the likelihood of errors and abuse. Note that handing out halves of the password string is a weak form of splitting: each holder then needs to guess only the other half. A share that on its own reveals nothing about the secret, or individual administrator accounts with logged privilege elevation and two-person approval, is preferable.
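The two-person control described above, as an added example that is not part of the original thesis: the naive split hands each holder half of the actual characters, so each of them only has to guess the other half, whereas the XOR split below gives each holder a share that alone is indistinguishable from random bytes, so only both together recover the secret. The password, the employee roles and the 95-character alphabet are assumptions for the illustration.

```python
# Added illustration of two-person control over a shared secret; not code from the
# original thesis. The password and the alphabet size are constructed for the example.
import secrets
from typing import Tuple


def split_by_halves(password: str) -> Tuple[str, str]:
    """The naive split from the text: each holder receives half of the actual characters."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def xor_split(secret: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 split: share1 is random, share2 = secret XOR share1.
    Either share alone is uniformly random and carries no information about the secret."""
    share1 = secrets.token_bytes(len(secret))
    share2 = bytes(a ^ b for a, b in zip(secret, share1))
    return share1, share2


def xor_combine(share1: bytes, share2: bytes) -> bytes:
    """Both holders must be present to reconstruct the secret."""
    return bytes(a ^ b for a, b in zip(share1, share2))


ALPHABET_SIZE = 95  # printable ASCII characters a brute-force search would try


def remaining_guesses(password: str, known_chars: int) -> int:
    """Candidate passwords left for someone who already knows known_chars characters."""
    return ALPHABET_SIZE ** (len(password) - known_chars)


if __name__ == "__main__":
    root_pw = "R00t!Pa55w0rd#"  # constructed example secret
    left, right = split_by_halves(root_pw)
    print(remaining_guesses(root_pw, len(left)), "guesses left for the holder of the first half")
    print(remaining_guesses(root_pw, 0), "guesses for the holder of one XOR share")
    s1, s2 = xor_split(root_pw.encode())
    assert xor_combine(s1, s2).decode() == root_pw
```

The same construction generalizes to a threshold scheme (Shamir's secret sharing) when the organization needs, say, any two of three administrators rather than exactly two named people; the 2-of-2 XOR form is enough to show why the shares, not the characters, should be distributed.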

The principle of minimization of privileges prescribes to allocate to users only those access rights that they need to perform their duties. The purpose of this principle is obvious - to reduce the damage from accidental or deliberate incorrect actions.

Preliminary preparation of a job description makes it possible to assess its criticality and plan the procedure for checking and selecting candidates. The more responsible the position, the more carefully the candidates need to be checked: make inquiries about them, perhaps talk with former colleagues, etc. Such a procedure can be lengthy and expensive, so it should not be made more complicated than necessary. At the same time, it is unwise to drop the preliminary check altogether, so as not to accidentally hire a person with a criminal past or a mental illness.

Once a candidate has been selected, he will most likely need training; at the very least he should be thoroughly familiarized with the duties of the job, as well as with the rules and procedures of information security. It is desirable that the security measures be learned before he takes office and before his system account with a login name, password and privileges is set up.

The security of an information system depends on the environment in which it operates. It is necessary to take measures to protect buildings and the surrounding area, supporting infrastructure, computers, data carriers.

Consider the following areas of physical protection:

physical access control;

protection of the supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of the organization, as well as individual premises, for example, those where servers, communication equipment, etc. are located, can be controlled.

Supporting infrastructure includes power, water and heat supply systems, air conditioners and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should choose equipment with the maximum time between failures, duplicate critical nodes, and always have spare parts on hand.

Generally speaking, when selecting physical protection means, a risk analysis should be carried out. Thus, when deciding on the purchase of an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (although it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of the available sources, the possible losses from accidents (breakdown of equipment, suspension of the organization's work, and so on).

Consider a number of measures aimed at maintaining the operability of information systems. It is in this area that the greatest danger lurks. Inadvertent errors of system administrators and users can lead to loss of operability, namely damage to equipment and destruction of programs and data; this is the worst case. At best, they create security holes that allow threats to the security of systems to be realized.

The main problem of many organizations is the underestimation of security factors in daily work. Expensive security tools are worthless if they are poorly documented, conflict with other software, and the system administrator password has not changed since installation.

Among the daily activities aimed at maintaining the operability of the information system, the following can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

maintenance work.

User support implies, first of all, consulting and assistance in solving various kinds of problems. It is very important to be able to pick out, in the flow of questions, the problems related to information security. Thus, many of the difficulties of users working on personal computers can be the result of a virus infection. It is advisable to record user questions in order to identify their typical mistakes and issue memos with recommendations for common situations.

Software support is one of the most important means of ensuring the integrity of information. First of all, you need to keep track of what software is installed on the computers. If users install programs on their own, this can lead to virus infection, as well as the appearance of utilities that bypass security measures. It is also likely that the "initiative" of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and to the access rights to them. This also includes maintaining master copies of software systems. Typically, control is achieved by a combination of physical and logical access control, as well as the use of verification and integrity utilities.

Configuration management makes it possible to control and record changes made to the software configuration. First of all, it is necessary to insure against accidental or ill-conceived modifications and to be able at least to return to the previous working version. Recording changes also makes it easy to restore the current version after a crash.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security support each other: the administrator who takes care first of all to simplify his own task thereby, in fact, builds a sound information security regime.

Backup is necessary to restore programs and data after disasters. Here too it is advisable to automate the work, at a minimum by drawing up a schedule for creating full and incremental copies, and at a maximum by using the appropriate software products. It is also necessary to arrange for the copies to be kept in a safe place, protected from unauthorized access, fire and leaks, that is, from anything that could lead to theft or damage of the media. It is advisable to have several copies of the backups and to store some of them outside the organization, thus protecting against major accidents and similar incidents. From time to time, for test purposes, the possibility of recovering information from the copies should be checked.

Media management is necessary to provide physical protection and accountability for floppy disks, tapes, printouts and the like. Media management must ensure the confidentiality, integrity and availability of information stored outside of computer systems. Physical protection here means not only repelling unauthorized access attempts but also protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management should cover the entire life cycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything is documented - from the security policy to the media inventory log. It is important that the documentation is up to date, reflecting the current state of affairs, and in a consistent form.

For the storage of some documents (containing, for example, an analysis of system vulnerabilities and threats), confidentiality requirements are applicable, for others, such as a disaster recovery plan, integrity and availability requirements (in a critical situation, the plan must be found and read).

Maintenance work is a very serious security threat. The employee who performs routine maintenance gets exclusive access to the system, and in practice it is very difficult to control exactly what he does. Here the degree of trust in those who perform the work comes to the fore.

The security policy adopted by the organization should provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since the measures must be taken urgently and in a coordinated manner.

The response to security breaches has three main objectives:

localization of the incident and reduction of the harm caused;

identification of the offender;

prevention of repeat violations.

Often the requirement to localize the incident and reduce the harm caused conflicts with the desire to identify the offender. The organization's security policy should set the priorities in advance. Since, as practice shows, it is very difficult to identify an intruder, in our opinion one should first of all take care of reducing the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical; they must be performed no matter what. Recovery planning makes it possible to prepare for accidents, reduce the damage from them and maintain at least a minimal ability to function.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most of the measures are preventive in nature.

The recovery planning process can be divided into the following steps:

identification of critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a recovery strategy;

preparation for the implementation of the chosen strategy;

strategy check.

When planning recovery work, one should be aware that it is not always possible to preserve the functioning of the organization in full. It is necessary to identify the critical functions without which the organization ceases to be itself, and even among the critical functions to set priorities, so that work can be resumed after a disaster as soon as possible and at minimal cost.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is desirable to involve specialists of various profiles in the work.

Thus, there are a large number of different methods of ensuring information security, and the most effective approach is to use all of them together as a single complex. Today the security market is saturated with information security tools. Constantly studying the market's offerings, many companies come to see the inadequacy of the funds previously invested in their information security systems, for example because of the obsolescence of equipment and software, and look for a way out. There are two options: on the one hand, a complete replacement of the corporate information protection system, which requires large investments; on the other hand, modernization of the existing security systems. The second option is the least expensive, but it brings new problems; for example, it requires answers to the following questions: how to ensure the compatibility of the old hardware and software security tools that remain in use with the new elements of the information security system; how to provide centralized management of heterogeneous security tools; how to assess and, if necessary, reassess the company's information risks.

Chapter 2. Analysis of the information security system

1 The scope of the company and the analysis of financial performance

OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in the reliable, efficient and balanced supply of natural gas, other types of energy resources and products of their processing to consumers.

Gazprom has the richest natural gas reserves in the world. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. The company is currently actively implementing large-scale projects to develop the gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transmission network, the Unified Gas Supply System of Russia, whose length exceeds 161 thousand km. Gazprom sells more than half of the gas it sells on the domestic market. In addition, the company supplies gas to 30 countries of the near and far abroad.

Gazprom is the only producer and exporter of liquefied natural gas in Russia and provides about 5% of the world's LNG production.

The company is one of the five largest oil producers in the Russian Federation and is also the largest owner of generating assets on its territory. Their total installed capacity is 17% of the total installed capacity of the Russian power system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring the reliability of supplies.

Consider the financial performance of the company over the past two years. The results of the company's activities are presented in Appendix 1.

As of December 31, 2010, sales proceeds amounted to 2,495,557 million rubles; this figure is much lower than the 2011 figure of 3,296,656 million rubles.

Sales revenue (net of excise, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011, compared to the same period of the previous year, and amounted to RUB 3,296,656 million.

Based on the 2011 results, net sales of gas accounted for 60% of total net sales (60% in the same period of the previous year).

Net proceeds from gas sales increased from RUB 1,495,335 million to RUB 1,987,330 million for the same period of 2011, or by 33%.

Net proceeds from the sale of gas to Europe and other countries increased by 258,596 million rubles, or 34%, compared to the same period last year, and amounted to 1,026,451 million rubles. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% in the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales increased by 8% compared to the same period last year.

Net proceeds from the sale of gas to the countries of the former Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was mainly driven by a 33% increase in gas sales to the former Soviet Union in the nine months ended 30 September 2011 year-on-year. In addition, the average price in rubles (including customs duties, excluding VAT) increased by 15% compared to the same period last year.

Net proceeds from the sale of gas in the Russian Federation increased by 64,861 million rubles, or 15%, compared to the same period last year, and amounted to 502,271 million rubles. This is mainly due to a 13% increase in the average gas price compared to the same period last year, which is associated with an increase in tariffs set by the Federal Tariff Service (FTS).

Net proceeds from the sale of oil and gas products (net of excise, VAT and customs duties) increased by 213,012 million rubles, or 42%, compared to the same period of the previous year, and amounted to 717,723 million rubles. This increase is mainly due to the rise in world prices for oil and gas products and the increase in volumes sold compared to the same period of the previous year. Gazprom Neft Group's revenue accounted for 85% and 84% of total net revenue from the sale of refined petroleum products in the respective periods.

Net proceeds from the sale of electricity and heat (net of VAT) increased by 38,097 million rubles, or 19%, and amounted to 237,545 million rubles. The increase in revenue from the sale of electricity and heat is mainly due to an increase in tariffs for electricity and heat, as well as an increase in the volume of sales of electricity and heat.

Net proceeds from the sale of crude oil and gas condensate (net of excise tax, VAT and customs duties) increased by 23,072 million rubles, or 16%, and amounted to 164,438 million rubles, compared to 141,366 million rubles for the same period of the previous year. The change was caused mainly by an increase in the price of oil and gas condensate and, in addition, by an increase in gas condensate sales. Proceeds from the sale of crude oil amounted to 133,368 million rubles and 121,675 million rubles within net proceeds from the sale of crude oil and gas condensate (net of excise, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by 15,306 million rubles, or 23%, and amounted to 82,501 million rubles, compared to 67,195 million rubles for the same period of the previous year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in the volume of gas transported for independent suppliers compared to the same period of the previous year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million. compared to 87,502 million rubles. for the same period last year.

Expenses on trading operations without actual delivery amounted to 837 million rubles, compared to revenue of RUB 5,786 million for the same period of the previous year.

As for operating expenses, they increased by 23% and amounted to 2,119,289 million rubles. compared to 1,726,604 million rubles. for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to 267,377 million rubles. compared to 227,500 million rubles. for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9% or by 17,026 million rubles, and amounted to 201,636 million rubles, compared with 184,610 million rubles. for the same period last year. The increase was mainly due to the expansion of the base of fixed assets.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million. compared to 774,739 million rubles. for the same period last year. Profit margin on sales increased from 31% to 36% in the nine months ended September 30, 2011.

Thus, OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators have a positive trend.

2 Description of the company's information security system

Let us consider the main activities of the departments of the Corporate Security Service of OAO Gazprom:

development of targeted programs for the development of systems and complexes of engineering and technical means of protection (ITSO), information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer of work on the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of information technologies in the part concerning information security systems;

consideration and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work to assess the conformity of ITSO systems and complexes and information security systems (as well as of the works and services for their creation) with the established requirements;

coordination and control of performance of works on technical protection of information.

Gazprom has created a system that ensures the protection of personal data. However, the adoption by the federal executive authorities of a number of regulatory legal acts in development of the existing laws and government decrees makes it necessary to improve the current system of personal data protection. To solve this problem, a number of documents have been developed and are being coordinated within the framework of research work. First of all, these are draft corporate standards of OAO Gazprom:

"Methodology for classifying personal data information systems of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in information systems of personal data of OAO Gazprom, its subsidiaries and organizations".

These documents have been developed taking into account the requirements of Decree of the Government of the Russian Federation No. 781 of November 17, 2007 "On Approval of the Regulations on Ensuring the Security of Personal Data during their Processing in Personal Data Information Systems" in relation to the class of special systems, to which most of the personal data information systems (ISPD) of OAO Gazprom belong.

In addition, the "Regulations on the organization and technical support of the security of personal data processed in the information systems of personal data of OAO Gazprom, its subsidiaries and organizations" are currently being developed.

It should be noted that, within the framework of OAO Gazprom's standardization system, information security system standards have been developed that will also make it possible to solve the tasks of protecting personal data (PD) processed in OAO Gazprom's information systems.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the main requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, form the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in Gazprom information systems.

As a result of the information security analysis of OAO Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

given the size of the network and the number of users (more than 100), system administration, information security and technical support are all handled by one person;

there is no classification of information assets according to the degree of importance;

information security roles and responsibilities are not included in job descriptions;

the employment contract concluded with the employee does not contain a clause on the information security obligations of either the employee or the organization itself;

training of personnel in the field of information security is not carried out;

in terms of protection against external threats: there are no standard procedures for data recovery after accidents resulting from external and environmental threats;

the server room is not a separate room: the room is shared by two departments (apart from the system administrator, one more person has access to the server room);

technical probing and physical examination for unauthorized devices connected to the cables are not carried out;

although entry is controlled by electronic passes and every entry is recorded in a special database, this data is not analyzed;

in terms of protection against malware: there is no formal policy for protection against the risks associated with files received from or through external networks, or contained on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, and there is direct access to mail servers on external networks;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

the receipt of passwords by users is not confirmed in any way;

passwords are stored in clear text by the administrator;

passwords are never changed;

there is no procedure for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

a policy on the hiring (dismissal) of employees and the granting (revocation) of the authority needed to access system resources;

policy regarding the work of network users during its operation;

password protection policy;

physical protection policy;

Internet policy;

and administrative security measures.

Documents containing these regulations are under consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OAO Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate the identified deficiencies in the security system, we single out the following groups of information that are subject to protection:

information about the private life of employees that makes it possible to identify them (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information "for official use";

information whose destruction or modification will adversely affect the efficiency of work and whose restoration will require additional costs.

In terms of administrative measures, the following recommendations have been developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing facilities are installed or stored and where work with protected information is carried out must be guarded and protected by alarm and access control systems;

personnel training on information security issues (explaining the importance of password protection and password requirements, briefing on anti-virus software, etc.) should be organized when an employee is hired;

every 6-12 months to conduct trainings aimed at improving the literacy of employees in the field of information security;

an audit of the system and adjustment of the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes in the structure of the enterprise;

the access rights of each user to information resources must be documented (if necessary, access is requested from the head in a written statement);

the information security policy should be ensured by the software administrator and the hardware administrator, their actions are coordinated by the head of the group.

Let's formulate a password policy:

passwords must not be stored in plaintext (written on paper, kept in an unencrypted text file, etc.);

a password must be changed if it is disclosed or suspected of having been disclosed;

the length must be at least 8 characters;

a password must contain upper- and lower-case letters, digits and special characters, and must not include easily guessed sequences (names, pet names, dates);

passwords are changed every 6 months; an unscheduled change is made immediately upon notification of an incident that requires it;

a new password must not repeat a previously used one (it must differ from the old password in at least 6 positions).

Let's formulate a policy regarding anti-virus software and virus detection:

licensed anti-virus software must be installed on every workstation;

anti-virus databases are updated once a day on workstations with Internet access and at least once a week on workstations without it;

an automatic virus scan of each workstation is scheduled weekly (Friday, 12:00);

only the administrator may stop a database update or a virus scan (this action must be password-protected).

Let's formulate a policy regarding physical protection:

cable testing and physical inspection of the cabling for unauthorized connected devices must be carried out every 1-2 months;

network cables must be protected against unauthorized interception of data;

a log must be kept of all suspected and actual equipment failures;

each workstation must be equipped with an uninterruptible power supply.

Let's define a backup policy:

a separate room, located outside the administrative building, must be allocated for storing backups (the room must be equipped with an electronic lock and an alarm);

backups must be made every Friday at 16:00.

The policy regarding the hiring and dismissal of employees should take the following form:

any personnel change (hiring, promotion, dismissal, etc.) must be reported to the administrator within 24 hours; the administrator, in turn, must make the corresponding changes to the access control system for enterprise resources within half a working day;

a new employee must be briefed by the administrator, including familiarization with the security policy and all necessary instructions; the new employee's level of access to information is assigned by the manager;

when an employee leaves, their account and password are removed from the system, the workstation is scanned for viruses, and the integrity of the data to which the employee had access is verified.

Policy regarding work with the local area network (LAN) and databases (DB):

when working at their workstation and in the LAN, an employee must perform only tasks directly related to their official duties;

an employee must notify the administrator of any anti-virus alert about detected malware;

no one except the administrators may change the design or configuration of workstations and other LAN nodes, install any software, leave a workstation unattended, or allow unauthorized persons to use it;

administrators are advised to keep two tools running at all times: an ARP spoofing detection utility and a sniffer, which lets them see the network as a potential intruder would and identify violators of the security policy;

software should be installed that prevents the launch of any program not approved by the administrator, following the principle "each person is granted only the privileges needed to perform their specific tasks" (least privilege); all unused computer ports must be disabled in hardware or software;

The software should be updated regularly.
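The ARP spoofing detection utility recommended above can be illustrated by a passive detector. The following is an added example written for this page, not a tool from the thesis or from OAO Gazprom: it tracks the IP-to-MAC bindings seen in ARP traffic and raises an alert when a binding changes, when a reply arrives that nobody requested, or when one MAC answers for several IP addresses (the pattern of an attacker poisoning both the gateway and a victim). The capture, addresses and alert names are constructed for illustration; on a real network the packets would come from a sniffer.

```python
"""Passive ARP-spoofing detector, as an added example (not from the thesis).

The capture below is constructed for illustration; on a real network the
packets would come from a raw socket or a pcap library.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float         # seconds since capture start
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpWatcher:
    """Tracks IP->MAC bindings seen on the wire and flags contradictions."""

    def __init__(self, trusted=None):
        # Pre-seeded bindings (e.g. the gateway) that must never change.
        self.bindings = dict(trusted or {})
        self.pending = set()             # IPs with an outstanding request
        self.claims = defaultdict(set)   # MAC -> IPs it has answered for
        self.alerts = []                 # (ts, kind, subject, detail)

    def observe(self, pkt):
        """Process one packet; return the alerts it produced (possibly none)."""
        found = []
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
            return found

        # A reply nobody asked for. Gratuitous ARP is legitimate at boot or
        # failover, so on its own this is only a weak signal.
        if pkt.sender_ip not in self.pending:
            found.append(("unsolicited_reply", pkt.sender_ip, pkt.sender_mac))
        self.pending.discard(pkt.sender_ip)

        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac   # first sighting: learn it
        elif known != pkt.sender_mac:
            found.append(("binding_changed", pkt.sender_ip,
                          f"{known} -> {pkt.sender_mac}"))

        self.claims[pkt.sender_mac].add(pkt.sender_ip)
        if len(self.claims[pkt.sender_mac]) > 1:
            found.append(("mac_claims_multiple_ips", pkt.sender_mac,
                          sorted(self.claims[pkt.sender_mac])))

        for kind, subject, detail in found:
            self.alerts.append((pkt.ts, kind, subject, detail))
        return found


GATEWAY_IP = "192.168.1.1"
VICTIM_IP = "192.168.1.10"

# Constructed capture: a normal exchange, then an attacker (MAC ...:66)
# poisons first the victim's and then the gateway's ARP cache.
SAMPLE_CAPTURE = [
    ArpPacket(0.0, "request", VICTIM_IP, "00:11:22:33:44:10", GATEWAY_IP),
    ArpPacket(0.1, "reply", GATEWAY_IP, "00:11:22:33:44:01", VICTIM_IP),
    ArpPacket(5.0, "reply", GATEWAY_IP, "de:ad:be:ef:00:66", VICTIM_IP),
    ArpPacket(5.1, "reply", VICTIM_IP, "de:ad:be:ef:00:66", GATEWAY_IP),
]


def run(capture, trusted=None):
    """Feed a capture through the watcher and return all alerts raised."""
    watcher = ArpWatcher(trusted)
    for pkt in capture:
        watcher.observe(pkt)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_CAPTURE, trusted={GATEWAY_IP: "00:11:22:33:44:01"}):
        print(alert)
```

Seeding the watcher with the gateway's real MAC (the `trusted` argument) matters in practice: a detector that only learns bindings passively will accept the attacker's first reply as truth if it happens to arrive before the legitimate one.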

Internet policy:

administrators are granted the right to restrict access to resources whose content is unrelated to the performance of official duties, as well as to resources whose content and orientation are prohibited by international and Russian legislation;

employees are prohibited from downloading and opening files without first scanning them for viruses;

all information about the resources visited by company employees must be logged and, if necessary, may be provided to department heads and management;

the integrity and authenticity of electronic correspondence and office documents are ensured by electronic digital signatures (EDS); confidentiality additionally requires encryption, since a signature by itself does not conceal the content.

In addition, we formulate the basic requirements for composing passwords for employees of OAO Gazprom.

A password is like the key to a house, except that it is the key to information. An ordinary key must not be lost, stolen or handed to a stranger, and the same applies to a password. Of course, the safety of information depends not only on the password; ensuring it requires a number of special settings and possibly even dedicated software that protects against intrusion. But choosing a password is the one step where the user alone determines how strong this link in the chain of protective measures will be.

1) the password must be long (8, 12 or 15 characters);

2) it must not be a word from a dictionary (any dictionary, including one of special terms or slang), a proper name, or a Cyrillic word typed in the Latin keyboard layout (for example, "латынь" typed as "kfnsym");

3) it must not be associated with its owner;

4) it is changed periodically or as needed;

5) it is not reused across different resources (a different password must be used for each resource: the mailbox, the operating system, the database);

6) it must be memorable.

Dictionary words are unacceptable because an attacker carrying out a dictionary attack uses programs that try hundreds of thousands of words per second on ordinary hardware, and far more against fast unsalted hashes.

Any information associated with the owner (date of birth, the dog's name, the mother's maiden name and similar "passwords") is easy to find out and guess.

Using upper- and lower-case letters, digits and special characters makes a password much harder to guess.

A password must be kept secret, and if you suspect it has become known to someone, change it. It is also good practice to change it from time to time.
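The password policy and the password requirements above can be enforced mechanically. The following checker is an added example written for this page, not code from the thesis or from OAO Gazprom. It implements the rules the page states: minimum length, all four character classes, no dictionary words (including a Russian word typed in the Latin layout, so that "kfnsym" is recognised as "латынь"), no owner-associated words or dates, and at least 6 changed positions relative to the previous password. The dictionary, the owner word list and the sample passwords are constructed for illustration; the keyboard mapping is the standard QWERTY-to-ЙЦУКЕН correspondence.

```python
"""Password policy checker, as an added example (not from the thesis)."""
import re
import string

MIN_LENGTH = 8                 # page: at least 8 characters
MIN_CHANGED_POSITIONS = 6      # page: new password differs in >= 6 positions

# Constructed, tiny dictionary; a real check would load full wordlists.
DICTIONARY = {"password", "qwerty", "welcome", "gazprom",
              "пароль", "латынь", "секрет"}

# QWERTY key -> Cyrillic ЙЦУКЕН key in the same physical position.
QWERTY_TO_JCUKEN = dict(zip("qwertyuiop[]asdfghjkl;'zxcvbnm,.",
                            "йцукенгшщзхъфывапролджэячсмитьбю"))

# Years 19xx/20xx, or dd.mm / dd-mm / dd/mm style fragments.
DATE_RE = re.compile(r"(19|20)\d{2}|\d{2}[./-]\d{2}")


def latin_layout_to_cyrillic(text):
    """Re-read Latin characters as the Cyrillic keys in the same positions."""
    return "".join(QWERTY_TO_JCUKEN.get(ch, ch) for ch in text.lower())


def positions_differing(new, old):
    """Number of positions in which two strings differ; extra length counts."""
    changed = sum(1 for a, b in zip(new, old) if a != b)
    return changed + abs(len(new) - len(old))


def check_password(password, previous=(), owner_words=()):
    """Return the list of violated rule codes; an empty list means accepted.

    `previous` holds earlier passwords in clear text. In practice only the
    password being replaced is available (the user types it during the
    change), because stored passwords must be kept as hashes, not plaintext.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")

    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("classes")

    # Alphabetic core, so "Password1!" is still rejected as "password".
    core = re.sub(r"[^A-Za-zА-Яа-яЁё]", "", password).lower()
    if core in DICTIONARY:
        problems.append("dictionary")
    elif latin_layout_to_cyrillic(core) in DICTIONARY:
        problems.append("layout")

    lowered = password.lower()
    if any(w.lower() in lowered for w in owner_words if w):
        problems.append("owner")
    if DATE_RE.search(password):
        problems.append("date")

    if any(positions_differing(password, old) < MIN_CHANGED_POSITIONS
           for old in previous):
        problems.append("history")
    return problems


if __name__ == "__main__":
    for pw in ["password", "Kfnsym2024!", "G7#tqLp2wX"]:
        print(pw, "->", check_password(pw) or "OK")
```

Note that the "differ in at least 6 positions" rule can only be evaluated against a password the system can see in clear text at the moment of the change; it cannot be applied retrospectively to a history of hashed passwords, so the history check here is limited to what the user supplies during the change.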

Conclusion

The study made it possible to draw the following conclusions and formulate recommendations.

It has been established that the main reason for the problems of the enterprise in the field of information security is the lack of an information security policy that would include organizational, technical, financial solutions with subsequent monitoring of their implementation and evaluation of effectiveness.

An information security policy is defined as a set of documented decisions whose purpose is to protect information and manage the risks associated with it.

The analysis of the information security system revealed significant shortcomings, including:

backups are stored in the server room, and the backup server is located in the same room as the main servers;

there are no proper rules for password protection (password length, rules for choosing and storing passwords);

the network is administered by a single person.

The generalization of international and Russian practice in the field of information security management of enterprises has led to the conclusion that to ensure it, it is necessary:

forecasting and timely identification of security threats, causes and conditions that contribute to the infliction of financial, material and moral damage;

creation of conditions for activities with the least risk of realizing security threats to information resources and causing various types of damage;

creation of a mechanism and conditions for effective response to information security threats based on legal, organizational and technical means.

In the first chapter of the work, the main theoretical aspects are considered. An overview of several standards in the field of information security is given. Conclusions are drawn for each and in general, and the most appropriate standard for the formation of an information security policy is chosen.

The second chapter considers the structure of the organization, analyzes the main problems associated with information security. As a result, recommendations were formed to ensure the proper level of information security. Measures were also considered to prevent further incidents related to information security violations.

Of course, ensuring an organization's information security is an ongoing process that requires constant monitoring, and a policy, once formulated, is not in itself a guarantee of protection. Beyond implementing the policy, its implementation must be continuously monitored and the policy improved whenever the company changes or an incident occurs. It was recommended that the organization hire an employee whose duties are directly tied to these functions (a security administrator).



How to choose a relevant thesis topic in the specialty of information security systems: the relevance of such a topic, recommendations of experts, and examples of thesis topics.

Thesis topics in the specialty of information security systems are devoted to solving various research and practical problems aimed at ensuring the information security of the object under study. The relevance of such works stems from the growing number of attacks on information systems and their components.

The object of study may be a computer system, a system component, a business process, an enterprise, a room, or the data in circulation.

The subject of research may be information security methods, threat analysis methods, or an assessment of the effectiveness of an information security system.

The goal of a thesis in this specialty may be the construction, or a study of the applicability, of risk models and a protection algorithm.

Tasks of works related to themes of diploma works in the specialty of information security systems, can be defined by the following list:

1. Selection and study of statistical data, including hypotheses and their proof regarding random variables.

2. Substantiation of damage types and functions, development of an analytical risk model.

3. Formation of a dynamic risk model based on sensitivity coefficients.

The following main points can be defended diploma theses in the specialty of information security systems:

1. Reliability of the proof of the put forward hypotheses about the areas of effective application of the law for information security tasks.

2. Analytical risk models for system components in which losses have a given distribution.

3. Analytical risk models for systems whose components are subject to joint or non-joint effects of identified attacks.

4. Dynamic models, system sensitivity functions.

5. Algorithms for system risk management.

The scientific novelty of the study of diplomas on such topics can be formalized in the following list.

1. For the first time, the areas of effective application of the law for information security tasks were studied.

2. Previously unexplored analytical risk models of components in which damages have a given distribution are considered.

3. Analytical risk models of distributed systems exposed to identified information security attacks have been studied.

4. Algorithmization of risk management systems for dedicated distribution and information security attacks was carried out for the first time.

The practical value may be as follows:

1. The proof of the hypotheses put forward makes it possible to reasonably apply the results of the study to solve information security problems.

2. The obtained analytical risk models in the future will make it possible to develop complex models capable of analyzing the entire range of information security attacks.

3. Dynamic models, sensitivity functions of computer systems allow solving information security problems with a variation in the level of risk.

The most relevant topics of final qualifying works (WQR) and scientific research works (R&D), as well as diploma topics in the specialty of information security systems can be shown in the following table.

  1. Protection of information in the control channels of an airport automated system
  2. Implementation of an intrusion detection system using decoy (false) information systems as an example
  3. Design and development of information security systems
  4. Protection against DDoS attacks
  5. Protecting enterprise information at the e-mail level
  6. Information security of a geographically distributed enterprise
  7. Comprehensive information protection at an industrial enterprise
  8. Information security of a computer system under threats of unauthorized access
  9. Development of a risk model for an information security management system under uncertainty
  10. Modernization of the protection system of information and telecommunication networks
  11. Ensuring the information security of mobile workstations
  12. Organization of personal data protection under virus attacks
  13. Organization of counteraction to an organization's security threats based on Petri nets
  14. Main directions, principles and methods of ensuring information security in computer networks
  15. Construction of a typical model of the actions of an attacker carrying out remote attacks
  16. Problems of bank information security based on discretionary models
  17. Development of an algorithm to counter the use of covert communication channels
  18. Development of a set of security measures for information safety in the interaction of M2M components
  19. Development of an information security system for a sensitive strategic enterprise
  20. Development of a system for protecting confidential information in banking systems
  21. WRC: Automation and information security of the workplace of a company's client manager
  22. Thesis: Organization of information security of the electronic archive of the real estate register in the BTI
  23. Bachelor's thesis: Development of an information security policy in a trading and manufacturing company
  24. Thesis: Development of a company's information security policy
  25. Diploma: Ensuring information security in an investment company
  26. Diploma: Audit of information security in a bank's information security system
  27. Bachelor's graduation work: Development and provision of information security for a secretary's automated workplace
  28. Thesis: Development of a set of measures for information security and data protection in state institutions
  29. Thesis: Implementation of an integrated information security system in a company
  30. Thesis: Modernization of the information security system in a company
  31. Master's thesis: Modernization of the existing information security system in order to increase its security
  32. Diploma: Modernization of the existing system in order to improve information security
  33. Diploma: Ensuring information security in the implementation and operation of electronic payment processing systems
  34. Master's thesis: Increasing the level of information security of an enterprise through the implementation of an ACS
  35. Diploma: Development of an information security policy in a company
  36. Diploma: Ensuring information security in a commercial organization

How to choose a relevant thesis topic on information security: the relevance of such a topic, recommendations of experts, and examples of thesis topics.

Thesis topics on information security are usually associated with the study of the information security of automated systems, computer systems, and information and telecommunication systems.

The subject of such research is a threat or a group of information security threats whose realization can harm the system in question. When preparing the thesis, the system should be investigated and an attack realization algorithm built according to Figure 1.

Figure 1 - Algorithm for conducting analysis when writing a diploma on the topic of information security

The system of a specific enterprise or a geographically distributed network of an organization is chosen as the object of study.

The relevance of the choice thesis topics on information security is due to a wide range of threats to information security and the continuous growth in the number of intruders and the attacks they implement.

The most relevant topics of final qualifying works (WQR) and scientific research works (R&D), as well as topics of diplomas in information security can be shown in the following table.

  1. Development of the information security system of the system under study
  2. Risk analysis of the systems under study against which the identified information security threats are realized
  3. Designing an intrusion detection system (decoy information systems)
  4. Protection of information from identified information security threats
  5. Assessing the risks of realizing identified attacks on the system under study
  6. Development of a mathematical model of an intruder / of a detected information security attack
  7. Organization of personal data protection in the system under study
  8. Organization of confidential information protection in the system under study
  9. Analysis of information security threats in the enterprise or organization system under study
  10. Modernization of the existing information security system of the system under study
  11. Development of a protection profile for the enterprise under study
  12. Risk assessment of the spread of epidemic processes in social networks
  13. Risk management for identified information security attacks in the system under study
  14. Evaluation of the effectiveness of information protection means and methods in the enterprise
  15. Evaluation of the effectiveness of information protection measures in the system under study
  16. WRC: The use of DLP systems as a tool for ensuring company information security
  17. Thesis: Analysis and improvement of information security in the enterprise
  18. Research: Development of an information security policy using a computer company as an example
  19. Thesis: Automation and information security of warehouse accounting in a company
  20. Diploma: Development of an information security policy in a commercial bank
  21. Bachelor's thesis: Organization of information security of the electronic archive of documents for payments by the public
  22. Bachelor's final work: Development of a set of protective measures to ensure database information security
  23. Diploma: Development of regulations for an information security audit of a state budgetary institution
  24. Master's thesis: Development of a set of organizational measures to ensure information security and information protection
  25. Thesis: Modernization of the existing system in order to improve information security in a company
  26. Master's work: Increasing the level of security of a company's information security system
  27. Research work: Development and implementation of an information security system in a company
  28. Diploma: Development and implementation of an information security system in a transport company
  29. Thesis: Automation and information security of a Service Desk system
  30. Final qualification work: Development of an information security system for the LAN of an SEO company

Information security is usually understood as a set of measures that achieve the required level of protection of information, software and hardware against unauthorized access. Today the most common approach is comprehensive enterprise information protection, which combines all the methods and security tools that are available for implementation. Any thesis on information security will therefore analyze each of these kinds of protection in an information system, namely:

  • Physical means of protection: surveillance cameras, locking devices, doors, bars, metal cabinets, safes, etc., intended above all to create a physical barrier to an intruder;
  • Hardware means of protection: devices, sensors, detectors, scanners and encryption modules that help maintain data confidentiality and the security of systems and networks (most often applied to protecting information in local networks and to cryptographic protection of information);
  • Software means of protection: firewalls, anti-virus systems, packet filters, policy enforcement tools and other software that extends the capabilities of the standard security mechanisms. One point worth noting: for a thesis on developing a personal data protection system, hardware means deserve preference where cryptographic keys are involved, since key material held in dedicated hardware is harder to extract or tamper with than software alone;
  • Organizational means of protection: charters, rules and technical regulations for working with specific categories of data. The organization and technology of information protection here consist in all employees strictly complying with the regulations and requirements for handling data classified as "confidential" or "personal"; non-compliance entails disciplinary, administrative or criminal liability.

Of course, the data protection methods described above are not the only ones, but each of them plays an important role in the process of conducting an enterprise information security audit.

We highlight the key features that characterize almost all diplomas in information security:

  • A clearly identified and justified goal of the project, the high relevance of the ongoing research and a clear desired result based on the results of all work;
  • Correctly formulated main task, which contains a step-by-step list of all necessary actions that, if successfully completed, lead to the required final result;
  • Multiple selection available solutions task, taking into account all the requirements and conditions of data protection, further selection of the most appropriate (in terms of time and cost) possible option and justification of the choice made. The fundamental factor in this case is the efficiency and compliance with all data protection requirements;
  • Determination of the most accessible and understandable presentation of the outcome of the study for greater clarity in the process of speaking at the defense.

It follows that theses on enterprise information security are demanding and cover a wide variety of areas, and properly developing a personal data protection system requires solid theoretical and practical knowledge.
