Personal data in the banking sector. Security of personal data in the bank. General characteristics of sources of threats in personal data information systems

It has become especially topical for Russian divisions of foreign companies since Part 5 of Article 18 was added to 152-FZ “On Personal Data”: “... the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation”. The law contains a number of exceptions, but you must admit that in the event of an inspection by the regulator, you want stronger trump cards than “this does not concern us.”

The penalties for violators are very serious. Online stores, social networks, information sites and other Internet-based businesses may actually be shut down if supervisory authorities raise claims. It is possible that at the first inspection the regulator will grant time to eliminate the shortcomings, but that period is usually limited. If the problem is not resolved very quickly (which is hard to do without prior preparation), the losses cannot be compensated in any way. Blocking a site does not just pause sales; it means a loss of market share.

For offline companies, appearing on the “black list” of violators of the personal data law is less dramatic. But it entails reputational risks, which is a significant factor for foreign companies. In addition, there are now almost no types of activity left that are untouched by personal data protection. Banks, trade, even manufacturing: all of them have client databases, which means they are subject to the relevant laws.

It is also important to understand that the issue cannot be considered in isolation within the company. Personal data protection cannot be reduced to installing certified security tools on servers and locking paper cards in safes. Personal data has many entry points into the company: sales departments, HR, customer service, sometimes also training centers, purchasing commissions and other departments. Managing personal data protection is a complex process that affects IT, document flow, internal regulations and legal formalities.

Let's look at what it would take to run and maintain such a process.

What data is considered personal

Strictly speaking, any information that relates directly or indirectly to a specific individual is their personal data. Note that this concerns natural persons, not legal entities. It follows that a full name and residential address are enough to trigger the protection of this (and related) data. However, receiving an email with someone's personal data in the form of a signature and phone number is not yet a reason to protect it. The key concept is the “collection” of personal data. To clarify the context, I would like to highlight several articles of the Law “On Personal Data”.

Article 5. Principles for processing personal data. There must be clearly defined purposes that make it clear why the information is being collected. Otherwise, even with full compliance with all other rules and regulations, sanctions are likely.

Article 10. Special categories of personal data. For example, the HR department may record restrictions on business travel, including pregnancy of employees. Of course, such additional information is also subject to protection. This greatly expands the understanding of personal data, as well as the list of departments and information repositories of the company in which attention needs to be paid to protection.

Article 12. Cross-border transfer of personal data. If an information system with data on citizens of the Russian Federation is located in a country that has not ratified the Convention on the Protection of Personal Data (for example, in Israel), the provisions of Russian legislation should be adhered to.

Article 22. Notification of the processing of personal data. A prerequisite for not attracting undue attention from the regulator. If you conduct business activities involving personal data, report it yourself without waiting for an inspection.

Where personal data may be located

Technically, PD can be located anywhere, from printed media (paper files) to machine media (hard disks, flash drives, CDs, etc.). That is, the focus is on any data storage that falls under the definition of an ISPD (personal data information system).

Geography of location is a separate big issue. On the one hand, the personal data of Russians (individuals who are citizens of the Russian Federation) must be stored on the territory of the Russian Federation. On the other hand, at the moment this is more a direction in which the situation is developing than a fait accompli. Many international and export companies, holdings and joint ventures have historically had a distributed infrastructure, and this will not change overnight. The methods of storing and protecting personal data, by contrast, must be adjusted now, practically immediately.

Minimum list of departments involved in recording, systematization, accumulation, storage, clarification (updating, changing), retrieving personal data:

  • Personnel service.
  • Sales department.
  • Legal department.

Since there is rarely perfect order, in reality the most unexpected units can be added to this “expected” list. For example, a warehouse may keep personalized records of suppliers, or a security service may keep its own detailed records of everyone entering the premises. Note, by the way, that the set of personal data on employees may thus be supplemented with data on clients, partners, contractors, and also on occasional and even other people's visitors, whose personal data is collected when they are photographed for a pass, when an ID card is scanned, and in some other cases. ACS (access control and management systems) can easily become a source of problems in the context of personal data protection. Therefore, from the point of view of compliance with the Law, the answer to the question “Where?” is: everywhere in the territory concerned. A more precise answer can only be obtained by conducting a proper audit. This is the first stage of a personal data protection project. The full list of its key phases:

1) Audit of the current situation in the company.

2) Design of a technical solution.

3) Preparation of the process for the protection of personal data.

4) Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations.

5) Implementation of a technical solution.

6) Launching the process to protect personal data.

1. Audit of the current situation in the company

First of all, check with the HR department and other departments that use paper media with personal data:

  • Are there consent forms for the processing of personal data? Are they filled out and signed?
  • Is the “Regulation on the specifics of processing personal data carried out without the use of automation tools” (Government Decree No. 687 of September 15, 2008) observed?

Determine the geographic location of the ISPD:

  • In what countries are they located?
  • On what basis?
  • Are there agreements for their use?
  • What technological protection is used to prevent personal data leakage?
  • What organizational measures are taken to protect personal data?

Ideally, an information system with personal data of Russians should comply with all the requirements of Law 152-FZ “On Personal Data”, even if it is located abroad.

Finally, note the impressive list of documents that are required in the event of an inspection (this is not everything, just the main list):

  • Notification about PD processing.
  • A document identifying the person responsible for organizing the processing of personal data.
  • List of employees authorized to process personal data.
  • A document defining the storage location of PD.
  • Certificate on the processing of special and biometric categories of personal data.
  • Certificate of cross-border transfer of personal data.
  • Standard forms of documents with personal data.
  • Standard form of consent for personal data processing.
  • Procedure for transferring PD to third parties.
  • The procedure for recording requests from PD subjects.
  • List of personal data information systems (ISPD).
  • Documents regulating data backup in ISPD.
  • List of information security tools used.
  • The procedure for destroying personal data.
  • Access matrix.
  • Threat model.
  • Logbook of machine media containing PD.
  • A document defining the security level of each ISPD in accordance with PP-1119 (Government Decree No. 1119) of November 1, 2012 “On approval of requirements for the protection of personal data when processed in personal data information systems.”

2. Design of technical solution

A description of the organizational and technical measures that must be taken to protect personal data is given in Chapter 4, “Responsibilities of the operator”, of Law 152-FZ “On Personal Data”. The technical solution must be based on the provisions of Article 2 of Law 242-FZ of July 21, 2014.

But how can you comply with the law and process the personal data of citizens of the Russian Federation on Russian territory when the data source is still located abroad? There are several options:

  • Physically transfer the information system and database to the territory of the Russian Federation. If technically feasible, this is the simplest option.
  • Leave the PD abroad, but create a copy in Russia and set up one-way replication of the PD of Russian citizens from the Russian copy to the foreign one. At the same time, the foreign system must be prevented from modifying the personal data of citizens of the Russian Federation; all changes must be made only through the Russian ISPD.
  • There are several ISPDs and all of them are abroad. Transfer may be expensive or technically infeasible (for example, it is impossible to carve out the part of the database containing personal data of citizens of the Russian Federation and move it to Russia). In this case, the solution may be to create a new ISPD on any available platform on a server in Russia, from which one-way replication is carried out to each foreign ISPD. Note that the choice of platform remains with the company.

If the PD is not completely and exclusively transferred to Russia, do not forget to indicate in the certificate of cross-border data transfer to whom and exactly which set of PD is sent. The processing notification must state the purpose of the transfer of personal data. Again, this purpose must be legitimate and clearly justified.
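As an added illustration (not code from the article), the second and third options above modelled in Python: a Russian master ISPD replicates only RF-citizen PD one way to the foreign systems, each foreign system refuses direct changes to that data, and every replication is recorded per recipient with the exact field set, which is what the cross-border transfer certificate needs. The subjects, recipient systems and field sets are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    subject_id: int
    citizenship: str     # "RU" marks a citizen of the Russian Federation
    data: dict           # the PD attributes held for this subject


class ForeignISPD:
    """A foreign system that receives a filtered one-way copy from the Russian ISPD."""

    def __init__(self, name: str, fields: tuple):
        self.name = name
        self.fields = fields          # attribute set this recipient is allowed to receive
        self.records = {}

    def local_write(self, subject: Subject, data: dict) -> None:
        """Direct write on the foreign side: refused for PD of RF citizens."""
        if subject.citizenship == "RU":
            raise PermissionError(
                f"{self.name}: PD of RF citizen {subject.subject_id} is read-only here; "
                "change it in the Russian ISPD")
        self.records[subject.subject_id] = dict(data)

    def apply_replication(self, subject_id: int, data: dict) -> dict:
        """The only path by which RF-citizen PD reaches this system; extra fields are dropped."""
        self.records[subject_id] = {k: v for k, v in data.items() if k in self.fields}
        return self.records[subject_id]


class RussianISPD:
    """Master copy on RF territory; replicates RF-citizen PD one way to each foreign ISPD."""

    def __init__(self, replicas):
        self.subjects = {}
        self.replicas = list(replicas)
        self.transfer_register = []   # feeds the cross-border transfer certificate

    def update(self, subject: Subject) -> None:
        self.subjects[subject.subject_id] = subject
        if subject.citizenship != "RU":
            return                    # non-RF subjects are outside this channel
        for replica in self.replicas:
            sent = replica.apply_replication(subject.subject_id, subject.data)
            self.transfer_register.append({
                "recipient": replica.name,
                "subject_id": subject.subject_id,
                "fields": sorted(sent),   # "exactly which set of PD is sent", per recipient
            })


def demo() -> dict:
    """Constructed scenario: one Russian master and two foreign ISPDs (names are invented)."""
    crm_de = ForeignISPD("crm-de", ("full_name", "email"))
    hr_il = ForeignISPD("hr-il", ("full_name", "position"))
    master = RussianISPD([crm_de, hr_il])
    ivanova = Subject(1, "RU", {"full_name": "Ivanova A. A.", "email": "a@example.invalid",
                                "position": "analyst", "passport": "constructed-value"})
    master.update(ivanova)            # passport never leaves the Russian ISPD
    try:
        crm_de.local_write(ivanova, {"full_name": "changed abroad"})
        blocked = False
    except PermissionError:
        blocked = True
    # A non-RF subject may still be maintained locally by the foreign system.
    hr_il.local_write(Subject(2, "DE", {"full_name": "Mueller K."}), {"full_name": "Mueller K."})
    return {
        "crm_de_record": crm_de.records[1],
        "hr_il_record": hr_il.records[1],
        "foreign_write_blocked": blocked,
        "register": master.transfer_register,
        "hr_il_has_local_non_rf": 2 in hr_il.records,
    }
```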

3. Preparation of the process for the protection of personal data

The personal data protection process should determine at least the following points:

  • List of those responsible for processing personal data in the company.
  • The procedure for granting access to the ISPD. Ideally, this is an access matrix with an access level for each position or specific employee (read / read-write / modify), or a list of the personal data available to each position. It all depends on the implementation of the information system and the company's requirements.
  • Auditing of access to personal data and analysis of access attempts that violate the assigned access levels.
  • Analysis of the reasons for the unavailability of personal data.
  • The procedure for responding to requests from PD subjects regarding their PD.
  • Revision of the list of personal data that is transferred outside the company.
  • Review of recipients of personal data, including abroad.
  • Periodic review of the threat model for personal data, as well as changes in the level of protection of personal data in connection with changes in the threat model.
  • Keeping company documents up to date (the list is above, and it can be supplemented if necessary).

Each point could be detailed here, but I would like to pay special attention to the level of security. It is determined on the basis of the following documents (read them in order):

1. “Methodology for identifying current threats to the security of personal data when processed in personal data information systems” (FSTEC of Russia, February 14, 2008).

2. Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”

3. FSTEC Order No. 21 of February 18, 2013 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems.”

Also, do not forget to consider the need for such expense categories as:

  • Organization of the project team and project management.
  • Developers for each of the ISPD platforms.
  • Server capacity (own or rented in a data center).

By the end of the second and third stages of the project you should have:

  • Cost calculation.
  • Quality requirements.
  • Project deadlines and schedule.
  • Technical and organizational risks of the project.

4. Checking the technical solution and process for protecting personal data for compliance with the legislation of the Russian Federation and company regulations

A short but important stage, during which you need to make sure that all planned actions do not contradict the legislation of the Russian Federation and company rules (for example, security policies). If this is not done, a bomb will be placed in the foundation of the project, which can “explode” in the future, destroying the benefits of the results achieved.

5. Implementation of a technical solution

Everything here is more or less obvious. The specifics depend on the initial situation and the decisions taken. But in general the picture should look something like this:

  • Server capacity has been allocated.
  • Network engineers have provided sufficient channel capacity between the PD source and destination.
  • The developers have set up replication between the ISPD databases.
  • Administrators have blocked changes to the ISPDs located abroad.

The person responsible for personal data protection and the “process owner” may be the same person or different people. The essential point is that the “process owner” must prepare all the documentation and organize the entire personal data protection process. To do this, all interested parties must be notified, employees must be briefed, and the IT service must support the implementation of technical data protection measures.

6. Launching the process to protect personal data

This is an important step, and in a sense the goal of the entire project is to make control a routine, continuous activity. Besides technical solutions and regulatory documentation, the role of the process owner is critical here. He must monitor changes not only in legislation but also in the IT infrastructure. This means appropriate skills and competencies are required.

In addition, which is critically important in real work conditions, the owner of the process for protecting personal data needs all the necessary powers and administrative support from the company’s management. Otherwise, he will be an eternal “supplicant” to whom no one pays attention, and after some time the project can be restarted, starting again with the audit.

Nuances

A few points that are easy to overlook:

  • If you work with a data center, you need a service agreement for the provision of server capacity, according to which your company stores data legally and controls it.
  • You need licenses for the software that is used to collect, store and process personal data, or lease agreements.
  • If the ISPD is located abroad, an agreement is required with the company that owns the system there - to guarantee compliance with the legislation of the Russian Federation in relation to the personal data of Russians.
  • If personal data is transferred to a contractor of your company (for example, an IT outsourcing partner), then in the event of a personal data leak from the outsourcer, you will be liable for the claims. In turn, your company may file claims against the outsourcer. This factor may well influence the decision to outsource at all.

And once again, the most important thing: personal data protection cannot simply be “ensured” once. It is a process, an ongoing iterative process that depends heavily on further changes in legislation, as well as on the form and rigor with which these rules are applied in practice.

INTRODUCTION

Relevance. In the modern world, information is becoming a strategic resource and one of the main assets of an economically developed state. The rapid advance of informatization in Russia and its penetration into all spheres of vital interest to the individual, society and the state has brought, alongside undoubted advantages, a number of significant problems. One of them is the need to protect information. Given that economic potential is now increasingly determined by the level of development of the information infrastructure, the potential vulnerability of the economy to information influences is growing proportionally.

The spread of computer systems and their combination into communication networks increases the opportunities for electronic penetration into them. The problem of computer crime in all countries of the world, regardless of geographical location, requires ever more public attention and effort to organize the fight against this type of crime. Crimes in automated banking systems and e-commerce have become especially widespread. According to foreign data, bank losses from computer crimes amount to many billions of dollars annually. Although the level of adoption of the latest information technologies in Russia is not yet so high, computer crimes make themselves felt more and more every day, and protecting the state and society from them has become a top-priority task for the competent authorities.

No one doubts the relevance of the issue of personal data protection. This is primarily due to the deadline set for bringing personal data information systems (PDIS) into compliance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data.” This deadline is inexorably approaching, and at the same time the obvious difficulty of fulfilling the requirements of the regulatory guidance documents provokes much controversy and ambiguous interpretation. The secrecy of some governing documents, their uncertain legal status and a number of other issues do not help to solve the problem either. All this creates a situation in which the regulatory framework has not been finalized, yet legal requirements must be complied with now.

In May 2009, the first meeting of the working group on personal data was held at the ARB. During an open discussion at the event, the problem areas of concern to the banking community were quite clearly identified. They mainly concerned the technical protection of personal data and future interaction between financial institutions and FSTEC. Representatives of the Bank of Russia presented their developments in organizing the implementation of the law “On Personal Data”. The Bank of Russia's attempts to find a compromise with regulators on the wording of technical requirements for the banking community can be called fundamentally new and important. I would especially like to note the activity of the Central Bank of the Russian Federation in working with the FSTEC of Russia. Given the enormous difficulties in fulfilling the requirements of the FSTEC guidance documents, the Bank of Russia decided to prepare its own (draft) documents, which are currently being agreed with the FSTEC. It can be assumed that a new industry standard for financial institutions on personal data is highly likely to emerge.

The purpose of this course work is to study ways of protecting personal data in online banking systems.

To achieve the goal, the following tasks were solved:

studying approaches and basic principles of ensuring security;

determination of methods and means of ensuring security;

identifying features of ensuring the security of personal data in online banking systems;

development of measures to ensure the security of personal data in online banking systems.

The object of study is banking information systems.

The subject of the study is the security of personal information in online banking systems.

The theoretical and methodological basis of the study was based on theoretical principles, the work of scientists, and research by specialists on information provision issues.

The methodological basis of the course work was a systematic approach to the study of security problems.

Logical, comparative legal, and systemic analysis were used. In addition, the method of structural analysis used allows us to study with the necessary care the individual components of the phenomenon under study and analyze the relationship of these elements with each other, as well as with the overall whole.

1. Theoretical aspects of personal data protection in online banking systems

1.1 Approaches, principles of security

Ensuring the security of information systems means measures that protect an information system from accidental or intentional interference in its operating modes.

There are two fundamental approaches to ensuring computer security.

The first is the fragmented approach, which focuses on countering strictly defined threats under certain conditions (for example, specialized anti-virus tools, stand-alone encryption tools, etc.). This approach has advantages, namely a high degree of selectivity in relation to a strictly defined problem, and disadvantages, namely the fragmentation of protection into strictly defined elements.

The information security management process includes the components presented in Fig. 1.

The second approach is systemic. Its distinguishing feature is that information protection is treated on a larger scale: a secure environment for processing, storing and transmitting information is created that combines heterogeneous methods and means of countering threats: software and hardware, legal, organizational and economic. Through such a secure environment, a certain level of security of the automated information system can be guaranteed.

A systematic approach to information protection is based on the following methodological principles:

final goal - the absolute priority of the final (global) goal;

unity - joint consideration of the system as a whole and as a collection of parts (elements);

connectivity - consideration of any part of the system together with its connections with the environment;

modular construction - identifying modules in the system and considering it as a set of modules;

hierarchy - introducing a hierarchy of parts (elements) and their ranking;

functionality - joint consideration of structure and function with priority of function over structure;

development - taking into account the variability of the system, its ability to develop, expand, replace parts, accumulate information;

decentralization - combinations of centralization and decentralization in decisions made and management;

uncertainty - taking into account uncertainties and contingencies in the system.

Modern researchers identify the following methodological, organizational and implementation principles of information (including computer) security.

The principle of legality. It consists in following current legislation in the field of information security.

The principle of uncertainty. Arises due to the ambiguity of the subject’s behavior, i.e. who, when, where and how can violate the security of the protected object.

The principle of the impossibility of creating an ideal protection system. It follows from the principle of uncertainty and from the limited resources available for protection.

The principles of minimal risk and minimal damage stem from the impossibility of creating an ideal protection system. In accordance with them, the specific conditions in which the object of protection exists at any given moment must be taken into account.

The principle of safe time. It involves taking into account absolute time, i.e. the period during which the objects of protection must be preserved, and relative time, i.e. the period from the moment malicious actions are detected until the attacker achieves his goal.

The principle of “protecting everyone from everyone.” It involves the organization of protective measures against all forms of threats to the objects of protection, which is a consequence of the principle of uncertainty.

The principle of personal responsibility. It assumes the personal responsibility of each employee of an enterprise, institution or organization for compliance with the security regime within the framework of their powers, functional responsibilities and current instructions.

The principle of limitation of powers. It involves limiting the powers of a subject to familiarize himself with information to which access is not required for the normal performance of his functional duties, as well as the introduction of a ban on access to objects and areas in which stay is not required by the nature of his activity.

The principle of interaction and cooperation. Internally, it involves cultivating trusting relationships between employees responsible for security (including information security) and personnel. In external manifestation - establishing cooperation with all interested organizations and individuals (for example, law enforcement agencies).

The principle of comprehensiveness and individuality. It implies that the security of the object of protection cannot be ensured by any single measure, but only by a set of comprehensive, interconnected and overlapping measures, implemented with reference to the specific conditions.

The principle of successive lines of defense. It involves the earliest possible notification of an encroachment on the security of a particular protected object or of another adverse incident, in order to increase the likelihood that an early alarm from the protective equipment will give the employees responsible for security the opportunity to determine the cause of the alarm in time and organize effective countermeasures.

The principles of equal strength and equivalence of protection lines. Equal strength implies the absence of unprotected areas within the protection lines. Equivalence presupposes a relatively equal degree of protection of the lines, in accordance with the degree of threat to the protected object.

Methods for ensuring information security at an enterprise are the following:

An obstacle is a method of physically blocking an attacker’s path to protected information (equipment, storage media, etc.).

Access control is a method of protecting information by regulating the use of all resources of an enterprise's automated information system. Access control includes the following security features:

identification of users, personnel and resources of the information system (assigning a personal identifier to each object);

authentication (establishing the authenticity) of an object or subject using the identifier presented by it;

verification of authority (checking compliance of the day of the week, time of day, requested resources and procedures with the established regulations);

registration of requests to protected resources;

response (alarm, shutdown, delay of work, refusal of a request when attempting unauthorized actions).
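An added example (not from either text) in Python that implements the five access-control functions just listed: identification, authentication, verification of authority against a position-based access matrix (read / read-write / modify) with day-of-week and time-of-day limits, registration of every request, and a response (grant, refusal, lockout). The refused attempts are summarized per user for the kind of violation analysis the process description earlier on this page calls for. Positions, users, passwords and schedules are constructed sample data.

```python
import hashlib
import hmac
import os
from datetime import datetime

# Access levels as in the access-matrix description (read / read-write / modify).
LEVELS = {"read": 1, "read-write": 2, "modify": 3}

# Constructed access matrix: position -> ISPD -> (max level, weekdays, hours).
# Weekdays follow datetime.weekday() (0 = Monday); hours are a half-open [start, end) range.
ACCESS_MATRIX = {
    "hr_specialist": {"hr_ispd": ("read-write", range(0, 5), (8, 19))},
    "sales_manager": {"crm_ispd": ("read-write", range(0, 6), (7, 22))},
    "legal_counsel": {
        "hr_ispd": ("read", range(0, 5), (9, 18)),
        "crm_ispd": ("read", range(0, 5), (9, 18)),
    },
}


def _password_hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low for the example; raise it in real use.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self, max_failures: int = 3):
        self.users = {}            # identifier -> position, salt, password hash, failure count
        self.log = []              # registration of every request to a protected resource
        self.max_failures = max_failures

    def register_user(self, user_id: str, position: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {"position": position, "salt": salt,
                               "pw_hash": _password_hash(password, salt), "failures": 0}

    def request(self, user_id, password, ispd, level, when: datetime) -> bool:
        """Run the five access-control functions for one request; True if granted."""
        user = self.users.get(user_id)                                # 1. identification
        if user is None:
            return self._respond(user_id, ispd, level, when, "unknown identifier")
        if user["failures"] >= self.max_failures:
            return self._respond(user_id, ispd, level, when, "account locked")
        presented = _password_hash(password, user["salt"])           # 2. authentication
        if not hmac.compare_digest(presented, user["pw_hash"]):
            user["failures"] += 1
            return self._respond(user_id, ispd, level, when, "authentication failed")
        user["failures"] = 0
        rule = ACCESS_MATRIX.get(user["position"], {}).get(ispd)     # 3. verification of authority
        if rule is None:
            return self._respond(user_id, ispd, level, when, "position has no access to this ISPD")
        max_level, weekdays, (start, end) = rule
        if LEVELS[level] > LEVELS[max_level]:
            return self._respond(user_id, ispd, level, when, "requested level exceeds access matrix")
        if when.weekday() not in weekdays or not start <= when.hour < end:
            return self._respond(user_id, ispd, level, when, "outside permitted schedule")
        return self._respond(user_id, ispd, level, when, None)

    def _respond(self, user_id, ispd, level, when, denial) -> bool:
        # 4. registration of the request, then 5. response (grant or refusal).
        self.log.append({"user": user_id, "ispd": ispd, "level": level,
                         "time": when.isoformat(), "granted": denial is None, "reason": denial})
        return denial is None

    def violations_by_user(self) -> dict:
        """Audit: count refused attempts per identifier for the access-violation analysis."""
        counts = {}
        for entry in self.log:
            if not entry["granted"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    ac = AccessControl()
    ac.register_user("ivanova", "hr_specialist", "correct horse")
    ac.register_user("petrov", "legal_counsel", "battery staple")
    tuesday = datetime(2024, 3, 12, 10, 0)
    saturday = datetime(2024, 3, 16, 10, 0)
    results = {
        "hr_rw_weekday": ac.request("ivanova", "correct horse", "hr_ispd", "read-write", tuesday),
        "hr_modify": ac.request("ivanova", "correct horse", "hr_ispd", "modify", tuesday),
        "hr_saturday": ac.request("ivanova", "correct horse", "hr_ispd", "read-write", saturday),
        "legal_read_crm": ac.request("petrov", "battery staple", "crm_ispd", "read", tuesday),
        "legal_write_crm": ac.request("petrov", "battery staple", "crm_ispd", "read-write", tuesday),
    }
    for _ in range(3):                                   # three bad passwords -> lockout
        ac.request("petrov", "wrong", "hr_ispd", "read", tuesday)
    results["legal_after_lockout"] = ac.request("petrov", "battery staple", "hr_ispd", "read", tuesday)
    results["violations"] = ac.violations_by_user()
    return results
```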

Masking is a method of protecting information in an enterprise's automated information system by cryptographically transforming it.

Regulation is a method of information protection that creates conditions for automated processing, storage and transmission of information under which the possibility of unauthorized access to it would be minimized.

Coercion is a method of protecting information in which users and system personnel are forced to comply with the rules for the processing, transfer and use of protected information under the threat of material, administrative and criminal liability.

Incentive is a method of information security that encourages users and system personnel not to violate established rules by complying with established moral and ethical standards.

The above methods of ensuring information security are implemented using the following basic means: physical, hardware, software, hardware-software, cryptographic, organizational, legislative and moral and ethical.

Physical means of protection are intended for external protection of the territory of objects, protection of components of an automated information system of an enterprise and are implemented in the form of autonomous devices and systems.

Hardware protection means are electronic, electromechanical and other devices directly built into blocks of an automated information system or designed as independent devices and interfaced with these blocks. They are designed for internal protection of structural elements of computer equipment and systems: terminals, processors, peripheral equipment, communication lines, etc.

Software protection tools are designed to perform logical and intelligent protection functions and are included either in the software of the automated information system or in the means, complexes and control equipment systems.

Information security software is the most common type of protection, having the following positive properties: versatility, flexibility, ease of implementation, possibility of change and development. This circumstance makes them at the same time the most vulnerable elements of protecting an enterprise’s information system.

Hardware-software protection means are means in which the software (firmware) and hardware parts are completely interconnected and inseparable.

Cryptographic means are means of protection by transforming information (encryption).

Organizational means - organizational, technical and organizational and legal measures to regulate the behavior of personnel.

Legislative means are legal acts of the country that regulate the rules for the use, processing and transmission of restricted access information and that establish penalties for violating these rules.

Moral and ethical means - norms, traditions in society, for example: Code of Professional Conduct for Members of the Computer Users Association in the USA.

1.2 Security methods and means

Various encryption mechanisms are used to implement security measures. What are these methods used for? Initially, when sending data (text, speech or drawing), it is unprotected, or, as experts call it, open. Open data can easily be intercepted by other users (intentionally or not). If there is a goal to prevent certain information from reaching third parties, such data is encrypted. The user to whom the specified information is intended then decrypts it using the inverse transformation of the cryptogram, receiving the data in the form he needs.

Encryption can be symmetric (one secret key is used for both encryption and decryption) or asymmetric (a public key is used for encryption and a separate private key for decryption; knowing one of them does not allow you to determine the other).

Security mechanisms include:

1) Digital signature mechanisms are based on asymmetric encryption algorithms and consist of two procedures: formation of the signature by the sender and its verification by the recipient. When forming the signature, the sender either encrypts the data block or supplements it with a cryptographic checksum (a hash of the block), in both cases using the sender's private key. The recipient verifies the signature with the sender's public key, which establishes both the authorship and the integrity of the block.

2) Access control mechanisms check the authority of programs and users to access network resources. When a resource is accessed over a connection, the check is performed at the point of origin, at intermediate points and at the end point.

3) Data integrity mechanisms apply both to an individual block and to a data stream. The sender supplements the transmitted block with a cryptographic checksum, and the recipient compares it with the value computed over the received block; a discrepancy indicates distortion of the block. For a stream, sequence numbers or timestamps are added so that deletion, reordering and replay of blocks are also detected.

4) Traffic padding mechanisms. Objects of the AIS (automated information system) generate dummy blocks, encrypt them and transmit them over the network channels together with real traffic. This neutralizes the possibility of obtaining information by observing the external characteristics (volume, timing) of the flows circulating over the communication channels.

5) Routing control mechanisms select the routes along which information moves through the communication network so that secret information is never passed through unsafe, physically unreliable channels.

6) Notarization (arbitration) mechanisms provide third-party confirmation of the characteristics of data exchanged between entities. For this, the information sent or received by the objects passes through an arbiter (notary), which later enables it to confirm those characteristics.
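The symmetric/asymmetric distinction and mechanisms 1) and 3) above, as an example added here by the editor (not code from the original work). It uses only the Go standard library: AES-256-GCM for the one-secret-key case and its inverse transformation, HMAC-SHA256 as the keyed cryptographic checksum of the integrity mechanism, and Ed25519 for the sender-signs, recipient-verifies procedure of the digital signature. The payment order and account numbers are constructed sample data, and the function names and key handling are the editor's assumptions, not part of any real banking system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM cipher; the key length (16, 24 or 32 bytes)
// selects AES-128/192/256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// symmetricEncrypt is the one-secret-key case. The cryptogram is
// nonce || ciphertext || authentication tag.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricDecrypt is the inverse transformation with the same key; GCM also
// rejects a cryptogram whose ciphertext or tag was altered in transit.
func symmetricDecrypt(key, cryptogram []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(cryptogram) < gcm.NonceSize() {
		return nil, errors.New("cryptogram shorter than nonce")
	}
	nonce, sealed := cryptogram[:gcm.NonceSize()], cryptogram[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// integrityTag is the "cryptographic checksum" of the integrity mechanism:
// HMAC-SHA256 over the block under a key shared by sender and recipient.
func integrityTag(key, block []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(block)
	return mac.Sum(nil)
}

// integrityCheck recomputes the tag on the receiving side; a mismatch means the
// block was distorted. hmac.Equal compares in constant time.
func integrityCheck(key, block, tag []byte) bool {
	return hmac.Equal(integrityTag(key, block), tag)
}

// signBlock is the sender's procedure: the signature is formed with the
// sender's private key (Ed25519 hashes the block internally).
func signBlock(priv ed25519.PrivateKey, block []byte) []byte {
	return ed25519.Sign(priv, block)
}

// verifyBlock is the recipient's procedure: verification with the sender's
// public key, which cannot be used to produce signatures.
func verifyBlock(pub ed25519.PublicKey, block, sig []byte) bool {
	return ed25519.Verify(pub, block, sig)
}

func main() {
	// Constructed sample data: a payment order with made-up account numbers.
	order := []byte(`{"payer":"40702810000000000001","payee":"40817810000000000002","amount":"12500.00"}`)
	forged := []byte(`{"payer":"40702810000000000001","payee":"40817810000000000002","amount":"92500.00"}`)

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, _ := symmetricEncrypt(key, order)
	pt, err := symmetricDecrypt(key, ct)
	fmt.Println("symmetric round trip:", err == nil && string(pt) == string(order))

	tag := integrityTag(key, order)
	fmt.Println("checksum on original:", integrityCheck(key, order, tag))
	fmt.Println("checksum on forged:  ", integrityCheck(key, forged, tag))

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signBlock(priv, order)
	fmt.Println("signature on original:", verifyBlock(pub, order, sig))
	fmt.Println("signature on forged:  ", verifyBlock(pub, forged, sig))
}
```

Note what each mechanism proves and to whom: the GCM tag and the HMAC both require the recipient to hold the same secret key, so they demonstrate integrity only to a party that could have produced the tag itself; the Ed25519 signature is verified with a public key that cannot produce signatures, which is what makes it usable as evidence toward third parties, as the notarization mechanism above requires.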

The main disadvantages of the security system of economic facilities are:

- a narrow, unsystematic understanding of the problem of facility security;

- neglect of threat prevention, working on the principle "once a threat has appeared, we start eliminating it";

- incompetence in the economics of security, inability to compare costs and results;

- "technocratism" of managers and security specialists, interpreting every task in the language of the area familiar to them.

As a conclusion from the first chapter of the work, we note the following. Ensuring the security of information systems means a set of measures by which an information system is protected from accidental or intentional interference in its operating modes. There are two main approaches to security: 1) the fragmentary approach, in which particular threats are countered under particular conditions; and 2) the systemic approach, in which a secure environment for processing, storing and transmitting information is created by combining different methods and means of countering threats. Various means and mechanisms are used to protect information, including encryption, digital signature, access control and traffic padding.


2. Features of ensuring the security of personal data in online banking systems

2.1. General conditions for ensuring the security of personal data in online banking systems

Protection of personal information is the state of security of the information and of its supporting infrastructure (computers, communication lines, power supply systems, etc.) against accidental or intentional impacts that could cause damage to the owners or users of this information.

Information security of accounting data also means: assured reliability of the computer; preservation of valuable accounting data; protection of personal information from modification by unauthorized persons; and preservation of documented accounting data in electronic communications.

Objects of information security in accounting are information resources containing information classified as a trade secret and confidential information; as well as information technology tools and systems.

The owner of information resources, information systems, technologies and means of supporting them is the entity that exercises ownership and use of these objects and exercises the powers of disposal within the limits established by law.

An information user is a subject who turns to an information system or intermediary to obtain the information he needs and uses it.

Information resources are individual documents and individual arrays of documents, documents and arrays of documents in information systems.

A threat to information security is a potentially possible action which, through its impact on the components of the information system, can cause damage to the owners of information resources or to users of the system.

The legal regime of information resources is determined by the rules establishing:

the procedure for documenting information;

ownership of individual documents and individual arrays of documents, and of documents and arrays of documents in information systems;

the category of information by level of access to it;

the procedure for legal protection of information.

The main principle violated when a threat is realized in accounting is the principle of documenting information. An accounting document produced by an automated accounting information system acquires legal force only after it is signed by an official in the manner established by the legislation of the Russian Federation.

The whole set of potential threats in accounting can be divided by the nature of their origin into two classes: natural (objective) and artificial (man-made).

Natural threats are caused by objective reasons, usually beyond the accountant's control, that lead to the complete or partial destruction of the accounting system together with its components. Such natural phenomena include earthquakes, lightning strikes, fires, etc.

Man-made threats are related to human activity. They are divided into unintentional threats, caused by employees' errors due to inattention, fatigue, illness, etc. (for example, an accountant entering data may press the wrong key, make unintentional mistakes in a program, introduce a virus, or accidentally disclose passwords), and intentional threats.

Intentional threats are associated with the selfish aims of people, attackers, who deliberately create false documents.

Security threats can be divided by their target into the following groups:

threats of penetration into accounting databases and the programs that process them, and of reading their data;

threats to the preservation of accounting data, leading either to their destruction or to their modification, including falsification of payment documents (payment requests, payment orders, etc.);

threats to data availability, which arise when a user cannot obtain access to accounting data;

threats of repudiation of operations, when one user sends a message to another and later denies the data transmitted.

Information processes are the processes of collecting, processing, accumulating, storing, searching and distributing information.

An information system is an organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer and communication technology, that implement information processes.

Documentation of information is carried out in the manner established by government bodies responsible for organizing office work, standardizing documents and their arrays, and security of the Russian Federation.

Depending on the source of threats, they can be divided into internal and external.

The source of internal threats is the activity of the organization's own personnel. External threats come from outside: from employees of other organizations, from hackers and from other individuals.

External threats can be divided into:

local, which involve the intruder entering the organization’s territory and gaining access to a separate computer or local network;

remote threats are typical for systems connected to global networks (Internet, SWIFT international banking system, etc.).

Such threats arise most often in electronic payment systems, when settlements between suppliers and buyers are made and when the Internet is used for payments. The sources of such attacks may be located thousands of kilometers away, and they affect not only the computers but also the accounting information.

Intentional and unintentional errors in accounting leading to an increase in accounting risk are the following: errors in recording accounting data; incorrect codes; unauthorized accounting transactions; violation of control limits; missed accounts; errors in data processing or output; errors in the formation or correction of directories; incomplete accounts; incorrect assignment of records to periods; data falsification; violation of regulatory requirements; violation of personal policy principles; discrepancy between the quality of services and user needs.

Particularly sensitive is information that constitutes a trade secret and relates to personal and reporting data (data about partners, clients and banks, analytical information about market activity). For such information to be protected, agreements must be concluded with employees of the accounting, financial and other economic departments listing the information that is not subject to disclosure.

Information protection in automated accounting systems is based on the following basic principles.

Ensuring physical separation of areas intended for processing classified and unclassified information.

Cryptographic protection of information.

Authentication of subscribers and subscriber stations.

Differentiation of the access of subjects and their processes to information.

Establishing the authenticity and integrity of documentary messages when they are transmitted over communication channels.

Protection of the equipment and technical means of the system, and of the premises where they are located, from leakage of confidential information through technical channels.

Protection of the cryptographic technology, equipment, hardware and software from information leakage caused by hardware and software implants (backdoors).

Control of the integrity of the software and data of the automated system.

Use of only domestically developed protection mechanisms.

State information resources of the Russian Federation are open and publicly accessible. The exception is documented information that the law classifies as restricted access. Documented restricted-access information is divided, according to its legal regime, into information classified as a state secret and confidential information. The list of confidential information, including information related to commercial activity, is established by Decree of the President of the Russian Federation of March 6, 1997 No. 188 (Appendix No.).

Ensuring organizational and regime protection measures. It is advisable to use additional measures to ensure communication security in the system.

Organizing the protection of information about the intensity, duration and traffic of information exchange.

Using channels and methods to transmit and process information that make interception difficult.

Protecting information from unauthorized access is aimed at ensuring three main properties of the protected information:

confidentiality (restricted information must be accessible only to those for whom it is intended);

integrity (information on the basis of which important decisions are made must be reliable, accurate and fully protected from possible unintentional and malicious distortion);

availability (information and the related information services must be accessible and ready to serve stakeholders whenever they are needed).

Methods for protecting personal information are: obstacles, access control, camouflage (masking), regulation, coercion and inducement.

An obstacle is a method of physically blocking an intruder's path to protected personal information. It is implemented by the enterprise's access control regime, including security at the entrance and barring unauthorized persons from the accounting department, the cash desk, etc.

Access control is a method of protecting personal and reporting information that is implemented through:

identification and authentication: establishing the authenticity of an object or subject from the identifier it presents (the entered identifier, together with the secret that confirms it, is compared with the value stored in computer memory);

authority checks (authorization): verifying that the requested resources and operations correspond to the resources allocated to the subject and the procedures permitted to it;

registration (logging) of requests to protected resources, including refused ones;

informing about, and responding to, attempts at unauthorized actions.

Camouflage is implemented by cryptographic means, that is, by protecting information through its transformation (encryption).

In the BEST-4 complex, access to information is restricted at the level of individual subsystems and is ensured by setting separate access passwords. During initial setup or at any time while working with the program, the system administrator can set or change one or more passwords. The password is requested each time the subsystem is entered.

In addition, some modules have their own system for restricting access to information. It allows each menu item to be protected with a separate password. Passwords can also protect access to individual subsets of primary documents: for example, in the workstations "Inventory accounting in a warehouse" and "Accounting for goods and products" access passwords can be set for each warehouse separately, in the workstation "Cash transactions accounting" for each cash register, and in the workstation "Accounting for settlements with the bank" for each bank account.

It should be emphasized that, for access restriction to be effective, the mode in which passwords for the individual blocks are set must itself be password-protected first; otherwise any user could reset or remove the passwords that protect the other blocks.

1C:Enterprise version 7.7 has its own information protection in the form of access rights. To differentiate user access to information when working with 1C:Enterprise on a network of personal computers, the system configurator allows the rights to work with the information processed by the system to be set for each user. Rights can be set over a fairly wide range, from the ability only to view certain types of documents to a full set of rights to enter, view, correct and delete any type of data.

Access rights are assigned to a user in two stages. At the first stage, standard sets of rights to work with information are created, which differ, as a rule, in the breadth of access they grant. At the second stage, one of these standard sets is assigned to the user.

All work on creating standard sets of rights is done on the "Rights" tab of the "Configuration" window. This window is opened by selecting the "Open configuration" item from the "Configuration" menu of the program's main menu.
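The two-stage rights model above, together with the access control method described earlier (authentication, authority checks, registration of requests, and protecting the mode that sets rights or passwords itself), as an example added here by the editor, not code from 1C:Enterprise or BEST-4. The document types, user names, passwords and standard rights sets are hypothetical, and only the Go standard library is used; the salted SHA-256 password check is for illustration, a production system would use a slow password hash.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

type Operation string

const (
	OpView         Operation = "view"
	OpEnter        Operation = "enter"
	OpCorrect      Operation = "correct"
	OpDelete       Operation = "delete"
	OpManageRights Operation = "manage-rights" // guards the rights-setting mode itself
)

// RightsSet maps a document type to the operations permitted on it.
type RightsSet map[string]map[Operation]bool

// Stage 1: standard sets of rights. Document type names are hypothetical.
var standardSets = map[string]RightsSet{
	"viewer":   {"payment-order": {OpView: true}},
	"operator": {"payment-order": {OpView: true, OpEnter: true, OpCorrect: true}},
	"administrator": {
		"payment-order": {OpView: true, OpEnter: true, OpCorrect: true, OpDelete: true},
		"configuration": {OpManageRights: true},
	},
}

// account stores a salted SHA-256 of the password; production code should use bcrypt or Argon2.
type account struct{ salt, hash []byte; rightsSet string }

// AuditRecord is one entry of the registration log: every request, allowed or refused.
type AuditRecord struct{ When time.Time; User, DocType string; Op Operation; Allowed bool }

type Directory struct{ accounts map[string]*account; Audit []AuditRecord }

func NewDirectory() *Directory { return &Directory{accounts: map[string]*account{}} }

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser bootstraps an account; a real system exposes this only to an administrator.
func (d *Directory) AddUser(login, password, rightsSet string) error {
	if _, ok := standardSets[rightsSet]; !ok {
		return fmt.Errorf("unknown rights set: %s", rightsSet)
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	d.accounts[login] = &account{salt: salt, hash: hashPassword(salt, password), rightsSet: rightsSet}
	return nil
}

// Authenticate compares the presented secret with the stored one in constant time.
func (d *Directory) Authenticate(login, password string) bool {
	a, ok := d.accounts[login]
	return ok && subtle.ConstantTimeCompare(hashPassword(a.salt, password), a.hash) == 1
}

// Authorize is the authority check. Missing map keys read as false, so an
// unknown user, document type or operation is denied by default.
func (d *Directory) Authorize(login, docType string, op Operation) bool {
	a, ok := d.accounts[login]
	allowed := ok && standardSets[a.rightsSet][docType][op]
	d.Audit = append(d.Audit, AuditRecord{time.Now(), login, docType, op, allowed})
	return allowed
}

// Stage 2: assign a standard set to a user. The actor must hold manage-rights,
// so the rights-setting mode is protected like any other resource.
func (d *Directory) AssignRightsSet(actor, login, rightsSet string) error {
	if !d.Authorize(actor, "configuration", OpManageRights) {
		return fmt.Errorf("access denied: %s may not change rights", actor)
	}
	a, ok := d.accounts[login]
	if _, known := standardSets[rightsSet]; !ok || !known {
		return fmt.Errorf("no such user or rights set")
	}
	a.rightsSet = rightsSet
	return nil
}

func main() {
	d := NewDirectory()
	_ = d.AddUser("admin", "correct horse", "administrator")
	_ = d.AddUser("ivanova", "battery staple", "viewer")
	fmt.Println("ivanova authenticates:", d.Authenticate("ivanova", "battery staple"))
	fmt.Println("viewer enters an order:", d.Authorize("ivanova", "payment-order", OpEnter))
	fmt.Println("viewer promotes herself:", d.AssignRightsSet("ivanova", "ivanova", "administrator"))
	fmt.Println("admin makes her operator:", d.AssignRightsSet("admin", "ivanova", "operator"))
	fmt.Println("operator enters an order:", d.Authorize("ivanova", "payment-order", OpEnter))
	fmt.Printf("%d requests registered, last: %+v\n", len(d.Audit), d.Audit[len(d.Audit)-1])
}
```

The registration log grows on every Authorize call, refused or not, which is what lets an administrator notice a viewer repeatedly trying to enter documents or to reach the rights-setting mode.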

2.2 A set of measures to ensure the security of personal data in online banking systems

The justification for a set of measures to ensure the security of personal data in the ISPD is carried out taking into account the results of assessing the danger of threats and determining the class of ISPD based on the “Basic measures for the organization and technical support of the security of personal data processed in personal data information systems.”

In this case, measures should be determined for:

identifying and closing technical channels of personal data leakage in the information system;

protection of personal data from unauthorized access and unlawful actions;

installation, configuration and use of protective equipment.

Measures to identify and close technical channels of personal data leakage in the information system are formulated based on the analysis and assessment of threats to personal data security.

Measures to protect personal data during their processing in ISPD from unauthorized access and unlawful actions include:

access control;

registration and accounting;

ensuring integrity;

control of the absence of undeclared capabilities;

antivirus protection;

ensuring secure internetwork interaction of ISPD;

security analysis;

intrusion detection.

It is recommended to implement the access control and the registration and accounting subsystems on the basis of software tools that block unauthorized actions, raise alarms and register events. These are special software and hardware-software tools, not part of the kernel of any operating system, that protect the operating systems themselves, the electronic personal data databases and the application programs. They perform protection functions on their own or in combination with other protection means and aim to prevent, or at least complicate, actions of a user or intruder that are dangerous to the ISPD. They include special utilities and security software packages implementing diagnostic, registration, destruction, alarm and imitation functions.

Diagnostic tools test the file system and the personal data databases, continuously collecting information about the functioning of the elements of the information security subsystem.

Destruction tools are intended for wiping residual data and may provide for emergency data destruction when an unauthorized access threat arises that the system cannot block.

Alarm tools warn operators when they access protected PD and warn the administrator when unauthorized access to PD or another violation of the normal operating mode of the ISPD is detected.

Imitation tools (decoys) simulate normal operation towards the intruder once an attempt to tamper with protected personal data or software is detected. Imitation gains time to determine the location and nature of the unauthorized activity, which is especially important in geographically distributed networks, and misleads the intruder about where the protected personal data are located.

The integrity subsystem is implemented mainly by operating systems and database management systems. The means of increasing reliability and ensuring the integrity of transmitted data and transactions that are built into operating systems and DBMS are based on computing checksums, notifying the sender of a failed transmission of a packet, and retransmitting the unaccepted packet. Such checksums protect against accidental distortion only: an intruder who can modify a packet can recompute a plain checksum, so deliberate modification is detected only by the cryptographic integrity mechanisms (keyed checksums and digital signatures) described earlier.

The subsystem for monitoring the absence of undeclared capabilities is implemented in most cases on the basis of database management systems, information security tools, and anti-virus information security tools.

To ensure the security of PD and the software and hardware environment of the ISPD that processes this information, it is recommended to use special anti-virus protection tools that perform:

detection and (or) blocking of destructive viral effects on system-wide and application software that processes personal data, as well as on personal data;

detection and removal of unknown viruses;

self-checking of the anti-virus tool itself at launch, so that it has not been infected or disabled before it begins scanning.

When choosing antivirus protection tools, it is advisable to consider the following factors:

compatibility of these tools with standard ISPD software;

the degree of decrease in the performance of the ISPD for its main purpose;

availability of means for centralized management of the functioning of anti-virus protection tools from the information security administrator’s workplace in the ISPD;

the ability to promptly notify the information security administrator of the ISPD of all events and manifestations of program-mathematical impacts (PMI), that is, of malicious code;

availability of detailed documentation on the operation of the anti-virus protection tool;

the ability to periodically test or self-test the anti-virus protection tool;

the possibility of extending the set of protection tools against PMI with new, additional tools without significant loss of ISPD performance and without conflicts with other types of protection means.

A description of the procedure for installing, configuring and administering the anti-virus protection tools, as well as the procedure to follow when a virus attack or other violation of the requirements for protection against program-mathematical impacts is detected, should be included in the manual of the ISPD information security administrator.

To restrict access to ISPD resources during internetwork interaction, firewalling is used, implemented by software or hardware-software firewalls (FW). A firewall is installed between the protected network, called the internal network, and the external network; the firewall itself belongs to the protected network. Its rules are configured separately for the two directions, restricting access from the internal network to the external one and vice versa; in practice each direction should end in a default-deny rule so that only explicitly permitted traffic passes.

To ensure secure internetwork interaction in class 3 and class 4 ISPD, firewalls of at least the fifth security level are recommended (under the FSTEC firewall classification a lower level number means stricter requirements).

To ensure secure internetwork interaction in class 2 ISPD, firewalls of at least the fourth security level are recommended.

To ensure secure internetwork interaction in class 1 ISPD, firewalls of at least the third security level are recommended.

The security analysis subsystem is implemented based on the use of testing (security analysis) and information security control (audit) tools.

Security analysis tools are used to monitor the security settings of operating systems on workstations and servers, to assess the feasibility of attacks on network equipment, and to monitor software security. To do this they examine the network topology, look for unprotected or unauthorized network connections, and check firewall settings. The analysis is based on detailed descriptions of vulnerabilities in security settings (for example, of switches, routers and firewalls) or of vulnerabilities in operating systems or application software. The result is a report summarizing the vulnerabilities found.

Vulnerability detection tools can operate at the network level (network-based), at the operating system level (host-based) and at the application level (application-based). With scanning software one can quickly build a map of all reachable ISPD nodes, identify the services and protocols running on each of them, determine their basic settings and estimate the likelihood of unauthorized access.

Based on the scan results, such systems produce recommendations and measures for eliminating the deficiencies found.

To detect unauthorized access threats arising through internetwork interaction, intrusion detection systems are used. Such systems are built taking into account the specifics of how attacks are implemented and the stages of their development, and rely on several attack detection methods.

There are three groups of attack detection methods:

signature methods;

anomaly detection methods;

combined methods (using together algorithms defined in signature methods and anomaly detection methods).

To detect intrusions in class 3 and class 4 ISPD, network attack detection systems using signature analysis methods are recommended.

To detect intrusions in class 1 and class 2 ISPD, network attack detection systems using anomaly detection methods together with signature analysis methods are recommended.
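The three groups of detection methods, as an example added here by the editor (not code from the original work or from any particular intrusion detection product): a signature detector with two constructed patterns, an anomaly detector keyed on failed logins per source address, and the combined method running both over one event stream. The access log, its format, the addresses (documentation ranges) and the threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one parsed line: "<timestamp> <client-ip> <method> <path> <status>".
type Event struct {
	Time, IP, Method, Path string
	Status                 int
}

type Alert struct{ Method, Source, Detail string }

// sampleLog is constructed for this example (documentation-range addresses,
// deliberately obvious attacks); it is not a real bank log.
const sampleLog = `2024-03-01T10:00:01Z 198.51.100.7 GET /login 200
2024-03-01T10:00:02Z 198.51.100.7 POST /login 200
2024-03-01T10:00:05Z 203.0.113.9 GET /statement?id=1'%20OR%20'1'='1 200
2024-03-01T10:00:06Z 203.0.113.9 GET /static/../../../../etc/passwd 404
2024-03-01T10:01:00Z 192.0.2.44 POST /login 401
2024-03-01T10:01:01Z 192.0.2.44 POST /login 401
2024-03-01T10:01:02Z 192.0.2.44 POST /login 401
2024-03-01T10:01:03Z 192.0.2.44 POST /login 401
2024-03-01T10:01:04Z 192.0.2.44 POST /login 401
2024-03-01T10:01:05Z 192.0.2.44 POST /login 401
2024-03-01T10:01:30Z 198.51.100.7 POST /login 401
2024-03-01T10:01:31Z 198.51.100.7 POST /login 200
garbage line that does not parse`

func parseLog(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue // a malformed line must not crash the sensor
		}
		status, err := strconv.Atoi(f[4])
		if err != nil {
			continue
		}
		events = append(events, Event{f[0], f[1], f[2], f[3], status})
	}
	return events
}

// Signature method: patterns of attacks that are already known.
var signatures = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"sql-injection", regexp.MustCompile(`(?i)('|%27)(\s|%20)*or(\s|%20)*('|%27)?1('|%27)?(\s|%20)*=|union(\s|%20|\+)+select`)},
	{"path-traversal", regexp.MustCompile(`(?i)\.\./|%2e%2e/`)},
}

func signatureScan(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		for _, s := range signatures {
			if s.Re.MatchString(e.Path) {
				alerts = append(alerts, Alert{"signature:" + s.Name, e.IP, e.Path})
			}
		}
	}
	return alerts
}

// Anomaly method: no attack pattern, only a deviation from normal behaviour.
// maxFailures is the per-source failed-login count seen in baseline traffic.
func anomalyScan(events []Event, maxFailures int) []Alert {
	failures := map[string]int{}
	for _, e := range events {
		if e.Path == "/login" && e.Status == 401 {
			failures[e.IP]++
		}
	}
	var alerts []Alert
	for ip, n := range failures {
		if n > maxFailures {
			alerts = append(alerts, Alert{"anomaly:login-failures", ip, fmt.Sprintf("%d failed logins", n)})
		}
	}
	return alerts
}

// Combined method: both detectors over the same event stream.
func combinedScan(events []Event, maxFailures int) []Alert {
	return append(signatureScan(events), anomalyScan(events, maxFailures)...)
}

func main() {
	for _, a := range combinedScan(parseLog(sampleLog), 3) {
		fmt.Printf("%-24s %-14s %s\n", a.Method, a.Source, a.Detail)
	}
}
```

The password-guessing source in the sample matches no signature at all; only the anomaly detector sees it, which is the reason the text recommends both methods for class 1 and class 2 systems. Conversely the single injection attempt would never cross a rate threshold and is caught only by its signature.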

To protect personal data from leakage through technical channels, organizational and technical measures are used aimed at eliminating the leakage of acoustic (speech), visual information, as well as information leakage due to side electromagnetic radiation and interference.

In conclusion to the second chapter of the work, the following can be stated. Protection of personal information is the state of security of the information and its supporting infrastructure against accidental or intentional impacts of natural or artificial origin that may cause damage to the owners or users of the information. The objects of information security in accounting are information resources containing trade secrets, and the tools and systems of informatization. The main methods used for information protection are detection and direct protection.

CONCLUSION

The problem of information security of economic objects is multifaceted and needs further study.

In the modern world, informatization is becoming a strategic national resource, one of the main assets of an economically developed state. The rapid improvement of informatization in Russia, its penetration into all spheres of vital interests of the individual, society and the state, have entailed, in addition to undoubted advantages, the emergence of a number of significant problems. One of them was the need to protect information. Considering that currently the economic potential is increasingly determined by the level of development of the information infrastructure, the potential vulnerability of the economy in relation to information influences is growing proportionally.

The realization of information security threats consists in a violation of the confidentiality, integrity or availability of information. From the standpoint of a systematic approach to information protection, the whole arsenal of available security means must be used in all structural elements of an economic entity and at all stages of the technological cycle of information processing. Methods and means of protection must reliably cover the possible paths of unauthorized access to protected secrets. Information protection is cost-effective only if the cost of its implementation does not exceed the possible losses from the realization of threats. Information security planning is carried out by each department developing detailed information security plans. Clarity is needed in the exercise of users' powers and rights to access particular kinds of information, in the control over security measures, and in the immediate response to their failure.



Dzhabrail Matiev, head of personal data protection for the commercial division of the company ReignVox

Constant work with huge volumes of client data requires a bank of any size to work constantly on protecting this data.

That is why the topic of information security, and with it the topic of trust, is especially relevant in the financial sector. Moreover, the requirement to protect any personal data included in the information system of a modern financial company is also legally grounded: Federal Law No. 152 "On Personal Data" clearly obliges every company processing such data to protect it within a strictly defined time frame. Both new and existing information systems processing personal data must be brought into compliance with the legal requirements by January 1, 2011. With such strict deadlines, organizations processing such information have less and less time to comply with the legal requirements.

Where should you start working to protect personal data? What time frame can you expect for work? Who should be entrusted with the work? What is the average cost of a project and how to minimize costs? All these questions are relevant today for any company doing business in the financial sector. ReignVox's extensive experience in the field of personal data protection in financial institutions allows us to provide expert answers to them.

Life is in countdown mode

Federal Law No. 152 “On Personal Data” comes into full force on January 1, 2011 - more than six months ahead of the deadline set by legislators. But don’t give in to the misleading impression of having too much time.

Firstly, a project aimed at meeting the requirements for the protection of personal data takes from four to six months, depending on its complexity. Even this figure is not final: the term may grow to six to eight months because of the time the bank spends selecting a capable integrator to develop and support the project. Carrying out this work in-house exposes the bank to a loss of objectivity at the stage of surveying and analysing its existing protection measures, and to the need to find separate staff for the work. The bank should also weigh such factors as the availability of specialists trained in personal data protection, the required volume of regulatory and methodological support, and free resources for the task of protecting personal data itself. Practice shows that it is usually third-party integrators who fully meet all these requirements.

Secondly, returning to the deadlines set by the Law "On Personal Data" for data operators (and that banks are such operators is no longer in question), whatever is said about their "postponement", the first regulatory inspections are already taking place. The conclusion is logical: the relevance of the problem has not merely remained, it has grown significantly, and solving it is becoming an urgent need.

“And the casket just opened...”

The task of bringing the ISPD into compliance with the Law "On Personal Data" has recently been the subject of active discussion, which mostly boils down to one claim: the task is very hard to solve because of its combined organizational and legal features. This conclusion is not entirely correct: the practice of applying personal data protection requirements that emerged during the first quarter of 2010 (including in the banking sector) confirms that the requirements for ISPD are clear and interpretable. Formulating and implementing them, and documenting that implementation, with minimal risk of error is not so much difficult as it is important for the security of the banking business. The task is further simplified by the option of delegating it to a third-party integrator, whose specialists will complete the personal data protection project as quickly and professionally as possible, taking into account the individual characteristics of the banking business.

Thus, the first priority becomes the choice of an integrator company, which will be entrusted with the management of the project.

"Standard" = "Exclusive"?

Such an equal sign between these mutually exclusive concepts has a right to exist. This statement is supported by the practical experience of successful personal data protection projects already completed by ReignVox.

On the one hand, each such project includes a standard set of stages: surveying the personal data information systems (ISPD), designing the personal data protection system (PDPS), implementing the PDPS, assessing the compliance of the PDPS with the requirements of the law, and supporting the created system. The compliance assessment stage is optional and is carried out at the discretion of the customer company, as is the support stage.

Typicality usually ends at the first stage (surveying the information systems), because it is this stage that identifies and describes the requirements that will later be imposed on the systems. Those parameters are individual, focused on each specific customer and optimized to its needs.

During this survey, information resources, standard solutions used in the construction of IT infrastructure, information flows of personal data, existing systems and information security tools are analyzed.

At the same stage, a threat model and an intruder model for PD security are developed, and the need to ensure PD security in the ISPD using cryptographic means is assessed.

The classic scheme for the second stage includes an audit of the internal regulatory framework and an assessment of its compliance with regulatory requirements. Its result is the development of the missing internal documents and of the technical specification for the PDPS. At the same stage, the integrator begins the direct development of the set of measures to protect information.

At the end of this stage, the bank is quite capable of successfully passing inspection by one of the regulators.

The essence of the third stage comes down to the implementation of systems and configuration of existing security measures. After testing, if necessary, the complex of hardware and software is modified.

At each of the described stages, ReignVox, as an integrator, faces various additional tasks determined by the specifics of the business conducted by the customer company, its size, infrastructure, activity of business processes and many other points. And from many such components each time a new, individually adapted project concept for the protection of personal data is formed.

“...and the sheep are safe”

Minimizing expenses, optimizing the budget, saving: whichever phrase you choose, the essence is the same. A rational approach to the use of monetary resources is the second cornerstone of the success of a financial structure (after trust, of course). So the desire to reduce costs as much as possible without compromising information security is natural and quite achievable.

The cost of an average standard project to create a personal data protection system for a banking structure is about 1.5 million rubles. When calculating this amount, a number of principles are taken into account, following which allows one to reduce the budget for creating a personal data protection system.

First of all, we strive to preserve as much as possible the IT infrastructure that already exists in the organization. Two polar scenarios for personal data protection are usually discussed. The first is a radical reworking of the entire ISPD; the second is purely formal and consists only of issuing internal regulatory documents without making any changes to the ISPD. We consider a third option optimal: keeping the bank's current IT infrastructure while modifying some of its elements and adding the new ones needed to ensure compliance with the law.

This is the first principle: maximum use of existing information security tools when designing the protection system. Protection measures are in use in any company regardless of the need to protect personal data: anti-virus systems, built-in operating system access controls, firewalls and many other means. Therefore the largest possible number of requirements is covered by existing security measures, and only where a requirement is not met by the current means of protection is it necessary to purchase and implement additional ones.

The second principle is economical logical structuring of personal data information systems. Following it, as part of a personal data protection project in a bank, it becomes economically feasible to combine several systems located in the same premises into one, combined with lowering the class of non-critical segments. In this way an ISPD "Data Processing Center" is created, in which protection is provided along the perimeter. This significantly reduces the cost of separating flows between different systems.

Principle three: protect only against relevant threats. Which threats are relevant is recorded in a document required for special systems, the "Threat Model". When determining relevance, threats whose probability is low and whose damage upon realization is small are discarded.

Provided that already proven methods are used, the task of bringing the ISPD of any bank into compliance with the requirements of the law by January 1, 2011 is fully achievable. For maximum success in implementing such technologies in the banking sector, it is still necessary to remember an integrated approach to working on the project. In this case, we mean the organization of joint work of specialists from various departments - specialists in IT technologies, information security and project management, financiers, lawyers - guaranteeing compliance with the necessary balance of the overall approach to protecting critical data within the financial structure.

Reference: ReignVox is a Russian company specializing in innovative projects and developments in the field of information technology and ensuring their information security.

The purpose of creating the company is to provide services to ensure the protection of personal data in accordance with the requirements of the Law “On Personal Data” Federal Law No. 152 of July 27, 2006 and to build comprehensive information security systems.

ReignVox is a member of the interregional public organization “Association for Information Security” (IPO “AZI”), an associated member of the “Infocommunication Union”, and also a member of the Association of Regional Banks of Russia.

ReignVox has significant experience in successfully implementing personal data protection projects in large commercial banks. Among its clients are NOTA-Bank, Vnesheconombank, CentroCredit, Tempbank, Alta-Bank, etc.


REGULATION

on the protection of personal data of Clients (subscribers) at Ortes-Finance LLC

1. Terms and Definitions

1.1. Personal data - any information relating to an individual identified or identifiable on the basis of such information (subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, e-mail address, phone number, family, social and property status, education, profession, income and other information.

1.2. Processing of personal data— actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking.

1.3. Confidentiality of personal data— a mandatory requirement for the designated responsible person who has gained access to personal data to not allow their dissemination without the consent of the subject or other legal basis.

1.4. Dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including publishing personal data in the media, posting it in information and telecommunication networks, or providing access to personal data in any other way.

1.5. Use of personal data— actions (operations) with personal data performed for the purpose of making decisions or performing other actions that give rise to legal consequences in relation to the subjects of personal data or otherwise affect their rights and freedoms or the rights and freedoms of other persons.

1.6. Blocking personal data— temporary cessation of the collection, systematization, accumulation, use, dissemination of personal data, including their transfer.

1.7. Destruction of personal data— actions as a result of which it is impossible to restore the content of personal data in the personal data information system or as a result of which material media of personal data are destroyed.

1.8. Depersonalization of personal data— actions as a result of which it is impossible to determine the ownership of personal data to a specific subject without the use of additional information.

1.9. Publicly available personal data - personal data to which access by an unlimited number of persons is granted with the consent of the subject, or which, in accordance with federal laws, is not subject to confidentiality requirements.

1.10. Information— information (messages, data) regardless of the form of their presentation.

1.11. Client (subject of personal data) - an individual consumer of the services of Ortes-Finance LLC, hereinafter referred to as the "Organization".

1.12. Operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data. Within the framework of these Regulations, the Operator is the Limited Liability Company "Ortes-Finance".

2. General provisions.

2.1. This Regulation on the processing of personal data (hereinafter referred to as the Regulation) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal Law "On Information, information technology and on the protection of information", Federal Law 152-FZ "On Personal Data", other federal laws.

2.2. The purpose of developing the Regulations is to determine the procedure for processing and protecting personal data of all Clients of the Organization, whose data is subject to processing, based on the authority of the operator; ensuring the protection of the rights and freedoms of a person and citizen during the processing of his personal data, including the protection of the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials with access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data.

2.3. The procedure for putting into effect and changing the Regulations.

2.3.1. This Regulation comes into force from the moment of its approval by the Director General of the Organization and is valid indefinitely until it is replaced by a new Regulation.

2.3.2. Changes to the Regulations are made on the basis of Orders of the General Director of the Organization.

3. Composition of personal data.

3.1. Clients’ personal data includes, among other things:

3.1.1. Full Name.

3.1.2. Year of birth.

3.1.3. Month of birth.

3.1.4. Date of Birth.

3.1.5. Place of Birth.

3.1.6. Passport details.

3.1.7. E-mail address.

3.1.8. Phone number (home, cell).

3.2. The following documents and information containing data about Clients may be created (collected) and stored in the Organization, including in electronic form:

3.2.1. Application for a survey on the possibility of connecting an individual.

3.2.2. Agreement (public offer).

3.2.3. Confirmation of accession to the agreement.

3.2.5. Copies of identification documents, as well as other documents provided by the Client and containing personal data.

3.2.6. Data on payments for orders (goods/services), containing payment and other details of the Client.

4. Purpose of processing personal data.

4.1. The purpose of processing personal data is to carry out a set of actions aimed at achieving the goal, including:

4.1.1. Providing consulting and information services.

4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.

4.1.3. In order to comply with the requirements of the legislation of the Russian Federation.

4.2. The condition for termination of the processing of personal data is the liquidation of the Organization, as well as the corresponding request of the Client.

5. Collection, processing and protection of personal data.

5.1. Procedure for obtaining (collecting) personal data:

5.1.1. All personal data of the Client should be obtained from him personally with his written consent, except for the cases specified in clauses 5.1.4 and 5.1.6 of these Regulations and other cases provided for by the laws of the Russian Federation.

5.1.2. The Client’s consent to the use of his personal data is stored by the Organization in paper and/or electronic form.

5.1.3. The subject’s consent to the processing of personal data is valid for the entire duration of the agreement, as well as within 5 years from the date of termination of the Client’s contractual relationship with the Organization. After the expiration of the specified period, the consent is considered extended for every next five years in the absence of information about its revocation.

5.1.4. If the Client’s personal data can only be obtained from a third party, the Client must be notified of this in advance and written consent must be obtained from him. A third party providing the Client’s personal data must have the subject’s consent to transfer personal data to the Organization. The organization is obliged to obtain confirmation from the third party transferring the Client’s personal data that personal data is transferred with his consent. The organization is obliged, when interacting with third parties, to enter into an agreement with them on the confidentiality of information regarding the personal data of Clients.

5.1.5. The Organization is obliged to inform the Client about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, and the consequences of the Client's refusal to give written consent to its receipt.

5.1.6. Processing of Clients’ personal data without their consent is carried out in the following cases:

5.1.6.1. Personal data is publicly available.

5.1.6.2. At the request of authorized state bodies in cases provided for by federal law.

5.1.6.3. The processing of personal data is carried out on the basis of a federal law that establishes its purpose, the conditions for obtaining personal data and the range of subjects whose personal data is subject to processing, as well as defining the powers of the operator.

5.1.6.4. The processing of personal data is carried out for the purpose of concluding and executing an agreement, one of the parties to which is the subject of personal data - the Client.

5.1.6.5. The processing of personal data is carried out for statistical purposes, subject to the mandatory anonymization of personal data.

5.1.6.6. In other cases provided by law.

5.1.7. The organization does not have the right to receive and process the Client’s personal data about his race, nationality, political views, religious or philosophical beliefs, state of health, intimate life.

5.2. Procedure for processing personal data:

5.2.1. The subject of personal data provides the Organization with reliable information about himself.

5.2.2. Only employees of the Organization who are authorized to work with the Client’s personal data and who have signed a Non-Disclosure Agreement for the Client’s personal data may have access to the processing of Clients’ personal data.

5.2.3. The following have the right to access the Client's personal data in the Organization:

- General Director of the Organization;

- Employees responsible for maintaining financial accounts (manager, accountant);

- Employees of the Customer Relations Department (head of sales department, manager);

- IT workers (technical director, system administrator);

- Client as a subject of personal data.

5.2.3.1. The list of names of the Organization’s employees who have access to Clients’ personal data is determined by order of the General Director of the Organization.

5.2.4. The processing of the Client’s personal data may be carried out solely for the purposes established by the Regulations and compliance with laws and other regulatory legal acts of the Russian Federation.

5.2.5. When determining the volume and content of personal data processed, the Organization shall be guided by the Constitution of the Russian Federation, the law on personal data, and other federal laws.

5.3. Protection of personal information:

5.3.1. The protection of the Client’s personal data is understood as a set of measures (organizational, administrative, technical, legal) aimed at preventing unauthorized or accidental access to it, destruction, modification, blocking, copying, distribution of personal data of subjects, as well as other unlawful actions.

5.3.2. The protection of the Client’s personal data is carried out at the expense of the Organization in the manner established by the federal law of the Russian Federation.

5.3.3. When protecting Clients' personal data, the Organization takes all necessary organizational, administrative, legal and technical measures, including:

- Anti-virus protection;

- Security analysis;

- Intrusion detection and prevention;

- Access control;

- Registration and accounting;

- Ensuring integrity;

- Organization of normative and methodological local acts regulating the protection of personal data.

5.3.4. The general organization of the protection of personal data of Clients is carried out by the General Director of the Organization.

5.3.5. Employees of the Organization who need personal data in connection with the performance of their job duties have access to the Client’s personal data.

5.3.6. All employees associated with the receipt, processing and protection of Clients’ personal data are required to sign an Agreement on non-disclosure of Clients’ personal data.

5.3.7. The procedure for obtaining access to the Client's personal data includes:

- Familiarization of the employee, against signature, with these Regulations. If there are other acts (orders, directives, instructions, etc.) governing the processing and protection of the Client's personal data, the employee is familiarized with these acts against signature as well.

- Requesting from the employee (with the exception of the General Director) a written commitment to maintain the confidentiality of Clients' personal data and to comply with the rules for their processing in accordance with the Organization's internal local regulations governing the security of confidential information.

5.3.8. An employee of the Organization who has access to Clients' personal data in connection with the performance of work duties:

- Ensures the storage of information containing the Client's personal data in a way that excludes access to it by third parties.

- Leaves no documents containing Clients' personal data at his workplace while he is absent.

- When going on vacation, during a business trip and in other cases of long-term absence from his workplace, is obliged to transfer documents and other media containing Clients' personal data to the person who is entrusted, by a local act of the Company (order, directive), with performing his job duties.

- If no such person is appointed, documents and other media containing Clients' personal data are transferred to another employee who has access to Clients' personal data, as directed by the General Director of the Organization.

- Upon dismissal of an employee who has access to Clients' personal data, documents and other media containing Clients' personal data are transferred to another employee who has access to Clients' personal data, on the instructions of the General Director.

- In order to fulfill an assigned task and on the basis of a memo with a positive resolution of the General Director, access to the Client's personal data may be provided to another employee. Access to the Client's personal data by other employees of the Organization who do not have properly authorized access is prohibited.

5.3.9. The HR Manager provides:

- Familiarization of employees with these Regulations against signature.

- Requesting from employees a written commitment to maintain the confidentiality of the Client's personal data (Non-Disclosure Agreement) and to comply with the rules for their processing.

- General control over employees' compliance with measures to protect the Client's personal data.

5.3.10. Protection of Clients' personal data stored in the Organization's electronic databases from unauthorized access, distortion and destruction of information, as well as from other unlawful actions, is ensured by the System Administrator.

5.4. Storage of personal data:

5.4.1. Personal data of Clients on paper is stored in safes.

5.4.2. Clients' personal data is stored electronically on the Organization's local computer network, in electronic folders and files on the personal computers of the General Director and of employees authorized to process Clients' personal data.

5.4.3. Documents containing personal data of Clients are stored in locked cabinets (safes) that provide protection from unauthorized access. At the end of the working day, all documents containing personal data of Clients are placed in cabinets (safes) that provide protection from unauthorized access.

5.4.4. Protection of access to electronic databases containing personal data of Clients is ensured by:

- Using licensed anti-virus and anti-intrusion programs that do not allow unauthorized entry into the Organization's local network.

- Differentiation of access rights using accounts.

- A two-level password system: at the local computer network level and at the database level. Passwords are set by the Organization's System Administrator and are communicated individually to employees who have access to Clients' personal data.

5.4.4.1. Unauthorized entry into PCs containing Clients’ personal data is blocked by a password, which is set by the System Administrator and is not subject to disclosure.

5.4.4.2. All electronic folders and files containing personal data of Clients are protected by a password, which is set by the Organization employee responsible for the PC and reported to the System Administrator.

5.4.4.3. Passwords are changed by the System Administrator at least once every 3 months.

5.4.5. Copying and making extracts of the Client’s personal data is permitted solely for official purposes with the written permission of the General Director of the Organization.

5.4.6. Responses to written requests from other organizations and institutions about Clients’ personal data are given only with the written consent of the Client himself, unless otherwise provided by law. Responses are provided in writing, on the Organization’s letterhead, and to the extent that allows not to disclose an excessive amount of the Client’s personal data.

6. Blocking, depersonalization, destruction of personal data

6.1. The procedure for blocking and unblocking personal data:

6.1.1. Blocking of Clients’ personal data is carried out with a written application from the Client.

6.1.2. Blocking personal data implies:

6.1.2.2. Prohibition of dissemination of personal data by any means (e-mail, cellular, material media).

6.1.2.4. Removal of paper documents relating to the Client and containing his personal data from the Organization’s internal document flow and prohibition of their use.

6.1.3. The blocking of the Client’s personal data can be temporarily lifted if this is required to comply with the legislation of the Russian Federation.

6.1.4. Unblocking the Client’s personal data is carried out with his written consent (if there is a need to obtain consent) or the Client’s application.

6.1.5. Repeated consent of the Client to the processing of his personal data (if it is necessary to obtain it) entails the unblocking of his personal data.

6.2. Procedure for depersonalization and destruction of personal data:

6.2.1. Depersonalization of the Client’s personal data occurs upon a written application from the Client, provided that all contractual relations have been completed and at least 5 years have passed from the date of expiration of the last contract.

6.2.2. When depersonalizing, personal data in information systems is replaced by a set of characters, which makes it impossible to determine whether personal data belongs to a specific Client.

6.2.3. When personal data is depersonalized, paper document carriers are destroyed.

6.2.4. The organization is obliged to ensure confidentiality with respect to personal data if it is necessary to test information systems on the developer’s territory and to depersonalize personal data in information systems transferred to the developer.

6.2.5. Destruction of the Client’s personal data implies termination of any access to the Client’s personal data.

6.2.6. If the Client’s personal data is destroyed, the Organization’s employees cannot access the subject’s personal data in information systems.

6.2.7. When personal data is destroyed, paper document carriers are destroyed, and personal data in information systems is anonymized. Personal data cannot be restored.

6.2.8. The operation of destroying personal data is irreversible.

6.2.9. The period after which the destruction of the Client’s personal data is possible is determined by the end of the period specified in clause 7.3 of these Regulations.

7. Transfer and storage of personal data

7.1. Transfer of personal data:

7.1.1. The transfer of personal data of a subject means the dissemination of information through communication channels and on tangible media.

7.1.2. When transferring personal data, employees of the Organization must comply with the following requirements:

7.1.2.1. Do not disclose the Client’s personal data for commercial purposes.

7.1.2.2. Do not disclose the Client’s personal data to a third party without the Client’s written consent, except in cases established by the federal law of the Russian Federation.

7.1.2.3. Warn persons receiving the Client's personal data that this data can only be used for the purposes for which it was communicated, and require confirmation from these persons that this rule is complied with.

7.1.2.4. Allow access to Clients’ personal data only to specially authorized persons, and these persons must have the right to receive only those Clients’ personal data that are necessary to perform specific functions.

7.1.2.5. Transfer the Client’s personal data within the Organization in accordance with these Regulations, regulatory and technological documentation and job descriptions.

7.1.2.6. Provide the Client with access to his personal data when contacting or upon receiving the Client’s request. The organization is obliged to inform the Client about the availability of personal data about him, as well as provide the opportunity to familiarize himself with it within ten working days from the date of application.

7.1.2.7. Transfer the Client’s personal data to the Client’s representatives in the manner prescribed by law and regulatory and technological documentation and limit this information only to those personal data of the subject that are necessary for the said representatives to perform their functions.

7.2. Storage and use of personal data:

7.2.1. The storage of personal data refers to the existence of records in information systems and on tangible media.

7.2.2. Personal data of Clients is processed and stored in information systems, as well as on paper in the Organization. Clients’ personal data is also stored electronically: on the Organization’s local computer network, in electronic folders and files on the PC of the General Director and employees authorized to process Clients’ personal data.

7.2.3. The Client’s personal data can be stored no longer than required for the purposes of processing, unless otherwise provided by federal laws of the Russian Federation.

7.3. Periods for storing personal data:

7.3.1. The storage period for civil contracts containing personal data of Clients, as well as documents accompanying their conclusion and execution is 5 years from the date of expiration of the contracts.

7.3.2. During the storage period, personal data cannot be anonymized or destroyed.

7.3.3. After the expiration of the storage period, personal data may be anonymized in information systems and destroyed on paper in the manner established by these Regulations and the current legislation of the Russian Federation (Appendix: Act on Destruction of Personal Data).

8. Rights of the personal data operator

The organization has the right:

8.1. Defend its interests in court.

8.2. Provide Clients’ personal data to third parties if required by current legislation (tax, law enforcement agencies, etc.).

8.3. Refuse to provide personal data in cases provided for by law.

8.4. Use the Client’s personal data without his consent in cases provided for by the legislation of the Russian Federation.

9. Client's rights

The client has the right:

9.1. Require clarification of his personal data, or its blocking or destruction, if the personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the stated purpose of processing, and also take measures provided by law to protect his rights.

9.2. Require a list of processed personal data available in the Organization and the source of its receipt.

9.3. Receive information about the terms of processing of personal data, including the periods of their storage.

9.4. Require that all persons who were previously provided with incorrect or incomplete personal data be notified of all exclusions, corrections or additions made to it.

9.5. Appeal to the authorized body for the protection of the rights of personal data subjects, or to a court, against unlawful actions or inaction in the processing of his personal data.

10. Responsibility for violation of the rules governing the processing and protection of personal data

10.1. Employees of the Organization who are guilty of violating the rules governing the receipt, processing and protection of personal data bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and internal local acts of the Organization.

Probably everyone who has ever taken out a loan, or who works in HR, has encountered a situation where bank representatives call the employer and request information about one of the organization’s employees.

Moreover, in practice the employer most often fails to comply with the requirements of Federal Law 152 on the protection of personal data and discloses information about the employee over the phone. The employer cannot verify who is receiving this information and often does not have the employee’s written consent to such use of his data.

Who in this situation breaks the law more: the one who asks or the one who answers?

In this situation, it all depends on what documents each side holds from the subject of the personal data. There are situations in which neither the one who asks nor the one who answers violates the law, and situations in which both do.

Let's figure this out.

So, we are a bank. A person has come to us and, for the purpose of obtaining a loan, has provided all the necessary documents, including a certificate of earnings certified by the signatures of the employer’s responsible persons and its seal, as well as the other required originals and copies of documents.

But, despite the original earnings certificate provided, we want to check whether the loan applicant really works at this organization and whether the income indicated in the certificate is genuine. To be fair, it must be said that recently banks most often only ask whether the person works at the specified organization. However, we, as a bank, do not send this request in writing, on letterhead bearing our seal and identifying details, and we do not state the purpose of our request in writing; instead, to speed up the procedure, we simply call the phone number indicated in the documents provided by the potential bank client.

What has always surprised me about this procedure is a certain illogicality in the stages of confirming the accuracy of the data provided.

That is, we are not entirely satisfied with a document bearing stamps and signatures, but for some reason we would be more satisfied with an answer obtained by calling a phone number supplied by the employee himself.

What phone number did the employee provide? Does this phone really belong to this organization? Who on the other end of the line will answer me: the CEO? The chief accountant? The HR manager? How am I going to verify that it really is one of these officials? Or maybe a secretary who has been working there for a week and doesn’t know anyone yet? Or the cleaner? Or a security guard? Or, quite possibly, someone the employee himself asked to answer the bank’s question accordingly? And if nobody answers at the number the employee provided, what does that mean for the bank? Will the bank check whether the applicant made a mistake in one digit? Could there be an outage at the phone company? Maybe the company no longer uses this particular number, and the employee did not know about it?

But our task is to figure out whether the actions of the parties, the bank and the employer, are legal in principle in this case.

If the bank has the written consent of the subject to check his information and obtain information from his employer, then the bank’s actions are legal.

What about the employer?

An employer can legally provide information about an employee to a bank in the following cases:

2. The employee has consented in writing to the provision of his data to a specific legal entity. But in this case, the employer is obliged to make sure that the request really came from the bank to which the employee authorized disclosure (that is, to respond only to a written request).

What if the employer does not have such consent?

The employer does not have the right to provide information about the employee. Does the employer then fulfill its obligations under the personal data law? Yes. Will the employee be given a loan if the employer refuses to provide information about him? Unknown.

Moreover, if the organization is large and has an extensive network of separate divisions, it is not always possible to obtain such consent quickly, especially when the employee decided to take out a loan on the spur of the moment and bank employees call the employer the same day or the next to check the accuracy of the information provided.

Moreover, the consent itself must be given in writing; it is not enough for the employee to call, for example, the HR department and ask them to respond verbally to a request from a specific bank.

Everyone understands perfectly well that when an employer provides information about a particular employee’s work to a bank upon a telephone request, it does so first and foremost to protect the employee’s interests, so that he is not denied a loan. But in doing so the employer automatically violates the law on the protection of personal data if it did not bother to obtain written consent from the employee in advance.

Perhaps, if banks stop the practice of illegal telephone checks, there will be fewer such violations on the part of the employer.

The Bank of Russia recently issued letter No. 42-T dated March 14, 2014, “On strengthening control over the risks arising for credit institutions when using information containing personal data of citizens.” It recommends that credit institutions strengthen control over the risks arising in the processing (which, incidentally, includes the collection) of information containing personal data, and update their internal documents to define the personal responsibility of employees of credit institutions who directly process (including collect) personal data for preserving and ensuring the confidentiality of information generated in the course of servicing clients.

At the same time, the letter states directly that the Bank of Russia, in supervising the activities of banks, will take into account identified shortcomings in the implementation of personal data legislation and treat them as a negative factor when assessing the quality of management of a credit institution, including the organization of its internal control system.

It remains to be hoped that banks will finally begin to comply with the law on the protection of personal data themselves, without pushing employers into a forced violation of the law.
