27.07.2020

Methods for the protection of information in the banking system. Information security of the bank. Protection against viruses


This article addresses information security in banking institutions on the basis of the domestic regulatory requirements of the Bank of Russia's sectoral standard STO BR IBBS-1.0-2014. It considers some aspects of protection in automated banking systems (ABS), the protection of personal data in the banking sector, internal audit and self-assessment of compliance with information security (IB) requirements, as well as some features and problem areas specific to information security in banks.

Introduction

It is no secret that banks are the cornerstone of the country's credit and financial system and the most important financial institution of modern society. Special information security requirements are therefore imposed on them. Until the domestic sectoral information security standards STO BR IBBS appeared, banks managed security on the basis of their own internal regulatory documents. After the adoption of these documents, however, many issues arose that still require resolution. Some of the questions considered in this article concern resolving the "bottlenecks" of a bank's IB system and adapting security policies to the new requirements, taking into account the "baggage" already accumulated in the field of information protection.

Formation of the Bank of Russia's IB standards

In Russia until the mid-2000s, the word "security" was associated mainly with the control of "banking risks": the control of situations that could lead to losses for a credit institution and/or a deterioration of its liquidity due to the onset of adverse events. Categories such as "information security" or "protection of information" did not exist in principle. Only the Federal Law "On Banking Activities" of 02.12.1990 No. 395-1-FZ, in Article 26 on banking secrecy, gave a limited right and the ability to protect confidential information in the banking sector. More than a decade later, domestic lawmakers issued the Federal Law "On Commercial Secrets" of July 29, 2004 No. 98-FZ, which finally made it possible to fully declare a new form of activity and a separate category of issues: the "information security of banks".

In the same years, a trend emerged in the domestic banking community towards adopting international banking standards, in particular Basel II. In its interpretation, this standard treated information security as an operational risk and, in general, demanded measures for auditing and controlling the information sphere, which was an absolute innovation for Russian banks at the time. However, this was not enough: the development of modern information technologies and the constant desire to bring new banking products to market required more attention to these issues.

The next stage of development came in 2004 with the release of the first edition of the package of domestic sectoral standards for information security, STO BR IBBS. The standard was considered the best sectoral standard of its time, because it reflected the best world experience and practice, combined the basic provisions of the IT security management standards (ISO 17799, 13335), and regulated the description of the software life cycle and the criteria for IT security assessment (GOST R ISO/IEC 15408-1-2-3). The document also reflects methods for assessing threats and vulnerabilities and some provisions of the British CRAMM information risk assessment methodology (see Figure 1).

Figure 1. Relationship of various requirements and standards in IT, security and management

Among the main provisions of the Central Bank standard, one could note its orientation towards solving the insider problem. For this, the Bank of Russia establishes control over the circulation of confidential information within the corporate environment. Considerable attention is also paid to external threats: the standard's provisions require banks to have antivirus protection with regularly updated databases and spam filtering tools, to control access, to regulate internal audit procedures, to use encryption to protect against unauthorized access, etc.

Despite all these obvious advantages, the standard was of a recommendatory nature: its provisions could be applied by domestic banks only on a voluntary basis. Nevertheless, according to the results of a survey of respondents presented at the III Interbank Conference, there was a clear trend towards the adoption of these documents as a mandatory basis for Russian banks.

In parallel with the development of bank standards in the mid-2000s, the process of forming domestic legislation in the field of information security was also under way in Russia. A key moment was the update of the Federal Law "On Information, Information Technologies and Information Protection" of July 27, 2006 No. 149-FZ, which gives new, current definitions of information, information technologies and processes and devotes a separate section to "Protection of information". Following it, the release of the law "On Personal Data" of July 27, 2006 No. 152-FZ marked out a separate category in the practice of information protection.

Given all these innovations and the changing realities of society, new editions of STO BR IBBS were published. Thus, in the third edition of the standard, of 2008, the package of documents was significantly reworked: new terms and concepts were introduced, some security requirements were refined and detailed, and the requirements for the information security management system were updated. The standard also acquired its own model of threats and violators of information security for organizations of the banking system of the Russian Federation. New blocks were introduced on IB requirements in automated banking systems, the banking payment and information technological processes were regulated, and the use of cryptographic information protection tools was addressed separately.

Against the background of the world events of 2014 and the economic sanctions imposed by Western countries on Russia, there has been a clear trend towards the development of and transition to a national payment card system. This, accordingly, places additional requirements on the reliability and security of such systems, which in turn increases the importance of domestic IB standards.

The result of all these events was the next reissue of the standard. In June 2014 an updated fifth edition, STO BR IBBS-2014, which is currently the latest, entered into force. The new edition corrected the flaws of past issues and, very importantly, brought the requirements and recommendations of the STO into line with the Bank of Russia Regulation 382-P (discussed below). For example, the list of operations in remote banking (DBO) that require registration has been clarified, the list of protected information has been expanded on the basis of 382-P, and a table has been added mapping the private assessment indicators of the STO to the indicators of the current version of 382-P.

No less significant an achievement was the updated base of regulatory requirements, taking into account the latest changes in legislation on personal data protection: references to Government Decree No. 1119 and to Order No. 21 of the FSTEC of Russia were added.

All this formed a unified methodological and regulatory platform for ensuring comprehensive information security with banking specifics taken into account. The STO BR IBBS package of documents gave Russian banks a security system built from a sectoral point of view, while at the same time absorbing the best global practice and the experience of foreign colleagues in ensuring information security.

Information security in banks, taking into account STO BR IBBS-2014

Currently, the Bank of Russia's package of STO BR IBBS documents consists of the following parts:

  1. STO BR IBBS-1.2-2014. "Methods for assessing the compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0-2014 (4th edition)";

In addition, the Bank of Russia developed and introduced the following recommendations in the field of IB standardization:

  1. RS BR IBBS-2.0-2007. "Methodical recommendations for information security documentation in line with the requirements of STO BR IBBS-1.0";
  2. RS BR IBBS-2.1-2007. "Guidelines for self-assessment of the compliance of the information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0";
  3. RS BR IBBS-2.2-2009. "Methods for assessing information security risk";
  4. RS BR IBBS-2.5-2014. "Management of information security incidents".

The first three documents are mandatory for all banks that have adopted the standard as their basic policy. The "General Provisions" document is the basis for all activities to protect information. Its entire structure is broken into separate blocks, which describe the security requirements in detail and give specific lists of protection measures for each block (see Table 1).

Table 1. Information security requirements

- when assigning and distributing roles and ensuring confidence in personnel;
- in automated banking systems (ABS) at the stages of the life cycle;
- when managing access and user registration;
- to the means of antivirus protection;
- when using the Internet resources;
- when using the means of cryptographic protection of information;
- in bank payment technological processes;
- on handling personal data;
- a separate heading sets out the requirements for the information security management system.

The "Audit of information security" document is the smallest of all. It indicates the need to audit the IB system and refers to the annual self-assessment according to the requirements of the standard. The data of the final self-assessment serve as the basis for the reporting form in the event of an inspection by the Central Bank and for the conclusion on whether the level of security of the bank's information security system matches the identified IB risks and threats.

The last document under consideration, "Methods for assessing compliance with IB requirements", is a set of assessment methods and tables with the corresponding fields to fill in. Each activity and protection measure is given a certain weight in the evaluation of the group indicator. Based on the group indicators, a circular diagram of compliance with the requirements of STO BR IBBS is drawn (see Figure 2). All values of the group indicators lie in the range from 0 to 1, within which six levels of compliance with the standard, starting from zero, are allocated to determine the result. The Bank of Russia recommends levels 4 and 5 (see Figure 2). Accordingly, the higher the value, the better protected the system is expected to be. On the circular diagram these sectors are green, while red indicates a critical level of the indicator.

Figure 2. Circular diagram of compliance with the requirements of STO BR IBBS

What else can be added: quite a lot of attention is paid to information security management processes; in particular, one can single out the Deming cycle, used by top managers in quality management (Figure 3).

Figure 3. Deming cycle for STO BR IBBS

In the new edition, the Bank of Russia updated the methodology for assessing the compliance of information security. The main changes affected the assessment approach:

  • all requirements are now assigned to one of three classes (documentation, performance, documentation and performance);
  • the assessment of group indicators is defined as the arithmetic mean (there are no weighting coefficients for private indicators);
  • the concept of corrective coefficients is introduced, which affect the estimates for the directions and depend on the number of fully implemented requirements of the standard;
  • the value of the M9 indicator (general requirements for personal data processing) is calculated by the general scheme (and not as the minimum of the values of its private indicators, as in the previous version of the standard).
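The assessment scheme just listed (arithmetic mean of private indicators per group, a corrective coefficient tied to the share of fully implemented requirements, values in the range 0 to 1 mapped onto six compliance levels with levels 4 and 5 recommended) can be made concrete with a small calculator. The Python below is an added example written for this page; it is not the Bank of Russia's methodology text or any bank's tooling. The 0 / 0.5 / 1 scoring scale for private indicators, the level boundaries in LEVEL_LOWER_BOUNDS, the form of the corrective coefficient, the direction names and the sample indicator values are all assumptions constructed for illustration, not values taken from STO BR IBBS-1.2-2014.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed lower boundary of each of the six compliance levels 0..5 (hypothetical values,
# not the thresholds from STO BR IBBS-1.2-2014).
LEVEL_LOWER_BOUNDS = [0.0, 0.25, 0.5, 0.7, 0.85, 0.95]
# Levels the article says the Bank of Russia recommends.
RECOMMENDED_LEVELS = {4, 5}


@dataclass
class Group:
    """One group indicator: a list of private indicators, each scored 0 (not met),
    0.5 (partially met) or 1 (fully met). The three-point scale is an assumption."""
    name: str
    private: list[float]

    def score(self) -> float:
        # 2014 edition: plain arithmetic mean, no weighting coefficients.
        return mean(self.private)


def corrective_coefficient(groups: list[Group], min_share: float = 0.75) -> float:
    """Hypothetical corrective coefficient for a direction: if fewer than min_share of
    the direction's requirements are fully implemented, scale its estimate by 0.9."""
    total = sum(len(g.private) for g in groups)
    full = sum(1 for g in groups for v in g.private if v == 1.0)
    return 1.0 if total and full / total >= min_share else 0.9


def direction_score(groups: list[Group]) -> float:
    """Direction estimate = mean of its group scores, times the corrective coefficient."""
    raw = mean(g.score() for g in groups)
    return round(raw * corrective_coefficient(groups), 4)


def conformity_level(value: float) -> int:
    """Map a value in [0, 1] onto compliance levels 0..5 with the assumed boundaries."""
    if not 0.0 <= value <= 1.0:
        raise ValueError("indicator values must lie in the range 0..1")
    level = 0
    for i, lower in enumerate(LEVEL_LOWER_BOUNDS):
        if value >= lower:
            level = i
    return level


def assess(directions: dict[str, list[Group]]) -> dict[str, tuple[float, int, bool]]:
    """Return, per direction: (score, level, whether the level is a recommended one)."""
    result = {}
    for name, groups in directions.items():
        score = direction_score(groups)
        level = conformity_level(score)
        result[name] = (score, level, level in RECOMMENDED_LEVELS)
    return result


# Constructed sample input, not data from any real assessment.
SAMPLE = {
    "M1 access control": [
        Group("user registration", [1.0, 1.0, 0.5, 1.0]),
        Group("privileged access", [1.0, 0.5, 1.0, 1.0]),
    ],
    "M9 personal data": [
        Group("documentation", [1.0, 0.0, 0.5]),
        Group("technical measures", [0.5, 0.5, 0.0]),
    ],
}

if __name__ == "__main__":
    for name, (score, level, ok) in assess(SAMPLE).items():
        verdict = "recommended level" if ok else "below recommended levels"
        print(f"{name}: score={score} level={level} ({verdict})")
```

Running the block prints one line per direction. In the sample, the access-control direction lands on level 4 while the personal-data direction falls to level 1: most of its requirements are only partially implemented, so the corrective coefficient pulls its estimate down further, which is the effect the 2014 edition's coefficient is meant to have.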

It is worth noting that much more attention is now paid to documenting security procedures in banks' internal regulatory documents. Thus, even if a procedure is not actually executed but is provided for and documented, it improves the result of the internal audit.

Compared with the previous edition, the number of private indicators has increased and the weights of the estimates have changed (see Figure 4).

Figure 4. Changes between the past and current editions of STO BR IBBS (according to Infocontal Management, www.km-ltd.com, 2014)

One more important addition should be mentioned regarding built-in ABS protection mechanisms: the Bank of Russia issued the recommendations "Ensuring information security at the stages of the life cycle of automated banking systems" (RS BR IBBS-2.6-2014). Their essence is that banks can now, referring to this document, set requirements for developers on the software's functionality in terms of protection mechanisms. We must not forget that these are recommendations and not requirements, and the Bank of Russia itself cannot impose anything, but it allows these recommendations to be broadcast on behalf of the banking community, and this is already a change for the better.

Protection of personal data in banks

Before the release of the 5th edition, STO BR IBBS-2014, the protection of personal data in banks was based on two documents: RS BR IBBS-2.3-2010 "Requirements for the security of personal data in the personal data information systems of organizations of the banking system of the Russian Federation" and RS BR IBBS-2.4-2010 "The sectoral private model of threats to the security of personal data when processed in the personal data information systems of organizations of the banking system of the Russian Federation".

In practice it looked like this: the private sectoral threat model proposed by the Central Bank was taken, the protection requirements for each personal data information system were determined according to the methodological recommendations, based on the amount and list of data processed, and then the list of necessary measures was built from them.

The main headache for specialists until now was that these requirements remained in force until the next edition, STO BR IBBS-2014, even though by then the protection of personal data (PDn) was already being built in accordance with Decree No. 1119 and FSTEC Order No. 21. Since banks must comply with the adopted STO BR IBBS package, many of them used outdated methods and, as a result, did not meet the new realities of security.

With the release of the two regulatory documents mentioned, the situation has changed for the better: some strict licensing requirements were cancelled, the procedures for classifying personal data information systems were revised, and the PDn operator was given more rights in choosing protection measures. The protection measures are now determined from the "level of protection" table and the security procedures applicable to each level, the details of which are given in FSTEC Order No. 21. This made it possible to level out the differences in the method of PDn protection between the Central Bank's sectoral standard and general Russian legislation.

The updated standard has a new term, "PDn resource", for which requirements for documenting individual procedures related to personal data processing (section 7.10) are formulated. Issues related to the destruction of personal data are considered separately: organizations are given the opportunity to destroy PDn not immediately but on a periodic basis, though at least once every six months.

Roskomnadzor separately issued clarifications on biometric PDn: for example, photographs of employees, if used for access control or displayed on the company's website as publicly available, do not fall under special protection requirements.

Banks that previously met the PDn protection requirements under the old standard need, in order to meet the new requirements, to adjust their internal regulatory documents, re-classify their personal data information systems and, in accordance with the level of security, determine a new list of protective measures for themselves. It should be noted that banks now have more freedom in choosing protection tools and methods; however, the application of information security tools is still regulated.

Information Security of the National Payment System

The National Payment System (NPS), in view of recent events, is becoming an increasingly high-priority direction of the state's domestic policy. Russian President Vladimir Putin signed the law on the creation of a national payment card system (NSPK) in Russia and on ensuring the uninterrupted operation of international payment systems. The NSPK operator is created in the form of a joint-stock company, 100% of whose assets belong to the Bank of Russia. The aim of the project is to build the infrastructure and information support for money transfers within Russia and to consolidate the operating centres and payment clearing centres territorially within the country.

In fact, before the law was issued, money could appear from "nowhere" and disappear into "nowhere". With the law in force, the situation changes: the NSPK makes it possible to track all monetary operations, including the financing of dubious transactions and fraudulent operations that may threaten the security of citizens or the country as a whole. In addition, according to the government, this is another step in the fight against bribery.

To ensure the security of the NPS, a whole series of by-laws was issued, the fundamental ones being the Regulation "On the protection of information in the payment system" of 13.06.2012 No. 584 and, on the Bank of Russia's side, the Regulation "On the requirements for ensuring information protection when making money transfers ..." of 09.06.2012 No. 382-P.

With the update of 382-P, the emphasis of protection has now shifted towards:

  • the use of ATMs and payment terminals;
  • the use of plastic payment cards;
  • the use of the Internet (remote banking systems (DBO) and mobile banking systems);
  • requirements for the procedure for developing and distributing specialized software intended for use by the client when transferring funds;
  • which is very welcome, expanded requirements for informing customers about the possible risks of unauthorized access to protected information and the recommended measures to reduce them;
  • the requirement to classify ATMs and payment terminals, the results of which must be taken into account when choosing protection measures;
  • procedures for the money transfer operator to suspend a payment when signs of fraudulent actions are detected;
  • protection procedures against modern security threats are provided for, such as skimming (by using specialized means that prevent unauthorized reading of payment card tracks), protection of services located on the Internet from external attacks (DoS attacks), and phishing protection (from falsified Internet resources);
  • the requirement to use payment cards equipped with a microprocessor from 2015, and a prohibition on issuing cards without a microprocessor after January 1, 2015;
  • 29 new evaluation indicators.

Information Security of Payment Systems

A similar situation applies to plastic cards. In the world community, the recognized security standard is the Payment Card Industry Data Security Standard (PCI DSS), developed by the PCI SSC council, which includes card brands such as Visa, MasterCard, American Express, JCB and Discover.

The PCI DSS standard describes the requirements for protecting cardholder data, grouped into twelve thematic sections. The main focus of PCI DSS is on securing the network infrastructure and protecting stored cardholder data, as the most vulnerable in terms of confidentiality threats. It should also be noted that the standard regulates the rules for the secure development, support and operation of payment systems, including procedures for their monitoring. An equally important role is given to developing and maintaining the regulatory document base of the information security management system.

International payment systems oblige organizations subject to the standard's requirements to undergo regular verification of compliance with them, which sooner or later may affect the NSPK. However, the certification of Russian banks against the foreign PCI DSS standard has proceeded rather slowly, and there is no domestic counterpart today.

However, by fulfilling the requirements of 382-P and the latest edition, STO BR IBBS-2014, it is possible to prepare to a large extent for PCI DSS certification, because many of its provisions intersect with the requirements of the domestic document: antivirus protection, encryption, filtering with firewalls, access control, tracking of communication sessions, as well as monitoring, auditing and management of the IB system (see Figure 5).

Figure 5. Comparison of the categories of protected information by various standards (according to the Ural Security System Center, www.usssc.ru, 2014)

Unlike all foreign standards, the Russian 382-P is designed to stimulate domestic developers and manufacturers of information protection tools (SZI), for example by obliging NPS subjects to ensure the use of tools for protection against unauthorized access, including those that have passed the compliance assessment procedure in the prescribed manner. At the same time, the use of foreign-made solutions is expressly permitted.

Moreover, the Bank of Russia is strengthening its control over compliance with the established rules. Its Directive No. 2831-U of 09.06.2012 "On reporting on ensuring the protection of information in payment systems ..." explicitly indicates in what form and with what frequency payment system subjects must report on the state of information security in payment systems.

Despite the popularity and wide spread of PCI DSS, there are other international security standards for card systems that are worth mentioning briefly. One of them is the PCI PA-DSS standard (Payment Application Data Security Standard), which defines requirements for applications processing cardholder data and for the process of their development. The second, the Payment Card Industry PIN Transaction Security (PCI PTS) standard, formerly PCI PED, relates to manufacturers, specifying the technical parameters and control system for devices that support PIN entry and are used to carry out payment transactions.

Conclusions

STO BR IBBS is a very important milestone on the evolutionary path of the domestic information security system. It is one of the first industry standards adapted to Russian reality. Of course, it is not a panacea for all troubles; there are still many problems that specialists are struggling with, but this is the first and very successful experience bringing us closer to the benchmarks of the best foreign practice.

By following the requirements of the standard, many banks prepare themselves for international PCI DSS certification of payment system security and ensure personal data protection in accordance with the latest requirements of the regulators. The annual internal audit makes it possible to objectively check the protection of banks against substantial IB risks and threats, and lets managers plan the construction and management of a comprehensive protection system more efficiently.

We hope that the existing shortcomings and obvious mistakes will be corrected in the following editions, the release of which is not far off. In the spring of 2015 we expect an updated 382-P, and changes in the STO BR IBBS complex may well follow. For now we can content ourselves with the October release of the TC 122 "Standard of Financial Operations", and not forget that however good the efforts of higher authorities are, our security is still in our own hands!

Volga State University of Service

Alshanskaya Tatyana Vladimirovna, Candidate of Pedagogical Sciences, Associate Professor, Department of Applied Informatics in Economics, Volga State University of Service

Annotation:

This article reflects the current state of methods of information protection in the banking sector and the prospects for its development. The article discloses the main threats to the information security of banks and the measures for protecting information in a bank that must be carried out to create an effective protection system.

This article reflects the current state of methods of protection of information in the banking sector and its development prospects. The article covers the main threats to information security of banks and presents measures to protect the information in the bank, to be carried out to create an effective system of protection.

Keywords:

bank; information security; protection of information.

information safety; information security.

UDC 338.14.

Any bank's activity directly depends on how fast the exchange of information within it is and on how reliable its information security system is. The consequences of an undeveloped banking infrastructure are catastrophic: the bank can lose not only its customer base but also its customers' trust. Facing this task led to the formation of the latest concepts for the protection of information, developed in the conditions of credit institutions. Thus, the study of information protection systems in the banking sector is a relevant task.

According to Art. 19 of the Federal Law "On Information, Information Technologies and Information Protection" of 27.07.2006 No. 149-FZ, information protection is the adoption of legal, organizational and technical measures aimed at: protecting information from unlawful access, destruction, modification, blocking, copying, provision, distribution and other illegal actions regarding such information; maintaining the confidentiality of restricted-access information; and implementing the right of access to information.

The protection of banking data involves implementing a single set of measures, from an audit of information protection to the formation of protection concepts for various banking services. Experts in this field are ready to build both an independent security module and a complete, concentrated concept of a data protection system.

In implementing the basic functions of an information protection service, tasks arise whose solution is poorly amenable to formalization. In this case, the methods of systems theory and system analysis aimed at activating the intuition and experience of specialists can be used.

One of the methods of protecting the bank's information is controlling the passage and registration of secret information. The most significant part of this problem is establishing highly secure alternatives for exchanging files within the bank.

To protect the bank's information, identification concepts characterizing the availability of data access rights are used. For this purpose, a password system is used to enter the bank's local network. Passwords can be chosen by the user, generated by the system, or assigned to the user by the security manager. In addition, there are plastic access cards with a chip. With the help of a special algorithm, the system encodes and stores the individual data of a specific user. Electronic keys operate on contact with the mechanism on the doors installed in secure rooms, in server rooms and on user PCs.

The protection of the bank's information will work reliably only if the system of external threats is identified in a timely manner. The following types of information threats are distinguished in the external environment of the system (Table 1).

Table 1. Types of information threats in the external environment

- violation of physical integrity: destruction or damage of elements;
- violation of logical integrity: destruction of logical connections;
- modification of content: changing information blocks, external imposition of false information;
- violation of confidentiality: breaking the protection, reducing the degree of security of information;
- violation of ownership of information: unauthorized copying.

The planning of data protection systems for a company should help reduce the likely adverse consequences related to the use of information technologies and guarantee the possibility of achieving the key goals and objectives of the credit institution. Building models when designing or upgrading a data protection system in banks is a natural means of solving analysis and design problems with the smallest costs and significant returns. Banks use an information security violator model, which includes:

  1. A description of information security violators;
  2. A classification of information security violators;
  3. A description of the experience and knowledge of the intruders;
  4. A description of the resources available to them that are required to implement a threat;
  5. A description of the possible motivation of the intruder's actions;
  6. The ways in which the specified violators can implement information security threats.

To build a violator model, information is collected from the security service, the risk units and the internal control service of the bank on the existing means of accessing and processing information, on possible methods of intercepting data at the stages of transfer, processing and storage, on the situation in the team and at the protected object, on competitors and the market situation, on cases of information theft, and the like.

In addition, the real technical capabilities of the offender to influence the protection concept or the protected object are estimated. Technical capabilities are understood as the list of various technical means that the offender may have at their disposal during operations directed against the information protection system.

Finally, it should be noted that the effective use of models is permissible only with high-quality source data needed to describe the models when solving protection tasks. The fact is that the overwhelming majority of source data has a high degree of uncertainty. For this reason, it is necessary not to simulate the necessary data but to regularly assess and refine them.

Bibliographic list:


1. Alshanskaya, T. V. Application of system analysis methods by information security experts [Text] / T. V. Alshanskaya // Information Systems and Technologies: Management and Security: collected articles of the III International Correspondence Scientific and Practical Conference / Volga State University of Service. - Tolyatti: PVGUS Publishing House, 2014. - 348 p.
2. Trofimova, V. V. Information systems and technologies in the economy and management [Text] / V. V. Trofimova. - M.: Yurait, 2012. - 521 p.
3. Federal Law "On Information, Information Technologies and Information Protection" of 27.07.2006 No. 149-FZ.

Banking activities have always been associated with the processing and storage of a large amount of confidential data. First of all, this is personal data on clients, their deposits and all the operations carried out.

All commercial information stored and processed in credit organizations is subject to a wide variety of risks associated with viruses, hardware failures, operating system failures, etc. But these problems are not able to inflict serious damage. Daily backup of data, without which the operation of any enterprise's information system is unthinkable, reduces the risk of irrevocable loss of information to a minimum. In addition, methods of protection against the listed threats are well developed and widely known. Therefore, the risks associated with unauthorized access (NSD) to confidential information come to the fore.

Unauthorized access is a reality

Today three methods of stealing confidential information are the most common. The first is physical access to the places where it is stored and processed. There are many variants here. For example, attackers may break into a bank office at night and steal the hard drives holding all the databases. Even an armed robbery whose goal is not money but information cannot be ruled out. Nor is the situation excluded where a bank employee himself carries a storage medium out of the premises.

Second, the use of backups. In most banks the backup system for important data is built on tape drives: copies are written to magnetic tapes, which are then stored in a separate location. Access to these tapes is regulated much more loosely. While they are being transported and stored, a relatively large number of people can make copies of them. The risks associated with backups of confidential data should not be underestimated. For example, most experts are confident that the databases of the Central Bank of the Russian Federation were stolen in 2005 via copies from magnetic tapes. There are many similar incidents in world practice. In particular, in September last year the staff of Chase Card Services (a division of JPMorgan Chase & Co.), a credit card supplier, mistakenly discarded five magnetic tapes with backups containing information on 2.6 million Circuit City credit account holders.

Third, the most likely route for leaks of confidential information is unauthorized access by bank employees. When access rights are separated using only the standard tools of the operating system, users can often, indirectly (with the help of certain software), copy the databases they work with in their entirety and take them out of the company. Sometimes employees do this without any malicious intent, simply to work with the information at home. Nevertheless, such actions are a serious security violation, and they can become (and do become!) the reason confidential data is made public.

In addition, every bank has a group of people with elevated privileges on the local network: the system administrators. On the one hand, these privileges are necessary for them to perform their official duties. On the other hand, they have the ability to access any information and to cover their tracks.

Thus, a system for protecting banking information from unauthorized access should consist of at least three subsystems, each providing protection against its own type of threat: a subsystem protecting against physical access to data, a backup security subsystem and an insider protection subsystem. It is advisable not to neglect any of them, since each of these threats can lead to the disclosure of confidential data.

Is the law not written for banks?

Currently the activities of banks are regulated by the Federal Law "On Banks and Banking Activities". Among other things, it introduces the concept of "banking secrecy". According to it, every credit institution is obliged to ensure the confidentiality of all data on customer deposits. It bears liability for their disclosure, including compensation for damage caused by a leak. At the same time, no requirements are placed on the security of bank information systems. This means that banks take all decisions on protecting commercial data independently, based on the experience of their own specialists or of third-party companies (for example, those carrying out an information security audit). The only recommendation is the Standard of the Central Bank of the Russian Federation "Ensuring the Information Security of Organizations of the Banking System of the Russian Federation. General Provisions". It first appeared in 2004, and a new version was adopted in 2006. Existing Russian and international information security standards were used in creating and refining this departmental document.

The Central Bank of the Russian Federation can only recommend it to other banks; it cannot insist on mandatory implementation. In addition, the standard contains few clear requirements that would determine the choice of specific products. It is certainly important, but at the moment it has no serious practical value. For example, here is what it says about certified products: "... certified or authorized tools for protecting information from NSD may be used." The corresponding list is missing.

The standard also lists requirements for the cryptographic means used to protect information in banks, and here the definition is already more or less clear: "Cryptographic information protection means (SKZI) ... should be implemented on the basis of algorithms that meet the national standards of the Russian Federation, the terms of the contract with the counterparty and/or the organization's standards." Whether a cryptographic module conforms to GOST 28147-89 can be confirmed by certification. Therefore, when encryption systems are used in a bank, it is desirable to employ software or hardware cryptographic providers certified by the FSB of the Russian Federation, that is, external modules that plug into the software and perform the actual encryption.

In July last year the Federal Law of the Russian Federation "On Personal Data" was adopted; it came into force on January 1, 2007. Some experts expected it to bring more specific requirements for banking protection systems, since banks are among the organizations that process personal data. However, the law, while undoubtedly very important in general, is not applicable in practice today. The problem is the absence of standards for protecting personal data and of bodies that could monitor compliance with them. So it turns out that at present banks are free to choose their systems for protecting commercial information.

Physical Access Protection

Banks have traditionally paid a great deal of attention to the physical security of operating offices, vaults, branches, etc. All this reduces the risk of unauthorized access to commercial information through physical access. However, the bank offices and technical rooms that host servers usually do not differ in their degree of protection from the offices of other companies. Therefore, to minimize the risks described, a cryptographic protection system must be used.

Today there are a large number of utilities on the market that encrypt data. However, the peculiarities of data processing in banks impose additional requirements on them. First, the cryptographic protection system should implement the principle of transparent encryption: with it, the data in storage is always held only in encrypted form. In addition, this technology minimizes routine operating costs, since there is no need to decrypt and re-encrypt the data every day. Access to the information goes through special software installed on the server, which automatically decrypts information when it is accessed and encrypts it before it is written to the hard disk. These operations take place directly in the server's RAM.

Second, bank databases are very large. Thus the cryptographic protection system should work not with virtual disks but with real partitions of hard drives, RAID arrays and other server storage, for example SAN storage. The reason is that container files, which can be attached to the system as virtual disks, are not intended for large volumes of data. When a virtual disk created from such a file is large, a significant drop in read and write speed can be observed even when only a few people access it at the same time, and the work of several dozen people with a large container file can turn into real torment. It must also be borne in mind that such objects are at risk of damage from viruses, file system failures, etc.: in essence they are ordinary files, only very large ones, and even a small change to them can make it impossible to decrypt all the information they contain. Both of these mandatory requirements significantly narrow the circle of suitable protection products; in fact there are only a few such systems on the Russian market today.

It is not necessary to consider the technical features of server systems for cryptographic protection of information in detail, since we have already compared these products in one of our past issues (Stolyarov N., Davletkhanov M. UTM-Protection). But it is worth noting some features of such systems that are desirable for banks. The first is connected with the already mentioned certification of the cryptographic module in use. Most banks already have the corresponding software or hardware, so the server protection system must provide for connecting to and using it. The second special requirement for the information protection system is the possibility of integrating it with the physical security system of the office and/or server room. This allows information to be protected from unauthorized access connected with theft, break-ins, etc.

Particular attention in banks should be given to the safekeeping of information, since it is in effect customers' money. Therefore the protection system must provide special capabilities for minimizing the risk of its loss. One of the most notable is a function for detecting bad sectors on the hard disk. Even more important is the ability to suspend and cancel the processes of initial disk encryption, decryption and re-encryption. These are rather lengthy procedures, and any failure during them threatens the complete loss of all data.

The human factor has a very large impact on the risks associated with unauthorized access to confidential information. Therefore it is desirable that the protection system provide a way to reduce this dependence. This is achieved by using reliable storage for encryption keys: smart cards or USB keys. The best option is for these tokens to be included with the product, which not only optimizes costs but also guarantees full compatibility of software and hardware.

Another important feature that minimizes the influence of the human factor on the reliability of the protection system is a key quorum. Its essence is that the encryption key is divided into several parts, each of which is entrusted to one responsible employee. To mount the encrypted disk, a given number of parts is required, and this number may be less than the total number of parts. This approach protects data from misuse by the responsible employees themselves while providing the flexibility needed for work.
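
The key quorum just described is a threshold secret-sharing scheme. The following is an added example (not code from the article or from any product it mentions) implementing it as Shamir's (k, n) sharing over a prime field: a 256-bit volume key is split into five parts so that any three reconstruct it. The prime, the key length and the share counts are assumptions chosen for illustration.

```python
"""Key quorum for an encrypted disk via Shamir's (k, n) secret sharing.

Added example: not code from the article or any product it describes.
The field prime, key size and the 3-of-5 officer scenario are constructed.
"""
import secrets

# Mersenne prime 2^521 - 1: comfortably holds a 256-bit disk key as a field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + a_{k-1}*x^(k-1) at x modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` parts; any `threshold` of them reconstruct it.

    The key is the constant term a0 of a random polynomial of degree threshold-1;
    part i is the point (i, P(i)). Fewer than `threshold` points reveal nothing
    about a0, so a single responsible employee cannot mount the disk alone.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(parts, key_len: int) -> bytes:
    """Recover the key from a quorum of parts by Lagrange interpolation at x = 0.

    With fewer than `threshold` parts the interpolated value is essentially random:
    it will not fit `key_len` bytes or will decrypt nothing. A caller must treat a
    wrong key exactly like a missing one and refuse to mount the disk.
    """
    xs = [x for x, _ in parts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate part presented")
    secret = 0
    for xi, yi in parts:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > 8 * key_len:
        raise ValueError("parts do not reconstruct a key of this length (below quorum?)")
    return secret.to_bytes(key_len, "big")


def quorum_demo():
    """Constructed scenario: 3 of 5 officers must be present to mount the disk."""
    disk_key = secrets.token_bytes(32)                  # constructed 256-bit volume key
    parts = split_key(disk_key, threshold=3, shares=5)
    full = recover_key([parts[0], parts[2], parts[4]], 32) == disk_key
    try:
        short = recover_key(parts[:2], 32) == disk_key  # only two officers present
    except ValueError:
        short = False
    return full, short


if __name__ == "__main__":
    full, short = quorum_demo()
    print("3 of 5 parts recover the key:", full)
    print("2 of 5 parts recover the key:", short)
```

Because parts are points on a random polynomial, re-issuing a departed employee's share means generating a fresh polynomial for the same key and redistributing all parts, not copying the old one.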

Backup protection

Regular backup of all the information stored in a bank is an absolutely necessary measure. It significantly reduces losses in the event of problems such as virus damage, hardware failure, etc. At the same time, it increases the risks associated with unauthorized access. Practice shows that the media on which backups are written should be stored not in the server room but in another room or even another building; otherwise, in a fire or another serious incident, both the data and their archives may be lost irretrievably. Backup copies can be reliably protected from unauthorized use with cryptography. In that case the security officer, keeping the encryption key to himself, can calmly hand the media with the archives over to technical staff.

The main difficulty in organizing cryptographic protection of backups is the need to separate the duties of managing data archiving. The backup process itself should be configured and run by a system administrator or another technical employee, while the encryption of the information should be managed by a responsible employee, the security officer. It must be understood that in the overwhelming majority of cases backups run automatically. This problem can be solved only by "embedding" the cryptographic protection system between the backup management system and the devices that write the data (tape drives, DVD drives, etc.).

Thus, for cryptographic products to be usable in banks, they must also be able to work with the various devices used to write backups to media: tape drives, CD and DVD drives, removable hard disks, etc.

Today there are three types of products designed to minimize the risks associated with unauthorized access to backups. The first is special hardware devices. Such hardware solutions have many advantages, including reliable encryption and high speed. However, they have three significant disadvantages that prevent their use in banks. First, very high cost (tens of thousands of dollars). Second, possible problems with import into Russia (one must not forget that cryptographic means are involved). The third drawback is the impossibility of connecting external certified cryptographic providers to them: these boards work only with encryption algorithms implemented at the hardware level.

The second group of cryptographic protection systems for backups consists of modules offered by the developers of backup software and hardware. They exist for all the best-known products in this area: ArcServe, Veritas Backup Exec and others. They too have their peculiarities, the most important being that they work only with "their own" software or drive. Meanwhile, a bank's information system is constantly evolving, and it is quite possible that replacing or expanding the backup system will require additional spending to modify the protection system. In addition, most products of this group implement old, slow encryption algorithms (for example 3DES), have no key management tools and offer no possibility of connecting external cryptographic providers.

All this forces close attention to the cryptographic backup protection systems of the third group. It includes specially designed software, software-and-hardware and hardware products that are not tied to a specific data archiving system. They support a wide range of recording devices, which allows them to be used throughout the bank, including all its branches. This ensures uniformity of the tools used and minimizes operating costs.

True, it should be noted that, despite all their advantages, rather few products of the third group are present on the market. This is most likely due to the lack of strong demand for cryptographic backup protection systems. As soon as the management of banks and other large organizations recognizes the reality of the risks associated with archiving commercial information, the number of players in this market will grow.

Protection against insiders

Recent research in the field of information security, such as the annual CSI/FBI Computer Crime and Security Survey, shows that companies' financial losses from most threats are decreasing year on year. However, there are several risks whose losses are growing. One of them is the deliberate theft of confidential information, or violation of the rules for handling it, by employees whose access to commercial data is necessary for their official duties. They are called insiders.

In the overwhelming majority of cases, confidential information is stolen using removable media: CDs and DVDs, ZIP drives and, most of all, USB drives of every kind. It is their mass distribution that has led to the flourishing of insider theft worldwide. The managers of most banks understand perfectly what it could mean if, for example, a database of their customers' personal data or, worse, of the transactions on their accounts ended up in the hands of criminal structures. And they try to combat the likely theft of information with the organizational methods available to them.

However, organizational methods are ineffective in this case. Today information can be transferred between computers using a miniature flash drive, a cell phone, an MP3 player, a digital camera... Of course, one can try to ban all these devices from the office, but, first, this will harm relations with employees, and second, establishing really effective control over people is still very difficult: a bank is not a secret "mailbox" facility. Even disabling on computers every device that can write information to external media (floppy and ZIP drives, CD and DVD drives, etc.) as well as the USB ports will not help. After all, the former are needed for work, and the latter have various peripherals connected to them: printers, scanners, etc. Nothing prevents a person from disconnecting the printer for a minute, inserting a flash drive into the freed port and copying important information to it. One can, of course, find original ways of protection. For example, one bank tried the following approach: the USB port connections and the cables were filled with epoxy resin, firmly "tying" the latter to the computer. Fortunately, today there are more modern, reliable and flexible control methods.

The most effective means of minimizing insider risks is special software that dynamically controls all the devices and ports of a computer that could be used to copy information. Its principle of operation is as follows: for each user group, or for each user, permissions are set for using the various ports and devices. The greatest advantage of such software is its flexibility. Restrictions can be imposed on specific types of devices, on particular models and on individual instances, which makes it possible to implement very complex access policies.

For example, some employees can be allowed to use any printers and scanners connected to USB ports, while all other devices inserted into those ports remain inaccessible. If the bank uses a token-based authentication system, the specific keys in use can be listed in the settings; then users will be able to use only the devices purchased by the company, and all others will be useless.

From the principle of operation of the protection systems described above, one can see what matters when choosing programs that implement dynamic blocking of a computer's drives and ports. First, universality: the protection system should cover the entire spectrum of possible ports and I/O devices, otherwise the risk of theft of commercial information remains unacceptably high. Second, the system should be flexible and allow rules to be built from many kinds of information about devices: their types, models, manufacturers, the unique numbers each instance carries, etc. And third, the insider protection system should integrate with the bank's information system, in particular with Active Directory. Otherwise the administrator or security officer will have to maintain two databases of users and computers, which is not only inconvenient but also increases the risk of errors.
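
The rule model sketched in the last three paragraphs (permissions per user or group, at the level of device type, model or individual instance, with only company-issued tokens accepted) can be written out as a small policy evaluator. This is an added example, not code from the article or from any vendor's product; the Device/Rule model, the group names, the vendor and model codes and the serial numbers are all constructed for illustration.

```python
"""Dynamic device/port control: rule evaluation for attached devices.

Added example, not code from the article or any product it mentions. The
Device/Rule model, group names, vendor/model codes and serials are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Attributes a rule may constrain, from coarse (bus) to unique (serial).
ATTRS = ("bus", "dev_class", "vendor", "model", "serial")


@dataclass(frozen=True)
class Device:
    """What the operating system reports when a device is attached."""
    bus: str        # e.g. "usb"
    dev_class: str  # "storage", "printer", "scanner", "token", ...
    vendor: str     # manufacturer identifier
    model: str      # model identifier
    serial: str     # unique number of this particular instance


@dataclass(frozen=True)
class Rule:
    """Allow/deny rule. A None attribute is a wildcard; empty groups = every user."""
    allow: bool
    groups: FrozenSet[str] = frozenset()
    bus: Optional[str] = None
    dev_class: Optional[str] = None
    vendor: Optional[str] = None
    model: Optional[str] = None
    serial: Optional[str] = None

    def matches(self, dev: Device, user_groups: FrozenSet[str]) -> bool:
        if self.groups and not (self.groups & user_groups):
            return False
        return all(getattr(self, a) in (None, getattr(dev, a)) for a in ATTRS)

    def specificity(self) -> int:
        """Instance rules beat model rules beat class rules; group-scoped beats global."""
        return sum(getattr(self, a) is not None for a in ATTRS) + bool(self.groups)


def decide(dev: Device, user_groups: FrozenSet[str], rules: List[Rule]) -> Tuple[bool, str]:
    """Default deny. The most specific matching rule wins; on a tie, deny wins.

    The returned string is meant for the audit log, so every blocked attempt to
    attach a storage device is visible to the security officer.
    """
    matching = [r for r in rules if r.matches(dev, user_groups)]
    if not matching:
        return False, "deny: no matching rule (default deny)"
    best = max(matching, key=lambda r: (r.specificity(), not r.allow))
    return best.allow, f"{'allow' if best.allow else 'deny'}: {best}"


# Constructed policy for the scenario in the text.
BANK_TOKEN = dict(vendor="0a89", model="t100")      # the company-issued token model
BANK_TOKEN_SERIALS = ("TK-000101", "TK-000102")     # inventoried instances

POLICY = [
    Rule(allow=True, bus="usb", dev_class="printer"),   # any USB printer or scanner
    Rule(allow=True, bus="usb", dev_class="scanner"),
    Rule(allow=False, bus="usb", dev_class="storage"),  # no USB mass storage ...
    Rule(allow=True, groups=frozenset({"backup-ops"}),  # ... except one inventoried drive
         bus="usb", dev_class="storage", serial="BK-7731"),
    Rule(allow=False, bus="usb", dev_class="token"),    # tokens: only the bank's own units,
    *[Rule(allow=True, bus="usb", dev_class="token", serial=s, **BANK_TOKEN)
      for s in BANK_TOKEN_SERIALS],                     # not any token of the same model
]


if __name__ == "__main__":
    teller = frozenset({"tellers"})
    for dev in (Device("usb", "storage", "0781", "cruzer", "X-1"),
                Device("usb", "token", "0a89", "t100", "TK-000101"),
                Device("usb", "token", "0a89", "t100", "TK-999999")):
        print(dev.serial, "->", decide(dev, teller, POLICY)[1])
```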

Let's sum up

So, today there are products on the market with which any bank can build a reliable system for protecting information from unauthorized access and misuse. True, one must be very prudent in choosing them. Ideally, this should be done by the bank's own specialists of the appropriate level. Engaging outside companies is also acceptable; however, in that case the bank may be skillfully sold not the software that suits it, but the software that benefits the supplier. Besides, the domestic consulting market in the field of information security is still in its infancy.

Meanwhile, making the right choice is fairly simple: it is enough to arm oneself with the criteria listed above and study the security systems market carefully. But there is one pitfall to remember. Ideally, a bank's information security system should be unified, that is, all subsystems should be integrated into the existing information system and, preferably, have common management. Otherwise, growing labour costs for administering the protection and growing risks from management errors are inevitable. Therefore, to build all three subsystems described above, it is better to choose products issued by one developer. Today there are companies in Russia that create everything needed to protect bank information from unauthorized access.

The information security strategy of banks differs greatly from the similar strategies of other companies and organizations. This is primarily due to the specific nature of the threats, as well as to the public activity of banks, which are forced to make access to accounts fairly easy for the convenience of their customers.

An ordinary company builds its information security around only a narrow circle of potential threats, mainly protecting information from competitors (in Russian realities the main task is to protect information from the tax authorities and the criminal community, in order to reduce the likelihood of uncontrolled growth of tax payments and racketeering). Such information is of interest only to a narrow circle of interested parties and organizations and is rarely liquid, i.e. convertible into money.

The information security of the bank must take into account the following specific factors:

1. The information stored and processed in banking systems is real money. On the basis of computer data, payments can be made, loans opened and significant sums transferred. It is clear that illegal manipulation of such information can lead to serious losses. This feature sharply expands the circle of those with an interest in attacking banks (in contrast to, for example, industrial companies, whose internal information is of little interest to anyone).

2. Information in banking systems affects the interests of a large number of people and organizations, the bank's customers. As a rule, it is confidential, and the bank is responsible for providing the required degree of secrecy to its customers. Naturally, customers have the right to expect the bank to look after their interests; otherwise it risks its reputation, with all the consequences that follow.

3. A bank's competitiveness depends on how convenient it is to work with and on how wide the range of services it provides, including services involving remote access. Therefore the client should be able to dispose of his money quickly and without tedious procedures. But such ease of access to money increases the likelihood of criminal penetration into banking systems.

4. The information security of a bank (unlike that of most companies) should ensure high reliability of computer systems even in emergency situations, since the bank is responsible not only for its own funds but also for its customers' money.

5. The bank stores important information about its clients, which expands the range of potential intruders interested in stealing or damaging such information.

Crimes in the banking sector also have their own characteristics:

    Many crimes committed in the financial sphere remain unknown to the general public because bank managers do not want to alarm their shareholders; they are afraid of exposing their organizations to new attacks, of losing their reputation as a reliable custodian of funds and, as a result, of losing customers.

    As a rule, attackers use their own accounts, to which the stolen sums are transferred. Most criminals do not know how to "launder" stolen money. The ability to commit a crime and the ability to get the money are not the same thing.

    Most computer crimes are small. The damage from them lies in the range of $10,000 to $50,000.

    Successful computer crimes, as a rule, require a large number of banking operations (up to several hundred). However, large sums can also be sent in just a few transactions.

    Most attackers are clerks. Although the bank's top personnel can also commit crimes and do the bank far more damage, such cases are isolated.

    Computer crimes are not always high-tech. It is enough to falsify data, change parameters of the ASOIB environment, etc., and such actions are within the reach of ordinary service personnel as well.

    Many attackers explain their actions by saying they were only borrowing from the bank and intended to return the money. However, the "return" as a rule never happens.

The specifics of protecting automated systems for processing bank information (ASOIB) stem from the features of the tasks they solve:

    An ASOIB usually handles a large stream of constantly incoming requests in real time, each of which does not require many resources to process, but which together can be handled only by a high-performance system;

    An ASOIB stores and processes confidential information not intended for the general public. Its falsification or leakage can lead to serious consequences (for the bank or its clients). Therefore an ASOIB is doomed to remain relatively closed, to work under the control of specific software and to pay great attention to ensuring its security;

    Another feature of an ASOIB is the increased requirements for the reliability of hardware and software. Because of this, many modern ASOIBs are built on a so-called fault-tolerant computer architecture, which makes it possible to process information continuously even in the presence of various faults and failures.

Two types of tasks solved by an ASOIB can be distinguished:

1. Analytical. This type includes planning tasks, account analysis, etc. They are not time-critical and may take a long time to solve, and their results may affect the bank's policy toward a particular client or project. Therefore the subsystem in which analytical tasks are solved must be reliably isolated from the main information processing system. Solving such tasks usually does not require powerful computing resources; 10-20% of the capacity of the whole system is usually enough. However, because of the possible value of the results, their protection must be permanent.

2. Routine. This type includes the tasks solved in everyday activity, first of all making payments and adjusting accounts. It is these tasks that determine the size and capacity of the bank's main system; solving them usually requires far more resources than analytical tasks. At the same time, the value of the information processed in such tasks is temporary: over time, the information about, for example, a particular payment loses its relevance. Naturally, this depends on many factors, such as the amount and time of the payment, the account numbers, additional attributes, etc. Therefore it is usually sufficient to protect the payment precisely at the moment it is executed, whereas the protection of the processing procedure and of the final results must be permanent.

Which measures for protecting information processing systems do foreign specialists prefer? This question can be answered using the results of a survey conducted by the DataPro Information Group in 1994 among banks and financial institutions:

    82% of respondents have a formulated information security policy. Compared with 1991, the percentage of organizations with a security policy grew by 13%.

    Another 12% of respondents plan to develop a security policy. The following trend is clearly visible: organizations with a large number of staff are more likely to have a developed security policy than organizations with a small number of staff. For example, according to this poll, only 66% of organizations with fewer than 100 employees have a security policy, whereas for organizations with more than 5,000 employees the share is 99%.

    In 88% of organizations with an information security policy there is a special division responsible for implementing it. In organizations without such a unit, these functions are mainly assigned to the system administrator (29%), the information system manager (27%) or the physical security service (25%). This means there is a tendency to separate the employees responsible for computer security into a dedicated division.

    In terms of protection, special attention is paid to protecting computer networks (90%), large computers (82%), recovering information after accidents and disasters (73%), protecting against computer viruses (72%) and protecting personal computers (69%).

The following conclusions can be drawn about the features of information protection in foreign financial systems:

    The main thing in the protection of financial organizations is prompt and, if possible, complete recovery of information after accidents and failures. About 60% of the financial organizations surveyed have a plan for such recovery, and in more than 80% of them it is revised annually. Protection of information against destruction is achieved mainly by creating backups and storing them off-site, using uninterruptible power supplies and organizing a "hot" hardware reserve.

    The next problem, just as important for financial organizations, is managing user access to stored and processed information. Various access control systems are widely used, and they can sometimes even replace antivirus software. Mainly purchased access control software is used. Moreover, financial institutions pay special attention to managing network users. However, certified access control tools are extremely rare (3%). This can be explained by the fact that certified software is difficult to work with and extremely expensive to operate, which in turn is because the certification criteria were developed with the requirements for military systems in mind.

    Distinctive features of the organization of computer network protection in financial institutions include the widespread use of standard (i.e. adapted, but not specifically designed for a particular organization) commercial software for network access control (82%) and protection of points of connection to the system via switched communication lines (69%). Most likely this is due to the greater prevalence of telecommunications in the financial sphere and the desire to protect against outside interference. Other protective methods, such as antivirus tools, end-to-end and link encryption of transmitted data and message authentication, are used to roughly the same extent and, with the exception of antivirus tools, by fewer than 50% of the surveyed organizations.

    Much attention in financial institutions is given to the physical protection of the premises in which computers are located (about 40%). This means that protecting computers from access by unauthorized persons is solved not only with software but also by organizational and technical means (guards, code locks, etc.).

    Local encryption of information is used by just over 20% of financial organizations. The reasons are the complexity of key distribution, stringent system performance requirements, and the need for prompt recovery of information in case of faults and equipment failures.

    Significantly less attention in financial organizations is given to protecting telephone lines (4%) and to using computers developed to the requirements of the TEMPEST standard (protection against information leakage via electromagnetic emanations and pick-up). Government organizations pay much more attention to countering information leakage via electromagnetic emanations and pick-up.

Analysis of the statistics allows an important conclusion: the protection of financial organizations (including banks) is organized somewhat differently from that of ordinary commercial and government organizations. Consequently, the technical and organizational solutions developed for standard situations cannot be applied unchanged to ASOIB protection. It is impossible to copy other people's systems mindlessly: they were designed for other conditions.

Since their appearance, banks have consistently attracted the interest of the criminal world. This interest is connected not only with the storage of funds in credit institutions, but also with the fact that banks concentrate important and often secret information on the financial and economic activities of many people, companies, organizations and even entire states. Today banking secrecy is protected by law alongside state secrets.

With the universal informatization and computerization of banking, the importance of bank information security has increased many times over. Thirty years ago, the object of information attacks was data on bank customers or on the activities of the bank itself. Such attacks were rare, the circle of those ordering them was very narrow, and the damage could be significant only in special cases. Today, as a result of the widespread spread of electronic payments, plastic cards and computer networks, the object of information attacks has become the money itself, both the banks' and their customers'. Anyone can attempt theft; all that is required is a computer connected to the Internet. And this does not require physically penetrating the bank: one can "work" thousands of kilometers away from it.

The services provided by banks today are largely based on electronic interaction between banks, between banks and their customers, and with trading partners. Access to banks is now possible from various remote points, including home terminals and office computers. This forces a move away from the "locked doors" concept characteristic of banks in the 1960s, when computers were mostly used in batch mode as an auxiliary tool and had no connection with the outside world.

Computer systems, without which no modern bank can operate, are a source of completely new, previously unknown threats. Most of these arise from the use of new information technologies in the banking business and are not peculiar to banks alone.

The level of automation plays an important role in a bank's activities and is therefore directly reflected in its position and income. Growing competition between banks makes it necessary to reduce settlement times, expand the range of services and improve their quality.

The less time settlements between the bank and its customers take, the higher the bank's turnover and, consequently, its profit. In addition, the bank can respond more quickly to changes in the financial situation. A wide range of bank services (above all, non-cash settlements between the bank and its clients using plastic cards) can significantly increase the number of its customers and, as a result, its profit. At the same time, the bank's ABS becomes one of the most vulnerable places in the whole organization, attracting intruders both from outside and from among the bank's own employees. To protect themselves and their customers, most banks take the necessary protective measures, among which protection of the ABS occupies one of the most important places. Protecting a bank's ABS is an expensive and complex undertaking: it requires not only significant one-time investments but also ongoing costs to keep the protection system at the proper level. On average, banks currently spend more than $20 million annually to maintain an adequate level of protection.

The information security strategy of banks differs greatly from the similar strategies of other companies and organizations. This is primarily due to the specific nature of the threats, as well as to the public activity of banks, which are forced to make access to accounts easy enough to be convenient for customers.

An ordinary company builds its information security based on a narrow range of potential threats, mainly protecting information from competitors (in Russian conditions the main task is protecting information from tax authorities and the criminal community, to reduce the likelihood of uncontrolled growth in tax payments and racketeering). Such information is of interest only to a narrow circle of stakeholders and organizations and is rarely liquid, i.e. convertible into money.

7.2. Bank Information Security Requirements

The information security of the bank must take into account the following specific factors:

  1. The information stored and processed in banking systems represents real money. Based on computer information, payments can be made, loans opened, and significant sums transferred. Clearly, illegal manipulation of such information can lead to serious losses. This feature sharply widens the circle of intruders targeting banks (as opposed to industrial companies, whose internal information is of interest to few).
  2. Information in banking systems affects the interests of a large number of people and organizations, the bank's customers. As a rule it is confidential, and the bank is responsible for providing its customers with the required degree of secrecy. Naturally, customers are entitled to expect the bank to take care of their interests; otherwise it risks its reputation with all the ensuing consequences.
  3. A bank's competitiveness depends on how convenient it is to work with it and how wide its range of services is, including services involving remote access. The client should therefore be able to dispose of his money quickly and without tedious procedures. But such ease of access to money increases the likelihood of criminal penetration into banking systems.
  4. Bank information security (unlike that of most companies) must ensure high reliability of computer systems even in emergencies, since the bank is responsible not only for its own funds but also for customers' money.
  5. The bank holds important information about its clients, which widens the circle of potential intruders interested in stealing or damaging such information.

Crimes in the banking sector also have their own characteristics:

  • Many crimes committed in the financial sector remain unknown to the general public, because bank executives do not want to alarm their shareholders, fear exposing their organization to new attacks, and fear for their reputation as a reliable custodian of funds and, as a result, losing customers.
  • As a rule, attackers use their own accounts, to which the stolen sums are transferred. Most criminals do not know how to "launder" stolen money. The ability to commit a crime and the ability to get the money are not the same thing.
  • Most computer crimes are small. The damage from them ranges from $10,000 to $50,000.
  • Successful computer crimes, as a rule, require a large number of banking transactions (up to several hundred). However, large sums can also be transferred in just a few transactions.
  • Most attackers are low-level bank employees, clerks. Although senior bank staff can also commit crimes and cause the bank much greater damage, such cases are isolated.
  • Computer crimes are not always high-tech. It is enough to falsify data, change the parameters of the ABS environment, etc., and such actions are available to service personnel as well.
  • Many attackers explain their actions by saying they only borrowed from the bank and intended to return the money. However, the "return", as a rule, never takes place.

The specifics of protecting banks' automated information processing systems (ABS) are determined by the features of the tasks they solve:

  • ABS handle a large stream of constantly incoming requests in real time, each of which does not require many resources to process, but together they can be processed only by a high-performance system.
  • ABS store and process confidential information not intended for the general public. Its falsification or leakage can lead to serious consequences (for the bank or its clients). Therefore ABS are bound to remain relatively closed, operate under the control of specific software, and pay great attention to their security.
  • Another feature of ABS is the increased requirements for the reliability of hardware and software. Therefore most modern ABS are built on a fault-tolerant computer network architecture that allows continuous information processing even under various failures and malfunctions.

Two types of tasks solved by ABS can be distinguished:

  1. Analytical. This type includes planning, account analysis, etc. These tasks are not operational and may take a long time to solve, and their results may affect the bank's policy toward a particular client or project. Therefore the subsystem in which analytical tasks are solved should be reliably isolated from the main information processing system and, given the possible value of the results, their protection must be permanent.
  2. Operational. This type includes tasks solved in everyday activity, above all making payments and adjusting accounts. They determine the size and capacity of the bank's main system; solving them usually requires far more resources than analytical tasks. At the same time, the value of the information processed in such tasks is temporary. Over time, information such as the execution of a given payment becomes irrelevant. Naturally, this depends on many factors, such as the amount and time of payment, the account number, additional characteristics, etc. Therefore it is usually enough to protect a payment precisely at the time of its execution. In this case the protection of the processing itself and of the end results should be permanent.

7.3. Methods for the protection of information in automated data processing systems

Protection of information in information systems (IS) means the regular use of tools and methods, the adoption of measures and the implementation of activities in order to systematically maintain the required reliability of stored and processed information. Reliability of information is an integral indicator characterizing the quality of information in terms of physical integrity (absence of distortion or destruction of its elements), trustworthiness (confidence that it has not been substituted) and security (absence of its unauthorized receipt and copying).

The integral components of information security are:

  • organizational security measures;
  • physical security measures: guarding and protection of buildings, premises, computers, transported documents, etc.;
  • hardware security: ensuring reliable operation of computers and network equipment;
  • communication channel security: protecting communication channels from external influences;
  • security of software and mathematical support: protection against viruses, hackers and malicious programs that carry off confidential information.

It is known that 80% of crimes involving theft, damage or distortion of information are committed with the participation of company employees. Therefore the most important task of management, the personnel department and the security service is careful selection of employees, distribution of powers and construction of a system of access to elements of information, as well as control of employee discipline and behavior and creation of a healthy moral climate in the team.

Organizational means of information protection are special organizational, technical and legal measures carried out in the process of creating and operating a system in order to ensure information protection.

Legislative means of information protection are legislative acts that regulate the use and processing of information and restrict access to it, and that establish responsibility and sanctions for violating these rules.

Technical means are divided into physical (locks, grilles, alarm systems, etc.) and hardware (locks, blocking devices, alarms and other devices used directly on computing equipment and data transmission facilities). Software means of information protection are special protection tools built into the system software that, independently or together with other means, protect information in the system.

Software information security tools:

  1. Software for user identification and determination of their authority.
  2. Software for terminal identification.
  3. Software for file protection.
  4. Software for protection of the OS, the computer and user programs.
  5. Auxiliary programs for various purposes.

Cryptographic means of information protection are special methods of encoding, encryption or other transformation of information, as a result of which its content becomes inaccessible without presenting certain special information and performing the reverse transformation. The use of cryptographic methods has become especially relevant with the transfer of large volumes of state, military, commercial and private information over open networks. Given the high cost of damage from loss, disclosure and distortion of information stored in databases and transmitted over local networks, it is recommended to store and transmit information in encrypted form.

A cryptographic system is a family of algorithms for transforming plaintext into ciphertext.

An alphabet is a finite set of symbols used to encode information. Examples of alphabets used in modern information systems:

  • alphabet Z33: 32 letters of the Russian alphabet and the space;
  • alphabet Z256: symbols included in the standard ASCII codes;
  • binary alphabet: Z2 = {0, 1}.

Encryption is the transformation of the source text, using a key, into the encrypted text T. A key is a replaceable cipher element applied to encrypt a specific message. Encryption also uses the concept of a "cipher gamma": a pseudo-random numerical sequence generated by a given algorithm for encrypting plaintext and decrypting ciphertext.

By the nature of key use, known cryptosystems are divided into two types: symmetric (single-key, with a secret key) and asymmetric (public-key).

In the first case, the same key is used in the sender's encoder and the recipient's decoder. The encoder produces a ciphertext that is a function of the plaintext, the specific form of the encryption function being determined by the secret key. The recipient's decoder performs the reverse transformation in the same way. The secret key is kept secret and is transmitted by the sender to the recipient over a protected channel that excludes interception of the key by an adversary's cryptanalysts.

Encryption is carried out by substitution and permutation methods. The simplest, yet unbreakable, encryption replaces text symbols with random characters or numbers. In this case the key length must match the text length, which is inconvenient for large volumes of information. The key is used once and then destroyed, which is why this method is called "one-time pad" encryption.

In practice, encryption is performed in binary code using short keys: in the international DES standard (Data Encryption Standard), which works with 64-byte data blocks (1998), and in GOST 28147-89 with 256 bytes, which provides considerably greater cryptographic strength. From the short key the computer creates a long key gamma using one of several algorithms set out in the DES or GOST encryption standards. The algorithms for creating the gamma (gamming) are based on a series of substitutions and shifts, possibly using the ciphertext as well. The encryption algorithms are not secret; only the keys are secret. For distributing the keys the following technology is commonly used: first-rank keys are delivered by couriers, and under them the second-rank keys used to encrypt documents are encrypted and transmitted over the networks.
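As an added illustration of the gamma and one-time-pad ideas in the three paragraphs above (example code written for this page, not taken from DES, GOST 28147-89 or any bank's ABS): a short key is expanded into a long gamma with a SHA-256 counter construction assumed here as a stand-in for the standards' gamming, the text is XORed with it, and the last function shows why the text insists that a gamma or pad be used only once.

```python
import hashlib
import secrets


def make_gamma(key: bytes, length: int) -> bytes:
    """Expand a short key into a pseudo-random 'gamma' of the requested length.

    Illustrative counter-mode construction over SHA-256 (hash of key || counter);
    it is NOT the gamming algorithm of DES or GOST 28147-89, only a stand-in for
    'short key -> long gamma'.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def gamma_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Gamming cipher: ciphertext = plaintext XOR gamma(key)."""
    return xor_bytes(plaintext, make_gamma(key, len(plaintext)))


def gamma_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption regenerates the same gamma."""
    return xor_bytes(ciphertext, make_gamma(key, len(ciphertext)))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: the pad itself is the gamma.

    The pad must be truly random, at least as long as the text, and never reused.
    """
    if len(pad) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the text")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def new_pad(length: int) -> bytes:
    """Fresh random pad from the OS CSPRNG; destroy it after a single use."""
    return secrets.token_bytes(length)


def gamma_reuse_exposes(c1: bytes, c2: bytes) -> bytes:
    """Why a gamma must be used once: for two texts encrypted under the same gamma,
    c1 XOR c2 = p1 XOR p2. The gamma cancels out, so the relation between the two
    plaintexts is visible to anyone holding both ciphertexts, with no key at all."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    # Constructed sample messages (not real payment data).
    p1 = b"PAYMENT ORDER 1: 1000.00 RUB"
    p2 = b"PAYMENT ORDER 2: 2500.00 RUB"
    short_key = b"second-rank-key"  # constructed short key
    c1 = gamma_encrypt(p1, short_key)
    print(gamma_decrypt(c1, short_key) == p1)  # True

    pad = new_pad(len(p1))
    print(otp_encrypt(otp_encrypt(p1, pad), pad) == p1)  # True

    # Reusing the same gamma for p2 exposes p1 XOR p2 without any key.
    c2 = gamma_encrypt(p2, short_key)
    print(gamma_reuse_exposes(c1, c2) == xor_bytes(p1, p2))  # True
```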

The most modern encryption systems use asymmetric algorithms with public and secret keys, where the problem of safely transporting the key does not arise. Such systems include the RSA algorithm, named after its developers (Rivest-Shamir-Adleman: Ronald Rivest, Adi Shamir and Leonard Adleman, 1977), which is based on the factorization of large numbers into multipliers.

In asymmetric cryptosystems (public-key cryptosystems), the encryption and decryption algorithms use different keys, neither of which can be obtained from the other at an acceptable cost in time and other resources. One key is public and is used to encrypt information; the other is secret and is used for decryption, i.e. only the intended recipient can read the message, for example the head of a company receiving messages from its numerous agents.

Electronic signature systems are based on asymmetric encryption, but the secret key is held by the sender of messages, while the public key, created from the secret key by a mathematical transformation, is held by many. The public key can be transmitted together with the message. In this case, however, it is not the message that is encrypted but its hash function, obtained from the message by transforming it with a specific algorithm and occupying only a few bytes. Changing even one bit in the message text leads to a significant change in the hash function. The recipient can decrypt the encrypted hash function transmitted with the message, compute the hash function of the received message using the well-known algorithm, and compare the decrypted and recomputed hash functions. Their coincidence guarantees the integrity of the received document, i.e. the absence of distortion in it. The recipient cannot alter the received document, since he cannot encrypt a new hash function. Therefore the electronic signature has the same legal force as an ordinary signature and seal on paper. Secret and public keys, programs and equipment for electronic signature systems are supplied by firms licensed by the FSB, which, if necessary, can submit a copy of the keys to a court.

There are two main protection methods: software and hardware. The software method is attractive in that, at relatively low cost, one can obtain a program that ensures the required reliability of information storage. But software tools have several significant disadvantages that should be known when choosing this path:

  • they typically work slower than hardware;
  • any program can be cracked; it is only a matter of time and the qualifications of the specialist;
  • when the storage medium is stolen, the program is stolen with it.

Hardware also has a number of shortcomings: its development is more expensive, production and maintenance costs are added, the hardware system is more complex, and it requires software in addition to the hardware.

But the advantages of using hardware are obvious:

  • fast operation without consuming system resources;
  • it is impossible to penetrate a hardware program without stealing the device;
  • without the hardware it is impossible to decrypt the protected data.

7.4. Legislative acts in the field of information protection

Russia is taking measures to counter information weapons and computer crime. In the State Duma of the Russian Federation there is a deputy group "Electronic Russia", and round tables on information security are held to develop the relevant laws. The Law of the Russian Federation "On Security", the Law "On Electronic Signature" and the Law "On Information, Informatization and Information Protection" have been adopted; the latter establishes that information is subject to protection in the same way as the owner's material property. Secure transmission of government information was previously the responsibility of FAPSI and is now that of the FSB and FSO; protection of commercial information is handled by firms holding an FSB license. The guiding document of the State Technical Commission of the Russian Federation "Automated Systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection" has been developed, along with the relevant state standards:

GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic transformation algorithm;

GOST R 34.10-94. Information technology. Cryptographic information protection. Procedures for generating and verifying an electronic digital signature based on an asymmetric cryptographic algorithm;

GOST R 34.11-94. Information technology. Cryptographic information protection. Hash function;

GOST R 50739-95. Computer equipment. Protection against unauthorized access to information. General technical requirements.

Since 2004 a new national security standard has been in force: GOST/ISO IEC 15408-2002, "General criteria for assessing the security of information technology".

The year of birth of the standard can be considered the 1990s: it was then that work began on a standard for assessing the security of information technology (IT) under the auspices of the International Organization for Standardization (ISO). This document was translated and taken as the basis for developing GOST/ISO IEC 15408-2002. The name of the standard developed historically. Work on it was carried out with the assistance of the standardization bodies of the United States, Canada, Great Britain, France, Germany and the Netherlands, and pursued the following conceptual objectives:

  • unification of the various national standards for IT security assessment;
  • raising the level of confidence in IT security assessment;
  • reducing the cost of IT security assessment through mutual recognition of certificates.

The Russian standard is an exact translation of the international standard. It was adopted by Resolution of the State Standard of Russia dated 04.04.2002 No. 133-st, with an effective date of January 1, 2004. The appearance of this GOST reflects not only the process of improving Russian standards using international experience, but is also part of the government program for Russia's accession to the WTO (as is well known, on joining this organization the applicant must unify duties, taxes, production standards, quality standards and some standards in the field of information security).

Within the framework of the new standard, the concepts of "threat" and "profile" are introduced.

A protection profile is "an implementation-independent set of security requirements for a certain category of products or IT systems that meets specific consumer needs".

All security mechanisms described in the profile are called object security functions (FBO). The protection profile includes only those security functions that must be protected from threats and must comply with the security policies.

Security assumptions describe the specific conditions in which the system will be operated. A security policy is "one or more rules, procedures, practices or guidelines in the field of security that an organization follows in its activities". In effect, such a set of rules is the functionality of a software product that is necessary for its use in a particular organization.

One of the most balanced and viable documents is the Bank of Russia's intra-industry IB standard. Its latest edition (2006) indicates the Central Bank's explicit intention to change the document's status from recommended to mandatory.

7.5. Standard for the protection of information in the field of bank cards

The Payment Card Industry Data Security Standard (PCI DSS) is a standard for information protection in the payment card industry, developed by the international payment systems Visa and MasterCard.

The decision to create this unified standard was taken by the international payment systems because of the growing number of companies reporting that confidential information on their clients' accounts had been lost or stolen.

Objectives of the standard:

  • increasing the security of electronic trading and payment systems;
  • ensuring a secure environment for storing cardholder data;
  • reducing inconsistency in security requirements in the payment card industry;
  • modernizing and streamlining business processes and reducing costs.

The requirements of PCI DSS apply to all companies working with the Visa and MasterCard international payment systems. Depending on its transaction volume, each company is assigned a certain level with a corresponding set of requirements it must fulfil. The standard provides for annual audits of companies as well as quarterly network scans.

Since September 2006 the PCI Data Security Standard has been introduced by the international payment system VISA in the CEMEA region as mandatory, and accordingly it applies to Russia. Therefore service providers (processing centers, payment gateways, Internet providers) working directly with VisaNet must pass the audit procedure for compliance with the standard. Otherwise Visa applies certain penalties to the companies.

Questions for self-test

  1. What is the main difference between the protection of banking computer systems and the protection of industrial computer systems?
  2. What activities can be classed as organizational protection measures?
  3. What is the "locked doors" principle in banks and why can it no longer be applied effectively?
  4. What means of protection can be classed as physical?
  5. Which systems, analytical or operational, require more thorough protection methods and why?
  6. What are cryptographic methods of text transformation?
  7. What is a key?
  8. Define "gamming". Why is it needed?
  9. What is "one-time pad" encryption and why is it not applicable now?
  10. What is the key length when encrypting under the DES standard?
  11. Does the key length in Russian standards differ from that in international ones? What is it?