What does confidential information mean. The concept and types of confidential information, classification and characteristics

"Kadrovik.ru", 2012, N 7

In any company there is confidential information, which is carefully protected from employees who do not have access to it, as well as from competitors and suppliers. At the same time, it is quite difficult to determine the degree of secrecy of data, so companies tend to treat all information related to the activities of the organization as confidential. As a result, litigation arises both with employees and with other companies.

The list of relevant data is given in several legislative acts; however, the company can independently restrict access to some information. The main document that makes it possible to determine whether information is classified as confidential is Federal Law No. 98-FZ of July 29, 2004 "On Commercial Secrets" (hereinafter - Law No. 98-FZ). However, the list contained in this Law is incomplete, and other types of confidential information are defined in other regulatory legal acts.

List of confidential data defined by law

Each entry gives the type of confidential information, the list of information it covers, and the legislative norm.

  • Information constituting a commercial secret: information of any kind (production, technical, economic, organizational and others), including the results of intellectual activity in the scientific and technical area, as well as information about the methods of carrying out professional activities, that has actual or potential commercial value due to being unknown to third parties. Legislative norm: Article 3 of Federal Law dated 29.07.2004 N 98-FZ "On Commercial Secrets".
  • Banking secret: information about transactions, accounts and deposits of organizations that are clients and correspondents of banks. Legislative norm: Article 26 of Federal Law dated 02.12.1990 N 395-1 "On Banks and Banking Activities".
  • Advocate secret, notarial secret: information related to the provision of legal aid by a lawyer to the principal; information that became known to the notary in connection with his professional activity. Legislative norm: Fundamentals of the Legislation of the Russian Federation on Notaries (approved by the Supreme Council of the Russian Federation on 11.02.1993 N 4462-1); Article 8 of Federal Law dated 31.05.2002 N 63-FZ "On Advocacy and the Bar in the Russian Federation".
  • Information related to audit organizations: any information and documents received and (or) drawn up by the audit organization and its employees, and by the individual auditor and the employees with whom they have employment contracts, in the course of providing the services provided for by this Federal Law, with the exception of: 1) information disclosed by the person to whom the services were rendered, or with his consent; 2) information about the conclusion with the audited person of an agreement on conducting a mandatory audit; 3) information about the amount of payment for audit services. Legislative norm: Article 9 of Federal Law dated 30.12.2008 N 307-FZ "On Auditing Activities".

In practice, the confidentiality regime is determined by:

  • a list of information constituting a trade secret; a list of confidential information in the organization;
  • contractual regulation of relations with employees;
  • contractual regulation of relations with counterparties by establishing the relevant provisions in the contract;
  • applying restrictive marks and a confidentiality stamp to material carriers of confidential information indicating its owner.

In addition to these measures, the company may, if necessary, apply means and methods of technical protection of confidential information, as well as other measures that do not contradict the legislation of the Russian Federation.

The trade secret regime cannot be established in relation to the following information:

  • contained in the constituent documents of a legal entity and documents confirming the fact of making entries about legal entities in state registers;
  • contained in the documents giving the right to carry out entrepreneurial activities;
  • on environmental pollution, the state of fire safety, the sanitary-epidemiological and radiation situation, food safety and other factors that have a negative impact on ensuring the safe operation of production facilities, the safety of each citizen and the safety of the population as a whole;
  • on the number and composition of employees, the system of remuneration, on working conditions, including labor protection, on indicators of industrial injuries and occupational morbidity, the availability of vacancies;
  • on employers' debts for wages and other social benefits;
  • about violations of the legislation of the Russian Federation and the facts of bringing to responsibility for their commission;
  • on the size and structure of income of non-profit organizations, on the size and composition of their property, on their expenses, on the number and wages of their employees, on the use of unpaid labor of citizens in the activities of a non-profit organization;
  • on the list of persons entitled to act without a power of attorney on behalf of a legal entity;
  • information, the mandatory disclosure of which or the inadmissibility of restricting access to which is established by federal laws before the entry into force of Law N 98-FZ.

Consider the procedure for establishing a list in a particular company.

How to deal with an employee who discloses confidential information?

In many companies, the following measures are applied to an employee who discloses classified information: a disciplinary sanction is imposed, or damages are recovered in court. Some employers simply fire the offenders, believing that the dissemination of confidential information is a serious offense. Indeed, the law allows this: under subparagraph "c" of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation, an employment contract can be terminated by the employer even for a single disclosure of a trade secret that became known to the employee in connection with the performance of his labor duties.

In the event of a dispute about the reinstatement of a person dismissed on the grounds under consideration, it is the employer who has the burden of proving all the circumstances of the disclosure of trade secrets. It is necessary to carefully consider all the circumstances of a particular case, analyze whether there are legal grounds for dismissing an employee suspected of disclosing confidential information, and also assess the possible risks if the employee disputes the dismissal.

Let's take the following example: an employee used a flash drive to print a document on a printer. The employer considered these actions to be a disclosure of trade secrets, since a local act prohibited the use of flash drives to transfer confidential information. However, the organization did not have an exact list of such classified data. As a result, the employee turned to the labor inspectorate, and after the inspection he managed to have the disciplinary sanction lifted.

Thus, when imposing a disciplinary sanction, the employer must:

  • prove that the employee caused material harm to the organization;
  • establish that the employee disclosed confidential data included in the list;
  • confirm the fact of disclosure and familiarization of the employee with the list of confidential information.

If the company wants to recover damages in court (for example, the manager quit and sold the confidential database to competitors), then it will be necessary to assess the material damage. The key condition for forming an evidence base is the availability of a list of confidential information.

List of confidential information in a separate organization

Each organization has its own list of confidential information. As a rule, it includes:

  • information about production and management;
  • data on the level of wages of employees;
  • personal data of employees;
  • management decisions, production development plans, investment programs;
  • meeting minutes;
  • confidential contracts;
  • information about the negotiations;
  • information about staffing, staffing;
  • cost and prices;
  • financial statements, primary documentation;
  • information about taxes and fees paid;
  • auditors' reports.

Please note: personal data and confidential information are not equivalent concepts. The latter is broader and may include various financial statements, data on the personnel of the organization and other information that is protected by the company in accordance with the established trade secret regime.

Information constituting a trade secret (production secret) is information of any nature (production, technical, economic, organizational, and others), including the results of intellectual activity in the scientific and technical field, as well as information about the methods of carrying out professional activities that have actual or potential commercial value due to their being unknown to third parties, to which third parties do not have free access on a legal basis and in respect of which the owner of such information has introduced a trade secret regime. Disclosure of information constituting a trade secret is an action or inaction, as a result of which such information in any possible form (oral, written, otherwise, including using technical means) becomes known to third parties without the consent of the owner or contrary to labor or civil legal contract (Determination of the Moscow City Court dated November 14, 2011 in case N 33-36486).

The concept of personal data is established in the Federal Law of July 27, 2006 N 152-FZ "On Personal Data". This is any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data).

That is, while confidential information can relate to both individuals and legal entities, personal data relates only to individuals. The list of confidential data classified as such at the legislative level is given in the appendix.

It is necessary to bear in mind that information recognized by the company as confidential may not be classified as such by a court. Financial statements provided to the company's members for information only may be classified as confidential documents (Resolution of the Federal Antimonopoly Service of the Volga District dated 05.04.2005 N A12-12462/04-C56). A similar conclusion was made in the Decree of the Federal Antimonopoly Service of the Far Eastern District dated 16.05.2007, 08.05.2007 N F03-A73/07-1/1090 in case N A73-9822/2006-9, in which the court recognized that neither the norms of Federal Law of 21.11.1996 N 129-FZ "On Accounting" nor Art. 89 of Federal Law of December 26, 1995 N 208-FZ "On Joint Stock Companies" provide for the mandatory provision to a shareholder of copies of primary accounting documents, turnover sheets of analytical accounting and the electronic database of the company's accounting program. At the same time, for example, information about taxpayers' fulfillment of their obligations to pay taxes is not a tax secret and may be disclosed (Resolution of the Federal Antimonopoly Service of the West Siberian District of July 27, 2010 in case N A27-25441/2009).

Thus, the employer must independently draw up a list of confidential information and establish it in an administrative document, depending on the importance of this information. However, the recognition of data as confidential can be challenged in court. At the same time, an important point is also not only the establishment of the list of confidential information itself, but also the procedure for its protection.

Procedure for protecting confidential information

In accordance with Art. 10 of Law N 98-FZ, measures to protect the confidentiality of information taken by its owner should include:

  • determination of the list of data constituting a commercial secret;
  • restriction of access to such information by establishing a procedure for handling them and monitoring compliance with this procedure;
  • accounting of persons who have gained access to confidential information, and (or) persons to whom it was provided or transferred;
  • regulation of relations on the use of data constituting a commercial secret by employees on the basis of employment contracts and contractors on the basis of civil law contracts;
  • putting on material media containing confidential information, or including in the details of documents containing such information, the stamp "Commercial secret" indicating the owner of such information.

In order to protect the confidentiality of information, the employer must:

  • to acquaint the employee, who needs access to such information in order to perform his/her job duties, with a list of information constituting a commercial secret, owned by the employer and his counterparties, against receipt;
  • familiarize the employee against receipt with the trade secret regime established by the employer and with the measures of responsibility for its violation;
  • create the necessary conditions for the employee to comply with the established regime (Article 11 of Law N 98-FZ).

The employment contract with the head of the organization should provide for the obligation of this employee to ensure the confidentiality of information owned by the organization and its counterparties, and responsibility for appropriate measures.

Recognition of data as confidential can be challenged in court

In doing so, the company can take the following actions:

  • implementation of a permit system for the access of performers (users, maintenance personnel) to information and related works and documents;
  • restriction of access of personnel and unauthorized persons to protected premises and premises where informatization and communication means are located, as well as information carriers are stored;
  • transcripts of meetings;
  • differentiation of access of users and maintenance personnel to information resources, software tools for processing (transfer) and data protection;
  • accounting and secure storage of paper and machine media, keys (key documentation) and their circulation, excluding their theft, substitution and destruction;
  • redundancy of technical means and duplication of arrays and storage media;
  • copy protection of information, the use of certified means of its protection;
  • use of secure communication channels;
  • cryptographic transformation of data processed and transmitted by means of computer technology and communications.
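The measures required by Article 10 of Law N 98-FZ and the list of actions above describe an access regime in organizational terms. The following Python model is an added illustration, not code from the article or from any regulatory act; it shows how four of those elements (an approved list of confidential information, a permit system for access, accounting of persons who gained access, and the "Commercial secret" stamp in document details) can be expressed as checks. All category names, users, documents and the owner name are constructed for the example. Information that is not on the approved list is reported as outside the regime rather than refused, because, as the court decisions discussed in this article show, the regime cannot be enforced for information that the company never listed.

```python
"""Model of a trade-secret regime as a set of checks: an approved list of
confidential information, a permit system for access, an access log, and
the "Commercial secret" stamp in document details.  This is an added
illustration, not code from the article or from any regulatory act; all
categories, users and documents below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    category: str   # category from the organisation's own confidentiality list


@dataclass
class User:
    name: str
    acknowledged_regime: bool = False          # familiarized with list and regime against receipt
    permits: set = field(default_factory=set)  # categories this user is permitted to access


@dataclass
class AccessRecord:
    when: str
    user: str
    doc_id: str
    outcome: str    # "allowed", "refused" or "not_regulated"
    reason: str


class ConfidentialityRegime:
    """Holds the approved list and the log of who gained access to what."""

    def __init__(self, owner, listed_categories):
        self.owner = owner
        self.listed = set(listed_categories)
        self.log = []

    def stamp(self, doc):
        """Restrictive mark for the document details; only listed information is stamped."""
        if doc.category not in self.listed:
            raise ValueError(f"{doc.doc_id!r}: category not in the confidential list")
        return f"Commercial secret. Owner: {self.owner}"

    def request_access(self, user, doc):
        """Permit-system decision; every decision, whatever the outcome, is logged."""
        if doc.category not in self.listed:
            outcome, reason = "not_regulated", "not in the confidential list: regime does not apply"
        elif not user.acknowledged_regime:
            outcome, reason = "refused", "user not familiarized with the list and regime"
        elif doc.category not in user.permits:
            outcome, reason = "refused", "no permit for this category"
        else:
            outcome, reason = "allowed", "permit for category"
        self.log.append(AccessRecord(datetime.now(timezone.utc).isoformat(),
                                     user.name, doc.doc_id, outcome, reason))
        return outcome

    def persons_with_access(self, doc_id):
        """Accounting of persons who actually gained access to a document."""
        return sorted({r.user for r in self.log if r.doc_id == doc_id and r.outcome == "allowed"})


def run_demo():
    """Constructed scenario; returns (decisions, regime) so results can be inspected."""
    regime = ConfidentialityRegime("Example LLC (constructed)", ["wages", "contracts"])
    hr_manager = User("hr_manager", acknowledged_regime=True, permits={"wages"})
    new_hire = User("new_hire")                      # not yet familiarized against receipt
    payroll = Document("payroll-2012", "wages")
    contract = Document("supply-contract-17", "contracts")
    price_list = Document("price-list", "catalog")   # published material, not on the list
    decisions = {}
    for user in (hr_manager, new_hire):
        for doc in (payroll, contract, price_list):
            decisions[f"{user.name}:{doc.doc_id}"] = regime.request_access(user, doc)
    return decisions, regime


if __name__ == "__main__":
    decisions, regime = run_demo()
    for key, outcome in decisions.items():
        print(f"{key}: {outcome}")
    for record in regime.log:
        print(record)
```

The log records refusals as well as successful accesses, because in a dismissal dispute the burden of proving familiarization with the regime and the fact of access lies with the employer, and a record that shows only successes cannot establish what an employee attempted.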

It is very important to establish in the local act of the organization not only a list of confidential information, but also the procedure for their use.

In relations with employees, companies usually use two tactics: protection of interests in court, or protection of interests in a pre-trial order by terminating the contract with the employee. Let's consider the first way. As an example, we can cite the Decision of the Moscow City Court dated 12/22/2011 in case N 4g/8-10945/11. Resolving the stated claims, guided by Article 81 of the Labor Code of the Russian Federation and the Federal Law "On Commercial Secrets", the court concluded that the plaintiff's dismissal was legal and justified, since he divulged a commercial secret. The plaintiff sent documents by e-mail to a third party; third parties did not have free access to these documents, and the employer had introduced a trade secret regime in respect of them.

In court, the company proved the following facts: familiarization of the employee with the regulation "On Commercial Secrets", compliance with the procedure for bringing to disciplinary responsibility, the fact of sending documents to the Deputy General Director of a third-party organization - data on counterparties, information on the timing and methods of rendering services, the amount of remuneration.

But if confidential information is not transferred to third parties, the fact of copying information without transferring it cannot be regarded as disclosure. So, in the Ruling dated 12.12.2011 in case N 4g/8-10961/2011, the Moscow City Court concluded that the information copied by the plaintiff onto a flash card was a trade secret of the company; however, the defendant did not present evidence that she had transmitted this information to third parties, and the plaintiff denied committing such actions. The court also did not receive evidence that the plaintiff forwarded the said information to the e-mail boxes of third parties or placed it on the Internet. When inspecting the plaintiff's home computer and removing the copied information from it, the defendant did not record such facts; there was no mention of this in the act of deleting the information. The actions of an employee, as a result of which the specified information becomes available to other employees who monitor compliance with the trade secret regime in the organization, cannot be qualified under subparagraph "c" of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation. In such circumstances, when confidential information has not been disclosed to third parties, an individual may be reinstated with compensation for the time of forced absence.

Dissemination of unclassified information is not a disclosure of confidential information. This conclusion follows from the ruling of the Moscow City Court dated November 14, 2011 in case No. 33-36486. The court came to the conclusion that information about the availability of equipment, its cost and data on distributors does not represent a trade secret, because it was placed in price lists, catalogs and booklets. Thus, confidentiality was not violated. A similar conclusion was made by the Moscow City Court in the Ruling dated 10/18/2011 in case No. 33-33741. In resolving the dispute and partially satisfying the claims, the court reasonably proceeded from the fact that the obligation to prove the existence of a legal basis for dismissal and compliance with the established procedure for dismissal rests with the employer. The employer provided neither evidence that the B2B system contained confidential information nor evidence that the plaintiff disseminated data constituting a trade secret.

Of course, many companies cannot prove their case in court, since the regulatory framework does not contain a specific list of documents that can be used to confirm losses associated with the illegal disclosure of confidential information. In addition, it is very difficult to assess exactly the material component, for example, leaks of information about counterparties or financial indicators, as well as the very fact of disclosure. After all, disclosure can be carried out both in writing and orally. In this regard, many companies are forced to use such methods of punishing negligent employees as disciplinary sanctions.

However, sometimes companies prefer not to wash dirty linen in public and part with such employees in an amicable way. In such situations, it is preferable to issue a dismissal by agreement of the parties, provided for in Art. 78 of the Labor Code of the Russian Federation. One of the significant advantages is that it is almost impossible to challenge such a dismissal, since there is a mutual agreement between the parties.

In conclusion, it should be noted that the integrity of the trade secret, the protection of the interests of the organization and the possibility of restoring justice in court depend on how clearly the company defines the list of confidential information, as well as the procedure for their protection.

Appendix

Example list of confidential data: the list of information classified as confidential (official) information in the central office of the Federal Agency for Railway Transport and its subordinate enterprises and institutions, approved by Order of the Federal Agency for Railway Transport dated January 24, 2011 N 18.

Information classified as confidential (official) information (numbered as in the order):

I. Information about sectoral management activities

1. Separate materials of the meetings of the Federal Agency for Railway Transport (hereinafter - Roszheldor) and the information contained therein, restriction of access to which is established by the decision of the meeting of the PDTK of Roszheldor.
2. Information prepared by Roszheldor, or received from public authorities, enterprises, institutions and organizations regardless of their organizational and legal form and form of ownership, marked "For official use", "Commercial secret", "Confidential" and others, in the part that does not contain information constituting a state secret.
3. Information containing indicators of the state defense order, in the part that does not contain information constituting a state secret.
4. Information contained in the materials of an internal audit (investigation), before the approval of the act (conclusion) on the verification, and also if the information obtained as a result of the verification (investigation) can be used in the future for illegal actions (causing damage).
5. Information about the organization of work, about specific measures or ongoing activities aimed at ensuring information security in the implementation of international cooperation with the participation of representatives of Roszheldor, as well as that contained in the preparatory or reporting documents (forms) on the meeting.

II. Information about administrative and economic activities

6. Information about the personal data of an employee of Roszheldor contained in the employee's personal file, except as provided for by the legislation of the Russian Federation.
7. Information obtained during the admission of a citizen to the state civil service, necessary for obtaining access to state secrets.
8. Information about the employee's awareness of information constituting a state secret.
9. Minutes of meetings of tender commissions for holding tenders for filling vacancies in the civil service.
10. Acts of inspections of the activities of territorial departments and subordinate organizations.
11. Information about the staffing of Roszheldor.
12. Information about the location of structural units in the building.
13. Minutes of the meetings of the housing commission.
14. Minutes of the meetings of the competition commission for holding the qualification exam and certification.

III. Information about the regime of secrecy, mobilization preparation, civil defense, emergencies and transport security

15. Acts of inspections to ensure access control in the administrative building of Roszheldor.
16. Information on the results of the vulnerability assessment of transport infrastructure facilities and means of transport, other than those whose security is provided exclusively by federal executive authorities.
17. Information contained in transportation security plans for an object of transport infrastructure and a vehicle.
18. Information constituting information resources of the unified state transport security information system, prepared by Roszheldor, with the exception of extracts from the register of categorized objects of transport infrastructure and means of transport.

IV. Data protection information

19. Information about the organization of the processing of service information on the computer facilities of Roszheldor.
20. Information that reveals the organization or state of information protection, or of media, or of an information process.
21. Information about the methods, means or effectiveness (status of protection) of confidential information in automated information systems, computer facilities and other technical means.
22. Generalized information contained in the scheme of the local computing networks of Roszheldor, indicating the organizational and technological parameters or technical characteristics and locations of its responsible components and information nodes (as defined on the scheme).
23. Information about specific ongoing and (or) planned activities for the information security of confidential information.

V. Other information

24. Information about the organization, state or location of engineering systems for video surveillance, fire or burglar alarm of the Roszheldor building.
25. Information disclosing the content of plans and specific measures for the protection of the Roszheldor building and the premises in which work is carried out, materials are stored and confidential negotiations are held.
26. Data of security video surveillance, recordings of the security system of the premises, and of the electronic access system to the building.

Confidentiality

Confidentiality (from the English confidence, "trust") is the need to prevent leakage (disclosure) of any information.

In the Anglo-American tradition, there are two main types of confidentiality: voluntary (privacy) and forced (secrecy). (See Edward Shils, The Torment of Secrecy: The Background & Consequences of American Security Policies (Chicago: Dee).) The first case refers to the prerogatives of the individual; the second refers to information for official use, available to a limited circle of officials of a company, corporation, state body, public or political organization. Although privacy and secrecy are similar in meaning, in practice they usually contradict each other: the strengthening of secrecy leads to a violation and a decrease in privacy. In totalitarian and authoritarian states, confidentiality, as a rule, means secrecy only.

Definitions

Confidentiality of information - the principle of audit which consists in the fact that auditors are obliged to ensure the safety of documents received or compiled by them in the course of audit activities, and are not entitled to transfer these documents or their copies to any third parties, or to disclose orally the information contained in them, without the consent of the owner of the economic entity, except for the cases provided for by legislative acts.

Confidentiality of information - a mandatory requirement for a person who has access to certain information not to transfer such information to third parties without the consent of its owner.

Confidential information - information, access to which is restricted in accordance with the legislation of the Russian Federation and which is a commercial, official or personal secret, protected by its owner.

Official secret - confidential information protected by law, which became known in state bodies and local governments only on legal grounds and due to the performance of their official duties, as well as official information about the activities of state bodies, access to which is limited by federal law or due to official necessity. There is no unambiguous definition of the term "official secret" in the current legislation of the Russian Federation. An official secret is one of the objects of civil rights under the civil legislation of the Russian Federation. The regime for the protection of official secrets is generally similar to the regime for the protection of trade secrets. In some cases, the law provides for criminal liability for disclosing official secrets (for example, for disclosing the secret of adoption, or for disclosing information constituting a commercial, tax or banking secret by a person to whom such information became known in the course of service).

Official secret - information with restricted access, with the exception of information classified as state secrets and personal data, contained in state (municipal) information resources, accumulated at the expense of the state (municipal) budget and owned by the state, the protection of which is carried out in the interests of the state.

Protecting confidentiality is one of the three objectives of information security (along with protecting the integrity and availability of information).

Relevance of confidentiality

Since the beginning of the use of computer technology in all areas of human activity, there have been many problems related to the protection of confidentiality. This is mainly due to the processing of documents using computer technology. Many administrative measures to protect the confidentiality of individuals and organizations have lost their force due to the transition of document workflow to a completely new environment.

When receiving personal letters, when concluding contracts, during business correspondence, during telephone conversations with acquaintances and strangers, a person used various means of authentication. Personal letters were sent with an existing postal address or had a stamp of exactly those post offices where such letters were processed. When concluding contracts, letterheads produced at printing houses were used, on which, using typewriters that had unique serial numbers, a text was printed, which was then signed by an official and certified by the seal of the organization. When talking on the phone, it was reliably known that the conversation was being conducted with the person whose voice was previously known. Many hundreds of administrative measures have been aimed at protecting the privacy of people's communications.

With the introduction of computer technology in human life, much has changed. When using, for example, e-mail, it became possible to indicate a non-existent return address or simulate receiving a letter from a familiar person. In everyday communication via the Internet, many signs that identify a particular person in ordinary life (gender, age, degree of education) have ceased to be such. The so-called "virtual reality" has appeared.

It is impossible to quickly and effectively solve problems related to the protection of confidentiality in computer systems. There is a need for an integrated approach to solving these problems. This approach should involve the use of organizational and legal measures, as well as software and hardware that ensure the protection of confidentiality, integrity and availability.

To date, organizations have a set of standards to ensure the correct handling of confidential information. The head of the organization signs the list of information of a confidential nature. The contract signed by the employee and the employer contains a clause on liability for incorrect handling of confidential information; as a result, if the standards for working with this information prescribed in the contract are not observed, there is a legal basis for bringing such employees to administrative or criminal liability. Organizations also have a set of measures aimed at ensuring the protection of confidential information. For example, such measures can be: the selection of qualified personnel, the prediction of possible threats and the implementation of measures to prevent them, and the use of different levels of personnel access to information of different secrecy.

Since it is impossible to study this area in detail in a short time, a direction was introduced to train specialists in the field of information security.

With the help of software and hardware information protection tools provided by various manufacturers, it is possible to achieve higher performance indicators if they are used in a complex manner. Such tools include equipment for cryptographic protection of speech information, programs for cryptographic protection of text or other information, programs for providing authentication of mail messages by means of an electronic digital signature, programs for providing anti-virus protection, programs for protecting against network intrusions, programs for detecting intrusions, programs for hiding the reverse email sender address.

Such a list of software and hardware, as a rule, is developed by experts in the field of information security, taking into account many factors, for example, the characteristics of an automated system, the number of users in this system, the difference in the level of access of these users, etc.


Definitions of "confidentiality" in other dictionaries:

  • Secrecy, privacy, confidentiality. Antonyms: openness, publicity. (Dictionary of Russian synonyms; Dictionary of synonyms of the Russian language: a practical guide. Moscow: Russkiy yazyk)
  • Confidentiality: the property of information that it cannot be read by unauthorized users and/or processes; keeping critical information secret, with access to it limited to a narrow circle of users. (Technical Translator's Handbook)
  • Confidential [de], adj. (bookish): secret, private. A confidential conversation; to report confidentially (adv.). (Ozhegov's Explanatory Dictionary, S. I. Ozhegov, N. Yu. Shvedova, 1949-1992)
  • Confidentiality: an ethical requirement that applies both in experimental research and in psychotherapy. Under this requirement, participants or patients have the right to have information collected during a study or treatment session not… (Great Psychological Encyclopedia)
  • Confidentiality (2.6): the property of information to be inaccessible and private to an unauthorized individual, entity or process [ISO/IEC 7498-2]. (Dictionary-reference book of terms of normative and technical documentation)
  • Confidentiality: limited access to a subject or to information. Confidential: not subject to wide publicity, accessible to a narrow circle of people (a confidential conversation). Confidentially; confidence; trust (a confiding tone). (Ideographic Dictionary of the Russian Language)

Confidential information is information, access to which is restricted in accordance with the legislation of the country and with the level of access to the information resource. Confidential information is made available or disclosed only to authorized persons, entities or processes.

Russian legislation distinguishes several types of confidential information: state secrets, official secrets, commercial secrets, medical secrets, notarial secrets, auditor secrets, lawyer secrets, bank secrets, tax secrets, personal and family secrets, adoption secrets, secrecy of the judges' deliberations, secrecy of the investigation and legal proceedings, secrecy of insurance, etc. According to V. A. Kolomiyets, about 50 types of confidential information are currently mentioned in regulatory legal acts of various levels.

The importance of information in the life and work of every modern person is well known, as is its role in solving a specific problem and achieving goals. Whoever is well oriented in the information space and can easily and promptly obtain the information he needs is better placed to find the right answer and to avoid mistakes in decision-making.

Formation and modern definition of the concept of "state secret"

The concept of state secret is one of the most important in any country's system for protecting state secrets; how correctly it is defined shapes the country's policy in this field.

The definition of this concept is given in the Law of the Russian Federation "On State Secrets": "State secret - information protected by the state in the field of its military, foreign policy, economic, intelligence, counterintelligence and operational-search activities, the dissemination of which may harm the security of the Russian Federation."

This definition names the categories of information protected by the state and states that the dissemination of this information may damage the interests of state security.

The model for determining state secrets usually includes the following essential features:

1. Objects, phenomena, events and areas of activity that constitute a state secret.

2. The adversary (actual or potential) from whom state secrets are chiefly protected.

3. An indication in a law, list or instruction of the information constituting a state secret.

4. The damage to the country's defence, foreign policy, economy, scientific and technological progress, etc. in case of disclosure (leakage) of information constituting a state secret.

For comparison, here are brief definitions of state secrets from the legislation of other countries.

The German Criminal Code (Section 93 StGB) defines state secrets as facts, objects or knowledge that are accessible only to a limited circle of persons and must be kept secret from a foreign power in order to avert the danger of serious harm to the external security of the Federal Republic of Germany.

The Executive Order of the President of the United States of April 2, 1982 (Executive Order 12356, "National Security Information") defines national security information as certain information on national defense and foreign relations that is protected against unauthorized disclosure.

In some countries, this concept is expressed in other terms, for example, in Japan - "Defense Secret".

What information may be classified as a state secret is determined by Decree of the President of the Russian Federation No. 1203 of November 30, 1995. Only the sections are listed here: information in the military field; on foreign policy and foreign economic activity; in the field of economics, science and technology; in the field of intelligence, counterintelligence and operational-search activities.

Information cannot be classified as a state secret:

  • if its leakage (disclosure, etc.) does not damage the country's national security;
  • in violation of applicable laws;
  • if concealing it would violate the constitutional and legal rights of citizens;
  • to conceal activities that damage the natural environment or threaten the life and health of citizens.

This list is detailed in Art. 7 of the Law of the Russian Federation "On State Secrets".

An important feature of state secrets is the degree of secrecy of the information. In Russia, information constituting a state secret is designated by three classification markings: "of special importance", "top secret" and "secret". The marking is affixed to documents or products (their packaging or accompanying documents), and the information bearing one of these markings is a state secret.

On what criteria is information classified, first, as a state secret and, second, at a particular degree of secrecy?

The answer is given by the Rules for classifying information constituting a state secret to various degrees of secrecy, approved by Decree of the Government of the Russian Federation No. 870 of September 4, 1995.

Information of special importance is information whose dissemination may damage the interests of the Russian Federation in one or more areas.

Top secret information is information whose dissemination may damage the interests of a ministry (department) or a sector of the economy of the Russian Federation in one or more areas.

Secret information is all other information constituting a state secret; here the damage is to the interests of an enterprise, institution or organization.

These definitions show that the features characterizing each degree of secrecy of information constituting a state secret are defined with a relatively high degree of uncertainty.

Attempts have been made to tie the degree of secrecy of information to the amount of damage (for example, in monetary terms) that a leak could cause, but they have not been widely adopted or approved.

The US Executive Order on national security information brings no more clarity to this question. It states:

1. "Top Secret" shall be applied to information the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security.

2. "Secret" shall be applied to information the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security.

3. "Confidential" is defined in the same way, except that the level of harm is simply "damage to the national security".

Thus the three degrees of secrecy differ only by the magnitude of the damage, described as "exceptionally grave", "serious" or simply "damage".

Such qualitative criteria for the degree of secrecy of information containing state secrets always leave room for a subjective factor, deliberate or not, in the classification process.

The concept, types and amount of damage have not yet been sufficiently developed and will apparently differ for each specific object of protection, that is, for the content of the information constituting a state secret and the facts, events and phenomena of reality it reflects. Depending on its type, content and extent, the damage from a leak (or possible leak) of information constituting a state secret can be divided into several groups.

Political damage can occur when information of a political or foreign-policy nature, about the intelligence activities of the state's special services, etc. is leaked. It may take the form of serious changes in the international situation to the disadvantage of the Russian Federation, loss of political priority in some area, deterioration of relations with a country or group of countries, and so on.

Economic damage can occur when information of any content is leaked: political, economic, military, scientific and technical, etc. It is expressed primarily in monetary terms, and the losses may be direct or indirect.

Direct losses arise, for example, from the leakage of classified information about weapons systems or the country's defence, which as a result lose all or part of their effectiveness and require large expenditures to replace or modify. For example, A. Tolkachev, a CIA agent and leading engineer at a research institute of the radio engineering industry, handed the Americans a large amount of important and valuable information; the Americans estimated the value of what they received from him at about six billion dollars.

Indirect losses are most often expressed as lost profit: the failure of negotiations with foreign firms with which profitable deals had been agreed, the loss of priority in research when a rival completed and patented the work first, and so on.

Moral damage, generally of a non-property nature, results from a leak that caused or triggered an illegal propaganda campaign against the state, undermining the country's reputation and leading, for example, to the expulsion of its diplomats, and of intelligence officers working under diplomatic cover, from some states.

Confidential information in every field is carefully protected by law, so employees who have access to it are obliged to protect the data and prevent its disclosure. Disclosure carries different kinds of liability; for a serious violation a person can even be convicted under an article of the Criminal Code. It is therefore in employees' own interest that no information leaks to third parties through their fault.

What is confidential information

Confidential information is information with restricted access. It comes in different types, but all of them are protected by law. Employees who have access to it must keep it secret and not make it public, and must not disclose it even within the family circle.

Types of confidential information:

  1. Personal data of an individual: everything relating to the events and facts of private life.
  2. Official secret: accessible only to state employees holding certain positions; includes, for example, tax secrecy and information about adoption.
  3. Professional secret: protected by the Russian Constitution and known to a limited number of people who learn it in performing their professional duty.
  4. Personal files of persons convicted of crimes.
  5. Trade secret: information kept secret to protect a legal entity from competitors or to obtain a benefit.
  6. Information about court decisions and their execution within the framework of proceedings.
  7. Secrecy of the investigation and legal proceedings: for example, information about victims and witnesses under state protection, and data on judges and law enforcement officials.

This information is confidential and not subject to disclosure. Its confidentiality must be maintained to protect the interests of individuals and legal entities, because publicity can have dire consequences: the bankruptcy of a company, public condemnation of a person, danger to witnesses and victims. An employee who allows such information to spread may be punished according to the severity of the violation.

Non-disclosure agreement

Before an employee is given access to restricted data, a non-disclosure agreement must be signed, because it is on the basis of this document that the employee can be held liable for failing to keep the data safe. There is no fixed template for the agreement, but it must contain all the essential points, such as the obligations of the parties and the liability for disclosure.

Without such an agreement, access to restricted information cannot be granted. In any case, the matter should be discussed personally with management to settle the contract.

How to prove disclosure of personal information

A penalty, for example a fine under the non-disclosure agreement, is imposed only if the fact of violation can be confirmed. Any evidence will do, and it is usually not difficult to obtain once the unscrupulous employee has been identified.

First, however, it must be confirmed that the data really was secret and that the specific person had access to it, using documents such as the non-disclosure agreement. Evidence is required in every case, even for disciplinary action, and all the more so for court, since liability under a criminal article requires weighty grounds and an evidence base.

What is the liability

The employee must know which information is secret and which is public; he cannot excuse publishing confidential data on the grounds that he did not know access to it was restricted. In most cases employees disclose protected information deliberately, for personal or mercenary motives.

The punishment depends on the nature of the violation. Consider the kinds of liability to which the guilty person can be brought.

What could be the punishment?

  1. Disciplinary liability. Imposed by the organization's management after an internal audit and investigation: a remark, a reprimand or even dismissal, depending on the situation.
  2. Administrative liability. Arises for disclosure of personal data and for violation of the rules for protecting information other than state secrets; the guilty person can be fined up to 10,000 rubles.
  3. Criminal liability. The offences are varied and are determined individually; for a violation of a criminal nature the penalty can include deprivation of liberty.
  4. Civil liability. The victim can claim compensation for moral damage.

In Ukraine the rules on punishment for disclosing restricted information are approximately the same; liability can be avoided only in certain cases.

Bibliographic description: Nesterov A. K. Ensuring information security [Electronic resource] // Educational encyclopedia site

As information technology develops and information resources become more important to organizations, the number of threats to their information security grows, as does the possible damage from breaches. There is an objective need to ensure the information security of the enterprise, and progress here is possible only with targeted prevention of threats to information security.

Information security tools

Ensuring information security is carried out using two types of tools:

  • software and hardware
  • secure communication channels

Software and hardware tools are the most widespread means of ensuring information security in domestic and foreign organizations at the current stage of information technology. Let us consider the main software and hardware information protection tools.

Software and hardware protection against unauthorized access comprises identification, authentication and access control for the information system.

Identification is the assignment of unique identifiers to access subjects.

Identifiers include radio-frequency tags, biometric features, magnetic cards, universal electronic keys, system logins, etc.

Authentication is verification that the access subject owns the presented identifier and confirmation of the subject's authenticity.

Authentication means include passwords, PIN codes, smart cards, USB tokens, digital signatures, session keys, etc. Identification and authentication are interconnected and form the foundation of all software and hardware security tools, since every other service must correctly recognize the subjects it serves. Identification lets the subject name himself to the information system; authentication lets the system confirm that the subject really is who he claims to be; on the basis of this check, access to the information system is granted. Access control procedures let authorized subjects perform the actions permitted by the regulations, let the system check those actions and their results for correctness, and hide from users the data to which they have no access.

The next software and hardware protection means is logging and auditing.

Logging is the collection, accumulation and storage of information about the events, actions and results occurring in the information system, its individual users and processes, and all the software and hardware that make up the enterprise information system.

Since each component of the information system has a predetermined set of possible events according to its programmed classifiers, the events, actions and results are divided into:

  • external, caused by the actions of other components;
  • internal, caused by the actions of the component itself;
  • client, caused by the actions of users and administrators.

Auditing consists in operational analysis of the logged information, in real time or over a given period.

Based on the results of the analysis, either a report on the events that have taken place is generated, or an automatic response to an emergency situation is initiated.

The implementation of logging and auditing solves the following tasks:

  • ensuring accountability of users and administrators;
  • enabling the reconstruction of the sequence of events;
  • detection of attempts to violate information security;
  • providing information to identify and analyze problems.
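Two of the four tasks listed above, reconstructing the sequence of events and detecting attempts to violate security, run over constructed audit records in the following added example (not the article's own code). The key=value record format, the hosts, users, addresses and the 5-failures-in-2-minutes threshold are assumptions made for the demonstration; a real audit trail would be in whatever format the application or operating system writes.

```python
"""Logging and auditing: reconstructing a user's event sequence and detecting
login abuse in an audit log.

Added example, not the article's own code. The record format, hosts, users,
addresses and thresholds below are assumptions constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application audit log: UTC timestamp, then key=value pairs.
SAMPLE_LOG = """\
2024-03-01T08:59:50Z host=app1 user=ivanov src=10.0.0.5 event=login result=ok
2024-03-01T09:00:01Z host=app1 user=ivanov src=10.0.0.5 event=read object=payroll.db result=ok
2024-03-01T09:00:12Z host=app1 user=root src=203.0.113.9 event=login result=fail
2024-03-01T09:00:14Z host=app1 user=root src=203.0.113.9 event=login result=fail
2024-03-01T09:00:15Z host=app1 user=root src=203.0.113.9 event=login result=fail
2024-03-01T09:00:17Z host=app1 user=root src=203.0.113.9 event=login result=fail
2024-03-01T09:00:19Z host=app1 user=root src=203.0.113.9 event=login result=fail
2024-03-01T09:00:25Z host=app1 user=root src=203.0.113.9 event=login result=ok
2024-03-01T09:00:40Z host=app1 user=root src=203.0.113.9 event=write object=audit.log result=ok
2024-03-01T09:05:00Z host=app1 user=petrova src=10.0.0.7 event=login result=fail
2024-03-01T09:05:30Z host=app1 user=petrova src=10.0.0.7 event=login result=ok
"""

FAIL_THRESHOLD = 5             # this many failed logins ...
WINDOW = timedelta(minutes=2)  # ... inside this window, for one (user, source) pair


def parse_line(line: str) -> dict:
    """Parse one record into a dict; 'ts' becomes a datetime, other fields stay strings."""
    ts_text, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def timeline(records: list, user: str) -> list:
    """Reconstruct the sequence of events for one user, oldest first (accountability)."""
    out = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("user") != user:
            continue
        obj = f" {r['object']}" if "object" in r else ""
        out.append(f"{r['ts'].isoformat()} {r['event']}{obj} {r['result']}")
    return out


def detect_bruteforce(records: list) -> list:
    """Flag (user, src) pairs with FAIL_THRESHOLD failed logins inside WINDOW.

    A successful login that follows such a burst from the same source is flagged
    separately: that is the case needing an automatic response, not just a report.
    """
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("event") != "login":
            continue
        key = (r["user"], r["src"])
        # sliding window: drop failures older than WINDOW relative to this record
        recent = [t for t in recent_fails[key] if r["ts"] - t <= WINDOW]
        if r["result"] == "fail":
            recent.append(r["ts"])
            if len(recent) == FAIL_THRESHOLD:          # alert once, at the threshold
                alerts.append(("bruteforce", r["user"], r["src"]))
        elif len(recent) >= FAIL_THRESHOLD:            # success right after a burst
            alerts.append(("bruteforce-success", r["user"], r["src"]))
            recent = []
        recent_fails[key] = recent
    return alerts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for line in timeline(records, "root"):
        print(line)
    print(detect_bruteforce(records))
```

The single failed login by petrova followed by a success is ordinary user behaviour and produces nothing; the five failures for root from one external address inside the window produce a "bruteforce" alert, and the success that follows them is the event that should trigger the automatic response the paragraph above mentions (session termination, account lock, notification), since the later `write` to `audit.log` in the same timeline shows what the attacker did with the access.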

Information protection is often impossible without cryptographic tools. They provide encryption, integrity and authentication services, for example when authentication secrets are stored by the user in encrypted form. There are two main encryption methods: symmetric and asymmetric.

Integrity control establishes the authenticity and identity of an object (a data array, individual portions of data, a data source) and makes it impossible for a subject to deny an action performed in the system (non-repudiation). It is implemented through data transformations using encryption, message authentication codes, digital signatures and certificates.
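Why integrity control needs a key and not just a checksum, as an added example that is not part of the original article: an attacker who can modify stored data can just as easily recompute an unkeyed hash, so only a keyed tag (here HMAC-SHA256 from the Python standard library) detects the forgery. The key, the record and the attacker's modification are constructed for the demonstration.

```python
"""Integrity control: an unkeyed hash versus a keyed message authentication code.

Added example, not from the article. The key, the record and the attacker's
modification below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def plain_digest(data: bytes) -> bytes:
    """Unkeyed checksum: detects accidental corruption only."""
    return hashlib.sha256(data).digest()


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, data: bytes, tag: bytes) -> bool:
    # constant-time comparison: a plain == would leak tag bytes through timing
    return hmac.compare_digest(mac_tag(key, data), tag)


def tamper_with_plain_hash(stored: tuple) -> tuple:
    """Attacker who can write to storage: modify the data and recompute the checksum."""
    data, _ = stored
    forged = data.replace(b"amount=100", b"amount=100000")
    return forged, plain_digest(forged)


def tamper_with_mac(stored: tuple) -> tuple:
    """Same attacker against a MAC-protected record: the tag cannot be recomputed."""
    data, tag = stored
    forged = data.replace(b"amount=100", b"amount=100000")
    return forged, tag   # the best the attacker can do is keep the old tag


def demo() -> dict:
    key = secrets.token_bytes(32)   # lives in a key store or HSM, never beside the data
    record = b"payee=ACME;amount=100;currency=RUB"

    # 1. Unkeyed checksum: the forged record still verifies.
    stored_hash = (record, plain_digest(record))
    forged_data, forged_digest = tamper_with_plain_hash(stored_hash)
    hash_detects = plain_digest(forged_data) != forged_digest

    # 2. Keyed MAC: the forged record is rejected, the genuine one accepted.
    stored_mac = (record, mac_tag(key, record))
    forged_data2, old_tag = tamper_with_mac(stored_mac)
    mac_detects = not verify_mac(key, forged_data2, old_tag)
    genuine_ok = verify_mac(key, *stored_mac)

    return {
        "hash_detects_forgery": hash_detects,
        "mac_detects_forgery": mac_detects,
        "genuine_verifies": genuine_ok,
    }


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity and origin authentication between parties that share the key, but not non-repudiation: anyone holding the key could have produced the tag. Where the paragraph's non-repudiation requirement applies, the tag must be an asymmetric digital signature, produced with a private key that only the signer holds and checked with the matching certificate.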

Another important aspect is screening: a technology that, by delimiting the access of subjects to information resources, controls all information flows between the enterprise information system and external objects, data arrays, subjects and counter-subjects. Flow control consists in filtering the flows and, where necessary, transforming the transmitted information.

The task of screening is to protect internal information from potentially hostile external factors and actors. Its main implementation is the firewall, in its various types and architectures.

Since availability of information resources is one of the attributes of information security, ensuring a high level of availability is an important direction for software and hardware measures. Two areas are distinguished: fault tolerance, i.e. the ability of the system to keep working when failures occur, and maintainability, i.e. safe and fast recovery from failures.

The main requirement for information systems is that they always work with the specified efficiency, minimal downtime and the required response time.

In accordance with this, the availability of information resources is ensured by:

  • the use of a modular architecture, so that individual modules can be disabled or quickly replaced when necessary without affecting other elements of the information system;
  • fault tolerance, achieved through autonomous elements of the supporting infrastructure, spare capacity in the software and hardware configuration, hardware redundancy, replication of information resources within the system, data backup, etc.;
  • maintainability, achieved by reducing the time needed to diagnose and eliminate failures and their consequences.

Another type of information security means is secure communication channels.

The functioning of information systems inevitably involves data transfer, so enterprises must also protect transmitted information using secure communication channels. Unauthorized access to data in transit over open channels is possible because of their general availability. Since "communications cannot be physically protected along their entire length, it is better to proceed from the assumption of their vulnerability and provide protection accordingly", tunneling is used: the transmitted data packets, including all their service attributes, are encapsulated, i.e. wrapped, in the envelopes of the tunneling protocol. The tunnel is thus a secure connection over open channels through which cryptographically protected packets are transmitted. Tunneling hides the service information of the traffic and, combined with the cryptographic elements of the information system, ensures the confidentiality and integrity of the transmitted data. The combination of tunneling and encryption makes it possible to implement a virtual private network. The endpoints of the tunnels implementing virtual private networks are the firewalls that connect the organization to external networks.

Firewalls as the points of implementation of the virtual private network service

Thus tunneling and encryption are additional transformations performed, along with address translation, when network traffic is filtered. Besides corporate firewalls, the tunnel endpoints can be employees' personal and mobile computers, more precisely their personal firewalls. This approach ensures the functioning of secure communication channels.

Information security procedures

Information security procedures are usually divided into administrative and organizational levels.

  • Administrative procedures include general actions taken by the management of the organization to regulate all work, actions, operations in the field of ensuring and maintaining information security, implemented by allocating the necessary resources and monitoring the effectiveness of the measures taken.
  • The organizational level represents the procedures for ensuring information security, including personnel management, physical protection, maintaining the operability of the software and hardware infrastructure, promptly eliminating security breaches and planning recovery work.

On the other hand, the distinction between administrative and organizational procedures is meaningless, since the procedures of one level cannot exist separately from the other, and separating them breaks the relationship between physical, personnel and organizational protection in the concept of information security. In practice, organizations neglect neither administrative nor organizational procedures, so it is more logical to treat them as an integrated approach, since both levels affect the physical, organizational and personnel levels of information protection.

The basis of complex procedures for ensuring information security is the security policy.

Information security policy

An organization's information security policy is the set of documented decisions made by its management and aimed at protecting information and the resources associated with it.

Organizationally, the information security policy may be a single document or several independent documents or orders, but in any case it should cover the following aspects of protecting the organization's information system:

  • protection of information system objects, information resources and direct operations with them;
  • protection of all operations related to the processing of information in the system, including processing software;
  • protection of communication channels, including wired, radio channels, infrared, hardware, etc.;
  • protection of the hardware complex from side electromagnetic radiation;
  • management of the security system, including maintenance, upgrades and administrative actions.

Each of the aspects should be described in detail and documented in the internal documents of the organization. Internal documents cover three levels of the protection process: upper, middle and lower.

Top-level information security policy documents reflect the organization's basic approach to protecting its own information and its compliance with national and/or international standards. In practice an organization has only one top-level document, entitled "Information Security Concept", "Information Security Regulation" or similar. Formally these documents are not confidential and their distribution is not restricted, but they may be issued in two editions: one for internal use and one for open publication.

The middle-level documents are strictly confidential and relate to specific aspects of the information security of the organization: the means of information protection used, the security of databases, communications, cryptographic tools and other information and economic processes of the organization. Documentation is implemented in the form of internal technical and organizational standards.

Documents of the lower level are divided into two types: work regulations and operating instructions. The work regulations are strictly confidential and are intended only for persons who, on duty, carry out work on the administration of individual information security services. Operating instructions can be either confidential or public; they are intended for the organization's personnel and describe the procedure for working with individual elements of the organization's information system.

World experience shows that the information security policy is always documented only in large companies with a developed information system that imposes increased security requirements; medium-sized enterprises usually have only a partially documented policy; and the vast majority of small organizations do not document it at all. Whether the documentation is holistic or distributed, the basic question is the security mode.

Two different approaches can form the basis of an information security policy:

  1. "Everything that is not forbidden is allowed."
  2. "Everything that is not allowed is prohibited."

The fundamental defect of the first approach is that it is impossible in practice to foresee every dangerous case and forbid it. Only the second approach should be used.
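The difference between the two approaches shows most plainly in the screening (firewall) rules discussed earlier on this page, so the following added example serves both passages: a small packet-filter evaluator, not the article's code and not any real firewall product, whose rule syntax, addresses and sample packets are constructed for the demonstration. The same rule list is evaluated once with an "allow" default and once with a "deny" default; the traffic the administrator did not think of is what separates them.

```python
"""Screening (packet filtering) under the two policy approaches:
"everything not forbidden is allowed" versus "everything not allowed is prohibited".

Added example, not from the article or any firewall product. The rule syntax,
addresses and sample packets are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, default: str, packet: Packet) -> str:
    """First matching rule wins; if no rule matches, the policy default applies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"

# The rules the administrator wrote: what they wanted to allow, and the one
# service they remembered to forbid explicitly.
RULES = [
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=443),                   # public web front end
    Rule("allow", src=INTERNAL, dst="10.0.2.20/32", proto="tcp", dport=5432),   # database, internal only
    Rule("deny", dst=INTERNAL, proto="tcp", dport=23),                          # telnet explicitly forbidden
]


def screen_allow_by_default(p: Packet) -> str:
    """Approach 1: everything not forbidden is allowed."""
    return evaluate(RULES, "allow", p)


def screen_deny_by_default(p: Packet) -> str:
    """Approach 2: everything not allowed is prohibited."""
    return evaluate(RULES, "deny", p)


# Constructed sample traffic; 198.51.100.0/24 is a documentation range standing in for the Internet.
SAMPLES = {
    "web from internet":     Packet("198.51.100.7", "10.0.1.10", "tcp", 443),
    "db from inside":        Packet("10.0.5.5", "10.0.2.20", "tcp", 5432),
    "db from internet":      Packet("198.51.100.7", "10.0.2.20", "tcp", 5432),
    "telnet from internet":  Packet("198.51.100.7", "10.0.1.10", "tcp", 23),
    "rdp from internet":     Packet("198.51.100.7", "10.0.1.10", "tcp", 3389),  # nobody wrote a rule for this
}


def compare() -> dict:
    """Verdict of each approach for every sample packet: name -> (allow-default, deny-default)."""
    return {name: (screen_allow_by_default(p), screen_deny_by_default(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s} allow-by-default={verdicts[0]:5s} deny-by-default={verdicts[1]}")
```

The packets the rules anticipated get the same verdict either way. The database reached from the Internet and the RDP connection no rule mentions are admitted by the first approach and refused by the second; every unforeseen service an attacker tries will behave like the RDP line, which is the practical content of the paragraph's conclusion.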

Organizational level of information security

From the information security standpoint, organizational procedures for ensuring information security are "the regulation of production activities and of relations between performers on a legal basis that excludes or significantly hinders the misappropriation of confidential information and the manifestation of internal and external threats".

Personnel management measures for ensuring information security include separation of duties and minimization of privileges. Separation of duties distributes competences and areas of responsibility so that no single person is able to disrupt a process that is critical to the organization; this reduces the chance of errors and abuse. Minimization of privileges dictates that users be given only the level of access their job function requires; this reduces the damage from accidental or intentional incorrect actions.

Physical protection means the development and adoption of measures for the direct protection of buildings that house the information resources of the organization, adjacent territories, infrastructure elements, computing equipment, data carriers and hardware communication channels. These include physical access control, fire protection, supporting infrastructure protection, eavesdropping protection, and mobile system protection.

Maintaining the operability of the software and hardware infrastructure means preventing random failures that threaten to damage the hardware, disrupt programs and lose data. The main areas here are user and software support, configuration management, backup, media management, documentation and preventive maintenance.

Rapid resolution of security breaches has three main objectives:

  1. Incident localization and damage reduction;
  2. Identification of the offender;
  3. Prevention of repeated violations.

Finally, recovery planning allows you to prepare for accidents, reduce the damage they cause and maintain at least a minimal ability to function.

The use of software and hardware tools and of secure communication channels should be implemented in the organization on the basis of an integrated approach to developing and approving all administrative and organizational procedures for ensuring information security. Otherwise, isolated measures do not guarantee the protection of information and often, on the contrary, provoke leaks of confidential information, loss of critical data, damage to the hardware infrastructure and disruption of the software components of the organization's information system.

Information security methods

Modern enterprises typically run a distributed information system that covers the company's geographically dispersed offices and warehouses, financial and management accounting, the customer base, selected performance indicators, and so on. The volume of data is therefore very large, and the vast majority of it is of priority commercial and economic importance for the company. In effect, ensuring the confidentiality of commercially valuable data is one of the main tasks of information security in the company.

Ensuring information security at the enterprise should be regulated by the following documents:

  1. Information security regulation. It includes the formulation of goals and objectives for ensuring information security, a list of internal regulations on information security tools and a regulation on the administration of a company's distributed information system. Access to the regulations is limited to the management of the organization and the head of the automation department.
  2. Regulations for the technical support of information protection. Documents are confidential, access is limited to employees of the automation department and higher management.
  3. Regulations for the administration of a distributed information protection system. Access to the regulation is limited to employees of the automation department responsible for administering the information system and senior management.

These documents should not be the only ones: the lower levels must also be worked out. If the enterprise has no other documents related to information security, in particular operating instructions for individual elements of the information system, this indicates an insufficient level of administrative information security.

Mandatory organizational procedures include:

  • the main measures to differentiate personnel by the level of access to information resources,
  • physical protection of the company's offices from direct penetration and threats of destruction, loss or interception of data,
  • maintaining the functionality of the hardware and software infrastructure, organized as automated backup, remote verification of storage media, and user and software support provided on request.

This should also include regulated measures to respond to and eliminate cases of information security violations.

In practice, enterprises are often insufficiently attentive to this issue. All actions in this area are carried out purely on an ad hoc basis, which increases the time needed to eliminate violations and does not guarantee that information security violations will not recur. In addition, there is frequently no planning at all for eliminating the consequences of accidents, information leaks, data loss and critical situations. All this significantly worsens the enterprise's information security.

At the level of software and hardware, a three-level information security system should be implemented.

Minimum criteria for ensuring information security:

1. Access control module:

  • entry to the information system is closed: it cannot be accessed from anywhere other than verified workstations;
  • employees have access with limited functionality from mobile personal computers;
  • authorization is performed using logins and passwords issued by administrators.

2. Encryption and integrity control module:

  • an asymmetric encryption method for transmitted data is used;
  • arrays of critical data are stored in databases in encrypted form, which prevents access to them even if the company's information system is compromised;
  • integrity control is provided by a simple digital signature of all information resources stored, processed or transmitted within the information system.

3. Shielding module:

  • a system of firewall filters controls all information flows through communication channels;
  • external connections to global information resources and public communication channels can only be made through a limited set of verified workstations that have a limited connection to the corporate information system;
  • secure access from employees' workplaces to perform their official duties is implemented through a two-level system of proxy servers.
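As an added illustration of the second module (this is example code, not code from the article): the following Go program, using only the standard library, stores a critical record encrypted with AES-256-GCM and signs nonce||ciphertext with Ed25519, so a row altered in the database fails the integrity check before it is ever decrypted. The `Record` layout, function names and the record contents are assumptions constructed for the example; the 32-byte key and signing key pair are generated by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Record is one protected database row (assumed layout): AES-GCM nonce and ciphertext plus an Ed25519 signature over nonce||ciphertext.
type Record struct{ Nonce, Ciphertext, Signature []byte }

// newGCM builds the AEAD for a 32-byte (AES-256) key; a wrong key length is an error.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts critical data for storage and signs the result, so that any
// later modification of the stored row can be detected.
func Protect(plaintext, aesKey []byte, priv ed25519.PrivateKey) (Record, error) {
	gcm, err := newGCM(aesKey)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sig := ed25519.Sign(priv, append(append([]byte{}, nonce...), ct...))
	return Record{Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Unprotect verifies the signature first and only then decrypts; an altered nonce, ciphertext or signature is rejected.
func Unprotect(r Record, aesKey []byte, pub ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, r.Nonce...), r.Ciphertext...)
	if !ed25519.Verify(pub, signed, r.Signature) {
		return nil, errors.New("integrity check failed: record modified or forged")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil) // also checks the GCM tag
}
```

The GCM authentication tag alone can be recomputed by anyone holding the symmetric key, whereas the signature ties each record to a signing key that the storage layer never needs; that is why it is checked first.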

Finally, with the help of tunneling technologies, a virtual private network following a standard design model must be implemented in the enterprise to provide secure communication channels between the company's departments, partners and customers.

Despite the fact that communications are directly carried out over networks with a potentially low level of trust, tunneling technologies, through the use of cryptographic tools, make it possible to ensure reliable protection of all transmitted data.

Conclusions

The main goal of all measures taken in the field of information security is to protect the interests of the enterprise, one way or another related to the information resources that it has. Although the interests of enterprises are not limited to a specific area, they all center around the availability, integrity and confidentiality of information.

The problem of ensuring information security arises for two main reasons.

  1. The information resources accumulated by the enterprise are valuable.
  2. The wide application of information technologies makes the enterprise critically dependent on them.

Given the wide variety of existing threats to information security (destruction of important information, unauthorized use of confidential data, interruptions in the enterprise's operation caused by failures of the information system), it is clear that all of them objectively lead to large material losses.

In ensuring information security, a significant role is played by software and hardware tools that control computing entities (hardware, software components and data) and form the last and highest-priority line of defence. Data transmission must also be secured so that confidentiality, integrity and availability are maintained. Therefore, in modern conditions, tunneling technologies are used in combination with cryptographic means to provide secure communication channels.

Literature

  1. Galatenko V.A. Information security standards. - M.: Internet University of Information Technologies, 2006.
  2. Partyka T.L., Popov I.I. Information Security. - M.: Forum, 2012.
