
Diploma work on information security (Security of information systems)

Introduction

Chapter 1. Theoretical aspects of acceptance and information security

1.1 The concept of information security

1.3 Information security practices

Chapter 2. Analysis of the information security system

2.1 The scope of the company's activities and analysis of its financial performance

2.2 Description of the company's information security system

2.3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Appendix

Annex 1. Balance sheet for 2010


Introduction

The relevance of the thesis topic is determined by the growing scale of information security problems, even against the background of rapid growth in data protection technologies and tools. It is impossible to provide 100% protection for corporate information systems, so data protection tasks have to be prioritized correctly within the limited share of the budget allocated to information technology.

Reliable protection of the corporate computing and network infrastructure is a basic information security task for any company. As the business grows and the enterprise becomes geographically distributed, this infrastructure begins to extend beyond a single building.

Effective protection of the IT infrastructure and of corporate applications is impossible today without modern network access control technologies. The growing number of thefts of media containing valuable business information also increasingly forces organizations to adopt organizational measures.

The purpose of this work is to evaluate the information security system existing in the organization and to develop measures for improving it.

This goal determines the following tasks of the thesis:

1) to consider the concept of information security;

2) to consider the types of possible threats to information systems and the options for protecting against possible threats of information leakage in the organization;

3) to identify a list of information resources whose loss of integrity or confidentiality would cause the greatest damage to the enterprise;

4) to develop, on that basis, a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of references and appendices.

The introduction substantiates the relevance of the research topic, formulates the purpose and objectives of the work.

The first chapter deals with the theoretical aspects of the concepts of information security in the organization.

The second chapter gives a brief description of the company's activities and key performance indicators, describes the current state of its information security system and proposes measures to improve it.

The conclusion formulates the main results and findings of the work.

The methodological and theoretical basis of the thesis was the work of domestic and foreign experts in the field of information security, the regulations of the Russian Federation governing the protection of information, and international standards on information security.

The theoretical significance of the thesis research lies in the application of an integrated approach to the development of an information security policy.

The practical significance of the work is that its results make it possible to raise the level of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of acceptance and information security

1.1 The concept of information security

Information security is understood as the protection of information and the infrastructure supporting it from any accidental or malicious influences, the result of which may be damage to the information itself, its owners or the supporting infrastructure. The tasks of information security are reduced to minimizing damage, as well as to predicting and preventing such impacts.

The properties of information systems that need to be protected fall into three categories: the integrity, availability and confidentiality of information resources.

availability is the ability to obtain the required information service within an acceptable time;

integrity is the relevance and consistency of information and its protection from destruction and unauthorized modification;

confidentiality is protection against unauthorized access to information.

Information systems are created primarily to provide certain information services. If for some reason these services become unobtainable, all subjects of information relations suffer damage. In this sense, availability comes first.

Integrity is the main aspect of information security wherever the accuracy and correctness of the information are its main properties, for example prescriptions for medicines or the list and characteristics of components.

Confidentiality is the most developed component of information security in our country, yet the practical implementation of confidentiality measures in modern information systems faces great difficulties in Russia. First, information about the technical channels of information leakage is restricted, so most users cannot form a picture of the potential risks. Second, numerous legal and technical obstacles stand in the way of using cryptography as the primary confidentiality tool.

Actions that can damage an information system can be divided into several categories.

1. Actions of users:

deliberate theft or destruction of data on a workstation or server;

damage to data by a user as a result of careless actions.

2. "Electronic" methods of influence carried out by hackers.

Hackers are people who commit computer crimes either professionally (including in the interests of competitors) or simply out of curiosity. Their methods include:

unauthorized penetration into computer networks;

denial-of-service (DoS) attacks.

The purpose of unauthorized penetration into the enterprise network from the outside may be to do harm (destroy data), to steal confidential information and use it for illegal purposes, to use the network infrastructure for attacks on third-party hosts, to steal funds from accounts, and so on.

A DoS attack (Denial of Service) is an external attack on the enterprise's network nodes that are responsible for its secure and efficient operation (file servers, mail servers). The attackers flood these nodes with data packets in order to overload them and, as a result, take them out of service for some time. As a rule, this disrupts the victim company's business processes and leads to loss of customers, damage to reputation, and so on.

3. Computer viruses. Computer viruses and other malware form a separate category of electronic methods of influence. They pose a real danger to modern business, which makes extensive use of computer networks, the Internet and e-mail. A virus that penetrates the nodes of the corporate network can disrupt their operation, waste working hours, destroy data, leak confidential information and even steal funds directly. A malicious program that has penetrated the corporate network can give attackers partial or complete control over the company's activities.

4. Spam. In just a few years spam has turned from a minor annoyance into one of the most serious security threats:

e-mail has become the main distribution channel for malware in recent years;

viewing and deleting spam takes a lot of time and causes employees psychological discomfort;

both individuals and organizations fall victim to fraudulent schemes run by spammers (victims of such incidents often try not to disclose them);

important correspondence is often deleted together with spam, which can lead to loss of customers, failed contracts and other unpleasant consequences; the risk of losing mail is especially high when RBL blacklists and other "crude" spam filtering methods are used.

5. "Natural" threats. A variety of external factors can affect a company's information security: improper storage, theft of computers and media, force majeure and so on can all cause data loss.

An information security management system (ISMS) makes it possible to manage the set of measures that implement a chosen strategy, in this case with respect to information security. Note that this covers not only managing an existing system but also building a new one or redesigning an old one.

The set of measures includes organizational, technical, physical and other measures. Information security management is a complex process that makes it possible to implement the most efficient and comprehensive management of information security in a company.

The purpose of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the assets of the organization and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include directly information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what needs to be protected. It is very important to understand what information is processed in an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the organization's activities are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and top managers. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management on the priorities in ensuring information security is very important and valuable in the process of risk analysis, but in any case, it should be clarified by collecting information about the criticality of assets at the middle level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to top management for a comprehensive assessment of the situation.

Information can be identified and localized based on the description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted a business regulation approach (for example, for the purpose of quality management and business process optimization). Formalized business process descriptions are a good starting point for asset inventory. If there are no descriptions, you can identify the assets based on the information received from the organization's employees. Once assets are identified, their value must be determined.

The work of determining the value of information assets in the context of the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

The economic efficiency of the information security management process depends largely on understanding what needs to be protected and what effort that will require, since in most cases the effort applied is directly proportional to the money spent and the operating costs. Risk management answers the question of where risks can be accepted and where they cannot. In information security, accepting a risk means that in a certain area it is possible not to make significant efforts to protect information assets because, even if a security breach occurs there, the organization will not suffer significant losses. An analogy can be drawn with the protection classes of automated systems: the greater the risks, the more stringent the protection requirements must be.

To determine the consequences of a security breach, one must either have records of similar incidents or conduct a scenario analysis. Scenario analysis examines the causal relationships between events that breach the security of an asset and the impact of those events on the organization's business. The consequences of the scenarios should be evaluated by several people, either in several rounds or in joint discussion. Such scenarios cannot be developed and evaluated in isolation from reality: the scenario must always be plausible. The criteria and scales for determining value are specific to each organization. The results of the scenario analysis yield information about the value of the assets.

If the assets are identified and their value is determined, we can say that the goals of ensuring information security are partially established: the objects of protection and the importance of maintaining them in a state of information security for the organization are defined. Perhaps, it remains only to determine who needs to be protected from.

After defining the goals of information security management, it is necessary to analyze the problems that prevent approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional concepts of information security - violators, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard intruder model that classifies intruders by their type of access to the asset and their knowledge of the asset's structure. Such a classification helps to determine which threats can be directed at an asset, but does not answer the question of whether those threats can actually be realized.

In the process of risk analysis, it is necessary to assess the motivation of violators in the implementation of threats. At the same time, the violator is not meant to be an abstract external hacker or insider, but a party interested in obtaining benefits by violating the security of an asset.

Initial information about the model of the intruder, as in the case of the choice of initial areas of activity to ensure information security, should be obtained from top management, who imagines the position of the organization in the market, has information about competitors and what methods of influence can be expected from them. The information necessary to develop a model of an intruder can also be obtained from specialized studies on violations in the field of computer security in the area of ​​business for which the risk analysis is carried out. A well-designed intruder model complements the objectives of ensuring information security, defined in the assessment of the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the organization's information asset environment. By itself, the information is not stored or processed. Access to it is provided using the information infrastructure that automates the business processes of the organization. It is important to understand how the information infrastructure and information assets of an organization are related. From the perspective of information security management, the significance of the information infrastructure can only be established after determining the relationship between information assets and infrastructure. In the event that the processes of maintaining and operating the information infrastructure in an organization are regulated and transparent, the collection of information necessary for identifying threats and assessing vulnerabilities is greatly simplified.

Developing a threat model is a job for security professionals who have a good idea of ​​how an intruder can gain unauthorized access to information by violating the security perimeter or using social engineering methods. When developing a threat model, one can also talk about scenarios as successive steps according to which threats can be implemented. It very rarely happens that threats are implemented in one step by exploiting a single vulnerability in the system.

The threat model should include all threats identified as a result of related information security management processes, such as vulnerability and incident management. It must be remembered that threats will need to be ranked relative to each other according to the level of probability of their implementation. To do this, in the process of developing a threat model for each threat, it is necessary to indicate the most significant factors, the existence of which affects its implementation.

The security policy is based on the analysis of risks that are recognized as real for the organization's information system. When the risks are analyzed and the protection strategy is defined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program, etc. is determined.

In a broad sense, security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as a local regulatory document that defines security requirements, a system of measures, or an order of actions, as well as the responsibility of employees of the organization and control mechanisms for a specific area of ​​​​security.

Before starting to form the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information - information (messages, data) regardless of the form of their presentation.

Confidentiality of information - a mandatory requirement for a person who has access to certain information not to transfer such information to third parties without the consent of its owner.

Information Security(IS) is the state of protection of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations, states.

The concept of "information" is used today very broadly and in many different senses.

Ensuring information security cannot be a one-time act. This is a continuous process, which consists in substantiating and implementing the most rational methods, ways and means of improving and developing the protection system, continuously monitoring its condition, identifying its weaknesses and illegal actions.

Information security can be ensured only with the integrated use of the entire range of available protection tools in all structural elements of the production system and at all stages of the technological cycle of information processing. The greatest effect is achieved when all the means, methods and measures used are combined into a single holistic mechanism of the information protection system. At the same time, the functioning of the system should be monitored, updated and supplemented depending on changes in external and internal conditions.

According to GOST R ISO/IEC 15408:2005 (the Russian adoption of the Common Criteria), the following types of security requirements are distinguished:

functional, corresponding to the active aspect of protection, imposed on the security functions and the mechanisms that implement them;

assurance requirements, corresponding to the passive aspect, imposed on the technology and the process of development and operation.

It is very important that security in this standard is not considered statically, but in relation to the life cycle of the object of assessment. The following stages are distinguished:

determination of the purpose, conditions of use, goals and safety requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

So, let's take a closer look at the functional security requirements. They include:

user data protection;

protection of security functions (the requirements relate to the integrity and control of these security services and the mechanisms that implement them);

security management (the requirements of this class relate to the management of security attributes and parameters);

security audit (identification, registration, storage, analysis of data affecting the security of the object of assessment, response to a possible security breach);

privacy (protection of the user from disclosure and unauthorized use of his identification data);

use of resources (requirements for the availability of information);

communication (authentication of the parties involved in the data exchange);

trusted route/channel (for communication with security services).

In accordance with these requirements, the organization's information security system must be formed.

The information security system of an organization covers the following areas:

regulatory;

organizational (administrative);

technical;

software.

For a complete assessment of the state of security at the enterprise in all these areas, an information security concept must be developed that establishes a systematic approach to the security of information resources and sets out, in a structured way, the goals, objectives, design principles and set of measures for ensuring information security at the enterprise.

The corporate network management system should be based on the following principles (tasks):

protection of the enterprise's existing information infrastructure from intruder interference;

provision of conditions for localizing and minimizing possible damage;

elimination, at the earliest stage, of the causes that give rise to sources of threats;

protection of information against the three main types of threats (to availability, integrity and confidentiality).

These tasks are achieved by:

regulating user actions when working with the information system;

regulating user actions when working with the database;

uniform requirements for the reliability of hardware and software;

procedures for monitoring the operation of the information system (event logging, log analysis, network traffic analysis, analysis of the operation of hardware).

The information security policy includes:

the main document, the "Security Policy", which describes the organization's security policy in general terms, its general provisions and the related documents for all aspects of the policy;

instructions for regulating the work of users;

job description of the local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instructions for organizing password protection;

instructions for organizing anti-virus protection.

The "Security Policy" document contains the main provisions. The information security program, the job descriptions and the recommendations are built on its basis.

The instructions regulating the work of users of the organization's local network govern the procedure for admitting users to work in the organization's local computer network and the rules for handling protected information that is processed, stored and transmitted in the organization.

The job description of the local network administrator describes the administrator's duties with respect to information security.

The job description of the database administrator defines the main duties, functions and rights of the database administrator, describing in detail his official duties and functions as well as his rights and responsibilities.

The instructions for working with Internet resources set out the basic rules of safe work on the Internet and contain a list of acceptable and unacceptable actions when using Internet resources.

The instructions for organizing anti-virus protection define the main provisions and requirements for the anti-virus protection of the organization's information system, all aspects of operating the anti-virus software, and the responsibility for violating the anti-virus protection rules.

The instructions for organizing password protection regulate the organizational and technical support of the processes of generating, changing and withdrawing passwords (deleting user accounts). They also regulate the actions of users and maintenance personnel when working with the system.

Thus, the basis for organizing information protection is a security policy, formulated to define what threats the information in the information system is protected from and how.

A security policy is understood as the set of legal, organizational and technical information protection measures adopted in a particular organization. In other words, the security policy defines the conditions under which users gain access to system resources without the system losing its information security properties.


The task of ensuring information security must be addressed systematically: the various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

To date, there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of the contents of disks;

means of anti-virus protection;

network vulnerability detection systems and network attack analyzers.

Each of these tools can be used both independently and in integration with others. This makes it possible to create information protection systems for networks of any complexity and configuration, regardless of the platforms used.

Identification, authentication, authorization and administration. Identification is the user's claim of an identity (for example a login name); authentication verifies that claim (by a password, a token or a biometric). These are key elements of information security. The authorization function determines which resources a particular user may access. The administration function assigns the user identification attributes within the network and defines the scope of actions allowed to him.

Encryption systems minimize losses in the event of unauthorized access to data stored on a hard drive or other media, as well as interception of information sent by e-mail or transmitted over network protocols. The task of this protection tool is to ensure confidentiality. The basic requirements for encryption systems are a high level of cryptographic strength and legality of use in Russia (or other states).

A firewall is a system, or combination of systems, that forms a protective barrier between two or more networks and prevents unauthorized packets from entering or leaving a network.

The basic principle of a packet-filtering firewall is to check each packet's source and destination addresses (and, in practice, its protocol and port numbers) against a set of rules defining what traffic is allowed; anything not explicitly allowed should be dropped. Stateful firewalls additionally track connections, so that only replies to permitted outbound connections are let back in. In this way firewalls considerably extend the possibilities for segmenting networks and controlling the flow of data.
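The rule evaluation just described, written out as an added example (this is illustration code, not a tool from the thesis). The addresses, ports and ruleset are constructed for the example; the filter is stateless, so it shows only the first-match, default-deny logic and not connection tracking:

```python
"""Stateless first-match packet filter (added example, not from the thesis).

Each rule names a source and destination (CIDR or "any"), a protocol and an
optional destination port.  Rules are tested in order and the first match
decides; the trailing rule makes the default policy an explicit DENY.  A
filter that only compares addresses against an "allowed list" cannot
express "this host may reach the file server on SMB but not on SSH".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any port

    @staticmethod
    def _in_net(addr: str, net: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net, strict=False)

    def matches(self, p: Packet) -> bool:
        return (self._in_net(p.src, self.src)
                and self._in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed segmentation policy (hypothetical addresses):
#   10.0.1.0/24  office workstations
#   10.0.2.10    file server, 10.0.2.20 mail server
RULESET: List[Rule] = [
    Rule("allow", "10.0.1.0/24", "10.0.2.10", "tcp", 445),   # LAN -> file server (SMB)
    Rule("allow", "10.0.1.0/24", "10.0.2.20", "tcp", 143),   # LAN -> mail server (IMAP)
    Rule("allow", "any",         "10.0.2.20", "tcp", 25),    # anyone -> mail server (SMTP)
    Rule("allow", "10.0.1.0/24", "any",       "icmp"),       # LAN may ping out
    Rule("deny",  "any",         "any",       "any"),        # explicit default deny
]


def decide(p: Packet, rules: List[Rule] = RULESET) -> Tuple[str, int]:
    """Return (action, index of the rule that fired).  Index -1 means no rule
    matched and the implicit default of DENY applied."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", -1


if __name__ == "__main__":
    for pkt in [
        Packet("10.0.1.5", "10.0.2.10", "tcp", 445),      # allowed by rule 0
        Packet("10.0.1.5", "10.0.2.10", "tcp", 22),       # same hosts, wrong port: denied
        Packet("203.0.113.7", "10.0.2.10", "tcp", 445),   # SMB from the Internet: denied
        Packet("203.0.113.7", "10.0.2.20", "tcp", 25),    # inbound SMTP: allowed
    ]:
        print(pkt, "->", decide(pkt))
```

The second sample packet is the point: source and destination are both "allowed addresses", yet the packet is dropped because no rule permits that port. Rule order matters as well; moving the final deny rule to the top would silently block everything.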

Speaking of cryptography and firewalls, we should mention secure virtual private networks (VPN). They make it possible to ensure the confidentiality and integrity of data transmitted over open communication channels. The use of a VPN comes down to three main tasks:

protection of information flows between the company's offices (information is encrypted only when it leaves for the external network);

secure access of remote users to the company's information resources, usually over the Internet;

protection of information flows between individual applications inside the corporate network (this is also very important, since many attacks originate from inside the network).

An effective means of protecting against the loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking messages and their attachments against rules set by the organization also helps to protect the company from liability in lawsuits and protects employees from spam. Content filtering tools can inspect files of all common formats, including compressed and graphic ones, with little impact on network throughput.
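A small attachment filter of the kind described above, added here as an example (it is not the thesis's own tool). It rejects attachments by extension, rejects files whose content does not match the name they carry (an executable renamed to .pdf, detected by its magic bytes), and applies the same checks to the contents of ZIP archives. The sample message, its attachments and the extension lists are constructed for the example:

```python
"""E-mail attachment content filter (added example, not from the thesis)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

BLOCKED_EXT = {".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd"}
EXECUTABLE_EXT = {".exe", ".scr", ".dll"}        # all carry the "MZ" signature
MAX_UNPACKED = 50 * 1024 * 1024                   # crude zip-bomb guard
MAX_DEPTH = 2                                     # archives nested in archives

# A few well-known file signatures (constructed subset).
MAGIC = {b"MZ": ".exe", b"%PDF": ".pdf", b"PK\x03\x04": ".zip"}


def sniff(data: bytes) -> Optional[str]:
    """Guess the real type from the first bytes, ignoring the file name."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_blob(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return the policy violations for one attachment (empty list = clean)."""
    reasons: List[str] = []
    ext = extension(name)
    real = sniff(data)
    if ext in BLOCKED_EXT:
        reasons.append(f"{name}: blocked extension {ext}")
    if real == ".exe" and ext not in EXECUTABLE_EXT:
        reasons.append(f"{name}: content is a Windows executable but named '{ext or 'no extension'}'")
    if real == ".zip":
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: archive nested too deeply")
            return reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_UNPACKED:
                        reasons.append(f"{name}/{info.filename}: unpacked size too large")
                        continue
                    reasons += check_blob(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt archive")
    return reasons


def check_message(raw: bytes) -> List[str]:
    """Parse an RFC 5322 message and check every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons += check_blob(name, part.get_payload(decode=True) or b"")
    return reasons


def build_sample() -> bytes:
    """Constructed test message: a clean PDF, a renamed executable and a ZIP
    that hides an executable."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("setup.exe", b"MZ\x90\x00" + b"\x00" * 60)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "docs"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="tools.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in check_message(build_sample()):
        print("REJECT:", r)
```

Matching on magic bytes rather than on the declared Content-Type or file name is what catches the renamed executable; the depth and unpacked-size limits are there because archive inspection is itself an attack surface (nested or highly compressed archives).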

All changes to files on a workstation or server can be tracked by the network administrator or another authorized user using integrity-checking technology for the contents of disks. It records a baseline of checksums for the monitored files and compares it with the current state, which makes it possible to detect modification or deletion of files and thus to spot virus activity, unauthorized access or data theft by authorized users (merely opening a file leaves its checksum unchanged; such access is visible only in access timestamps or audit logs). Control is based on file checksums; CRC sums only detect accidental corruption, because an attacker who modifies a file can adjust it so that the CRC matches again, so deliberate changes should be checked with a cryptographic hash such as SHA-256.
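The baseline-and-compare procedure above, as an added example (not the thesis's own tool). It uses a keyed SHA-256 (HMAC) rather than a CRC: the key means an attacker who can also write the baseline file cannot simply recompute the digests. The directory tree, file contents and key are constructed for the demonstration; in practice the key and the baseline are kept off the monitored host:

```python
"""File integrity baseline and verification (added example, not from the thesis)."""
import hmac
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, key: bytes) -> str:
    """Keyed SHA-256 over the file contents, streamed in chunks."""
    mac = hmac.new(key, digestmod="sha256")
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: str, key: bytes) -> Dict[str, str]:
    """Map relative path -> keyed digest for every regular file under root."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full, key)
    return baseline


def verify(root: str, baseline: Dict[str, str], key: bytes) -> Dict[str, List[str]]:
    """Compare the tree against the baseline; report modified, deleted, added."""
    current = build_baseline(root, key)
    return {
        "modified": sorted(p for p in baseline if p in current
                           and not hmac.compare_digest(current[p], baseline[p])),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Create a small constructed tree, take a baseline, tamper, verify."""
    key = b"constructed-demo-key-keep-this-off-the-monitored-host"
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original binary")
        _write(root, "etc/app.conf", b"port=8080\n")
        _write(root, "docs/readme.txt", b"hello\n")
        baseline = build_baseline(root, key)
        _write(root, "bin/app", b"trojaned binary")                  # modification
        os.remove(os.path.join(root, "docs", "readme.txt"))           # deletion
        _write(root, "tmp/dropper.exe", b"MZ")                        # addition
        return verify(root, baseline, key)


if __name__ == "__main__":
    print(demo())
```

The report lists three classes of change separately because they call for different responses: a modified binary under bin/ is a likely compromise, a deleted document may be theft or housekeeping, and a new executable in a temporary directory is worth an immediate look.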

Modern anti-virus technologies can detect almost all known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior-modeling (heuristic) technologies have been developed to detect newly created viruses. Detected objects can be disinfected, quarantined or deleted. Anti-virus protection can be installed on workstations, file and mail servers and firewalls running almost any of the common operating systems (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labor costs of sorting through spam, reduce traffic and server load, improve the psychological climate in the team and reduce the risk of employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages carrying viruses (even those not yet in the anti-virus databases) often show the signs of spam and are filtered out. However, the positive effect of spam filtering is cancelled out if the filter deletes, or marks as spam, useful business or personal messages along with the junk.

The enormous damage caused to companies by viruses and hacker attacks is largely a consequence of weaknesses in the software in use. These can be identified in advance, without waiting for a real attack, using network vulnerability scanners and network attack analyzers. Such software safely simulates common attacks and intrusion methods and determines what exactly an attacker can see on the network and how he can use its resources.

To counter natural threats to information security, a company should develop and implement a set of procedures for preventing emergencies (for example, physical protection of data from fire) and for minimizing damage if such a situation does occur. One of the main methods of protection against data loss is backup with strict adherence to established procedures (regularity, media types, methods of storing copies, etc.).

An information security policy is a package of documents that regulates the work of employees, describing the basic rules for working with information, an information system, databases, a local network and Internet resources. It is important to understand what place the information security policy occupies in the overall management system of the organization. The following are general organizational measures related to security policy.

At the procedural level, the following classes of measures can be distinguished:

personnel management;

physical protection;

maintaining operability;

response to security breaches;

recovery planning.

Human resource management begins with hiring, but even before that, you should define the computer privileges associated with the position. There are two general principles to keep in mind:

segregation of duties;

privilege minimization.

The principle of segregation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process that is critical to the organization. For example, a situation where large payments on behalf of the organization are made by one person is undesirable. It is safer to entrust one employee with processing applications for such payments and another with approving them. Another example is procedural restrictions on superuser actions. It is possible to artificially "split" the superuser password by giving the first part to one employee and the second part to another. Then only the two of them together can perform actions critical to the administration of the information system, which reduces the likelihood of errors and abuse.

The principle of minimization of privileges prescribes to allocate to users only those access rights that they need to perform their duties. The purpose of this principle is obvious - to reduce the damage from accidental or deliberate incorrect actions.

Preliminary preparation of a job description allows you to assess its criticality and plan the procedure for checking and selecting candidates. The more responsible the position, the more carefully you need to check the candidates: make inquiries about them, perhaps talk with former colleagues, etc. Such a procedure can be lengthy and expensive, so there is no point in further complicating it. At the same time, it is unwise to completely refuse a preliminary check in order not to accidentally hire a person with a criminal past or a mental illness.

Once a candidate has been selected, they will probably need training; at the very least, they should be thoroughly familiarized with the duties of the job, as well as with the rules and procedures of information security. It is desirable that they learn the security measures before taking office and before their system account is set up with a login name, password and privileges.

The security of an information system depends on the environment in which it operates. Measures must be taken to protect buildings and the surrounding area, the supporting infrastructure, computers and data carriers.

Consider the following areas of physical protection:

physical access control;

protection of the supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of the organization, as well as individual premises, for example, those where servers, communication equipment, etc. are located, can be controlled.

Supporting infrastructure includes power, water and heat supply systems, air conditioners and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should choose equipment with the maximum time between failures, duplicate critical nodes, and always have spare parts on hand.

Generally speaking, a risk analysis should be carried out when selecting physical protection means. Thus, when deciding whether to purchase an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (although it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of available sources and the possible losses from outages (equipment breakdown, suspension of the organization's work, etc.).

Consider a number of measures aimed at maintaining the operability of information systems. It is in this area that the greatest danger lurks. Inadvertent errors by system administrators and users can lead to loss of operability, namely damage to equipment and destruction of programs and data. This is the worst case. In the best case, they create security holes that allow threats to the security of systems to be realized.

The main problem of many organizations is the underestimation of security factors in daily work. Expensive security tools lose their meaning if they are poorly documented, conflict with other software, or if the system administrator's password has not been changed since installation.

For daily activities aimed at maintaining the health of the information system, the following actions can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

routine maintenance work.

User support implies, first of all, consulting and assistance in solving various kinds of problems. It is very important to be able to identify, in the flow of questions, the problems related to information security. For instance, many of the difficulties of users working on personal computers may be due to virus infection. It is advisable to record user questions in order to identify typical mistakes and issue leaflets with recommendations for common situations.

Software support is one of the most important means of ensuring the integrity of information. First of all, you need to keep track of what software is installed on the computers. If users install programs on their own, this can lead to virus infection, as well as the appearance of utilities that bypass security measures. It is also likely that the "initiative" of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and to the access rights for them. This also includes maintaining master copies of software systems. Typically, control is achieved by a combination of physical and logical access control, as well as the use of integrity verification utilities.

Configuration management allows you to control and capture changes made to the software configuration. First of all, it is necessary to insure against accidental or ill-conceived modifications, to be able to at least return to the previous working version. Committing changes will make it easy to restore the current version after a crash.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security depend on each other, because whoever cares first of all about making their own task easier is, in fact, the one who shapes an optimal information security regime.

Backup is necessary to restore programs and data after disasters. Here too it is advisable to automate the work: at a minimum by drawing up a schedule for creating full and incremental copies, and at a maximum by using the appropriate software products. It is also necessary to arrange for copies to be kept in a safe place, protected from unauthorized access, fires and leaks, that is, from anything that could lead to theft or damage to the media. It is good to have multiple backup copies and to store some of them outside the organization's premises, thus protecting against major accidents and similar incidents. From time to time, for test purposes, the possibility of recovering information from the copies should be checked.

Media management is necessary to provide physical protection and accountability for floppy disks, tapes, printouts, and the like. Media management must ensure the confidentiality, integrity, and availability of information stored outside of computer systems. Physical protection here is understood not only as repelling unauthorized access attempts, but also as protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management should cover the entire life cycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything is documented - from the security policy to the media inventory log. It is important that the documentation is up to date, reflecting the current state of affairs, and in a consistent form.

Confidentiality requirements apply to the storage of some documents (containing, for example, analysis of system vulnerabilities and threats), while integrity and availability requirements apply to others, such as a disaster recovery plan (in a critical situation, the plan must be found and read).

Maintenance work is a very serious security threat. The employee who performs routine maintenance gets exclusive access to the system, and in practice it is very difficult to control exactly what actions he performs. Here, the degree of trust in those who perform the work comes to the fore.

The security policy adopted by the organization should provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since the measures must be taken urgently and in a coordinated manner.

The response to security breaches has three main objectives:

localization of the incident and reduction of the harm caused;

identification of the offender;

prevention of repeat violations.

Often the requirement to localize the incident and reduce the harm caused conflicts with the desire to identify the offender. The organization's security policy should set the priorities in advance. Since, as practice shows, it is very difficult to identify an intruder, in our opinion, you should first of all take care of reducing the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical and which must be performed no matter what. Recovery planning allows you to prepare for accidents, reduce the damage from them and maintain at least a minimal ability to function.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most of the measures are preventive in nature.

The recovery planning process can be divided into the following steps:

identification of critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a recovery strategy;

preparation for the implementation of the chosen strategy;

strategy check.

When planning recovery work, one should be aware that it is not always possible to fully preserve the functioning of the organization. It is necessary to identify the critical functions without which the organization loses its identity, and even among the critical functions to set priorities, so that work can be resumed after an accident as quickly as possible and at minimal cost.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is desirable to involve specialists of various profiles in the work.

Thus, there are a large number of different methods of ensuring information security, and the most effective approach is to use all of them together as a single complex. Today the security market is saturated with information security tools. Constantly studying the market's offerings, many companies find their earlier investments in information security systems inadequate, for example because of obsolete hardware and software, and therefore look for a solution to this problem. There are two options: on the one hand, a complete replacement of the corporate information protection system, which requires large investments; on the other, modernization of the existing security systems. The latter is the least expensive, but it brings new problems; for example, it requires answering the following questions: how to ensure compatibility between the old hardware and software security tools retained from the existing system and the new elements of the information security system; how to provide centralized management of heterogeneous security tools; and how to assess and, if necessary, reassess the company's information risks.

Chapter 2. Analysis of the information security system

1 The scope of the company and the analysis of financial performance

OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in the reliable, efficient and balanced supply of natural gas, other types of energy resources and products of their processing to consumers.

Gazprom has the richest natural gas reserves in the world. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. The company is currently actively implementing large-scale projects to develop the gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transmission network, the Unified Gas Supply System of Russia, whose length exceeds 161 thousand km. Gazprom sells over half of its gas on the domestic market. In addition, the company supplies gas to 30 countries near and far abroad.

Gazprom is the only producer and exporter of liquefied natural gas in Russia and provides about 5% of the world's LNG production.

The company is one of the five largest oil producers in the Russian Federation, and is also the largest owner of generating assets in its territory. Their total installed capacity is 17% of the total installed capacity of the Russian energy system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring the reliability of supplies.

Consider the financial performance of the company over the past two years. The results of the company's activities are presented in Appendix 1.

As of December 31, 2010, sales proceeds amounted to 2,495,557 million rubles, which is much lower than the 2011 figure of 3,296,656 million rubles.

Sales revenue (net of excise, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011, compared to the same period last year, and amounted to RUB 3,296,656 million.

Based on 2011 results, net sales of gas accounted for 60% of total net sales (60% in the same period last year).

Net proceeds from gas sales increased from RUB 1,495,335 million for the same period of the previous year to RUB 1,987,330 million in 2011, or by 33%.

Net proceeds from the sale of gas to Europe and other countries increased by 258,596 million rubles, or 34%, compared to the same period last year, and amounted to 1,026,451 million rubles. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% in the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales increased by 8% compared to the same period last year.

Net proceeds from the sale of gas to the countries of the former Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was mainly driven by a 33% increase in gas sales to the former Soviet Union in the nine months ended 30 September 2011 year-on-year. In addition, the average price in rubles (including customs duties, excluding VAT) increased by 15% compared to the same period last year.

Net proceeds from the sale of gas in the Russian Federation increased by 64,861 million rubles, or 15%, compared to the same period last year, and amounted to 502,271 million rubles. This is mainly due to the 13% increase in the average gas price compared to the same period last year, which is associated with the increase in tariffs set by the Federal Tariff Service (FTS).

Net proceeds from the sale of oil and gas products (net of excise, VAT and customs duties) increased by 213,012 million rubles, or 42%, compared to the same period last year, and amounted to 717,723 million rubles. This increase is mainly due to the rise in world prices for oil and gas products and the increase in volumes sold compared to the same period last year. Gazprom Neft Group's revenue accounted for 85% and 84% of total net revenue from the sale of refined petroleum products in 2011 and 2010, respectively.

Net proceeds from the sale of electricity and heat (net of VAT) increased by 38,097 million rubles, or 19%, and amounted to 237,545 million rubles. The increase in revenue from the sale of electricity and heat is mainly due to an increase in tariffs for electricity and thermal energy, as well as an increase in the volume of sales of electrical and thermal energy.

Net proceeds from the sale of crude oil and gas condensate (net of excise tax, VAT and customs duties) increased by 23,072 million rubles, or 16%, and amounted to 164,438 million rubles, compared to 141,366 million rubles for the same period last year. The change was mainly caused by an increase in the price of oil and gas condensate, and in addition by an increase in gas condensate sales. Proceeds from the sale of crude oil amounted to 133,368 million rubles and 121,675 million rubles within net proceeds from the sale of crude oil and gas condensate (net of excise, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by RUB 15,306 million, or 23%, and amounted to RUB 82,501 million, compared to RUB 67,195 million for the same period last year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in the volume of gas transported for independent suppliers compared to the same period last year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million, compared to RUB 87,502 million for the same period last year.

Expenditure on trading operations without actual delivery amounted to 837 million rubles, compared to revenue of RUB 5,786 million for the same period last year.

Operating expenses increased by 23% and amounted to 2,119,289 million rubles, compared to 1,726,604 million rubles for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to 267,377 million rubles, compared to 227,500 million rubles for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9%, or by 17,026 million rubles, and amounted to 201,636 million rubles, compared with 184,610 million rubles for the same period last year. The increase was mainly due to the expansion of the fixed asset base.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million, compared to 774,739 million rubles for the same period last year. The profit margin on sales increased from 31% to 36% in the nine months ended September 30, 2011.

Thus, OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators have a positive trend.

2 Description of the company's information security system

Let's consider the main activities of the departments of the Corporate Security Service of JSC "Gazprom":

development of targeted programs for the development of systems and complexes of engineering and technical means of protection (ITSO), information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer of work on the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of IT in terms of information security systems;

consideration and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work on assessing the conformity of ITSO systems and complexes, IS support systems (as well as works and services for their creation) to the established requirements;

coordination and control of work on the technical protection of information.

Gazprom has created a system that ensures the protection of personal data. However, the adoption by the federal executive authorities of a number of regulatory legal acts elaborating existing laws and government decrees makes it necessary to improve the current personal data protection system. To solve this problem, a whole series of documents has been prepared within the framework of research work. First of all, these are draft standards of the Gazprom Development Organization:

"Methodology for classifying personal data information systems of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in information systems of personal data of OAO Gazprom, its subsidiaries and organizations".

These documents have been developed taking into account the requirements of Decree of the Government of the Russian Federation dated November 17, 2007 No. 781 "On Approval of the Regulations on Ensuring the Security of Personal Data during their Processing in Personal Data Information Systems" in relation to the class of special systems, which includes most of the personal data information systems (ISPDs) of JSC "Gazprom".

In addition, the "Regulations on the organization and technical security of personal data processed in the information systems of personal data of OAO Gazprom, its subsidiaries and organizations" are currently being developed.

It should be noted that, within the framework of OAO Gazprom's standardization system, standards for the information security system have been developed, which will also allow solving the tasks of protecting PD processed in OAO Gazprom's information systems.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the main requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, form the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in Gazprom information systems.

As a result of the information security analysis of OAO Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

given the size of the network and the number of users (more than 100), it should be noted that system administration, information security and technical support are all handled by one person;

there is no classification of information assets according to the degree of importance;

information security roles and responsibilities are not included in job descriptions;

the employment contract concluded with the employee does not contain a clause on information security responsibilities of both those who are employed and the organization itself;

training of personnel in the field of information security is not carried out;

in terms of protection against external threats: there are no typical procedures for data recovery after accidents resulting from external and environmental threats;

the server room is not a separate room: the room is shared by two departments (in addition to the system administrator, one more person has access to the server room);

technical probing and physical examination for unauthorized devices connected to the cables are not carried out;

although entry is by electronic pass and every entry is recorded in a special database, this database is not analyzed;

in terms of protection against malware: there is no formal policy for protecting against the risks associated with receiving files from or through external networks, or files on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, and mail servers on external networks are accessible;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

the receipt of passwords by users is not confirmed in any way;

the administrator stores passwords in clear text;

passwords are never changed;

there is no procedure for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

policy regarding the hiring (dismissal) of employees and the granting (revocation) of the authority they need to access system resources;

policy regarding the work of network users during the network's operation;

password protection policy;

physical protection policy;

Internet policy;

and administrative security measures.

Documents containing these regulations are under consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OAO Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate the identified shortcomings of the security system, we single out the following groups of information to be protected:

information about the private life of employees that makes it possible to identify them (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information "for official use";

information, the destruction or modification of which will adversely affect the efficiency of work, and the restoration will require additional costs.

In terms of administrative measures, the following recommendations have been developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing facilities are installed or stored, or where work with protected information is carried out, must be guarded and protected by alarm systems and access control;

personnel training on information security issues (explaining the importance of password protection and password requirements, briefing on anti-virus software, etc.) should be organized when an employee is hired;

training aimed at improving employees' information security literacy should be conducted every 6-12 months;

an audit of the system and adjustment of the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes in the structure of the enterprise;

the access rights of each user to information resources must be documented (if necessary, access is requested from the manager in a written statement);

the information security policy should be enforced by the software administrator and the hardware administrator, whose actions are coordinated by the head of the group.

Let's formulate a password policy:

passwords must not be stored in unencrypted form (written down on paper, kept in a plain text file, etc.);

change the password in case of its disclosure or suspicion of disclosure;

the password length must be at least 8 characters;

the password must contain upper and lower case letters, numbers and special characters, and must not include easily guessed character sequences (names, animal names, dates);

change once every 6 months (an unscheduled password change must be made immediately after receiving notification of the incident that initiated the change);

when changing the password, a previously used password may not be chosen (passwords must differ by at least 6 positions).
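As an added example (not part of the thesis), the password rules above turned into a Python checker. The blocklist of names is constructed, "once every 6 months" is assumed to mean 182 days, and "differ by at least 6 positions" is read as a position-by-position comparison.

```python
import re
from typing import List, Optional

MIN_LENGTH = 8              # "length must be at least 8 characters"
MIN_DIFF_POSITIONS = 6      # "passwords must differ by at least 6 positions"
ROTATION_PERIOD_DAYS = 182  # "once every 6 months", assumed here as 182 days

# Constructed, illustrative blocklist standing in for the "names, animal names"
# the policy forbids; a real deployment would load a proper dictionary.
BLOCKLIST = {"ivan", "olga", "gazprom", "dog", "cat", "kitty", "rex"}

# Date-like sequences: dd.mm.yyyy style and bare four-digit years.
DATE_PATTERNS = [
    re.compile(r"\d{1,2}[./-]\d{1,2}[./-]\d{2,4}"),
    re.compile(r"(19|20)\d{2}"),
]


def positions_differing(new: str, old: str) -> int:
    """Count the positions in which two passwords differ.

    Assumption: the policy's "differ by at least 6 positions" is read as a
    position-by-position comparison; extra characters of the longer password
    count as additional differing positions.
    """
    differing = sum(1 for a, b in zip(new, old) if a != b)
    return differing + abs(len(new) - len(old))


def check_password(candidate: str, previous: Optional[List[str]] = None) -> List[str]:
    """Return the list of policy violations for `candidate` (empty means compliant).

    `previous` holds the user's earlier passwords for the reuse and
    minimum-difference rules.
    """
    violations: List[str] = []

    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Required character classes: upper, lower, digit, special.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(not c.isalnum() for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character class(es): " + ", ".join(missing))

    # Easily guessed sequences: blocklisted names and date-like fragments.
    lowered = candidate.lower()
    for word in sorted(BLOCKLIST):
        if word in lowered:
            violations.append(f"contains an easily guessed word: {word}")
    if any(p.search(candidate) for p in DATE_PATTERNS):
        violations.append("contains a date-like sequence")

    # History rules: no reuse, and at least MIN_DIFF_POSITIONS changed positions.
    for old in previous or []:
        if candidate == old:
            violations.append("reuses a previous password")
        elif positions_differing(candidate, old) < MIN_DIFF_POSITIONS:
            violations.append(
                f"differs from a previous password in fewer than "
                f"{MIN_DIFF_POSITIONS} positions"
            )
    return violations


def rotation_due(days_since_change: int, incident_reported: bool = False) -> bool:
    """Scheduled change every 6 months; an unscheduled change is due immediately
    after notification of an incident involving the password."""
    return incident_reported or days_since_change >= ROTATION_PERIOD_DAYS


if __name__ == "__main__":
    history = ["Tr0ub4dor&4"]  # constructed previous password
    for pw in ["password", "Olga1985!", "Tr0ub4dor&3", "Zx9!qwErty12"]:
        print(pw, "->", check_password(pw, history) or "compliant")
```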

Let's formulate a policy regarding antivirus programs and virus detection:

licensed anti-virus software must be installed on each workstation;

anti-virus databases must be updated once a day on workstations with Internet access and at least once a week on workstations without it;

automatic virus scanning of workstations must be set up (frequency of scans: once a week, Friday at 12:00);

only the administrator can stop updating anti-virus databases or scanning for viruses (password protection should be set for the specified user action).

Let's formulate a policy regarding physical protection:

technical probing and physical inspection for unauthorized devices connected to the cables must be carried out every 1-2 months;

network cables must be protected from unauthorized interception of data;

records of all suspected and actual equipment failures must be kept in a log;

Each workstation must be equipped with an uninterruptible power supply.

Let's formulate a backup policy:

for backups, a separate room should be allocated, located outside the administrative building (the room should be equipped with an electronic lock and alarm);

backups must be made every Friday at 16:00.

The policy regarding the hiring / dismissal of employees should have the following form:

any personnel changes (hiring, promotion, dismissal of an employee, etc.) must be reported to the administrator within 24 hours, and the administrator in turn must make the corresponding changes to the system for delimiting access rights to enterprise resources within half a working day;

a new employee must be instructed by the administrator, including familiarization with the security policy and all necessary instructions; the new employee's level of access to information is assigned by the manager;

when an employee leaves, their identifier and password are removed from the system, the workstation is checked for viruses, and the integrity of the data to which the employee had access is analyzed.

Policy regarding work with the local internal network (LAN) and databases (DB):

when working at their workstation and in the LAN, the employee must perform only tasks directly related to their official duties;

the employee must notify the administrator of any anti-virus alerts about detected viruses;

no one except administrators is allowed to change the design or configuration of workstations and other LAN nodes, install any software, leave a workstation unattended, or allow unauthorized persons to access it;

administrators are advised to keep two tools running at all times: an ARP-spoofing detection utility and a sniffer, which lets them see the network the way a potential intruder would and identify violators of the security policy;

software that prevents the launch of any programs other than those designated by the administrator should be installed, following the principle: "Any person is granted only the privileges necessary to perform specific tasks." All unused computer ports must be disabled in hardware or software;

software must be updated regularly.

Internet policy:

administrators have the right to restrict access to resources whose content is unrelated to the performance of official duties, as well as to resources whose content and orientation are prohibited by international and Russian legislation;

the employee is prohibited from downloading and opening files without first checking them for viruses;

all information about the resources visited by company employees must be kept in a log and, if necessary, may be provided to department heads and to management;

the confidentiality and integrity of electronic correspondence and office documents are ensured through the use of an electronic digital signature (EDS).

In addition, we will formulate the basic requirements for composing passwords for employees of OAO Gazprom.

A password is like the keys to a house, except that it is the key to information. Ordinary keys should not be lost, stolen or handed to a stranger, and the same goes for a password. Of course, the safety of information does not depend on the password alone: to ensure it, a number of special settings must be configured, and perhaps even a program protecting against hacking must be written. But choosing a password is exactly the action where it depends only on the user how strong this link will be in the chain of measures aimed at protecting information.

1) the password must be long (8-12-15 characters);

2) it must not be a word from a dictionary (any dictionary, even one of special terms and slang), a proper name, or a Cyrillic word typed in the Latin layout (for example, "латынь" typed in the Latin layout becomes "kfnsym");

3) it must not be associated with the owner;

4) it is changed periodically or as needed;

5) it is not reused across different resources (i.e. for each resource, whether logging into a mailbox, the operating system or a database, a separate password different from the others must be used);

6) it can be remembered.

Choosing words from a dictionary is undesirable, since an attacker conducting a dictionary attack will use programs that can try up to hundreds of thousands of words per second.

Any information associated with the owner (be it the date of birth, the dog's name, the mother's maiden name, and similar "passwords") can easily be found out and guessed.

The use of upper-case and lower-case letters, as well as digits, makes it much more difficult for an attacker to guess a password.

The password must be kept secret, and if you suspect that it has become known to someone, change it. It is also very useful to change passwords from time to time.
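A checker that applies the password rules above mechanically, added here as an illustration and not part of the thesis: it checks length, dictionary words (including a word with digits or punctuation bolted on), Cyrillic words typed in the Latin layout, owner-related data, reuse across resources, rotation age and character-class mix. The word lists, the 90-day rotation period and the owner facts are constructed assumptions; the keyboard map is the standard ЙЦУКЕН layout, which turns "kfnsym" back into "латынь".

```python
"""Password-policy checker for the rules formulated above.
Added example; word lists and the rotation period are constructed toys."""
import re

MIN_LENGTH = 8          # "8-12-15 characters": 8 is the floor
MAX_AGE_DAYS = 90       # "changes periodically": assumed rotation period

# Constructed toy word lists. A real deployment loads full wordlists,
# including dictionaries of special terms and slang, as the policy requires.
DICTIONARY_WORDS = {"password", "qwerty", "gazprom", "summer", "latin"}
CYRILLIC_WORDS = {"латынь", "пароль", "секрет", "лето", "газпром"}

# Standard ЙЦУКЕН layout: the Latin key printed on each Cyrillic letter key.
_LATIN_KEYS = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_CYRILLIC_KEYS = "йцукенгшщзхъфывапролджэячсмитьбю"
LATIN_TO_CYRILLIC = dict(zip(_LATIN_KEYS, _CYRILLIC_KEYS))


def latin_layout_to_cyrillic(text):
    """Reinterpret Latin-layout keystrokes as the Cyrillic letters on the
    same keys, e.g. "kfnsym" -> "латынь"."""
    return "".join(LATIN_TO_CYRILLIC.get(ch, ch) for ch in text.lower())


def _base_word(password):
    """Lower-case the password and strip leading/trailing digits and
    punctuation that people bolt onto a word ("Password1!" -> "password")."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())


def check_password(password, owner_facts=(), other_passwords=(), age_days=0):
    """Return the list of policy violations; an empty list means the password
    passes every rule that can be checked mechanically (memorability cannot
    be checked by a program)."""
    violations = []
    base = _base_word(password)

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    if base in DICTIONARY_WORDS:
        violations.append(f"dictionary word: {base!r}")

    as_cyrillic = latin_layout_to_cyrillic(base)
    if as_cyrillic in CYRILLIC_WORDS:
        violations.append(f"Cyrillic word typed in the Latin layout: {as_cyrillic!r}")

    lowered = password.lower()
    for fact in owner_facts:      # name, birth year, pet name, and so on
        if fact and fact.lower() in lowered:
            violations.append(f"contains owner-related data: {fact!r}")

    if password in other_passwords:   # same password on another resource
        violations.append("already used for another resource")

    if age_days > MAX_AGE_DAYS:
        violations.append(f"older than {MAX_AGE_DAYS} days, must be changed")

    has_upper = re.search(r"[A-ZА-Я]", password)
    has_lower = re.search(r"[a-zа-я]", password)
    has_digit = re.search(r"\d", password)
    if not (has_upper and has_lower and has_digit):
        violations.append("needs upper-case letters, lower-case letters and digits")

    return violations


if __name__ == "__main__":
    # Constructed sample: employee Ivanov, born 1985, with a dog named Rex.
    facts = ["ivanov", "Rex", "1985"]
    for candidate in ["kfnsym", "Password1!", "Rex1985ok", "Tq7#vLp9xR2m"]:
        print(candidate, "->", check_password(candidate, owner_facts=facts) or "OK")
```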

Conclusion

The study made it possible to draw the following conclusions and formulate recommendations.

It has been established that the main cause of the enterprise's problems in the field of information security is the lack of an information security policy that would include organizational, technical and financial measures with subsequent monitoring of their implementation and evaluation of their effectiveness.

Information security policy is defined as a set of documented decisions whose purpose is to ensure the protection of information and to manage the information risks associated with it.

The analysis of the information security system revealed significant shortcomings, including:

storage of backups in the server room: the backup server is located in the same room as the main servers;

lack of proper rules regarding password protection (password length, rules for choosing and storing it);

the network is administered by a single person.

The generalization of international and Russian practice in the field of information security management of enterprises has led to the conclusion that to ensure it, it is necessary:

forecasting and timely identification of security threats, causes and conditions that contribute to the infliction of financial, material and moral damage;

creating conditions for operation with the least risk of security threats to information resources being realized and of various kinds of damage being caused;

creation of a mechanism and conditions for effective response to information security threats based on legal, organizational and technical means.

In the first chapter of the work, the main theoretical aspects are considered. An overview of several standards in the field of information security is given. Conclusions are drawn for each and in general, and the most appropriate standard for the formation of an information security policy is chosen.

The second chapter considers the structure of the organization, analyzes the main problems associated with information security. As a result, recommendations were formed to ensure the proper level of information security. Measures were also considered to prevent further incidents related to information security violations.

Of course, ensuring the information security of an organization is an ongoing process that requires constant monitoring, and a formally adopted policy is not in itself an iron-clad guarantee of protection. In addition to implementing the policy, its quality of implementation must be monitored constantly, and the policy must be improved whenever the company changes or incidents occur. It was recommended that the organization hire an employee whose duties are directly related to these functions (a security administrator).



How to choose a relevant topic of the thesis on information security. The relevance of the topic of the diploma in information security, recommendations of experts, examples of topics of the thesis.

Thesis topics in information security are usually associated with the study of the information security of automated systems, computer systems, and information and telecommunication systems.

As the subject of such research, a threat or a group of information security threats is chosen whose implementation can harm the system in question. When preparing a thesis, you should investigate the system and build an attack implementation algorithm according to Figure 1.

Figure 1 - Algorithm for conducting analysis when writing a diploma on the topic of information security

The system of a specific enterprise or of a geographically distributed network of organizations.

The relevance of choosing a thesis topic in information security is due to the wide range of threats to information security and the continuous growth in the number of intruders and the attacks they carry out.

The most relevant topics of final qualifying works (WQR) and research works (R&D), as well as thesis topics in information security, are shown in the following table.

1. Development of the information security system of the system under study
2. Risk analysis of the systems under study in respect of which the identified threats to information security are implemented
3. Designing an intrusion detection system (false information systems)
4. Protection of information from identified threats to information security
5. Assessing the risks of implementing identified attacks on the system under study
6. Development of a mathematical model of the intruder / identified information security attack
7. Organization of protection of personal data of the system under study
8. Organization of protection of confidential information of the system under study
9. Analysis of threats to information security in the studied system of the enterprise / organization
10. Modernization of the existing information security system of the system under study
11. Development of a protection profile of the enterprise under study
12. Risk assessment of the implementation of epidemiological processes in social networks
13. Risk management for the implementation of identified information security attacks in the system under study
14. Evaluation of the effectiveness of means and methods of information protection in the enterprise
15. Evaluation of the effectiveness of information protection measures in the system under study
16. WRC: The use of DLP systems as a tool for ensuring the information security of the company
17. Thesis: Analysis and improvement of information security in the enterprise
18. Research: Development of an information security policy on the example of a computer company
19. Thesis: Automation and information security of warehouse accounting in the company
20. Diploma: Development of an information security policy in a commercial bank
21. Bachelor's thesis: Organization of information security of the electronic archive of documents for payments made by the population
22. Final bachelor's work: Development of a set of protective measures to ensure information security of databases
23. Diploma: Development of regulations for the audit of information security of a state budgetary institution
24. Master's thesis: Development of a set of organizational measures to ensure information security and information protection
25. Thesis: Modernization of the existing system in order to improve information security in the company
26. Master's work: Increasing the level of security of the information security system in the company
27. Research work: Development and implementation of an information security system in a company
28. Diploma: Development and implementation of an information security system in a transport company
29. Thesis: Automation and information security of the Service Desk system
30. Final qualification work: Development of an information security system for the LAN of an SEO company

focus (profile) "Information systems and technologies"

areas of training 09.03.02 "Information systems and technologies"

Types of professional activity:
design and technological,
service and operational.

1. Virtualization of the information infrastructure of the enterprise (name of the enterprise).

2. Integration of information systems of the enterprise based on the OS of the Linux family and a freely distributed DBMS.

3. Modernization and administration of the corporate information system of the enterprise (name of the enterprise).

4. Modernization, administration and maintenance of the information network of the enterprise (name of the enterprise).

5. Modernization of the information and control system of the enterprise (process) (name of the enterprise or process) and development of measures to support it.

6. Development of the Intranet-portal of the enterprise (name of the enterprise).

7. Designing the information network of the enterprise (name of the enterprise).

8. Designing the corporate information system of the enterprise (name of the enterprise).

9. Development and maintenance of the corporate web-portal of the enterprise (name of the enterprise).

10. Development of an automated information processing system for the enterprise (name of the enterprise).

11. Development of a prototype information system for a process control enterprise (name of a process or object).

12. Development of a web service for the information system of the enterprise (name of the enterprise).

13. Development of reference and information system of the enterprise (name of the enterprise).

14. Development of a model and design of an information management system of an enterprise (name of an enterprise).

15. Development of technological software for the maintenance of the system (name of the system).

16. Development of software for a microprocessor device (device name).

17. Development of a mobile client application for the enterprise information system (name of the enterprise).

18. Development of a simulation model to optimize the parameters of the production process.

19. Designing virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of an enterprise).

20. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

on the educational program of applied bachelor's degree


areas of study 09.03.04 "Software engineering"

Types of professional activity:
production and technological,
organizational and managerial,
service and operational.

1. Development of an application for site parsing, social network, portal.

2. Design and software implementation information (information and reference) system (appointment or function of the system).

3. Development of the firmware of the device (device name).

4. Development of application software for the system (name of the system).

5. Development of a software and information system (name of the area of ​​use or the process being implemented).

6. Development of a methodology for testing and debugging software (name of software).

7. Development of a software module (module name) for the 1C: Enterprise enterprise system (name of the enterprise).

8. Development of a web service for the information and control system of the enterprise (name of the enterprise).

9. Development of an application to support the information-measuring system (appointment of the system).

10. Research of information security of web services of the 1C: Enterprise system.

11. Development of a module (subsystem) (name of the implemented function) of the information (corporate information) system of the enterprise (name of the enterprise).

12. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

on the educational program of applied bachelor's degree

focus (profile) "Information service"

Types of professional activity:
service,

1. Modernization, administration and maintenance of the local network of the enterprise (name of the enterprise).

2. Modernization and administration of the information system of the enterprise (name of the enterprise).

3. Designing the information system of the enterprise (name of the enterprise).

4. Design and development of technology for the operation of the local network of the enterprise (name of the enterprise).

5. Designing hardware and software protection of the information system of the enterprise (name of the enterprise).

6. Development of technology for diagnostics, repair and maintenance of the device (name of the device, group of devices, measuring equipment, computer unit, computer or microprocessor system, local network).

7. Development and administration of the company's website (name of the company).

8. Development of the enterprise data network server configuration (enterprise name).

9. Development and administration of the enterprise information system database (name of the enterprise).

10. Development of the Intranet-portal of the enterprise (name of the enterprise).

11. Development of a subsystem for controlling production processes on the 1C: Enterprise platform.

12. Development of a project for a distributed information system (name of the system) of an enterprise (name of an enterprise).

13. Development of an information and reference accounting system (name of the accounting object).

14. Development of a WCF service for an enterprise information system.

15. Development of a model of the information system of the enterprise (name or area of ​​activity of the enterprise).

16. Development of a methodology for testing and debugging software (name of software).

17. Development of a set of measures for the administration and maintenance of the software and information system (name of the area of ​​use or the process being implemented).

18. Modeling and research of the data transmission system (name of the system).

19. Research and optimization of the parameters of a distributed information system on the 1C: Enterprise platform.

20. Design of the division of the enterprise (name of the enterprise) for the repair and maintenance of electronic (computer) equipment and organization of the operation of technical means.

21. Designing virtual servers based on tools (name of virtualization tools) and data transmission channels for the enterprise (name of the enterprise).

22. Development of server (client) software for the system (name of the system).

Topics of final qualifying works

on the educational program of applied bachelor's degree

orientation (profile) "Electronic technology service"

areas of training 43.03.01 "Service"

Types of professional activity:
service,
production and technological.

1. Development of technology for diagnostics, repair and maintenance of the device (name of the electronic device, microprocessor or telecommunication system, measuring equipment, data transmission network).

2. Development of an electronic system (name of the system) of the enterprise (name of the enterprise, trade and office center, entertainment complex).

3. Development of an information input-output device (device name).

4. Development of software for a microprocessor device (device name).

5. Development of a corporate telecommunications network of an enterprise (name of an enterprise).

6. Development of a digital device (module) (name of the device, module; name of the implemented function).

7. Development of a power supply device for electronic equipment (name of equipment).

8. Development of technology for monitoring (parameter control) of objects (name of objects).

9. Development and research of a wireless sensor (name of the measured parameter).

10. Design of the division of the enterprise (name of the enterprise) for the repair and maintenance of electronic (computer) equipment and organization of the operation of technical means.

11. Development of a subsystem (name of the subsystem) of the integrated security system of the enterprise (name of the enterprise).

Topics of final qualifying works

on the educational program of applied bachelor's degree

orientation (profile) "Radio engineering means of transmission, reception and processing of signals"
areas of training 11.03.01 "Radio Engineering"

Types of professional activity:
design,
service and operational.

1. Development of a device (block, module; receiving, transmitting, transceiver) of the system (name of the system).

2. Development of a wireless interface for radio-electronic equipment (name of equipment).

3. Research of a virtual model of a device (specify device type) in the environment (name of the software environment).

4. Development of a subsystem (name of the subsystem) of the integrated enterprise security system (name of the enterprise).

Topics of final qualifying works

on the educational program of applied bachelor's degree

orientation (profile) "Mobile communication systems"

areas of study 11.03.02 "Infocommunication technologies and communication systems"

Types of professional activity:
design.

1. Designing the telecommunications network of the enterprise (name of the enterprise).

2. Administration and maintenance of the telecommunications network of the enterprise (name of the enterprise).

3. Development of a block (codec, vocoder, synchronization device, matching device) of a digital telecommunication system.

4. Development of a wireless adapter for interfaces (name of interfaces).

5. Development of an information processing device (device type) of the system (name of the system).

6. Development of a system interface device (name of systems).

7. Development of the system controller (name of the system).

8. Development of a synchronization device for a telecommunications system (name of the system).

9. Development of a technological device for testing telecommunications equipment (name of equipment).

10. Development of a wireless network (network segment) based on technology (name of technology).

11. Development of technology for remote monitoring of object parameters (name of parameters).

12. Development of a sensor network to control the state of the object (name of the object).

13. Development of a technology for diagnosing and measuring the parameters of a telecommunication device (name of the device, system, network, environment).

14. Development of a transceiver device of the system (name of the system).

15. Development of telecommunication devices for remote control of an object (name of the object).

16. Development of a parameter meter for telecommunication equipment components (name of components).

17. Development of a wireless information input-output device (device name).

18. Development of hardware and software for infocommunication technology (name of technology).

19. Study of information transfer protocols in the system (name of the system).

20. Research of digital signal processing methods for the system (name of the system).

21. Development of infocommunication technology and facility management system (name of the facility).

22. Development of a wireless system for measuring a parameter (parameter name).

23. Designing virtual servers based on tools (name of virtualization tools) and data transmission channels for an enterprise (name of an enterprise).

Topics of final qualifying works

according to the educational program of secondary vocational education

specialty 09.02.01 "Computer systems and complexes"

Professional modules:

PM.01 Design of digital devices,

PM.02 Application of microprocessor systems, installation and configuration of peripheral equipment,

PM.03 Maintenance and repair of computer systems and complexes.

1. Diagnostics of malfunctions and monitoring of the technical condition of means (name of hardware and software of computer technology or computer network).

2. Acquiring, configuring and setting up tools (name of hardware and software tools for computer technology or a computer network).

3. Development of a set of measures to ensure the information security of the computer network of the enterprise (name of the enterprise).

4. Development of a contactless identification system for the enterprise (name of the enterprise).

5. Maintenance and administration of the information system of the enterprise (name of the enterprise).

6. Maintenance and administration of the computer network of the enterprise (name of the enterprise).

7. Service and maintenance of hardware and software tools (name of computer hardware or computer network).

8. Installation, adaptation and maintenance of software (name of software).

9. Development and research of a digital (microprocessor) device (module) (name of the device, module).

10. Development of testing technology and complex debugging of software (name of software).

Topics of graduation qualification works for graduates

focus (profile) "Elements and devices of computer technology and information systems"

areas of training 09.04.01 "Informatics and Computer Engineering"

Types of professional activity:
design,
research.

1. Modeling and research of network protocols for information transfer (the type of information is indicated).

2. Research and development of computer methods for improving the parameters of systems (parameters or parameters and type of system are indicated).

3. Computer modelling, research and optimization of information or telecommunication systems (the class of systems is indicated).

4. Research and optimization of building wireless sensor networks.

5. Research and analysis of the construction of wireless Internet of Things networks.

6. Development of performance criteria and study of the distribution of virtual machines within a cloud infrastructure.

7. Development, research and evaluation of the effectiveness of distributed information (or information-measuring) systems (the scope or type of systems is indicated).

8. Development and research of the wireless interface of the equipment (name of the equipment).

9. Development and research of an object tracking device (name of objects).

10. Development and research of devices for monitoring the state of the object (name of the object).

11. Development of hardware and software tools for diagnosing devices (name of devices).

12. Development and research of a wireless sensor (name of the measured parameter).

13. Study of correction algorithms for parameter converters (parameter name) into code.

14. Development of algorithms and software for monitoring the parameters of the facility management system (name of the facility).

15. Development and research of wireless devices for object management (object name).

16. Modeling and research of parameter converters (name of parameters).

17. Methods for assessing the quality of software (the purpose of the software is indicated).

18. Study of the functioning of devices (name of devices) under conditions (conditions are indicated) in order to improve performance (characteristics are indicated).

19. Development of methods for analysis and synthesis of devices (name of devices) in order to improve performance (characteristics are indicated).

Topics of final qualifying works

according to the educational program of the academic magistracy

focus (profile) "Development of software and information systems"
areas of study 09.04.04 "Software engineering"

Types of professional activity:
research,
design.

1. Development and research of a REST service for displaying timetables in higher education institutions.

2. Research and development of test tools for software products of mobile operators.

3. Recognition of the physiological state of a person based on the theory of systems with a random structure.

4. Designing an information system for sales automation (name of the enterprise) based on the MDA approach.

5. Development and research of a software and information system for assessing the quality of software tools (the name of the software tools is indicated).

6. Development of distributed software and information systems (the scope of the system is indicated) and the study of the possibilities of their optimization based on performance criteria (criteria are indicated).

7. Development of software support for input/output devices for the system (name of the system).

8. Investigation of the security of the components of the software and information system (name of the system).

How to choose a relevant thesis topic in the specialty of information security systems. The relevance of the diploma topic on information security systems, recommendations of experts, examples of thesis topics.

Thesis topics in the specialty of information security systems are devoted to solving various research and practical problems aimed at ensuring the information security of the object under study. The problem addressed by such work arises from the growing number of information security attacks on various information systems and their components.

The object of study can be a computer system, a system component, a business process, an enterprise, a room, or circulating data.

As a subject of research, one can single out information security methods, threat analysis methods, or an assessment of the effectiveness of an information security system.

As the goal of a thesis in the specialty of information security systems, one can single out the construction, or the study of the possibility of using, risk models and a protection algorithm.

The tasks of works on thesis topics in the specialty of information security systems can be defined by the following list:

1. Selection and study of statistical data, including hypotheses and their proof in relation to random variables.

2. Substantiation of damage types and functions, development of an analytical risk model.

3. Formation of a dynamic risk model based on sensitivity coefficients.

The following main points can be defended in diploma theses in the specialty of information security systems:

1. Reliability of the proof of the hypotheses put forward about the areas of effective application of the law for information security tasks.

2. Analytical risk models for system components in which losses have a given distribution.

3. Analytical risk models for systems whose components are subject to joint or non-joint effects of identified attacks.

4. Dynamic models, system sensitivity functions.

5. Algorithms for system risk management.

The scientific novelty of the study of diplomas on such topics can be formalized in the following list.

1. For the first time, the areas of effective application of the law for information security tasks were studied.

2. Previously unexplored analytical risk models of components in which damages have a given distribution are considered.

3. Analytical risk models of distributed systems exposed to identified information security attacks have been studied.

4. Algorithmization of risk management systems for dedicated distribution and information security attacks was carried out for the first time.

The practical value may be as follows:

1. The proof of the hypotheses put forward makes it possible to reasonably apply the results of the study to solve information security problems.

2. The obtained analytical risk models in the future will make it possible to develop complex models capable of analyzing the entire range of information security attacks.

3. Dynamic models, sensitivity functions of computer systems allow solving information security problems with a variation in the level of risk.

The most relevant topics of final qualifying works (WQR) and research works (R&D), as well as diploma topics in the specialty of information security systems, are shown in the following table.

1. Protection of information in the control channels of an airport automated system
2. Implementation of an intrusion detection system on the example of false (decoy) information systems
3. Design and development of information security systems
4. Protection against DDoS attacks
5. Protecting enterprise information at the email level
6. Information security of a geographically distributed enterprise
7. Comprehensive information protection at an industrial enterprise
8. Information security of a computer system under threats of unauthorized access
9. Development of a risk model for an information security management system under conditions of uncertainty
10. Modernization of the protection system of information and telecommunication networks
11. Ensuring information security of mobile workstations
12. Organization of personal data protection in the context of virus attacks
13. Organization of counteraction to security threats to the organization based on Petri nets
14. Main directions, principles and methods of ensuring information security in computer networks
15. Building a typical model of the actions of an attacker implementing remote attacks
16. Problems of information security of banks based on discretionary models
17. Development of an algorithm to counter the use of covert communication channels
18. Development of a set of security measures for the safety of information in the interaction of M2M components
19. Development of an information security system for a sensitive strategic enterprise
20. Development of a system for protecting confidential information in banking systems
21. WRC: Automation and information security of the workplace of the company's client manager
22. Thesis: Organization of information security of the electronic archive of the real estate register in the BTI
23. Bachelor's thesis: Development of an information security policy in a trading and manufacturing company
24. Thesis: Development of a company's information security policy
25. Diploma: Ensuring information security in an investment company
26. Diploma: Audit of information security in the information security system of a bank
27. Final bachelor's work: Development and provision of information security of the automated workplace of the secretary
28. Thesis: Development of a set of measures for information security and data protection in government institutions
29. Thesis: Implementation of an integrated information security system in a company
30. Thesis: Modernization of the information security system in a company
31. Master's thesis: Modernization of the existing information security system in order to increase its security
32. Diploma: Modernization of the existing system in order to improve information security
33. Diploma: Ensuring information security in the implementation and operation of electronic payment processing systems
34. Master's thesis: Increasing the level of information security of an enterprise through the implementation of ACS
35. Diploma: Development of an information security policy in a company
36. Diploma: Ensuring information security in a commercial organization