How to choose a relevant topic for your thesis on information security. The relevance of the topic of a diploma in information security, recommendations from experts, examples of topics for thesis.

Topics of theses on information security usually associated with information security research automated systems, computer systems, as well as information and telecommunication systems.

The subject of such research is a threat or group of information security threats, the implementation of which could cause damage to the system in question (more on this). When preparing your thesis, you should examine the system and build an algorithm for implementing the attack according to Figure 1.

Figure 1 - Algorithm for conducting analysis when writing a diploma on the topic of information security

The system of a specific enterprise or geographical area is selected as the object of study distributed network organizations.

Relevance of choice dissertation topics on information security is due to a wide range of information security threats and the continuous growth in the number of attackers and the attacks they carry out.

The most relevant topics for final qualifying works (GQR) and scientific research works (R&D), as well as information security diploma topics can be given in the following table.

Methodological recommendations are intended for students of all forms of specialty training 10.02.01 (090905) and represent a set of requirements for the organization, implementation and defense of final qualifying works (GQR).

• Federal state educational standard for basic and advanced training in the specialty 10.02.01 (090905) Organization and technology of information security,
• Federal Law of December 29, 2012 No. 273-FZ “On Education in Russian Federation»,
• procedure for conducting state final certification for educational programs secondary vocational education, approved. by order of the Ministry of Education and Science of the Russian Federation dated August 16, 2013 No. 968 (hereinafter referred to as the Procedure for conducting the State Examination),
• provisions of the State Budgetary Educational Institution “Technological College No. 34” “On the procedure for conducting state final certification for educational programs of secondary vocational education”,
• quality management systems.

1. GENERAL PROVISIONS

State final certification of a graduate of the Moscow State Budgetary Educational Institution “Technological College No. 34” in specialties 10.02.01(090905)Organization and technology of information securityincludes the preparation and defense of a final qualifying thesis.

Quality control Graduate training is carried out in two main areas:

• assessment of the level of development academic disciplines, MDK and PM;
• assessment of the level of mastery of competencies.

Area of ​​professional activitygraduates. Information security specialist by specialty 10.02.01(090905) performs work related to ensuring comprehensive information protection based on developed programs and techniques. Collects and analyzes materials from institutions, organizations and industry enterprises in order to develop and make decisions and measures to ensure information security and the effective use of automatic control and detection tools possible channels leaks of information representing state, military, official and commercial secrets. Analyzes existing methods and means used to control and protect information and develops proposals for improving them and increasing the effectiveness of this protection. Participates in the inspection of protected objects, their certification and categorization. Develops and prepares for approval draft normative and methodological materials regulating work on information protection, as well as regulations, instructions and other organizational and administrative documents. Organizes the development and timely submission of proposals for inclusion in the relevant sections of long-term and current work plans and programs of measures for control and protection of information. Provides feedback and conclusions on projects of newly constructed and reconstructed buildings and structures and other developments on issues of ensuring information security. Participates in the review of technical specifications for design, preliminary, technical and detailed designs, ensures their compliance with current regulatory and methodological documents, as well as in the development of new basic diagrams of control equipment, control automation tools, models and information security systems, assessment of the technical and economic level and the effectiveness of the proposed and implemented organizational and technical solutions: organizing the collection and analysis of materials in order to develop and take measures to ensure data protection and identify possible channels of information leakage representing official, commercial, military and state secrets.

Objects of professional activitygraduates are:

• participation in the planning and organization of work to ensure the protection of the facility;
• organizing work with documentation, including confidential ones;
• use of software, hardware and technical means of information security;
• participation in the implementation of a comprehensive facility protection system;
• participation in the collection and processing of materials to develop solutions to ensure information security and the effective use of means of detecting possible channels of leakage of confidential information;
• participation in the development of programs and methods for organizing information security at the facility;
• monitoring compliance by personnel with the requirements of the information security regime;
• participation in the preparation of organizational and administrative documents regulating the work on information protection;
• organization of document flow, including electronic, taking into account the confidentiality of information.

Final qualifying workinformation security specialist has the goal of systematizing and deepening knowledge, improving the skills and abilities of the graduate in solving complex complex scientific and technical problems with elements scientific research, as well as demonstrate the degree of professional preparedness of the graduate and its compliance with this educational standard. The research and development work for the qualification “information security specialist” is carried out in the form of a thesis or graduation project. The subject matter of the educational qualifications for the basic form of training assumes compliance with the content of one or more professional modules.

Professional cycle of specialty10.02.01(090905) Organization and technology of information securityincludes 4 professional modules:

1. Participation in the planning and organization of work to ensure the protection of the facility.
2. Organization and technology of working with confidential documents.
3. Application of software, hardware and technical means of information security.
4. Carrying out work in one or more worker professions or office positions.

The final qualifying work must meet a number of mandatory requirements:

• demonstrate the level of development of general and professional competencies;
• be relevant and practice-oriented;
• comply with the developed task;
• include an analysis of sources on the topic with generalizations and conclusions, comparisons and assessment of different points of view;
• demonstrate the graduate’s level of readiness for one/several type(s) of professional activity;
• consistency of presentation, persuasiveness of the presented factual material;
• reasoned conclusions and generalizations.

In the final qualifying work, the student must demonstrate mastery of general and professional competencies, including the ability to:

OK 1. Understand the essence and social significance of your future profession, have high motivation to perform professional activities in the field of information security.

OK 2. Organize your own activities, choose standard methods and ways of performing professional tasks, evaluate their effectiveness and quality.

OK 3. Make decisions in standard and non-standard situations and take responsibility for them.

OK 4. Search and use information necessary for the effective performance of professional tasks, professional and personal development.

OK 5.

OK 6. Work in a team and team, communicate effectively with colleagues, management, and consumers.

OK 7. Take responsibility for the work of team members (subordinates), the result of completing tasks.

OK 8. Independently determine the tasks of professional and personal development, engage in self-education, consciously plan professional development.

OK 9. To navigate the conditions of frequent changes in technology in professional activities.

OK 10.

OK 11. Apply mathematical tools to solve professional problems.

OK 12. Assess the significance of documents used in professional activities.

OK 13. Find your bearings in the structure of federal executive authorities that ensure information security.

PM 01 Participation in the planning and organization of work to ensure the protection of the facility.

PC 1.1. Participate in the collection and processing of materials to develop solutions to ensure the protection of information and the effective use of means of detecting possible channels of leakage of confidential information.

PC 1.2. Participate in the development of programs and methods for organizing information security at the facility.

PC 1.3. Plan and organize the implementation of information security measures.

PC 1.4. Participate in the implementation of developed organizational solutions at professional sites.

PC 1.5. Keep records, processing, storage, transmission, use of various media of confidential information.

PC 1.6. Ensure safety precautions during organizational and technical activities.

PC 1.7. Participate in organizing and conducting inspections of information technology objects subject to protection.

PC 1.8. Monitor staff compliance with information security regime requirements.

PC 1.9. Participate in assessing the quality of facility protection.

PM 02 Organization and technology of working with confidential documents.

PC 2.1. Participate in the preparation of organizational and administrative documents regulating the work on information protection.

PC 2.2. Participate in the organization and provide technology for record keeping, taking into account the confidentiality of information.

PC 2.3. Organize document flow, including electronic, taking into account the confidentiality of information.

PC 2.4. Organize archival storage confidential documents.

PC 2.5. Prepare documentation for the operational management of information security tools and personnel.

PC 2.6. Keep records of work and objects to be protected.

PC 2.7. Prepare reporting documentation related to the operation of control and information security tools.

PC 2.8. Document the progress and results of the internal investigation.

PC 2.9. Use regulatory legal acts, regulatory and methodological documents on information protection.

PM 03 Application of software, hardware and technical means of information security.

PC 3.1. Apply software, hardware and technical means of protecting information on protected objects.

PC 3.2. Participate in the operation of systems and means of protecting information of protected objects.

PC 3.3. Carry out routine maintenance and record failures of protective equipment.

PC 3.4. Identify and analyze possible threats to the information security of objects.

PM 04 Performing work in one or more worker professions, employee positions.

21299 "Clerk"

16199 “Operator of electronic computers and computers”

1. PERFORMANCE OF GRADUATE QUALIFICATION WORK

Final qualifying work (FQR) is the final work of an educational and research nature during college education.Preparation of final qualifying workis the final stage of a student’s education and at the same time a test of his ability to independently decide learning objectives. The student’s independent work on the chosen topic begins during pre-graduation practice. At the same time, there is a further deepening of his theoretical knowledge, their systematization, the development of applied skills and practical skills, and an increase in general and professional erudition.

VKR ( graduate work) has some similarities with course work, for example, working with theoretical sources or their design. However, the thesis (thesis) is a theoretical and (or) experimental study of one of the current problems information security in the graduate's specialty. Research may include the development of various methods, methods, software and hardware, models, systems, techniques, etc., which serve to achieve the goals of the thesis. The results of the thesis are presented in the form of an explanatory note with graphs, tables, drawings, maps, diagrams, etc. attached.

When performing research and development work, information about the latest domestic and foreign achievements of science and technology in the field of information security should be used. The period of preparation and defense of the thesis (thesis) is preceded by pre-graduation practice. The terms of pre-diploma practice, as well as the terms of preparation and defense of thesis are determined by the schedule for organizing the educational process, approved by the order of the college before the start of the current academic year. The graduate work must be carried out by the graduate using materials collected by him personally during the pre-graduation internship, as well as during the writing of the course work.

The topics of final qualifying works are determined during the development of the State Examination Program. When determining the topic of the WRC, it should be taken into account that its content may be based on:

• on summarizing the results of course work previously completed by students;
• using the results of previously completed practical tasks.

The assignment of topics for final qualifying works to students is formalizedno later than November 1stfinal year of study. At the same time, students are assigned to supervisors. The supervisor helps the student in developing areas of research, determining the range of theoretical issues to study, and developing the practical part of the study. Each leader can be assigned no more than 8 students.

1. STRUCTURE OF GRADUATE QUALIFICATION WORK

The structure of the theoretical part of the qualifying thesis: introduction, theoretical section, practical section, conclusion, list of references, applications.

The volume of the diploma project is 40-50 pages of printed text and includes:

1. Title page (Appendix 1).
2. Content. The content of the WRC is created automatically in the form of links for ease of work withlarge amount of text material. The use of an electronic table of contents also demonstrates the mastery of the general competence OK 5 (Use information and communication technologies in professional activities).
3. Introduction. It is necessary to substantiate the relevance and practical significance of the chosen topic, formulate the goal and objectives, the object and subject of the research project, and the range of problems under consideration.

4. Main part of the WRCincludes sections in accordance with the logical structure of the presentation. The title of the section should not duplicate the title of the topic, and the title of the paragraphs should not duplicate the title of the sections.

The main part of the proposal must contain two sections.

• Section I is devoted to the theoretical aspects of the object and subject being studied. It contains an overview of the information sources used, the regulatory framework for topic of the WRC, and can also find a place for statistical data in the form of tables and graphs.

Section II is devoted to the analysis of practical material obtained during industrial (pre-graduate) internship. This section contains:

analysis of specific material on the chosen topic;

• description of identified problems and development trends of the object and subject of study;
• description of ways to solve identified problems using calculations, analysis of experimental data, and the product of creative activity.

During the analysis, analytical tables, calculations, formulas, diagrams, diagrams and graphs can be used.

5. Conclusion - should contain conclusions and recommendations on the possibility of using or practical application of the research results. Should be no more than 5 pages of text.

6. Referencesdrawn up in accordance with GOST.

7. Applications are located at the end of the work and are drawn up in accordance with With

The introduction, each chapter, conclusion, and list of sources used begin on a new page.

Handout.The presentation is accompanied by a demonstration of materials from the applications.

To do this, you need to prepare an electronic presentation. But there can also be a presentation on paper - handouts for the commission in separate folders or posters hung before the speech.

During the student’s speech, the commission gets acquainted with the thesis, handouts issued by the student, and video presentation.

Electronic version of workattached to the WRC on paper. The disc must be placed in an envelope and signed.

2.2. STAGES OF PREPARATION OF GRADUATE QUALIFICATION WORK

Stage I: Involvement in activities involves:

• choosing a research topic;
• selection, study, analysis and synthesis of materials on the topic;
• development of a work plan.

Stage II: Determining the level of work involves a theoretical study of the literature and formulation of the problem.

Stage III: Construction of research logic. The data from this stage is reflected in the introduction.

The introduction can be compared to an abstract to a book: it discusses the theoretical foundations of the diploma, discusses its structure, stages and methods of work. Therefore, the introduction should be written as competently and briefly as possible (2-3 pages). The introduction should prepare the reader to perceive the main text of the work. It consists of mandatory elements that must be correctly formulated.

1. The relevance of research- an explanation of why your topic is important and who is in demand. (Answers the question: why should this be studied?) At this point it is necessary to reveal the essence of the problem being studied. It is logical to begin this point of introduction with the definition of the economic phenomenon at which the research activity is aimed. Here you can list the sources of information used for the research. ( Information base research can be included in the first chapter). However, you need to understand that there are some objective difficulties that can be resolved by writing your thesis. These difficulties, that is, the disadvantages that exist from the outside, reflect diploma problem.
2. Research problem(answers the question: what should be studied?) A research problem shows a complication, an unsolved problem, or factors that interfere with its solution. Defined by 1 - 2 terms. (Exampleresearch problems: “...the contradiction between the organization’s need for reliable information protection and the actual organization of work to ensure information protection in the organization”).

3. Purpose of the study- this is what you should ultimately receive, that is, the final result of the diploma. (The goal presupposes an answer to the question: what result will be obtained?) The goal should be to solve the problem under study through its analysis and practical implementation. The goal is always aimed at the object. For example:

• Develop a project (recommendations)...
• Identify conditions, relationships...
• Determine the dependence of something on something...

4. Object of study(what will be studied?). Involves working with concepts. This paragraph provides a definition of the economic phenomenon that the research activity is aimed at. The object can be a person, environment, process, structure, economic activity of an enterprise (organization).

1. Subject of study(how and through what will the search go?) Here it is necessary to define the specific properties of the object planned for research or the methods of studying the economic phenomenon. The subject of the research is aimed at practice and is reflected through the results of the internship.

6. Research objectives- these are steps to achieve your goals (show how to go to the result?), ways to achieve the goal. They correspond to the hypothesis. Determined based on the goals of the work. The formulation of problems must be done as carefully as possible, since the description of their solution should form the content of the subsections and points of the work. As a rule, 3-4 tasks are formulated.

Each task must begin with an infinitive verb. Tasks are described through a system of sequential actions, For example:

• analyze...;
• study...;

• research...;
• reveal...;
• define...;
• develop...

As a rule, 5-7 tasks are distinguished in the thesis (thesis work).

Each task should be reflected in one of the subsections of the theoretical or practical part. Tasks should be reflected in the table of contents. If the task is stated in the introduction, but it is not visible in the table of contents and in the text of the thesis, this is a serious mistake.

List of required tasks:

1. “Based on a theoretical analysis of literature, develop...” (key concepts, basic concepts).
2. “Determine...” (highlight the main conditions, factors, reasons influencing the object of study).
3. “Expand...” (highlight the main conditions, factors, reasons influencing the subject of the study).
4. “Develop...” (means, conditions, forms, programs).
5. “Test (what we have developed) and make recommendations...

8. Theoretical and practical significance of the study:
“The results of the study will allow us to implement...; will contribute

development...; will allow us to improve... The presence of formulated directions for the implementation of the obtained conclusions and proposals gives the work great practical significance. It is not mandatory.

9. Research methods:A brief listing is given.Research methodology- these are the methods that the student used in the process of writing a diploma. To methods research activities include: theoretical methods (method of analysis, synthesis, comparison) and empirical methods (observation, survey method, experiment).

1. Research base- this is the name of the enterprise, organization on the basis of which the research was carried out. Most often, the research base is the student’s pre-diploma internship.

The final phrase of the introduction is a description of the structure and number of pages in the thesis: “The structure of the work corresponds to the logic of the study and includes an introduction, a theoretical part, a practical part, a conclusion, a list of references, and applications.” Here it is permissible to give a more detailed structure of the WRC and briefly outline the content of the sections.

Thus, the introduction should prepare the reader to perceive the main text of the work.

Stage IV: work on the main part of the WRC.

The main part of the thesis should contain sections, subsections and paragraphs that outline the theoretical and practical aspects of the topic based on an analysis of published literature, discuss controversial issues, and formulate the position and point of view of the author; the observations and experiments carried out by the student, the research methodology, calculations, analysis of experimental data, and the results obtained are described. When dividing the text into subsections and paragraphs, it is necessary that each paragraph contains complete information.

The theoretical part involves an analysis of the object of study and should contain key concepts, the history of the issue, the level of development of the problem in theory and practice. In order to write a theoretical part correctly, you need to work enough a large number of scientific, scientific-methodological and other sources on the topicdiploma As a rule - no less than 10.

Section 1 should be devoted to a description of the object of research, Section 2 - a description of the subject of research constitutes the main part of the research work and should be logically connected with each other.

The main part of the WRC should contain tables, diagrams, graphs with appropriate links and comments. Sections should have headings that reflect their content. In this case, section headings should not repeat the title of the work. Let us consider in more detail the content of each of the sections of the WRC.

Section 1 is of a theoretical, educational nature and is devoted to a description of the basic theoretical principles, methods, methods, approaches and hardware and software used to solve the problem or tasks similar to the problem. This section includes only what is necessary as an initial theoretical basis for understanding the nature of the research and development carried out, described in the following sections. Theoretical issues are presented: methods, methods, algorithms for solving the problem, information flows are analyzed, etc. The last of the main sections usually provides a description of the results of experimentation with the proposed (developed) methods, methods, hardware, software and systems, carried out comparative analysis obtained results. Special attention should be paid to the discussion of the results obtained in the WRC and their illustration. When presenting the content of publications by other authors, it is necessary Necessarily provide links to them indicating the page numbers of these information sources. In the first section it is recommended to analyze current state problems and identify trends in the development of the process under study. For this purpose, current regulatory documents, official statistics, materials from analytical reviews and journal articles are used. Consequenceanalysis of regulations should contain conclusions about their impact on the problem under study and recommendations for their improvement. When preparing statistical material in the text of the work in mandatory In order, references are made to the data source.

In the first section, it is advisable to pay attention to the history (stages) of development of the process under study and analysis of foreign experience in its organization. The result of the analysis of foreign practice should be a comparison of the process under study with domestic practice and recommendations on the possibilities of its application in Russia.

This section should also provide a comparative analysis of existing approaches and methods for solving the problem. It is necessary to justify the choice of method for solving the problem under study and present it in detail. You can also suggest your own method.

In the process of studying theoretical sources, you need to highlight and mark the text that is significant for this section of the diploma. These text fragments can be placed in your thesis research as a quotation, as an illustration for your analysis and comparison. The theoretical part of the thesis cannot include entire sections and chapters from textbooks, books, and articles.

Any work must contain theoretical, methodological and practical aspects of the problem under study.

Section 2 must be of a purely applied nature. It is necessary to quantitatively describe a specific object of study, provide the results of practical calculations and directions for their use, as well as formulate directions for improving activities in the organization and technology of information security. To write the second section, as a rule, materials collected by the student during industrial practice. This section The WRC contains a description of the practical results of the research. It can describe the experiment and the methods used to conduct it, the results obtained, and the possibilities of using the research results in practice.

Approximate structure of the practical part of the thesis

The title of the practical part, as a rule, formulates the research problem using the example of a specific organization.

1. Purpose of the study- is given in the first sentence.

Technico - economic characteristics enterprises,on the basis of which the research is carried out (status of the enterprise, morphological features of the organization, organizational and management structure, features technological process etc).

1. Research methods.
2. Progress of the study.After formulating the name of each method, the purpose is given his use and a description is given. Next, the application of the research method in a specific organization is revealed. All materials on the application of research methods (questionnaire forms, internal documents for ensuring the protection of data of an organization/enterprise) are placed in the Appendices. The results obtained are analyzed and a conclusion is drawn. To obtain more accurate results, use not one, butseveral research methods.
3. General conclusions. At the end of the study, general results (conclusions) are drawn on the entire topic. The methodology used should confirm or refute the research hypothesis. If the hypothesis is refuted, recommendations are given for possible improvement of organizational activities and data protection technology of the organization/enterprise in the light of the problem under study.
4. In custody A short list of the results obtained in the work should be presented. The main purpose of the conclusion is to summarize the content of the work, to summarize the results of the research. In conclusion, the conclusions obtained are presented, their relationship with the purpose of the work and the specific tasks set and formulated in the introduction is analyzed, itforms the basis of the student’s defense report and should not be more than 5 pages of text.

3. GENERAL RULES FOR REGISTRATION OF GRADUATE QUALIFICATION WORK

3.1 DESIGN OF TEXT MATERIAL

The text part of the work must be executed in a computer version on A 4 paper on one side of the sheet. Font - Times New Roman, font size - 14, style - regular, one and a half spacing, justified. Pages must have margins (recommended): bottom - 2; top - 2; left - 2; right - 1. The volume of the proposal should be 40-50 pages. The following proportion of the main listed elements in the total volume of the final qualifying work is recommended: introduction - up to 10%; sections of the main part – 80%; conclusion – up to 10%.

The entire text of the WRC must be broken down into its component parts. The text is broken down by dividing it into sections and subsections. In the content of the work, there should not be a coincidence in the wording of the title of one of the components with the title of the work itself, as well as a coincidence in the names of sections and subsections. The names of sections and subsections should reflect their main content and reveal the topic of the WRC.

Sections and subsections must have headings. As a rule, paragraphs do not have headings. Headings of sections, subsections and paragraphs should be printed with a paragraph indent of 1.25 cm, with a capital letter without a period at the end, without underlining, font No. 14 “Times New Roman”. If the title consists of two sentences, they are separated by a period. Headings should clearly and concisely reflect the content of sections and subsections.

When dividing the VKR into sections in accordance with GOST 2.105-95, the designation is made by serial numbers - Arabic numerals without a dot. If necessary, subsections can be divided into paragraphs. The item number must consist of the section, subsection and item numbers separated by dots. There is no dot at the end of the section (subsection) or paragraph (subparagraph) number. Each section must begin on a new sheet (page).

If a section or subsection consists of one paragraph, then it should not be numbered. Points, if necessary, can be divided into sub-points, which must be numbered within each point, for example:

1 Types and main sizes

Listings may be provided within clauses or subclauses. Each listing must be preceded by a hyphen or lowercase letter followed by a parenthesis. For further detail of the transfers, it is necessary to use Arabic numerals, followed by a parenthesis.

Example:

A)_____________

b)_____________

1) ________

2) ________

V) ____________

The page numbering of the main text and appendices should be continuous. The page number is placed in the center of the bottom of the sheet without a dot. The title page is included in the overall page numbering of the WRC. The page number is not indicated on the title page and contents.

The thesis work must use scientific and special terms, designations and definitions established by the relevant standards, and in their absence - generally accepted in the special and scientific literature. If specific terminology is adopted, then the list of references should be preceded by a list of accepted terms with appropriate explanations. The list is included in the content of the work.

3.2 DESIGN OF ILLUSTRATIONS

All illustrations placed in the final qualifying work must be carefully selected, clearly and precisely executed. Figures and diagrams should be directly related to the text, without unnecessary images and data that are not explained anywhere. The number of illustrations in the WRC should be sufficient to explain the text presented.

Illustrations should be placed immediately after the text in which they are first mentioned, or on the next page.

Illustrations placed in the text should be numbered in Arabic numerals, For example:

Figure 1, Figure 2

It is allowed to number illustrations within a section (chapter). In this case, the illustration number must consist of the section (chapter) number and the serial number of the illustration, separated by a dot.

Illustrations, if necessary, may have a name and explanatory data (text below the figure).

The word “Figure” and the name are placed after the explanatory data, in the middle of the line, for example:

Figure 1 – Document route

3. 3 GENERAL RULES FOR PRESENTING FORMULAS

In formulas and equations, symbols, images or signs must correspond to the designations adopted in the current state standards. In the text, before the parameter designation, an explanation is given, for example:Temporary tensile strength.

If it is necessary to use symbols, images or signs that are not established by current standards, they should be explained in the text or in the list of symbols.

Formulas and equations are separated from the text on a separate line. At least one free line must be left above and below each formula or equation.

An explanation of the meanings of symbols and numerical coefficients should be given directly below the formula in the same sequence in which they are given in the formula.

Formulas should be numbered sequentially throughout the work using Arabic numerals in parentheses at the far right position at the formula level.

For example:

If an organization is modernizing an existing system, then when calculating efficiency, the current costs of its operation are taken into account:

E r = (P1-P2)+ΔP p , (3.2)

where P1 and P2 are, respectively, operating costs before and after the implementation of the developed program;

ΔР p - savings from increased productivity of additional users.

Formulas and equations can be numbered within each section with double numbers separated by a dot, indicating the section number and the serial number of the formula or equation, for example: (2.3), (3.12) etc.

Moving parts of formulas to another line is allowed on equal signs, multiplication, addition, subtraction and ratio signs (>;), and the sign at the beginning of the next line is repeated. The order of presentation of mathematical equations is the same as that of formulas.

Numerical values ​​of quantities with the designation of units of physical quantities and units of counting should be written in numbers, and numbers without designation of units of physical quantities and units of counting from one to nine - in words, for example:test five pipes, each 5 m long.

When citing the largest or smallest values ​​of quantities, the phrase “should be no more (no less)” should be used.

3.4 DESIGN OF TABLES

Tables are used for better clarity and ease of comparison of indicators. The title of the table, if available, should reflect its content, be accurate, and concise. The title of the table should be placed above the table on the left, without indentation, on one line with its number separated by a dash.

When moving part of a table, the title is placed only above the first part of the table; the lower horizontal line limiting the table is not drawn.

The table should be placed immediately after the text in which it is mentioned for the first time, or on the next page.

Table with big amount lines can be transferred to another sheet (page). When transferring part of a table to another sheet, the word “Table” and its number are indicated once on the right above the first part of the table, above the other parts the word “Continuation” is written and the table number is indicated, for example: “Continuation of table 1”. When transferring a table to another sheet, the heading is placed only above its first part.

If digital or other data is not given in any row of the table, then a dash is placed in it.

Example of table design:

Tables within the entire explanatory note are numbered in Arabic numerals with continuous numbering, before which the word “Table” is written.. It is allowed to number tables within a section. In this case, the table number consists of the section number and the table sequence number, separated by the dot “Table 1.2”.

The tables of each application are designated by separate numbering in Arabic numerals with the addition of the application designation before the number.

Headings of columns and table rows should be written with a capital letter in the singular, and column subheadings with a lowercase letter if they form one sentence with the heading, or with a capital letter if they have an independent meaning. There are no periods at the end of headings and subheadings of tables.

It is allowed to use a font size in the table that is smaller than in the text.

Column headings are written parallel or perpendicular to the rows of the table. In table columns, it is not allowed to draw diagonal lines with vertical chapter headings posted on both sides of the diagonal.

1. 5 DESIGN OF THE LIST OF REFERENCES

The list of references is compiled taking into account the rules of bibliography(Appendix 5). The list of used literature must contain at least 20 sources (at least 10 books and 10-15 periodicals) with which the author of the thesis worked. The literature in the list is arranged by sections in the following sequence:

• Federal laws (in order from the last year of adoption to the previous ones);
• decrees of the President of the Russian Federation (in the same sequence);
• resolutions of the Government of the Russian Federation (in the same order)
• other regulatory legal acts;
• other official materials (resolutions and recommendations of international organizations and conferences, official reports, official reports, etc.)
• monographs, textbooks, teaching aids(In alphabet order);
• foreign literature;
• Internet resources.

Sources in each section are placed in alphabetical order. Continuous numbering is used for the entire list of references.

When referring to literature in the text of the explanatory note, you should write not the title of the book (article), but the serial number assigned to it in the “List of References” index in square brackets. References to the literature are numbered in the order of their appearance in the text of the WRC. Continuous numbering or numbering by sections (chapters) is used.

The procedure for selecting literature on the topic of research and development work and preparing a list of used literature

IN the list of used literature includes sources studied by the student in the process of preparing the thesis, including those to which he refers.

The writing of the thesis is preceded by an in-depth study of literary sources on the topic of the work. To do this, you must first contact the college library. Here the library's reference and search apparatus comes to the student's aid, the main part of which is catalogs and card indexes.

A catalog is a list of documentary sources of information (books) available in the library collections.

If the student knows exactly the names of the required books or at least the names of their authors, it is necessary to use the alphabetical catalog.

If it is necessary to find out which books on a specific issue (topic) are available in a given library, the student must also consult the systematic catalogue.

A systematic catalog reveals the library collection by content. For ease of use of the systematic catalog, it has an alphabetical subject index (ASU). In the listed catalogues, a student can only find the titles of books, while in order to write a thesis, he also needs material published in magazines, newspapers and various collections. For this purpose, libraries organize bibliographic files where descriptions of magazine and newspaper articles and materials from collections are placed.

When writing a VKR for clarification and clarification various options, facts, concepts, terms, the student widely uses reference literature. Reference literature includes various encyclopedias, dictionaries, reference books, and statistical collections.

Registration of bibliographic references

When writing a thesis, a student often has to refer to the works of various authors and use statistical material. In this case, it is necessary to provide a link to one or another source.

In addition to observing the basic rules of citation (you cannot tear out phrases from the text, distort it with arbitrary abbreviations, quotes must be placed in quotation marks, etc.), you should also pay attention to the exact indication of the sources of quotes.

1. IN footnoteslinks (footnotes) are placed at the bottom of the page on which the cited material is located. To do this, a number is placed at the end of the quotation, which indicates the serial number of the quotation on this page. At the bottom of the page, under the line separating the footnote (link) from the text, this number is repeated, and it is followed by the name of the book from which the quotation is taken, with the obligatory indication of the number of the cited page. For example:

"Shipunov M.Z. Fundamentals of management activities. - M.: INFRA - M, 2012, p. 39.

1. In-text linksare used in cases where information about the source being analyzed is an organic part of the main text. They are convenient because they do not take attention away from the text. The description in such links begins with the initials and surname of the author, the title of the book or article is indicated in quotation marks, and the output data is given in parentheses.
2. Beyond text links- these are indications of the sources of quotes with a reference to the numbered list of references placed at the end of the thesis. A reference to a literary source is made at the end of the phrase by putting the serial number of the document used in straight brackets, indicating the page.

For example: “Currently, the main document regulating the privatization of state and municipal property on the territory of the Russian Federation is the Law “On the Privatization of State and Municipal Property” dated December 21, 2001 No. 178-FZ (as amended on December 31, 2005, as amended 01/05/2006).

At the end of the work (on a separate page) an alphabetical list of the literature actually used should be provided.

3.6 DESIGN OF APPLICATIONS

Applications are issued if necessary. Applications to the work may consist of additional reference materials of auxiliary value, for example: copies of documents, excerpts from reporting materials, statistical data, diagrams, tables, charts, programs, regulations, etc.

The appendices also include those materials that can specify the practical or theoretical parts of the diploma. For example, the application may include: texts of questionnaires, questionnaires and other methods that were used in the research process, examples of respondents’ answers, photographic materials, diagrams and tables not related to the theoretical conclusions in the thesis.

All applications must be referenced in the main text.

For example: Derived units of the SI system (Appendices 1, 2, 5).

Applications are arranged in a sequence of links to them in the text. Each application must begin on a new sheet (page) with the words Application in the upper right corner of the page.and its designations in Arabic numerals, excluding the number 0.

4. DEFENSE OF THE GRADUATE WORK

4.1 MONITORING THE READINESS OF SCR

Each student is assigned a reviewer of the final qualifying work from among external specialists who are well versed in issues related to this topic.

On approved topics, scientific supervisors of final qualifying work developindividual assignmentsfor students who are considered by the PCC “Information Technologies” are signed by the academic supervisor and the chairman of the PCC.

Assignments for final qualifying works are approved by the Deputy Director for educational work and are issued to students no later than two weeks before the start of pre-graduation practice.

On approved topics, scientific supervisors draw up individual consultation schedules,according to which the process of completing final qualifying works is controlled.

Monitoring the degree of readiness of the WRC is carried out according to the following schedule:

Table 3

Upon completion of the preparation of the work, the manager checks the quality of the work, signs it and, together with the task and his written feedback, passes it on to the deputy manager in the area of ​​activity.

In order to determine the degree of readiness of the final qualifying work and identify existing shortcomings, teachers of special disciplines conduct a preliminary defense in the last week of preparation for the State Examination. The results of preliminary protection are recorded.

4.2 REQUIREMENTS FOR SCR PROTECTION

The defense of the final qualifying work is carried out at an open meeting of the State Certification Commission for the specialty, which is created on the basis of the Regulations on the final state certification of graduates of educational institutions of secondary vocational education in the Russian Federation (Resolution of the State Committee for Higher Education of Russia dated December 27, 1995 No. 10).

During the defense, the following requirements are imposed on the VRC:

• deep theoretical study of the problems under study based on literature analysis;
• skillful systematization of digital data in the form of tables and graphs with the necessary analysis, generalization and identification of development trends;
• a critical approach to the factual materials being studied in order to find areas for improving activities;
• reasoned conclusions, validity of proposals and recommendations;

• logically consistent and independent presentation of the material;
• design of material in accordance with established requirements;

• It is mandatory to have a supervisor’s review of the thesis and a review by a practical worker representing a third-party organization.

When drawing up abstracts, it is necessary to take into account the approximate time of the presentation at the defense, which is 8-10 minutes.It is advisable to build a reportnot by presenting the contents of the work in chapters, but by task, - revealing the logic behind obtaining meaningful results. The report must contain reference to illustrative material that will be used during the defense of the work. The volume of the report should be 7-8 pages of text in Word format, font size 14, one and a half spacing.

Table 4

To speak at the defense, students must independently prepare and agree with the supervisor the abstracts of the report and illustrative material.

Illustrations should reflect the main results achieved in the work and be consistent with the theses of the report.

Forms of presentation of illustrative material:

1. Printed material for each member of the State Examination Committee(at the discretion of the scientific supervisor of the research and development project). Printed material for SAC members may include:

• empirical data;
• excerpts from regulatory documents on the basis of which the research was conducted;

• excerpts from the wishes of employers formulated in contracts;

• other data not included in the slide presentation, but confirming the correctness of the calculations.

1. Slide - presentations(for demonstration on a projector).

Accompanying the presentation of work results with presentation materials is prerequisite VKR protection.

The supervisor writes a review of the final qualifying work completed by the student.

The defense of final qualifying works is carried out at an open meeting of the State Attestation Commission in a specially designated audience, equipped with the necessary equipment for demonstrating presentations. Up to 20 minutes are allotted to defend the qualifying work. The defense procedure includes a student’s report (no more than 10 minutes), reading a review and review, questions from committee members, and student answers. The speech of the head of the final qualifying work, as well as the reviewer, if they are present at the meeting of the State Examination Committee, can be heard.

Decisions of the State Executive Committee are made at closed meetings by a simple majority of votes of the commission members participating in the meeting. In case of an equal number of votes, the chairman's vote is decisive. The results are announced to students on the day of the thesis defense.

4.3 CRITERIA FOR EVALUATING WRC

The defense of the final qualifying work ends with the assignment of grades.

"Excellent" rating awarded for the thesis if the thesis is of a research nature, has a well-presented theoretical chapter, a deep theoretical analysis, a critical review of practice, a logical, consistent presentation of the material with appropriate conclusions and reasonable proposals; has positive reviews from the supervisor and reviewer.

When defending a thesis with “excellence,” a student-graduate demonstrates deep knowledge of the topic, freely operates with research data, makes informed proposals, and during the report uses visual aids (Power Point presentation, tables, diagrams, graphs, etc.) or handouts material, easily answers the questions posed.

Rating "Good" The thesis is awarded if the thesis is of a research nature, has a well-presented theoretical chapter, it presents a sufficiently detailed analysis and critical analysis of practical activities, a consistent presentation of the material with appropriate conclusions, but the student’s proposals are not sufficiently substantiated. VKR has positive feedback scientific supervisor and reviewer. When defending it, the student-graduate shows knowledge of the issues of the topic, operates with research data, makes proposals on the research topic, and during the report uses visual aids (Power Point presentation, tables, diagrams, graphs, etc.) or handouts, without much difficulty answers the questions asked.

Grade "Satisfactorily"It is awarded for the thesis if the thesis is of a research nature, has a theoretical chapter, is based on practical material, but has a superficial analysis and insufficient critical analysis, there is an inconsistency in the presentation of the material, and unfounded proposals are presented. The reviewers' reviews contain comments on the content of the work and the analysis methodology. When defending such a thesis, the student-graduate shows uncertainty, shows poor knowledge of the issues on the topic, and does not always give comprehensive, reasoned answers to the questions asked.

Grade "Unsatisfactory"The thesis is awarded if the thesis is not of a research nature, does not have an analysis, and does not meet the requirements set out in these guidelines. There are no conclusions in the work, or they are declarative in nature. There are critical comments in the reviews of the supervisor and the reviewer. When defending a thesis, a graduate student finds it difficult to answer the questions posed on the topic, does not know the theory of the question, and makes significant mistakes when answering. Visual aids and handouts are not prepared for the defense.

Thus, when determining the final assessment for the examination, members of the State Examination Committee take into account:

• quality of graduate report;
• the illustrative material presented by him;
• mobility of the graduate and his literacy in answering questions;
• assessment of the thesis by the reviewer;
• review from the head of the research and development team.

ANNEX 1

(Example of title page design)

MOSCOW DEPARTMENT OF EDUCATION

STATE BUDGETARY PROFESSIONAL EDUCATIONAL INSTITUTION

"TECHNOLOGICAL COLLEGE No. 34"

GRADUATE WORK

Subject:

Group student / /

Speciality

Supervisor / /

Allow for protection:

Deputy Director for Management and Development/ _ /

Rating Date

Chairman of the State

certification commission/ /

Moscow 2016

APPENDIX 2

Agreed

Chairman of the PCC "Information Technologies"

Dzyuba T.S.

Exercise

to complete a thesis

student(s)________________________________________________________________________________

(full name)

Topic of the thesis ______________________________________________________________

_______________________________________________________________________________

Deadline for submitting the thesis for defense (date)______________________________

1. Introduction

Relevance of the chosen topic;

The purpose and objectives of writing a thesis;

Name of the enterprise, organization, sources of writing the work.

2. - Section I (theoretical part)

Section II (practical part)

(deadline for submission for review) __________________________________________

Conclusion ______________________________________________________________

Manager ___________________ __________ “___” _______ 20__

Full name Signature

Student ____________________ __________ “____” ________20___

Full name Signature

APPENDIX 3

(reference form for the thesis supervisor)

GBPOU "Technological College No. 34"

Review

For the student’s thesis (full name)

1. Relevance of the topic.

2. Scientific novelty and practical significance.

3. Characteristics of the student’s business qualities.

4. Positive aspects of work.

5. Disadvantages, comments.

Supervisor _______________________________________

"_____" __________ 2016

APPENDIX 4

(review form)

Review

For the student’s thesis (full name) ____________________________

Completed on the topic _________________________________________________

1. Relevance, novelty
2. Job content assessment

1. Distinctive, positive aspects of the work
2. Practical significance of the work
3. Disadvantages, comments

1. Recommended assessment of work performed ____________________________

_________________________________________________________________________

Reviewer (full name, academic title, position, place of work)

APPENDIX 5

(Example of a list of used literature)

List of used literature

Regulatory materials

1. "Constitution of the Russian Federation" (adopted by popular vote on December 12, 1993) (taking into account amendments made by the Laws of the Russian Federation on amendments to the Constitution of the Russian Federation dated December 30, 2008 N 6-FKZ, dated December 30, 2008 N 7-FKZ)
2. Federal Law "On Information, Information Technologies and Information Protection" dated July 27, 2006 N 149-FZ (as amended on December 28, 2013)

Scientific, technical and educational publications

1. Automated workplaces and computer systems in internal affairs activities. M., 2010.
2. Andreev B.V., Bushuev G.I. Modeling in solving criminal law and criminological problems. M., 2012.
3. Office work in educational institutions (using information technologies): textbook. manual for universities MO Rep. Belarus / E.M. Kravchenya, T.A. Tsesarskaya. - Minsk: TetraSystems, 2013
4. Information Security and information protection: textbook. manual / Stepanov E.A., Korneev I.K. - M.: INFRA-M, 2011. -
5. Information systems in economics: textbook. for universities, educational according to special economics and management (060000) rec. RF Ministry of Defense / G.A. Titorenko, B.E. Odintsov, V.V. Braga et al.; edited by G.A. Titorenko. - 2nd ed., revised. and additional - M.: UNITY, 2011. - 463 p.
6. Information systems and their security: textbook. allowance d / Vasilkov A.V. Vasilkov A.A., Vasilkov I.A.. - M: FORUM, 2010.
7. Information technologies of management: textbook. manual for universities RF Ministry of Defense / G.A. Titorenko, I.A. Konopleva, G.L. Makarova and others; edited by G.A. Titorenko. - 2nd ed., add. - M.: UNITY, 2009.
8. Corporate document management. Principles, technologies, implementation methodologies. Michael J. D. Sutton. Azbuka Publishing House, St. Petersburg, 2012
9. Ostreykovsky V.A. Informatics: Textbook. For universities. – M.: Higher. school, 2008.
10. Electronic documents in corporate networks Klimenko S.V., Krokhin I.V., Kushch V.M., Lagutin Yu.L.M.: Radio and Communication, ITC Eco-Trends, 2011

Internet resources

http://www.security.ru/ - Means of cryptographic information protection: website of the Moscow branch of PNIEI;

www.fstec.ru – official website of FSTEC of Russia

APPENDIX 6

Approximate structure of a report to defend a thesis

Requirements for the presentation of the thesis defense

1. Relevance of the problem.
2. Purpose, object, subject of research.
3. Research objectives (3 main ones).
4. Research algorithm (sequence of research).
5. Brief economic characteristics of the enterprise (organization, institution, etc.).
6. Brief results of the analysis of the problem under study.
7. Deficiencies identified during the analysis.
8. Directions (paths) for solving the identified shortcomings of the problem under study.
9. Economic assessment, effectiveness, practical significance of the proposed activities.

APPENDIX 6

(Calendar form for writing a thesis)

I approve

Thesis supervisor

"_____" _____________20 __g.

SCHEDULE

writing a thesis on the topic __________________________________________

Drawing up the content of the thesis and agreeing it with the supervisor.

supervisor

Introduction with justification of the relevance of the chosen topic, goals and objectives of the work.

supervisor

Completing the theoretical section and submitting it for testing.

Consultant

Complete the practical section and submit it for review.

Consultant

Coordination of conclusions and proposals with the manager

supervisor

Preparation of the thesis

supervisor

Receiving feedback from your manager

supervisor

Getting a review

reviewer

10.

Pre-defense of the thesis

Manager, consultant

11.

Defense of the thesis

supervisor

Student-(graduate) _________________________________________________

(signature, date, transcript of signature)

Thesis supervisor_________________________________________________________________

APPENDIX 8

(Example of formatting the content of a thesis)

Content

Introduction…………………………………………………………………………………..3

1. Technical and economic characteristics subject area and enterprises......5

1. General characteristics of the subject area…………………...5
2. Organizational and functional structure of the enterprise……………………6
3. Information security risk analysis……………………………...8

2. Justification of the need to improve the system for ensuring information security and information protection at the enterprise………..25

1. Selecting a set of information security tasks………29
2. Determining the place of the projected set of tasks in the complex of enterprise tasks, detailing the tasks of information security and information protection…………………………………………………………………………………35
3. Selection of protective measures……………………………………………………….39

3. A set of organizational measures to ensure information security and protection of enterprise information……………………………………………..43

1. A set of designed software and hardware tools for ensuring information security and protecting enterprise information…….…48
2. Structure of the software and hardware complex of information security and information protection of the enterprise……………………………51
3. An example of project implementation and its description…………………………………...54
4. Calculation of project economic efficiency indicators…………………57

4. Conclusion…………………………………………………………………………………...62
5. List of references………………………………………………………………..65

Introduction

Chapter 1. Theoretical aspects of adoption and information security

1.1The concept of information security

3 Information security methods

Chapter 2. Analysis of the information security system

1 Scope of activity of the company and analysis of financial indicators

2 Description of the company’s information security system

3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Application

Appendix 1. Balance sheet for 2010

Appendix 1. Balance sheet for 2010

Introduction

The relevance of the topic of the thesis is determined by the increased level of information security problems, even in the context of the rapid growth of technologies and tools for data protection. It is impossible to ensure a 100% level of protection for corporate information systems while correctly prioritizing data protection tasks given the limited share of the budget allocated to information technology.

Reliable protection of the computing and network corporate infrastructure is a basic information security task for any company. With the growth of an enterprise's business and the transition to a geographically distributed organization, it begins to go beyond the confines of a single building.

Effective protection of IT infrastructure and applications corporate systems today is impossible without implementation modern technologies control network access. Increasing cases of theft of media containing valuable business information increasingly force organizational measures to be taken.

The purpose of this work will be to evaluate the existing information security system in the organization and develop measures to improve it.

This goal determines the following objectives of the thesis:

) consider the concept of information security;

) consider the types of possible threats to information systems and options for protection against possible threats of information leakage in the organization.

) identify a list of information resources, violation of the integrity or confidentiality of which will lead to the greatest damage to the enterprise;

) develop on their basis a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of sources used and applications.

The introduction substantiates the relevance of the research topic and formulates the purpose and objectives of the work.

The first chapter discusses theoretical aspects concepts of information security in an organization.

The second chapter gives a brief description of activity of the company, main performance indicators, describes Current state information security system and measures to improve it are proposed.

In conclusion, the main results and conclusions of the work are formulated.

Methodological and theoretical basis thesis was the work of domestic and foreign specialists in the field of information security. During the work on the thesis, information was used that reflected the content of laws, legislative acts and regulations, decrees of the Government of the Russian Federation regulating the protection of information, international standards on information security.

The theoretical significance of the thesis research lies in the implementation of an integrated approach when developing an information security policy.

The practical significance of the work is determined by the fact that its results make it possible to increase the degree of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of adoption and information security

1.1 Concept of information security

Information security refers to the security of information and its supporting infrastructure from any accidental or malicious influences that may result in damage to the information itself, its owners or supporting infrastructure. The objectives of information security come down to minimizing damage, as well as predicting and preventing such impacts.

Parameters of information systems that need protection can be divided into the following categories: ensuring the integrity, availability and confidentiality of information resources.

accessibility is the ability to obtain, in a short period of time, the required information service;

integrity is the relevance and consistency of information, its protection from destruction and unauthorized changes;

confidentiality - protection from unauthorized access to information.

Information systems, first of all, are created to obtain certain information services. If obtaining information for any reason becomes impossible, this causes damage to all subjects of information relations. From this we can determine that the availability of information comes first.

Integrity is the main aspect of information security when accuracy and truthfulness are the main parameters of information. For example, prescriptions for medical drugs or a set and characteristics of components.

The most developed component of information security in our country is confidentiality. But practical implementation Measures to ensure the confidentiality of modern information systems face great difficulties in Russia. Firstly, information about technical channels information leaks are closed, so most users are unable to get an idea of ​​the potential risks. Second, there are numerous legislative obstacles and technical challenges standing in the way of custom cryptography as a primary means of ensuring privacy.

Actions that can cause damage to an information system can be divided into several categories.

targeted theft or destruction of data on a workstation or server;

Damage to data by the user as a result of careless actions.

. "Electronic" methods of influence carried out by hackers.

Hackers are understood as people who engage in computer crimes both professionally (including as part of competition) and simply out of curiosity. These methods include:

unauthorized entry into computer networks;

The purpose of unauthorized entry into an enterprise network from the outside may be to cause harm (destruction of data), steal confidential information and use it for illegal purposes, use the network infrastructure to organize attacks on third-party nodes, steal funds from accounts, etc.

A DOS attack (abbreviated from Denial of Service) is an external attack on enterprise network nodes responsible for its secure and effective work(file, mail servers). Attackers organize massive sending of data packets to these nodes in order to overload them and, as a result, put them out of action for some time. This, as a rule, entails disruptions in the business processes of the victim company, loss of customers, damage to reputation, etc.

Computer viruses. Separate category electronic methods impacts - computer viruses and other malicious programs. They pose a real danger to modern businesses that widely use computer networks, the Internet and e-mail. The penetration of a virus into corporate network nodes can lead to disruption of their functioning, loss of working time, loss of data, theft of confidential information and even direct theft of financial resources. A virus program that has penetrated a corporate network can give attackers partial or complete control over the company's activities.

Spam. In just a few years, spam has grown from a minor irritation to one of the most serious security threats:

email has recently become the main distribution channel malware;

spam takes a lot of time to view and subsequently delete messages, causing employees a feeling of psychological discomfort;

Both individuals and organizations become victims fraudulent schemes carried out by spammers (victims often try not to disclose such events);

important correspondence is often deleted along with spam, which can lead to the loss of customers, broken contracts and other unpleasant consequences; the danger of losing correspondence especially increases when using RBL blacklists and other “crude” spam filtering methods.

"Natural" threats. A company’s information security can be affected by a variety of external factors: data loss can be caused by improper storage, theft of computers and media, force majeure, etc.

An information security management system (ISMS or Information Security Management System) allows you to manage a set of measures that implement a certain intended strategy, in this case in relation to information security. Note that we are talking not only about managing an existing system, but also about building a new one/redesigning an old one.

The set of measures includes organizational, technical, physical and others. Information security management is a complex process, which allows for the most effective and comprehensive information security management in a company to be implemented.

The goal of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the organization's assets and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what exactly needs to be protected. It is important to understand what information is processed within an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the activities of an organization are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some kind of information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and senior levels. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management regarding priorities in providing information security is very important and valuable in the risk analysis process, but in any case it should be clarified by collecting information about the criticality of assets at the average level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to senior management for a comprehensive assessment of the situation.

Information can be identified and localized based on a description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted an approach to regulating business activities (for example, for the purposes of quality management and optimization of business processes). Formalized descriptions of business processes are a good starting point for asset inventory. If there are no descriptions, you can identify assets based on information received from the organization's employees. Once assets have been identified, their value must be determined.

The work of determining the value of information assets across the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

But the economic efficiency of the information security management process largely depends on the awareness of what needs to be protected and what efforts this will require, since in most cases the amount of effort applied is directly proportional to the amount of money spent and operating expenses. Risk management allows you to answer the question of where you can take risks and where you can’t. In the case of information security, the term “risk” means that in a certain area it is possible not to make significant efforts to protect information assets, and at the same time, in the event of a security breach, the organization will not suffer significant losses. Here we can draw an analogy with the protection classes of automated systems: the more significant the risks, the more stringent the protection requirements should be.

To determine the consequences of a security breach, you must either have information about recorded incidents of a similar nature, or conduct a scenario analysis. Scenario analysis examines the cause-and-effect relationships between asset security events and the consequences of these events on the organization's business activities. The consequences of scenarios should be assessed by several people, iteratively or deliberatively. It should be noted that the development and evaluation of such scenarios cannot be completely divorced from reality. You must always remember that the scenario must be probable. The criteria and scales for determining value are individual for each organization. Based on the results of scenario analysis, information about the value of assets can be obtained.

If assets are identified and their value is determined, we can say that the goals of providing information security are partially established: the objects of protection and the importance of maintaining them in a state of information security for the organization are determined. Perhaps all that remains is to determine who needs to be protected from.

After determining the goals of information security management, you should analyze the problems that prevent you from approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional information security concepts - intruders, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard violator model that divides all violators by type of access to the asset and knowledge of the asset structure. This division helps determine what threats can be directed at an asset, but does not answer the question of whether these threats can, in principle, be realized.

In the process of risk analysis, it is necessary to assess the motivation of violators in implementing threats. In this case, the violator does not mean an abstract external hacker or insider, but a party interested in obtaining benefits by violating the security of an asset.

It is advisable to obtain initial information about the offender’s model, as in the case of choosing the initial directions of information security activities, from top management, who understands the organization’s position in the market, has information about competitors and what methods of influence can be expected from them. The information necessary to develop a model of an intruder can also be obtained from specialized research on computer security violations in the business area for which the risk analysis is being carried out. A properly developed intruder model complements the information security objectives determined when assessing the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the environment of the organization’s information assets. The information itself is not stored or processed. Access to it is provided using an information infrastructure that automates the organization’s business processes. It is important to understand how an organization's information infrastructure and information assets are related to each other. From the perspective of information security management, the importance of information infrastructure can be established only after determining the relationship between information assets and infrastructure. If the processes for maintaining and operating the information infrastructure in an organization are regulated and transparent, the collection of information necessary to identify threats and assess vulnerabilities is greatly simplified.

Developing a threat model is a job for information security professionals who have a good understanding of how an attacker can gain unauthorized access to information by breaching the security perimeter or using social engineering methods. When developing a threat model, you can also talk about scenarios as sequential steps according to which threats can be realized. It very rarely happens that threats are implemented in one step by exploiting a single vulnerable point in the system.

The threat model should include all threats identified through related information security management processes, such as vulnerability and incident management. It must be remembered that threats will need to be ranked relative to each other according to the level of likelihood of their implementation. To do this, in the process of developing a threat model for each threat, it is necessary to indicate the most significant factors, the existence of which influences its implementation.

The security policy is based on an analysis of risks that are recognized as real for the organization’s information system. Once the risks have been analyzed and the protection strategy has been determined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program is determined, etc.

In a broad sense, security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as a local regulatory document that defines security requirements, a system of measures or a procedure, as well as the responsibilities of the organization’s employees and control mechanisms for a certain area of ​​security.

Before we begin to formulate the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information - information (messages, data) regardless of the form of their presentation.

Confidentiality of information is a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Information security (IS) is the state of security of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations, and states.

The concept of “information” today is used quite widely and versatilely.

Ensuring information security cannot be a one-time act. This is a continuous process consisting of justification and implementation of the most rational methods, methods and ways of improving and developing the security system, continuous monitoring of its condition, identifying its weaknesses and illegal actions.

Information security can be ensured only through the comprehensive use of the entire range of available protection means in all structural elements production system and at all stages of the technological cycle of information processing. The greatest effect is achieved when all the means, methods and measures used are combined into a single holistic mechanism - an information security system. At the same time, the functioning of the system must be monitored, updated and supplemented depending on changes in external and internal conditions.

According to the GOST R ISO/IEC 15408:2005 standard, the following types of safety requirements can be distinguished:

functional, corresponding to the active aspect of protection, requirements for security functions and the mechanisms that implement them;

trust requirements corresponding to the passive aspect imposed on the technology and the development and operation process.

It is very important that security in this standard is not considered statically, but in relation to the life cycle of the object being assessed. The following stages are distinguished:

determination of purpose, conditions of use, goals and safety requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

So, let’s take a closer look at the functional security requirements. They include:

user data protection;

protection of security functions (requirements relate to the integrity and control of these security services and the mechanisms that implement them);

security management (the requirements of this class relate to the management of security attributes and parameters);

security audit (identification, registration, storage, analysis of data affecting the security of the object being assessed, response to a possible security violation);

privacy (protecting the user from disclosure and unauthorized use of his identification data);

use of resources (requirements for information availability);

communication (authentication of parties involved in data exchange);

trusted route/channel (for communication with security services).

In accordance with these requirements, it is necessary to formulate an organization’s information security system.

The organization's information security system includes the following areas:

regulatory;

organizational (administrative);

technical;

software;

To fully assess the situation at an enterprise in all areas of security, it is necessary to develop an information security concept that would establish a systematic approach to the problem of security of information resources and represent a systematic statement of goals, objectives, design principles and a set of measures to ensure information security in an enterprise.

The corporate network management system should be based on the following principles (tasks):

ensuring the protection of the existing information infrastructure of the enterprise from intruders;

providing conditions for localizing and minimizing possible damage;

eliminating the emergence of sources of threats at the initial stage;

ensuring the protection of information against three main types of emerging threats (availability, integrity, confidentiality);

The solution to the above problems is achieved by;

regulation of user actions when working with the information system;

regulation of user actions when working with the database;

uniform requirements for the reliability of hardware and software;

procedures for monitoring the operation of the information system (logging events, analyzing protocols, analyzing network traffic, analyzing the operation of technical equipment);

The information security policy includes:

the main document is the “Security Policy”. It generally describes the organization’s security policy, general provisions, and also indicates the relevant documents for all aspects of the policy;

instructions for regulating the work of users;

job description for local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instructions for organizing password protection;

instructions for organization antivirus protection.

The Security Policy document contains the main provisions. Based on it, an information security program is built, job descriptions and recommendations.

Instructions for regulating the work of users of an organization's local network regulate the procedure for allowing users to work in the organization's local computer network, as well as the rules for handling protected information processed, stored and transmitted in the organization.

The job description of a local network administrator describes the responsibilities of a local network administrator regarding information security.

The job description of a database administrator defines the main responsibilities, functions and rights of a database administrator. It describes in great detail all the job responsibilities and functions of a database administrator, as well as rights and responsibilities.

Instructions for working with Internet resources reflect the basic rules safe work with the Internet, also contains a list of acceptable and unacceptable actions when working with Internet resources.

The instructions for organizing anti-virus protection define the basic provisions, requirements for organizing anti-virus protection of an organization's information system, all aspects related to the operation of anti-virus software, as well as responsibility in the event of a violation of anti-virus protection.

The instructions for organizing password protection regulate the organizational and technical support for the processes of generating, changing and terminating passwords (deleting user accounts). The actions of users and maintenance personnel when working with the system are also regulated.

Thus, the basis for organizing the information protection process is the security policy, formulated in order to determine from what threats and how the information in the information system is protected.

Security policy refers to a set of legal, organizational and technical measures to protect information adopted in a specific organization. That is, the security policy contains many conditions under which users gain access to system resources without losing the information security properties of this system.

The problem of ensuring information security must be solved systematically. This means that various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

Today there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of disk contents;

antivirus protection tools;

network vulnerability detection systems and analyzers network attacks.

Each of the listed tools can be used either independently or in integration with others. This makes it possible to create information security systems for networks of any complexity and configuration, independent of the platforms used.

System of authentication (or identification), authorization and administration. Identification and authorization are key elements of information security. The authorization function is responsible for which resources a specific user has access to. The administration function is to provide the user with certain identification characteristics within a given network and determine the scope of actions allowed for him.

Encryption systems make it possible to minimize losses in the event of unauthorized access to data stored on a hard drive or other media, as well as interception of information when sent by email or transmitted via network protocols. Task this tool protection - ensuring confidentiality. Basic requirements for encryption systems - high level cryptographic strength and legality of use on the territory of Russia (or other states).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks to prevent unauthorized data packets from entering or leaving the network.

The basic operating principle of firewalls is to check each data packet for compliance of the incoming and outgoing IP addresses with a database of allowed addresses. Thus, firewalls significantly expand the possibilities of segmentation information networks and control over the circulation of data.

When talking about cryptography and firewalls, we should mention secure virtual private networks (VPN). Their use makes it possible to solve problems of confidentiality and integrity of data when transmitted over open communication channels. Using a VPN can be reduced to solving three main problems:

protection of information flows between different offices of the company (information is encrypted only at the exit to the external network);

secure access remote users networks to the company’s information resources, usually carried out via the Internet;

protection of information flows between individual applications within corporate networks (this aspect is also very important, since most attacks are carried out from internal networks).

An effective means of protecting against the loss of confidential information is filtering the contents of incoming and outgoing Email. Screening the email messages themselves and their attachments based on the rules established by the organization also helps protect companies from liability in lawsuits and protects their employees from spam. Content filtering tools allow you to scan files of all common formats, including compressed and graphic files. Wherein throughput The network remains virtually unchanged.

All changes on a workstation or server can be monitored by the network administrator or other authorized user thanks to the technology of checking the integrity of the contents of the hard drive (integrity checking). This allows you to detect any actions with files (change, deletion, or simply open) and identify the activity of viruses, unauthorized access or data theft by authorized users. Control is carried out based on the analysis of file checksums (CRC sums).

Modern anti-virus technologies make it possible to identify almost all already known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior modeling technologies have been developed that make it possible to detect newly created virus programs. Detected objects can be treated, isolated (quarantined), or deleted. Virus protection can be installed on workstations, file and mail servers, firewalls running under almost any of the common operating systems(Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce unproductive labor costs associated with parsing spam, reduce traffic and server load, improve the psychological background in the team and reduce the risk of company employees being involved in fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages containing viruses (even those not yet included in the database) antivirus programs) often have signs of spam and are filtered. True, the positive effect of spam filtering can be negated if the filter, along with junk messages, removes or marks as spam and useful messages, business or personal.

Huge damage to companies caused by viruses and hacker attacks, is largely a consequence of weaknesses in the software used. They can be identified in advance, without waiting for a real attack, using vulnerability detection systems computer networks and network attack analyzers. Similar software securely model common attacks and intrusion techniques to determine what a hacker can see on a network and how they can exploit its resources.

To counter natural threats to information security, the company must develop and implement a set of procedures to prevent emergency situations (for example, to ensure physical protection of data from fire) and to minimize damage if such a situation does arise. One of the main methods of protecting against data loss is backup with strict adherence to established procedures (regularity, types of media, methods of storing copies, etc.).

The information security policy is a package of documents regulating the work of employees, describing the basic rules for working with information, information systems, databases, local networks and Internet resources. It is important to understand what place information security policy plays in common system management of the organization. The following are general organizational measures related to security policies.

At the procedural level, the following classes of measures can be distinguished:

personnel Management;

physical protection;

maintaining performance;

responding to security violations;

planning of restoration work.

Human resource management begins with hiring, but even before that, you should determine the computer privileges associated with the position. There are two general principles things to keep in mind:

segregation of duties;

minimization of privileges.

The principle of separation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process critical to the organization. For example, it is undesirable for one person to make large payments on behalf of an organization. It is safer to instruct one employee to process applications for such payments, and another to certify these applications. Another example is procedural restrictions on superuser actions. You can artificially “split” the superuser password by sharing the first part of it with one employee and the second part with another. Then they can perform critical actions to administer the information system only together, which reduces the likelihood of errors and abuses.

The principle of least privilege requires that users be given only those access rights that they need to perform their job responsibilities. The purpose of this principle is obvious - to reduce damage from accidental or intentional incorrect actions.

Preliminary preparation of a job description allows you to assess its criticality and plan the procedure for screening and selecting candidates. The more responsible the position, the more carefully you need to check candidates: make inquiries about them, perhaps talk with former colleagues, etc. Such a procedure can be lengthy and expensive, so there is no point in complicating it further. At the same time, it is unreasonable to completely refuse pre-screening in order to avoid accidentally hiring someone with a criminal record or mental illness.

Once a candidate has been identified, he or she will likely need to undergo training; at the very least, he should be thoroughly familiarized with job responsibilities and information security regulations and procedures. It is advisable that he understand the security measures before taking office and before establishing his system account with login name, password and privileges.

The security of an information system depends on the environment in which it operates. It is necessary to take measures to protect buildings and surrounding areas, supporting infrastructure, computer equipment, and storage media.

Let's consider the following areas of physical protection:

physical access control;

protection of supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of an organization can be controlled, as well as individual premises, for example, those where servers, communication equipment, etc. are located.

Supporting infrastructure includes electrical, water and heat supply systems, air conditioning and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should select equipment with the maximum MTBF, duplicate critical components, and always have spare parts on hand.

Generally speaking, a risk analysis should be performed when selecting physical protective equipment. Thus, when deciding to purchase an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (however, it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of available sources and possible losses from accidents (breakdown of equipment, suspension of the organization’s work and so on.)

Let's consider a number of measures aimed at maintaining the functionality of information systems. It is in this area that the greatest danger lurks. Unintentional mistakes of system administrators and users can lead to loss of performance, namely damage to equipment, destruction of programs and data. This is the worst case scenario. IN best case scenario they create security holes that enable system security threats to occur.

The main problem of many organizations is the underestimation of safety factors in everyday work. Expensive security features are meaningless if they are poorly documented, conflict with other software, and the system administrator password has not been changed since installation.

For daily activities aimed at maintaining the functionality of the information system, the following actions can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

routine maintenance.

User support implies, first of all, consultation and assistance in solving various kinds of problems. It is very important to be able to identify problems related to information security in a stream of questions. Thus, many difficulties of users working on personal computers, may be a consequence of viral infection. It is advisable to record user questions in order to identify them typical mistakes and issue advisories with recommendations for common situations.

Software support is one of the most important means of ensuring information integrity. First of all, you need to keep track of what software is installed on your computers. If users install programs at their own discretion, this can lead to infection with viruses, as well as the emergence of utilities that bypass protection measures. It is also likely that the “independent activities” of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and access rights to them. This also includes support for reference copies software systems. Control is typically achieved through a combination of physical and logical access controls, as well as the use of verification and integrity utilities.

Configuration management allows you to control and record changes made to the software configuration. First of all, you need to insure yourself against accidental or ill-conceived modifications, and be able to at least return to a previous, working version. Committing changes will make it easy to restore the current version after a disaster.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security depend on each other, because the one who cares primarily about making his task easier is actually the one who optimally shapes the information security regime.

Backup is necessary to restore programs and data after disasters. And here it is advisable to automate the work, at a minimum, by creating a computer schedule for creating full and incremental copies, and, at maximum, by using the appropriate software products. It is also necessary to arrange for the placement of copies in a safe place, protected from unauthorized access, fires, leaks, that is, from anything that could lead to theft or damage to the media. It is advisable to have several copies backup copies and some of them should be stored off-site, thus protecting against major accidents and similar incidents. From time to time, for test purposes, you should check the possibility of restoring information from copies.

Media management is necessary to provide physical security and accounting for floppy disks, tapes, printed output, etc. Media management must ensure the confidentiality, integrity, and availability of information stored outside computer systems. Physical protection here means not only repelling unauthorized access attempts, but also protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management must cover the entire lifecycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything is documented in the form of documents - from the security policy to the media log. It is important that the documentation is up-to-date and reflects the current state of affairs, and in a consistent manner.

Confidentiality requirements apply to the storage of some documents (containing, for example, an analysis of system vulnerabilities and threats), while others, such as a disaster recovery plan, are subject to integrity and availability requirements (in a critical situation, the plan must be found and read).

Routine work is a very serious safety hazard. An employee performing routine maintenance receives exclusive access to the system, and in practice it is very difficult to control exactly what actions he performs. This is where the degree of trust in those doing the work comes to the fore.

The security policy adopted by the organization must provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since measures need to be taken urgently and in a coordinated manner.

Response to security breaches has three main goals:

localizing the incident and reducing harm;

prevention of repeated violations.

Often the requirement to localize an incident and reduce harm comes into conflict with the desire to identify the offender. The organization's security policy must be prioritized early. Since, as practice shows, it is very difficult to identify an attacker, in our opinion, first of all, care should be taken to reduce the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical and must be performed no matter what. Planning restoration work allows you to prepare for accidents, reduce damage from them and maintain the ability to function at least to a minimum extent.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most measures are precautionary in nature.

The restoration planning process can be divided into the following stages:

identifying critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a restoration strategy;

preparation for the implementation of the chosen strategy;

checking the strategy.

When planning restoration work, you should be aware that it is not always possible to fully maintain the functioning of the organization. It is necessary to identify critical functions, without which the organization loses its face, and even prioritize among critical functions so that as quickly and efficiently as possible minimal costs resume work after an accident.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is advisable to involve specialists of different profiles in the work.

Thus, there are a large number of different methods for ensuring information security. The most effective is to use all these methods in a single complex. Today, the modern security market is saturated with information security tools. Constantly studying existing security market offerings, many companies see the inadequacy of previously invested funds in information security systems, for example, due to obsolescence of equipment and software. Therefore, they are looking for solutions to this problem. There may be two such options: on the one hand, a complete replacement of the corporate information protection system, which will require large investments, and on the other, the modernization of existing security systems. The last option for solving this problem is the least expensive, but it brings new problems, for example, it requires an answer to the following questions: how to ensure compatibility of old, retained from existing hardware and software security tools, and new elements of the information security system; how to provide centralized management of heterogeneous security tools; how to assess and, if necessary, reassess the company’s information risks.

Chapter 2. Analysis of the information security system

1 Scope of activity of the company and analysis of financial indicators

OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in reliable, efficient and balanced provision of consumers with natural gas, other types of energy resources and their processed products.

Gazprom has the world's richest natural gas reserves. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. Currently, the company is actively implementing large-scale projects for the development of gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transportation network - one system gas supply to Russia, the length of which exceeds 161 thousand km. Gazprom sells more than half of the gas it sells on the domestic market. In addition, the company supplies gas to 30 countries of the near and far abroad.

Gazprom is Russia's only producer and exporter of liquefied natural gas and provides about 5% of global LNG production.

The company is one of the five largest oil producers in the Russian Federation, and is also the largest owner of generating assets on its territory. Their total installed capacity is 17% of the total installed capacity of the Russian energy system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring reliability of supplies.

Let's consider the financial performance of the company over the past two years. The company's operating results are presented in Appendix 1.

As of December 31, 2010, sales revenue amounted to 2,495,557 million rubles, this figure is much lower compared to 2011 data, that is, 3,296,656 million rubles.

Sales revenue (net of excise tax, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011 compared to the same period last year, amounting to RUB 3,296 656 million rubles.

Based on the results of 2011, net revenue from gas sales accounted for 60% of total net sales revenue (60% for the same period last year).

Net revenue from gas sales increased from RUB 1,495,335 million. for the year up to 1,987,330 million rubles. for the same period in 2011, or by 33%.

Net revenue from gas sales to Europe and other countries increased by RUB 258,596 million, or 34%, compared to the same period last year, and amounted to RUB 1,026,451 million. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% for the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales volumes increased by 8% compared to the same period last year.

Net proceeds from gas sales to former countries Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was primarily driven by a 33% increase in gas sales to the former Soviet Union for the nine months ended September 30, 2011 compared to the same period last year. In addition, the average price in rubles (including customs duties, less VAT) increased by 15% compared to the same period last year.

Net revenue from gas sales in the Russian Federation increased by RUB 64,861 million, or 15%, compared to the same period last year, and amounted to RUB 502,271 million. This is mainly due to an increase in the average price of gas by 13% compared to the same period last year, which is associated with an increase in tariffs set by the Federal Tariff Service (FTS).

Net revenue from the sale of oil and gas products (less excise tax, VAT and customs duties) increased by 213,012 million rubles, or 42%, and amounted to 717,723 million rubles. compared to the same period last year. This increase is mainly explained by an increase in world prices for oil and gas products and an increase in sales volumes compared to the same period last year. Gazprom Neft Group's revenue amounted to 85% and 84% of the total net revenue from the sale of oil and gas products, respectively.

Net revenue from the sale of electrical and thermal energy (excluding VAT) increased by RUB 38,097 million, or 19%, and amounted to RUB 237,545 million. The increase in revenue from the sale of electrical and thermal energy is mainly due to an increase in tariffs for electrical and thermal energy, as well as an increase in the volume of sales of electrical and thermal energy.

Net revenue from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) increased by RUB 23,072 million, or 16%, and amounted to RUB 164,438 million. compared to RUB 141,366 million. for the same period last year. The change is mainly caused by rising prices for oil and gas condensate. In addition, the change was caused by an increase in gas condensate sales. Revenue from the sale of crude oil amounted to RUB 133,368 million. and 121,675 million rubles. in net proceeds from the sale of crude oil and gas condensate (less excise tax, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by RUB 15,306 million, or 23%, and amounted to RUB 82,501 million, compared to RUB 67,195 million. for the same period last year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in gas volumes. ѐ mov of gas transportation for independent suppliers compared to the same period last year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million. compared to RUB 87,502 million. for the same period last year.

Expenses for trade operations without actual delivery amounted to RUB 837 million. compared to income of RUB 5,786 million. for the same period last year.

As for operating expenses, they increased by 23% and amounted to RUB 2,119,289 million. compared to RUB 1,726,604 million. for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to RUB 267,377 million. compared to RUB 227,500 million. for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9% or by 17,026 million rubles, and amounted to 201,636 million rubles, compared to 184,610 million rubles. for the same period last year. The increase was mainly due to the expansion of the fixed asset base.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million. compared to RUB 774,739 million. for the same period last year. Sales profit margin increased from 31% to 36% for the nine months ended September 30, 2011.

Thus, OJSC Gazprom is a global energy company. The main activities are geological exploration, production, transportation, storage, processing and sales of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators are showing positive dynamics.

2 Description of the company’s information security system

Let's consider the main areas of activity of the divisions of the Corporate Protection Service of OJSC Gazprom:

development of targeted programs for the development of systems and complexes of engineering and technical security equipment (ITSE), information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer for the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of IT in terms of information security systems;

review and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work to assess the compliance of ITSO systems and complexes, information security systems (as well as works and services for their creation) with the established requirements;

coordination and control of work execution technical protection information.

Gazprom has created a system to ensure the protection of personal data. However, the adoption by federal executive authorities of a number of regulatory legal acts in development of existing laws and government regulations necessitates the need to improve the current system of personal data protection. In the interests of solving this problem, within the framework of research work, a whole line documents. First of all, these are draft standards of the Gazprom Development Organization:

"Methodology for classifying information systems of personal data of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in personal data information systems of OAO Gazprom, its subsidiaries and organizations."

These documents were developed taking into account the requirements of the Decree of the Government of the Russian Federation of November 17, 2007 No. 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" in relation to the class of special systems, which include most of the OJSC ISPDn " Gazprom".

In addition, the development of “Regulations on the organization and technical support of the security of personal data processed in personal data information systems of OAO Gazprom, its subsidiaries and organizations” is currently underway.

It should be noted that within the framework of the standardization system of OJSC Gazprom, standards for the information security system have been developed, which will also make it possible to solve the problems of protecting personal data processed in the information systems of OJSC Gazprom.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the basic requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, create the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in the information systems of OAO Gazprom.

As a result of the analysis of information security of OJSC Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

Taking into account the size of the network and the number of users (more than 100), it should be noted that system administration, information security and technical support one person is engaged;

there is no classification of information assets by degree of importance;

information security roles and responsibilities are not included in job descriptions;

in the employment contract concluded with the employee there is no clause on the information security responsibilities of both those employed and the organization itself;

personnel training in the field of information security is not provided;

from the point of view of protection from external threats: no typical behavior procedures have been developed for data recovery after accidents that occurred as a result of external and environmental threats;

the server room is not a separate room, the room is assigned the status of two departments (one more person, in addition to the system administrator, has access to the server room);

technical probing and physical examination for unauthorized devices connected to cables are not carried out;

despite the fact that entry is carried out using electronic passes and all information is entered into a special database, its analysis is not carried out;

in terms of protection against malware: there is no formal policy to protect against risks associated with receiving files either from or through external networks or contained on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, there is access to mail servers external networks;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

receipt of passwords by users is not confirmed in any way;

passwords are stored in clear text by the administrator;

passwords do not change;

There is no procedure for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

policies regarding the hiring (dismissal) and granting (deprivation) of employees of the necessary authority to access system resources;

policy regarding the work of network users during its operation;

password protection policy;

policy on the organization of physical protection;

Internet policy;

as well as administrative security measures.

Documents containing these regulations are at the stage of consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OJSC Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate identified deficiencies in the security system, we will highlight the following groups information that is subject to protection:

information about the private life of employees that allows them to be identified (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information “for official use”;

information, the destruction or modification of which will negatively affect operational efficiency, and restoration will require additional costs.

From the point of view of administrative measures, the following recommendations were developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing facilities are installed or stored, work is carried out with protected information, must be guarded and protected by alarm and access control means;

training of personnel on information security issues (explaining the importance of password protection and password requirements, conducting training on anti-virus software, etc.) should be organized when hiring an employee;

conduct trainings every 6-12 months aimed at improving the literacy of employees in the field of information security;

an audit of the system and adjustments to the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes to the structure of the enterprise;

each user’s access rights to information resources must be documented (if necessary, access is requested from the manager in writing);

ensuring the information security policy must be ensured by the software administrator and the software administrator hardware, their actions are coordinated by the group leader.

Let's formulate a password policy:

do not store them in unencrypted form (do not write them down on paper, in a regular text file and so on.);

change the password if it is disclosed or suspected of disclosure;

length must be at least 8 characters;

The password must contain upper and lower case letters, numbers and special characters; the password must not include easily calculated sequences of characters (names, animal names, dates);

change once every 6 months (an unscheduled password change must be made immediately after receiving notification of the incident that triggered the change);

When changing passwords, you cannot select those that were used previously (passwords must differ by at least 6 positions).

Let's formulate a policy regarding antivirus programs and virus detection:

Licensed anti-virus software must be installed on each workstation;

update antivirus databases at workstations with Internet access - once a day, without Internet access - at least once a week;

install automatic check workstations for virus detection (frequency of checks - once a week: Friday, 12:00);

Only the administrator can interrupt the anti-virus database update or virus scan (password protection should be set for the specified user action).

Let's formulate a policy regarding physical protection:

technical probing and physical examination for unauthorized devices connected to cables should be carried out every 1-2 months;

network cables must be protected from unauthorized interception of data;

records of all suspected and actual failures that occurred with the equipment must be stored in a log

Each workstation must be equipped with an uninterruptible power supply.

Let's define a policy regarding information reservation:

for backup copies, a separate room should be allocated, located outside the administrative building (the room should be equipped electronic lock and alarm);

Information reservations should be made every Friday at 16:00.

The policy regarding the hiring/dismissal of employees should be as follows:

any personnel changes (hiring, promotion, dismissal of an employee, etc.) must be reported to the administrator within 24 hours, who, in turn, within a period of half a working day must make appropriate changes to the system for delimiting access rights to enterprise resources ;

a new employee must undergo training from the administrator, including familiarization with the security policy and all necessary instructions; the level of access to information for the new employee is assigned by the manager;

When an employee leaves the system, his ID and password are deleted, the workstation is checked for viruses, and the integrity of the data to which the employee had access is analyzed.

Policy regarding working with local internal network (LAN) and databases (DB):

when working at his workstation and on the LAN, the employee must perform only tasks directly related to his official activities;

The employee must notify the administrator about messages from anti-virus programs about the appearance of viruses;

no one other than administrators is allowed to make changes to the design or configuration of workstations and other LAN nodes, install any software, or leave them uncontrolled workstation or allow unauthorized persons to access it;

Administrators are recommended to keep two programs running at all times: an ARP-spoofing attack detection utility and a sniffer, the use of which will allow them to see the network through the eyes of a potential intruder and identify security policy violators;

You should install software that prevents programs from running other than those designated by the administrator, based on the principle: “Any person is granted the privileges necessary to perform specific tasks.” All unused computer ports must be disabled by hardware or software;

The software should be updated regularly.

Internet Policy:

administrators are assigned the right to restrict access to resources, the content of which is not related to the performance of official duties, as well as to resources, the content and focus of which are prohibited by international and Russian legislation;

the employee is prohibited from downloading and opening files without first checking for viruses;

all information about resources visited by company employees should be stored in a log and, if necessary, can be provided to department heads, as well as management

confidentiality and integrity of electronic correspondence and office documents is ensured through the use of digital signatures.

In addition, we will formulate the basic requirements for creating passwords for employees of the OJSC Gazprom company.

A password is like a house key, only it is the key to information. For ordinary keys, it is highly undesirable to be lost, stolen, or handed over to stranger. The same goes for the password. Of course, the security of information depends not only on the password; to ensure it, you need to install a number of special settings and maybe even write a program that protects against hacking. But choosing a password is exactly the action where it depends only on the user how strong this link will be in the chain of measures aimed at protecting information.

) the password must be long (8-12-15 characters);

) should not be a word from a dictionary (any dictionary, even a dictionary of special terms and slang), a proper name or a word in Cyrillic alphabet typed in the Latin layout (Latin - kfnsym);

) it cannot be associated with the owner;

) it changes periodically or as needed;

) is not used in this capacity on various resources (i.e. for each resource - to enter Mailbox, operating system or database - you must use your own password, different from others);

) it is possible to remember it.

Selecting words from the dictionary is undesirable, since an attacker conducting a dictionary attack will use programs capable of searching up to hundreds of thousands of words per second.

Any information associated with the owner (be it date of birth, dog's name, mother's maiden name, and similar “passwords”) can be easily recognized and guessed.

The use of uppercase and lowercase letters, as well as numbers, greatly complicates the attacker’s task of guessing the password.

The password should be kept secret, and if you suspect that the password has become known to someone, change it. It is also very useful to change them from time to time.

Conclusion

The study allowed us to draw the following conclusions and formulate recommendations.

It has been established that the main reason for the enterprise's problems in the field of information security is the lack of an information security policy, which would include organizational, technical, financial solutions with subsequent monitoring of their implementation and evaluation of effectiveness.

The definition of information security policy is formulated as a set of documented decisions, the purpose of which is to ensure the protection of information and associated information risks.

The analysis of the information security system revealed significant shortcomings, including:

storage of backup copies in the server room, the backup server is located in the same room as the main servers;

lack of proper rules regarding password protection (password length, rules for choosing and storing it);

network administration is handled by one person.

A generalization of international and Russian practice in the field of information security management of enterprises allowed us to conclude that to ensure it, it is necessary:

forecasting and timely identification of security threats, causes and conditions conducive to financial, material and moral damage;

creating operating conditions with the least risk of implementing security threats to information resources and causing various types of damage;

creating a mechanism and conditions for effectively responding to threats to information security based on legal, organizational and technical means.

The first chapter of the work discusses the main theoretical aspects. An overview of several standards in the field of information security is given. Conclusions are drawn for each and as a whole, and the most appropriate standard for forming information security policy is selected.

The second chapter examines the structure of the organization and analyzes the main problems associated with information security. As a result, recommendations have been formed to ensure the proper level of information security. Measures to prevent further incidents related to information security violations are also considered.

Of course, ensuring an organization's information security is a continuous process that requires constant monitoring. And a naturally formed policy is not an iron-clad guarantor of protection. In addition to the implementation of the policy, constant monitoring of its quality implementation, as well as improvement in the event of any changes in the company or precedents, is required. It was recommended for the organization to hire an employee whose activities would be directly related to these functions (security administrator).

Bibliography

information security financial harm

1. Belov E.B. Fundamentals of information security. E.B. Belov, V.P. Los, R.V. Meshcheryakov, A.A. Shelupanov. -M.: Hotline- Telecom, 2006. - 544s

Galatenko V.A. Information security standards: a course of lectures. Educational

allowance. - 2nd edition. M.: INTUIT.RU “Internet University Information technologies", 2009. - 264 p.

Glatenko V.A. Information Security Standards / Open systems 2006.- 264s

Dolzhenko A.I. Information systems management: Training course. - Rostov-on-Don: RGEU, 2008.-125 p.

Kalashnikov A. Formation of a corporate policy of internal information security #"justify">. Malyuk A.A. Information security: conceptual and methodological foundations of information protection / M.2009-280s

Mayvold E., Network Security. Self-instruction manual // Ekom, 2009.-528 p.

Semkin S.N., Belyakov E.V., Grebenev S.V., Kozachok V.I., Fundamentals of organizational support for information security of informatization objects // Helios ARV, 2008, 192 pp.

Information security is usually understood as a set of measures aimed at implementing the required level of software and hardware security from illegal and unauthorized penetration by intruders. Today, comprehensive information protection in an enterprise is gaining maximum popularity, including all possible security techniques and tools that are available for implementation. If we consider any diploma in information security, then in it we will certainly find an analysis of each such means of protecting information in IP, namely:

• Physical means of protection, consisting of installed security cameras, various locking devices (locks), doors, bars, metal cabinets, safes, etc. Designed primarily to create a natural barrier for an attacker;
• Hardware security, which includes various devices, sensors, detectors, scanners and encryptors, which most effectively contribute to maintaining data confidentiality and the security of systems and networks (the most common area of ​​application is information security in local networks, and cryptographic protection information);
• Software protection tools, which are primarily represented by various firewalls, anti-virus systems, firewalls, security policies, etc., i.e. various software that in one way or another expands the capabilities standard means security and copes with the task relatively successfully. The only nuance that is worth highlighting is that if you are pursuing a diploma in the development of a personal data protection system, then it is better to give preference to hardware protection, since they become much more effective and are not so susceptible to hacking;
• Organizational protection measures, which are represented by various charters, rules and technical regulations for working with specific categories of data. The organization and technology of information protection in this case is as follows - all employees strictly comply with the regulations and requirements that relate to work with data classified as “confidential” or “personal”. Failure to comply with requirements will result in penalties, administrative or criminal liability.

Of course, the data protection methods described above are not the only ones, but each of them plays an important role in the process of conducting an enterprise information security audit.

Let's highlight key features, which characterize almost all diplomas in information security:

• A clearly defined and justified goal of the project, the high relevance of the research being carried out and a clear desired result upon completion of all work;
• A correctly formulated main task, which contains a step-by-step list of all necessary actions, which, if successfully completed, lead to the required final result;
• Identification of several available solutions to a given problem, taking into account all the requirements and conditions of data protection, further selection of the most suitable one (in terms of time and cost) possible option and justification for the choice made. The fundamental factor in this case is efficiency and compliance with all data protection requirements;
• Determining the most accessible and understandable presentation of the research result for greater clarity during the defense.

It is not difficult to guess that diplomas in information security in an enterprise are quite complex and cover a wide variety of areas, and in order to correctly develop a personal data protection system, it is important to have good theoretical and practical knowledge. But this condition is not always met.

More than once, students wondered what to do if I myself do not have time to complete the entire amount of work. The answer is quite simple - you need to contact our online store in advance, where a huge number of different information security works are presented. Just a few examples will suffice:

• Work on organizing information security;
• Thesis on information security;
• Consideration of problems of ensuring information security.

And we are absolutely sure that each of you will be able to choose a diploma from us according to your requirements, and if there is no chosen topic, you can easily order it from our specialists.

This category presents work related to ensuring the information security of enterprises, information systems and local computer networks, including:

1. document flow security;
2. security of operating systems and databases;
3. security of computing systems;
4. security of Internet resources;
5. engineering and technical information protection.

The works have been prepared for specialists in the following specialties:

090000 INFORMATION SECURITY

090100 Information security

090101 Cryptography

090102 Computer security

E If you have not found a suitable finished work, you can order a new one to be written, which will be completed on time and in full accordance with your requirements. Order form by .