Graduation thesis. Information Security

Introduction

Chapter 1. Theoretical aspects of acceptance and information security

1.1 The concept of information security

3 Information security practices

Chapter 2. Analysis of the information security system

1 The scope of the company and the analysis of financial performance

2 Description of the company's information security system

3 Development of a set of measures to modernize the existing information security system

Conclusion

Bibliography

Application

Annex 1. Balance sheet for 2010


Introduction

The relevance of the thesis topic is determined by the growing scale of information security problems, even against the background of rapid growth in data protection technologies and tools. It is impossible to provide 100% protection of corporate information systems, so data protection tasks must be prioritized correctly within the limited share of the budget allocated to information technology.

Reliable protection of computing and network corporate infrastructure is a basic task in the field of information security for any company. With the growth of the enterprise's business and the transition to a geographically distributed organization, it begins to go beyond a single building.

Effective protection of IT infrastructure and applied corporate systems today is impossible without the introduction of modern network access control technologies. The growing number of cases of theft of media containing valuable business information increasingly forces organizations to adopt organizational measures as well.

The purpose of this work will be to evaluate the information security system existing in the organization and develop measures to improve it.

This goal determines the following tasks of the thesis:

1) consider the concept of information security;

2) consider the types of possible threats to information systems and the options for protecting the organization against possible threats of information leakage;

3) identify a list of information resources, violation of the integrity or confidentiality of which would cause the greatest damage to the enterprise;

4) develop on this basis a set of measures to improve the existing information security system.

The work consists of an introduction, two chapters, a conclusion, a list of references and applications.

The introduction substantiates the relevance of the research topic, formulates the purpose and objectives of the work.

The first chapter deals with the theoretical aspects of the concepts of information security in the organization.

The second chapter gives a brief description of activities of the company, key performance indicators, describes the current state of the information security system and proposes measures to improve it.

In conclusion, the main results and conclusions of the work are formulated.

The methodological and theoretical basis of the thesis was the work of domestic and foreign experts in the field of information security, the regulatory acts of the Russian Federation governing the protection of information, and international information security standards.

The theoretical significance of the thesis research is the implementation of an integrated approach in the development of information security policy.

The practical significance of the work is determined by the fact that its results make it possible to increase the degree of information protection in an enterprise through the competent design of an information security policy.

Chapter 1. Theoretical aspects of acceptance and information security

1.1 The concept of information security

Information security is understood as the protection of information and the infrastructure supporting it from any accidental or malicious influences, the result of which may be damage to the information itself, its owners or the supporting infrastructure. The tasks of information security are reduced to minimizing damage, as well as to predicting and preventing such impacts.

The parameters of information systems that need to be protected can be divided into the following categories: ensuring the integrity, availability and confidentiality of information resources.

availability is the possibility of obtaining, in a short period of time, the required information service;

integrity is the relevance and consistency of information, its protection from destruction and unauthorized changes;

confidentiality is protection against unauthorized access to information.

Information systems are created primarily to provide certain information services. If for some reason it becomes impossible to obtain information, this causes damage to all subjects of information relations. From this it follows that the availability of information comes first.

Integrity is the main aspect of information security when accuracy and truthfulness are the main parameters of the information, for example in prescriptions for medical drugs or in the composition and characteristics of components.

The most developed component of information security in our country is confidentiality. But the practical implementation of measures to ensure the confidentiality of modern information systems faces great difficulties in Russia. Firstly, information about the technical channels of information leakage is closed, so most users are unable to form an idea of the potential risks. Secondly, numerous legal and technical difficulties stand in the way of using cryptography as the primary means of ensuring confidentiality.

Actions that can damage an information system can be divided into several categories.

purposeful theft or destruction of data on a workstation or server;

damage to data by the user as a result of careless actions.

"Electronic" methods of influence carried out by hackers.

Hackers are people who engage in computer crimes both professionally (including as part of a competitive struggle) and simply out of curiosity. These methods include:

unauthorized penetration into computer networks;

The purpose of unauthorized penetration into the enterprise network from the outside can be to harm (destroy data), steal confidential information and use it for illegal purposes, use the network infrastructure to organize attacks on third-party nodes, steal funds from accounts, etc.

A DoS-type attack (from Denial of Service) is an external attack on the enterprise's network nodes responsible for its security and efficient work (file and mail servers). The attackers organize a massive sending of data packets to these nodes in order to overload them and, as a result, disable them for some time. This, as a rule, entails disruption of the victim company's business processes, loss of customers, damage to reputation, etc.

Computer viruses. A separate category of electronic methods of influence is computer viruses and other malicious programs. They are a real danger to modern business, widely using computer networks, the Internet and e-mail. Penetration of the virus to the nodes of the corporate network can lead to disruption of their functioning, loss of working time, loss of data, theft of confidential information and even direct theft of funds. A virus program that has penetrated a corporate network can give attackers partial or complete control over the company's activities.

Spam. In just a few years, spam has gone from a minor annoyance to one of the biggest security threats:

e-mail has recently become the main channel for the distribution of malicious programs;

spam takes a lot of time to view and then delete messages, causes employees a feeling of psychological discomfort;

both individuals and organizations become victims of fraudulent schemes implemented by spammers (the victims often try not to disclose such events);

along with spam, important correspondence is often deleted, which can lead to the loss of customers, the failure of contracts, and other unpleasant consequences. The risk of losing mail is especially high when using RBL blacklists and other "rough" spam filtering methods.

"Natural" threats. A variety of external factors can affect the information security of a company: improper storage, theft of computers and media, force majeure, etc. can cause data loss.

The information security management system (ISMS or Information Security Management System) allows you to manage a set of measures that implement a certain conceived strategy, in this case - in relation to information security. Note that we are talking not only about managing an existing system, but also about building a new / redesigning an old one.

The set of measures includes organizational, technical, physical and others. Information security management is a complex process, which makes it possible to implement the most efficient and comprehensive information security management in a company.

The purpose of information security management is to maintain the confidentiality, integrity and availability of information. The only question is what kind of information needs to be protected and what efforts should be made to ensure its safety.

Any management is based on awareness of the situation in which it occurs. In terms of risk analysis, awareness of the situation is expressed in the inventory and assessment of the assets of the organization and their environment, that is, everything that ensures the conduct of business activities. From the point of view of information security risk analysis, the main assets include directly information, infrastructure, personnel, image and reputation of the company. Without an inventory of assets at the business activity level, it is impossible to answer the question of what needs to be protected. It is very important to understand what information is processed in an organization and where it is processed.

In a large modern organization, the number of information assets can be very large. If the organization's activities are automated using an ERP system, then we can say that almost any material object used in this activity corresponds to some information object. Therefore, the primary task of risk management is to identify the most significant assets.

It is impossible to solve this problem without the involvement of managers of the main activity of the organization, both middle and top managers. The optimal situation is when the top management of the organization personally sets the most critical areas of activity, for which it is extremely important to ensure information security. The opinion of senior management on the priorities in ensuring information security is very important and valuable in the process of risk analysis, but in any case, it should be clarified by collecting information about the criticality of assets at the middle level of company management. At the same time, it is advisable to carry out further analysis precisely in the areas of business activity designated by top management. The information received is processed, aggregated and transmitted to top management for a comprehensive assessment of the situation.

Information can be identified and localized based on the description of business processes in which information is considered as one of the types of resources. The task is somewhat simplified if the organization has adopted a business regulation approach (for example, for the purpose of quality management and business process optimization). Formalized business process descriptions serve as a good starting point for asset inventory. If there are no descriptions, you can identify the assets based on the information received from the organization's employees. Once assets are identified, their value must be determined.

The work of determining the value of information assets in the context of the entire organization is both the most significant and complex. It is the assessment of information assets that will allow the head of the information security department to choose the main areas of activity to ensure information security.

But the economic efficiency of the information security management process largely depends on the awareness of what needs to be protected and what efforts will be required for this, since in most cases the amount of effort applied is directly proportional to the amount of money spent and the operating costs. Risk management makes it possible to answer the question of where risks can be accepted and where they cannot. In the case of information security, the term "risk" means that in a certain area it is possible not to make significant efforts to protect information assets, and at the same time, in the event of a security breach, the organization will not suffer significant losses. Here one can draw an analogy with the protection classes of automated systems: the greater the risks, the more stringent the protection requirements should be.

To determine the consequences of a security breach, one must either have information about recorded incidents of a similar nature, or conduct a scenario analysis. Scenario analysis examines the causal relationships between asset security breach events and the impact of those events on an organization's business. The consequences of scenarios should be evaluated by several people, iteratively or deliberatively. It should be noted that the development and evaluation of such scenarios cannot be completely divorced from reality. One must always remember that the scenario must be probable. Criteria and scales for determining value are individual for each organization. Based on the results of the scenario analysis, it is possible to obtain information about the value of assets.

If the assets are identified and their value is determined, we can say that the goals of ensuring information security are partially established: the objects of protection and the importance of maintaining them in a state of information security for the organization are defined. Perhaps, it remains only to determine who needs to be protected from.

After defining the goals of information security management, it is necessary to analyze the problems that prevent approaching the target state. At this level, the risk analysis process descends to the information infrastructure and traditional concepts of information security - violators, threats and vulnerabilities.

To assess risks, it is not enough to introduce a standard offender model that separates all offenders according to the type of access to the asset and knowledge about the structure of assets. This separation helps to determine what threats can be directed to an asset, but does not answer the question of whether these threats can in principle be realized.

In the process of risk analysis, it is necessary to assess the motivation of violators in the implementation of threats. At the same time, the violator is not meant to be an abstract external hacker or insider, but a party interested in obtaining benefits by violating the security of an asset.

Initial information about the model of the intruder, as in the case of the choice of initial areas of activity to ensure information security, should be obtained from top management, who understands the position of the organization in the market, has information about competitors and what methods of influence can be expected from them. The information necessary to develop a violator model can also be obtained from specialized studies on violations in the field of computer security in the business area for which risk analysis is being carried out. A well-designed intruder model complements the objectives of ensuring information security, defined in the assessment of the organization's assets.

The development of a threat model and the identification of vulnerabilities are inextricably linked with an inventory of the organization's information asset environment. By itself, the information is not stored or processed. Access to it is provided using the information infrastructure that automates the business processes of the organization. It is important to understand how the information infrastructure and information assets of an organization are related. From the perspective of information security management, the significance of the information infrastructure can only be established after determining the relationship between information assets and infrastructure. In the event that the processes of maintaining and operating the information infrastructure in an organization are regulated and transparent, the collection of information necessary for identifying threats and assessing vulnerabilities is greatly simplified.

Developing a threat model is a job for security professionals who have a good idea of how an intruder can gain unauthorized access to information by violating the security perimeter or using social engineering methods. When developing a threat model, one can also talk about scenarios as successive steps according to which threats can be implemented. It very rarely happens that threats are implemented in one step by exploiting a single vulnerability in the system.

The threat model should include all threats identified as a result of related information security management processes, such as vulnerability and incident management. It must be remembered that threats will need to be ranked relative to each other according to the level of probability of their implementation. To do this, in the process of developing a threat model for each threat, it is necessary to indicate the most significant factors, the existence of which affects its implementation.

The security policy is based on the analysis of risks that are recognized as real for the organization's information system. When the risks are analyzed and the protection strategy is defined, an information security program is drawn up. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program, etc. is determined.

In a broad sense, security policy is defined as a system of documented management decisions to ensure the security of an organization. In a narrow sense, a security policy is usually understood as a local regulatory document that defines security requirements, a system of measures, or an order of actions, as well as the responsibility of employees of the organization and control mechanisms for a specific area of security.

Before starting to form the information security policy itself, it is necessary to understand the basic concepts with which we will operate.

Information - information (messages, data) regardless of the form of their presentation.

Confidentiality of information is a mandatory requirement for a person who has access to certain information not to transfer such information to third parties without the consent of its owner.

Information security (IS) is the state of protection of the information environment of society, ensuring its formation, use and development in the interests of citizens, organizations, states.

The concept of "information" today is used quite widely and in many senses.

Ensuring information security cannot be a one-time act. This is a continuous process, which consists in substantiating and implementing the most rational methods, ways and means of improving and developing the protection system, continuously monitoring its condition, identifying its weaknesses and illegal actions.

Information security can be ensured only with the integrated use of the entire range of available protection tools in all structural elements of the production system and at all stages of the technological cycle of information processing. The greatest effect is achieved when all the means, methods and measures used are combined into a single holistic mechanism of the information protection system. At the same time, the functioning of the system should be monitored, updated and supplemented depending on changes in external and internal conditions.

According to the GOST R ISO / IEC 15408:2005 standard, the following types of security requirements can be distinguished:

functional, corresponding to the active aspect of protection, imposed on the security functions and the mechanisms that implement them;

assurance requirements, corresponding to the passive aspect, imposed on the technology and the process of development and operation.

It is very important that security in this standard is not considered statically, but in relation to the life cycle of the object of assessment. The following stages are distinguished:

determination of the purpose, conditions of use, goals and safety requirements;

design and development;

testing, evaluation and certification;

implementation and operation.

So, let's take a closer look at the functional security requirements. They include:

user data protection;

protection of security functions (the requirements relate to the integrity and control of these security services and the mechanisms that implement them);

security management (the requirements of this class relate to the management of security attributes and parameters);

security audit (identification, registration, storage, analysis of data affecting the security of the object of assessment, response to a possible security breach);

privacy (protection of the user from disclosure and unauthorized use of his identification data);

use of resources (requirements for the availability of information);

communication (authentication of the parties involved in the data exchange);

trusted route/channel (for communication with security services).

In accordance with these requirements, it is necessary to form the information security system of the organization.

The information security system of an organization includes the following areas:

regulatory;

organizational (administrative);

technical;

software.

For a complete assessment of the situation at the enterprise in all areas of security, it is necessary to develop an information security concept that would establish a systematic approach to the problem of the security of information resources and be a systematic presentation of the goals, objectives, design principles and a set of measures to ensure information security at the enterprise.

The corporate network management system should be based on the following principles (tasks):

ensuring the protection of the existing information infrastructure of the enterprise from the intervention of intruders;

providing conditions for localization and minimization of possible damage;

exclusion of the appearance at the initial stage of the causes of the emergence of sources of threats;

ensuring the protection of information against the three main types of threats (to availability, integrity and confidentiality).

The solution of the above tasks is achieved by:

regulation of users' actions when working with the information system;

regulation of users' actions when working with the database;

unified requirements for the reliability of technical means and software;

procedures for monitoring the operation of the information system (logging of events, analysis of logs, analysis of network traffic, analysis of the operation of technical means).

The information security policy includes:

the main document is the "Security Policy". It generally describes the security policy of the organization, general provisions, as well as relevant documents for all aspects of the policy;

instructions for regulating the work of users;

job description of the local network administrator;

job description of the database administrator;

instructions for working with Internet resources;

instructions for organizing password protection;

instructions for organizing anti-virus protection.

The document "Security Policy" contains the main provisions. Based on it, an information security program is built, job descriptions and recommendations are built.

The instruction for regulating the work of users of the organization's local network governs the procedure for admitting users to work in the organization's local computer network, as well as the rules for handling protected information processed, stored and transmitted in the organization.

The job description of the local network administrator describes the duties of the local network administrator regarding information security.

The job description of a database administrator defines the main duties, functions and rights of a database administrator. It describes in great detail the official duties and functions of the database administrator, as well as their rights and responsibilities.

The instruction for working with Internet resources reflects the basic rules for safe work with the Internet, and also contains a list of permissible and unacceptable actions when working with Internet resources.

Instructions for the organization of anti-virus protection defines the main provisions, requirements for the organization of anti-virus protection of an organization's information system, all aspects related to the operation of anti-virus software, as well as responsibility in case of violation of anti-virus protection.

The instruction on the organization of password protection regulates the organizational and technical support for the processes of generating, changing and terminating passwords (deleting user accounts). It also regulates the actions of users and maintenance personnel when working with the system.

Thus, the basis for organizing the process of information protection is a security policy formulated in order to determine from what threats and how information is protected in the information system.

A security policy is a set of legal, organizational and technical measures to protect information adopted in a particular organization. That is, the security policy includes a set of conditions under which users gain access to system resources without losing the information security properties of this system.


The task of ensuring information security should be addressed systematically. This means that various protections (hardware, software, physical, organizational, etc.) must be applied simultaneously and under centralized control.

To date, there is a large arsenal of methods for ensuring information security:

means of identification and authentication of users;

means of encrypting information stored on computers and transmitted over networks;

firewalls;

virtual private networks;

content filtering tools;

tools for checking the integrity of the contents of disks;

means of anti-virus protection;

network vulnerability detection systems and network attack analyzers.

Each of these tools can be used both independently and in integration with others. This makes it possible to create information protection systems for networks of any complexity and configuration, regardless of the platforms used.

Identification (authentication), authorization and administration systems. Identification and authorization are key elements of information security. The authorization function determines which resources a particular user has access to. The administration function provides the user with certain identification features within a given network and determines the scope of actions allowed for him.

Encryption systems make it possible to minimize losses in case of unauthorized access to data stored on a hard drive or other media, as well as interception of information when it is sent by e-mail or transmitted over network protocols. The task of this protection tool is to ensure confidentiality. The main requirements for encryption systems are a high level of cryptographic strength and legality of use in Russia (or other states).

A firewall is a system or combination of systems that forms a protective barrier between two or more networks that prevents unauthorized data packets from entering or leaving the network.

The basic principle of a firewall is to check each data packet's source and destination IP addresses against a base of allowed addresses. Thus, firewalls significantly expand the possibilities of segmenting information networks and controlling the circulation of data.

Speaking of cryptography and firewalls, we should mention secure virtual private networks (Virtual Private Network - VPN). Their use allows solving the problems of data confidentiality and integrity during their transmission over open communication channels. Using a VPN can be reduced to three main tasks:

protection of information flows between different offices of the company (information is encrypted only at the exit to the external network);

secure access for remote users to the company's information resources, usually carried out via the Internet;

protection of information flows between individual applications within corporate networks (this aspect is also very important, since most attacks are carried out from internal networks).

An effective means of protecting against the loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking e-mail messages and their attachments against the rules set by the organization also helps to protect companies from legal liability and protect their employees from spam. Content filtering tools allow you to scan files of all common formats, including compressed and graphic ones, while network throughput remains virtually unchanged.

All changes on a workstation or server can be tracked by a network administrator or other authorized user thanks to hard drive content integrity verification technology (integrity checking). This allows you to detect any actions with files (modification, deletion or just opening) and identify virus activity, unauthorized access or data theft by authorized users. Control is based on the analysis of file checksums (CRC sums).
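An added example, not part of the thesis: a small Python integrity checker that records a baseline of file digests and then reports added, deleted and modified files. It supports the CRC sums the paragraph mentions but defaults to SHA-256; the directory contents created in demo() are constructed.

```python
"""File integrity checker: record a baseline of file digests, then report
added, modified and deleted files (added example, not from the thesis)."""
import hashlib
import json
import tempfile
import zlib
from pathlib import Path
from typing import Dict, List

CHUNK = 65536


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Digest of a file's contents. The thesis mentions CRC sums; CRC32 detects
    accidental corruption, but a deliberate change can be padded to keep the
    same CRC, so a cryptographic hash (SHA-256) is the default here."""
    if algo == "crc32":
        crc = 0
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                crc = zlib.crc32(chunk, crc)
        return f"{crc & 0xFFFFFFFF:08x}"
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> Dict[str, str]:
    """Map relative path -> digest for every regular file below root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    # Keep the baseline outside the monitored tree (ideally on read-only or
    # off-host storage) so an intruder who alters files cannot also alter it.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def verify(root: Path, baseline: Dict[str, str],
           algo: str = "sha256") -> Dict[str, List[str]]:
    """Compare the tree under root with a saved baseline."""
    current = build_baseline(root, algo)
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: after the baseline is
    taken, one file is altered, one is deleted and one unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "contract.txt").write_text("original terms")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")
        (root / "notes.txt").write_text("keep me")
        baseline_file = Path(tmp) / "baseline.json"   # outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        (root / "docs" / "contract.txt").write_text("altered terms")  # modified
        (root / "notes.txt").unlink()                                 # deleted
        (root / "unknown.bin").write_bytes(b"\x00\x01\x02")           # added
        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```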

Modern anti-virus technologies make it possible to detect almost all already known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior modeling technologies have been developed to detect newly created virus programs. Detected objects can be disinfected, isolated (quarantined), or deleted. Virus protection can be installed on workstations, file and mail servers, and firewalls running under almost any of the common operating systems (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labor costs associated with sorting spam, reduce traffic and server load, improve the psychological climate in the team and reduce the risk of company employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages containing viruses (even those not yet included in the anti-virus databases) often show signs of spam and are filtered out. True, the positive effect of spam filtering is negated if the filter, along with junk, removes or marks as spam useful business or personal messages.

The huge damage to companies caused by viruses and hacker attacks is largely a consequence of weaknesses in the software used. You can identify them in advance, without waiting for a real attack, using computer network vulnerability detection systems and network attack analyzers. Such software safely simulates common attacks and intrusions and determines what exactly a hacker can see on the network and how he can use its resources.

To counter natural threats to information security, a company should develop and implement a set of procedures to prevent emergency situations (for example, to ensure the physical protection of data from a fire) and minimize damage if such a situation does occur. One of the main methods of protection against data loss is backup with strict adherence to established procedures (regularity, media types, copy storage methods, etc.).

An information security policy is a package of documents that regulates the work of employees, describing the basic rules for working with information, an information system, databases, a local network and Internet resources. It is important to understand what place the information security policy occupies in the overall management system of the organization. The following are general organizational measures related to security policy.

At the procedural level, the following classes of measures can be distinguished:

personnel management;

physical protection;

maintaining performance;

response to security breaches;

restoration planning.

Human resource management begins with hiring, but even before that, you should define the computer privileges associated with the position. There are two general principles to keep in mind:

segregation of duties;

privilege minimization.

The principle of segregation of duties prescribes how to distribute roles and responsibilities so that one person cannot disrupt a process that is critical to the organization. For example, a situation in which large payments on behalf of the organization are made by one person is undesirable. It is safer to entrust one employee with processing applications for such payments and another with certifying them. Another example is procedural restrictions on superuser actions. The superuser password can be artificially "split" by giving the first part of it to one employee and the second part to another. Then critically important actions in administering the information system can only be performed by the two of them together, which reduces the likelihood of errors and abuse.

The principle of least privilege dictates that users should be granted only those access rights that they need to perform their duties. The purpose of this principle is obvious - to reduce the damage from accidental or deliberate incorrect actions.

Preliminary preparation of a job description allows you to assess its criticality and plan the procedure for checking and selecting candidates. The more responsible the position, the more carefully you need to check candidates: make inquiries about them, perhaps talk with former colleagues, etc. Such a procedure can be lengthy and expensive, so there is no point in further complicating it. At the same time, it is unwise to completely refuse a preliminary check in order not to accidentally hire a person with a criminal past or a mental illness.

Once a candidate has been selected, they will probably need training; at the very least, they should be thoroughly familiarized with the duties of the job and with the rules and procedures of information security. It is desirable that the security measures be learned before the new employee takes office and before their system account is set up with a login name, password and privileges.

The security of an information system depends on the environment in which it operates. It is necessary to take measures to protect buildings and the surrounding area, supporting infrastructure, computers, data carriers.

Consider the following areas of physical protection:

physical access control;

protection of the supporting infrastructure;

protection of mobile systems.

Physical access control measures allow you to control and, if necessary, restrict the entry and exit of employees and visitors. The entire building of the organization, as well as individual premises, for example, those where servers, communication equipment, etc. are located, can be controlled.

Supporting infrastructure includes power, water and heat supply systems, air conditioners and communications. In principle, the same integrity and availability requirements apply to them as to information systems. To ensure integrity, equipment must be protected from theft and damage. To maintain availability, you should choose equipment with the maximum time between failures, duplicate critical nodes, and always have spare parts on hand.

Generally speaking, when selecting physical protection means, a risk analysis should be carried out. Thus, when deciding on the purchase of an uninterruptible power supply, it is necessary to take into account the quality of the power supply in the building occupied by the organization (although it will almost certainly turn out to be poor), the nature and duration of power failures, the cost of the available devices and the possible losses from accidents (breakdown of equipment, suspension of the organization's work, and so on).

Consider a number of measures aimed at maintaining the operability of information systems. It is in this area that the greatest danger lurks. Inadvertent errors by system administrators and users can lead to loss of operability, namely damage to equipment and destruction of programs and data. This is the worst case. At best, they create security holes that allow threats to the security of systems to be realized.

The main problem of many organizations is the underestimation of security factors in daily work. Expensive security tools are worthless if they are poorly documented, conflict with other software, and the system administrator password has not changed since installation.

For daily activities aimed at maintaining the health of the information system, the following actions can be distinguished:

user support;

software support;

configuration management;

backup;

media management;

documentation;

routine maintenance work.

User support implies, first of all, consulting and assistance in solving various kinds of problems. It is very important to be able to identify, in the flow of questions, the problems related to information security. Thus, many of the difficulties of users working on personal computers can be the result of virus infection. It is advisable to record user questions in order to identify typical mistakes and issue leaflets with recommendations for common situations.

Software support is one of the most important means of ensuring the integrity of information. First of all, you need to keep track of what software is installed on the computers. If users install programs on their own, this can lead to virus infection, as well as the appearance of utilities that bypass security measures. It is also likely that the "initiative" of users will gradually lead to chaos on their computers, and the system administrator will have to correct the situation.

The second aspect of software support is control over the absence of unauthorized changes to programs and to the access rights to them. This also includes maintaining master copies of software systems. Typically, control is achieved by a combination of physical and logical access control and the use of verification and integrity-checking utilities.

Configuration management allows you to control and capture changes made to the software configuration. First of all, it is necessary to insure against accidental or ill-conceived modifications, to be able to at least return to the previous working version. Committing changes will make it easy to restore the current version after a crash.

The best way to reduce errors in routine work is to automate it as much as possible. Automation and security depend on each other: whoever cares first of all about simplifying their own task is in fact also shaping the information security regime in the best way.

Backup is necessary to restore programs and data after disasters. Here too it is advisable to automate the work, at least by drawing up a computer schedule for making full and incremental copies, and at most by using the appropriate software products. It is also necessary to place the copies in a safe location protected from unauthorized access, fires and leaks, that is, from anything that could lead to theft of or damage to the media. It is good to have several backup copies and to store some of them outside the organization's premises, thus protecting against major accidents and similar incidents. From time to time, for test purposes, the possibility of recovering information from the copies should be checked.

Media management is necessary to provide physical protection and accountability for floppy disks, tapes, printouts and the like. Media management must ensure the confidentiality, integrity and availability of information stored outside of computer systems. Physical protection here is understood not only as repelling unauthorized access attempts but also as protection from harmful environmental influences (heat, cold, moisture, magnetism). Media management should cover the entire life cycle, from procurement to decommissioning.

Documentation is an integral part of information security. Almost everything is documented - from the security policy to the media inventory log. It is important that the documentation is up to date, reflecting the current state of affairs, and in a consistent form.

For the storage of some documents (containing, for example, an analysis of system vulnerabilities and threats), confidentiality requirements are applicable, for others, such as a disaster recovery plan, integrity and availability requirements (in a critical situation, the plan must be found and read).

Maintenance work is a very serious security threat. The employee who performs routine maintenance gets exclusive access to the system, and in practice it is very difficult to control exactly what actions he performs. Here, the degree of trust in those who perform the work comes to the fore.

The security policy adopted by the organization should provide for a set of operational measures aimed at detecting and neutralizing violations of the information security regime. It is important that in such cases the sequence of actions is planned in advance, since the measures must be taken urgently and in a coordinated manner.

The response to security breaches has three main objectives:

localization of the incident and reduction of the harm caused;

identification of the offender;

prevention of repeat violations.

Often the requirement to localize the incident and reduce the harm caused conflicts with the desire to identify the offender. The organization's security policy should be prioritized in advance. Since, as practice shows, it is very difficult to identify an intruder, in our opinion, first of all, you should take care of reducing the damage.

No organization is immune from serious accidents caused by natural causes, malicious actions, negligence or incompetence. At the same time, every organization has functions that management considers critical, they must be performed no matter what. Recovery planning allows you to prepare for accidents, reduce damage from them and maintain at least a minimal amount of ability to function.

Note that information security measures can be divided into three groups, depending on whether they are aimed at preventing, detecting or eliminating the consequences of attacks. Most of the measures are preventive in nature.

The recovery planning process can be divided into the following steps:

identification of critical functions of the organization, setting priorities;

identification of resources needed to perform critical functions;

determination of the list of possible accidents;

development of a recovery strategy;

preparation for the implementation of the chosen strategy;

testing of the strategy.

When planning restoration work, one should be aware that it is not always possible to fully preserve the functioning of the organization. It is necessary to identify the critical functions without which the organization loses its identity, and even among the critical functions to set priorities, so that work can be resumed after an accident as quickly as possible and at minimal cost.

When identifying the resources needed to perform critical functions, remember that many of them are non-computer in nature. At this stage, it is desirable to involve specialists of various profiles in the work.

Thus, there are many different methods of ensuring information security. The most effective approach is to apply all of these methods together as a single complex. Today the security market is saturated with information security tools. Constantly studying the offerings of the security market, many companies see that the funds previously invested in their information security systems have become inadequate, for example because of the obsolescence of equipment and software, and they look for a solution to this problem. There are two options: on the one hand, a complete replacement of the corporate information protection system, which requires large investments; on the other, modernization of the existing security systems. The second solution is the least expensive, but it brings new problems, since it requires answering the following questions: how to ensure compatibility between the retained legacy hardware and software security tools and the new elements of the information security system; how to provide centralized management of heterogeneous security tools; and how to assess and, if necessary, reassess the company's information risks.

Chapter 2. Analysis of the information security system

1 The scope of the company and the analysis of financial performance

OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity.

Gazprom sees its mission in the reliable, efficient and balanced supply of natural gas, other types of energy resources and products of their processing to consumers.

Gazprom has the richest natural gas reserves in the world. Its share in world gas reserves is 18%, in Russian - 70%. Gazprom accounts for 15% of global and 78% of Russian gas production. The company is currently actively implementing large-scale projects to develop the gas resources of the Yamal Peninsula, the Arctic shelf, Eastern Siberia and the Far East, as well as a number of projects for the exploration and production of hydrocarbons abroad.

Gazprom is a reliable gas supplier to Russian and foreign consumers. The company owns the world's largest gas transmission network, the Unified Gas Supply System of Russia, the length of which exceeds 161 thousand km. Gazprom sells over half of the gas it sells on the domestic market. In addition, the company supplies gas to 30 countries of the near and far abroad.

Gazprom is the only producer and exporter of liquefied natural gas in Russia and provides about 5% of the world's LNG production.

The company is among the five largest oil producers in the Russian Federation and is also the largest owner of generating assets on its territory. Their total installed capacity is 17% of the total installed capacity of the Russian energy system.

The strategic goal is to establish OAO Gazprom as a leader among global energy companies through the development of new markets, diversification of activities, and ensuring the reliability of supplies.

Consider the financial performance of the company over the past two years. The results of the company's activities are presented in Appendix 1.

As of December 31, 2010, sales proceeds amounted to 2,495,557 million rubles; this figure is much lower than the 2011 figure of 3,296,656 million rubles.

Sales revenue (net of excise, VAT and customs duties) increased by RUB 801,099 million, or 32%, for the nine months ended September 30, 2011, compared to the same period of the previous year, and amounted to RUB 3,296,656 million.

Based on 2011 results, net sales of gas accounted for 60% of total net sales (60% in the same period last year).

Net proceeds from the sale of gas increased from RUB 1,495,335 million in the comparable period of the previous year to RUB 1,987,330 million in 2011, or by 33%.

Net proceeds from the sale of gas to Europe and other countries increased by 258,596 million rubles, or 34%, compared to the same period last year, and amounted to 1,026,451 million rubles. The overall increase in gas sales to Europe and other countries was due to an increase in average prices. The average price in rubles (including customs duties) increased by 21% in the nine months ended September 30, 2011 compared to the same period in 2010. In addition, gas sales increased by 8% compared to the same period last year.

Net proceeds from the sale of gas to the countries of the former Soviet Union increased over the same period in 2010 by 168,538 million rubles, or 58%, and amounted to 458,608 million rubles. The change was mainly driven by a 33% increase in gas sales to the former Soviet Union in the nine months ended 30 September 2011 year-on-year. In addition, the average price in rubles (including customs duties, excluding VAT) increased by 15% compared to the same period last year.

Net proceeds from the sale of gas in the Russian Federation increased by 64,861 million rubles, or 15%, compared to the same period last year, and amounted to 502,271 million rubles. This is mainly due to a 13% increase in the average gas price compared to the same period last year, which is associated with an increase in tariffs set by the Federal Tariff Service (FTS).

Net proceeds from the sale of oil and gas products (net of excise, VAT and customs duties) increased by 213,012 million rubles, or 42%, compared to the same period last year, and amounted to 717,723 million rubles. This increase is mainly due to the rise in world prices for oil and gas products and the increase in volumes sold compared to the same period last year. Gazprom Neft Group's revenue accounted for 85% and 84% of total net revenue from the sale of refined petroleum products, respectively.

Net proceeds from the sale of electricity and heat (net of VAT) increased by 38,097 million rubles, or 19%, and amounted to 237,545 million rubles. The increase in revenue from the sale of electricity and heat is mainly due to an increase in tariffs for electricity and heat, as well as an increase in the volume of sales of electricity and heat.

Net proceeds from the sale of crude oil and gas condensate (net of excise, VAT and customs duties) increased by RUB 23,072 million, or 16%, to RUB 164,438 million, compared to RUB 141,366 million for the same period last year. The change was mainly caused by an increase in the price of oil and gas condensate, and additionally by an increase in gas condensate sales. Proceeds from the sale of crude oil amounted to 133,368 million rubles and 121,675 million rubles within net proceeds from the sale of crude oil and gas condensate (net of excise, VAT and customs duties) in 2011 and 2010, respectively.

Net revenue from the sale of gas transportation services (net of VAT) increased by RUB 15,306 million, or 23%, and amounted to RUB 82,501 million, compared to RUB 67,195 million for the same period last year. This growth is mainly due to an increase in gas transportation tariffs for independent suppliers, as well as an increase in the volume of gas transported for independent suppliers compared to the same period last year.

Other revenue increased by RUB 19,617 million, or 22%, and amounted to RUB 107,119 million, compared to RUB 87,502 million for the same period last year.

Expenditure on trading operations without actual delivery amounted to RUB 837 million, compared to revenue of RUB 5,786 million for the same period last year.

Operating expenses increased by 23% and amounted to RUB 2,119,289 million, compared to RUB 1,726,604 million for the same period last year. The share of operating expenses in sales revenue decreased from 69% to 64%.

Labor costs increased by 18% and amounted to RUB 267,377 million, compared to RUB 227,500 million for the same period last year. The increase is mainly due to an increase in average wages.

Depreciation for the analyzed period increased by 9%, or by RUB 17,026 million, and amounted to RUB 201,636 million, compared with RUB 184,610 million for the same period last year. The increase was mainly due to the expansion of the fixed asset base.

As a result of the above factors, sales profit increased by RUB 401,791 million, or 52%, and amounted to RUB 1,176,530 million, compared to RUB 774,739 million for the same period last year. The profit margin on sales increased from 31% to 36% in the nine months ended September 30, 2011.

Thus, OAO Gazprom is a global energy company. The main activities are exploration, production, transportation, storage, processing and sale of gas, gas condensate and oil, as well as the production and sale of heat and electricity. The financial condition of the company is stable. Performance indicators have a positive trend.

2 Description of the company's information security system

Let's consider the main activities of the divisions of the Corporate Security Service of JSC "Gazprom":

development of targeted programs for the development of systems and complexes of engineering and technical means of protection (ITSO), information security systems (IS) of OAO Gazprom and its subsidiaries and organizations, participation in the formation of an investment program aimed at ensuring information and technical security;

implementation of the powers of the customer of work on the development of information security systems, as well as ITSO systems and complexes;

consideration and approval of budget requests and budgets for the implementation of measures for the development of information security systems, ITSO systems and complexes, as well as for the creation of IT in terms of information security systems;

consideration and approval of design and pre-project documentation for the development of information security systems, ITSO systems and complexes, as well as technical specifications for the creation (modernization) of information systems, communication and telecommunications systems in terms of information security requirements;

organization of work to assess the conformity of ITSO systems and complexes, IS support systems (as well as works and services for their creation) to the established requirements;

coordination and control of work on the technical protection of information.

Gazprom has created a system that ensures the protection of personal data. However, the adoption by the federal executive authorities of a number of regulatory legal acts elaborating the existing laws and government decrees necessitates improvement of the current system of personal data protection. To solve this problem, a number of documents have been developed and are being coordinated within the framework of research work. First of all, these are draft OAO Gazprom corporate standards:

"Methodology for classifying personal data information systems of OAO Gazprom, its subsidiaries and organizations";

"Model of threats to personal data during their processing in information systems of personal data of OAO Gazprom, its subsidiaries and organizations".

These documents have been developed taking into account the requirements of Decree of the Government of the Russian Federation No. 781 of November 17, 2007, "On Approval of the Regulations on Ensuring the Security of Personal Data during their Processing in Personal Data Information Systems", in relation to the class of special systems, which includes most of the personal data information systems (ISPD) of OAO Gazprom.

In addition, the "Regulations on the organization and technical support of the security of personal data processed in the information systems of personal data of OAO Gazprom, its subsidiaries and organizations" are currently being developed.

It should be noted that, within the framework of OAO Gazprom's standardization system, standards for the information security system have been developed, which will also make it possible to solve the tasks of protecting personal data (PD) processed in OAO Gazprom's information systems.

Seven standards related to the information security system have been approved and are being put into effect this year.

The standards define the main requirements for building information security systems for OAO Gazprom and its subsidiaries.

The results of the work done will make it possible to more rationally use material, financial and intellectual resources, form the necessary regulatory and methodological support, introduce effective means of protection and, as a result, ensure the security of personal data processed in Gazprom's information systems.

As a result of the information security analysis of OAO Gazprom, the following shortcomings in ensuring information security were identified:

the organization does not have a single document regulating a comprehensive security policy;

given the size of the network and the number of users (more than 100), it should be noted that one person is responsible for system administration, information security and technical support;

there is no classification of information assets according to the degree of importance;

information security roles and responsibilities are not included in job descriptions;

the employment contract concluded with the employee does not contain a clause on information security responsibilities of both those who are employed and the organization itself;

training of personnel in the field of information security is not carried out;

in terms of protection against external threats: there are no typical procedures for data recovery after accidents resulting from external and environmental threats;

the server room is not a separate room: the room is shared by two departments (in addition to the system administrator, one more person has access to the server room);

technical probing and physical examination for unauthorized devices connected to the cables are not carried out;

despite the fact that the entrance is carried out by electronic passes and all information is entered into a special database, its analysis is not carried out;

in terms of protection against malware: there is no formal policy for protecting against the risks associated with receiving files from or through external networks or on removable media;

in terms of protection against malware: there are no guidelines for protecting the local network from malicious code;

there is no traffic control, and mail servers on external networks are accessible;

all backups are stored in the server room;

insecure, easy-to-remember passwords are used;

the receipt of passwords by users is not confirmed in any way;

passwords in clear text are stored by the administrator;

passwords do not change;

there is no order for reporting information security events.

Thus, based on these shortcomings, a set of regulations regarding information security policy was developed, including:

policy regarding hiring (dismissal) and vesting (deprivation) of employees with the necessary authority to access system resources;

policy regarding the work of network users during its operation;

password protection policy;

physical protection policy;

Internet policy;

and administrative security measures.

Documents containing these regulations are under consideration by the management of the organization.

3 Development of a set of measures to modernize the existing information security system

As a result of the analysis of the information security system of OAO Gazprom, significant system vulnerabilities were identified. To develop measures to eliminate the identified deficiencies in the security system, we single out the following groups of information that are subject to protection:

information about the private life of employees, allowing to identify their identity (personal data);

information related to professional activities and constituting banking, auditing and communications secrecy;

information related to professional activities and marked as information "for official use";

information, the destruction or modification of which will adversely affect the efficiency of work, and the restoration will require additional costs.

In terms of administrative measures, the following recommendations have been developed:

the information security system must comply with the legislation of the Russian Federation and state standards;

buildings and premises where information processing facilities are installed or stored, or where work with protected information is carried out, must be guarded and protected by alarm systems and access control;

personnel training on information security issues (explaining the importance of password protection and password requirements, briefing on anti-virus software, etc.) should be organized when an employee is hired;

trainings aimed at improving the literacy of employees in the field of information security should be conducted every 6-12 months;

an audit of the system and adjustment of the developed regulations should be carried out annually, on October 1, or immediately after the introduction of major changes in the structure of the enterprise;

the access rights of each user to information resources must be documented (if necessary, access is requested from the manager in a written statement);

implementation of the information security policy should be ensured by the software administrator and the hardware administrator, whose actions are coordinated by the head of the group.

Let's formulate a password policy:

passwords must not be stored in unencrypted form (written down on paper, kept in a plain text file, and so on);

change the password in case of its disclosure or suspicion of disclosure;

length must be at least 8 characters;

the password must contain upper- and lower-case letters, digits and special characters, and must not include easily guessed character sequences (names, pet names, dates);

change once every 6 months (an unscheduled password change must be made immediately after receiving notification of the incident that initiated the change);

when changing the password, you cannot select those that were previously used (passwords must differ by at least 6 positions).
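As an added example (not from the thesis), the following Python checker encodes the password rules listed above: minimum length, required character classes, rejection of easily guessed sequences, and the requirement that a new password differ from every previously used one in at least 6 positions. The word list standing in for "names, pet names" and the date patterns are constructed assumptions; "differ in N positions" is interpreted as a position-by-position comparison with the shorter password padded.

```python
"""Password policy checker: rules of the thesis' password policy, as an added example."""
import re
import string

MIN_LENGTH = 8
MIN_DIFFERING_POSITIONS = 6

# Constructed denylist standing in for a real list of names and pet names.
COMMON_WORDS = {"ivan", "maria", "barsik", "murka", "gazprom", "password", "qwerty"}

# Digit runs that look like dates: DDMMYY / DDMMYYYY, YYYYMMDD, or a bare year 19xx / 20xx.
DATE_PATTERNS = [
    re.compile(r"(0[1-9]|[12]\d|3[01])[.\-/]?(0[1-9]|1[0-2])[.\-/]?(19|20)?\d{2}"),
    re.compile(r"(19|20)\d{2}[.\-/]?(0[1-9]|1[0-2])[.\-/]?(0[1-9]|[12]\d|3[01])"),
    re.compile(r"(19|20)\d{2}"),
]


def differing_positions(a: str, b: str) -> int:
    """Count positions where a and b differ; the shorter string is padded,
    so every extra character of the longer one counts as a difference."""
    n = max(len(a), len(b))
    a, b = a.ljust(n, "\0"), b.ljust(n, "\0")
    return sum(1 for x, y in zip(a, b) if x != y)


def check_password(candidate: str, previous=()) -> list:
    """Return the list of policy violations; an empty list means the password complies."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains the easily guessed word '{word}'")
    if any(p.search(candidate) for p in DATE_PATTERNS):
        problems.append("contains a date-like sequence")
    # Policy: a new password must differ from each earlier one in at least 6 positions.
    for old in previous:
        if differing_positions(candidate, old) < MIN_DIFFERING_POSITIONS:
            problems.append(
                f"differs from a previous password in fewer than {MIN_DIFFERING_POSITIONS} positions")
            break
    return problems


if __name__ == "__main__":
    for pw in ("barsik2012", "Gz!7kQ#m2x"):
        print(pw, "->", check_password(pw) or "OK")
```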

Let's formulate a policy regarding antivirus programs and virus detection:

licensed anti-virus software must be installed on each workstation;

updating anti-virus databases on workstations with Internet access - once a day, without Internet access - at least once a week;

set up an automatic scan of workstations for viruses (frequency of scans - once a week: Friday, 12:00);

only the administrator can stop updating anti-virus databases or scanning for viruses (password protection should be set for the specified user action).

Let's formulate a policy regarding physical protection:

technical probing and physical examination for unauthorized devices connected to the cables must be carried out every 1-2 months;

network cables must be protected from unauthorized interception of data;

records of all suspected and actual equipment failures must be kept in a log;

each workstation must be equipped with an uninterruptible power supply.

Let's define a backup policy:

a separate room located outside the administrative building should be allocated for backups (the room should be equipped with an electronic lock and an alarm);

backups should be made every Friday at 16:00.

The policy regarding the hiring / dismissal of employees should have the following form:

any personnel changes (hiring, promotion, dismissal of an employee, etc.) must be reported to the administrator within 24 hours, who in turn must make the appropriate changes to the access-rights system for enterprise resources within half a working day;

a new employee must be briefed by the administrator, including familiarization with the security policy and all necessary instructions; the new employee's level of access to information is assigned by the manager;

when an employee leaves, their ID and password are removed from the system, the workstation is checked for viruses, and the integrity of the data to which the employee had access is analyzed.

Policy on work with the local area network (LAN) and databases (DB):

when working at their workstation and in the LAN, employees perform only tasks directly related to their official duties;

employees must notify the administrator of any anti-virus alert about the appearance of a virus;

no one other than the administrators may change the design or configuration of workstations and other LAN nodes or install any software; an employee must not leave a workstation unattended or allow unauthorized persons to use it;

administrators are advised to keep two tools running at all times: an ARP-spoofing detection utility and a sniffer, which lets them see the network the way a potential intruder would and identify violators of the security policy;

software that allows only programs approved by the administrator to run should be installed, following the principle that each person is granted only the privileges needed for their specific tasks; all unused computer ports must be disabled in hardware or software;

software must be updated regularly.
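The ARP-spoofing detection utility the LAN policy asks administrators to keep running is, at its core, a stateful check on who claims which IP address. The following is an added example of that check, not code from the thesis; the ARP trace is constructed by hand (in practice the records come from the sniffer or a capture file), and the gateway binding is an assumed static entry.

```python
"""Stateful ARP-spoofing detector of the kind the LAN policy relies on.

Added example, not from the thesis.  SAMPLE_TRACE is constructed by hand;
in practice the records would come from a sniffer or a pcap of ARP traffic.
"""
from collections import namedtuple, defaultdict

# One ARP reply as seen on the wire: sender_mac claims to own sender_ip.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")


class ArpWatch:
    def __init__(self, static_bindings=None):
        # IP -> MAC: statically configured bindings (gateway, servers) plus learned ones.
        self.ip_to_mac = dict(static_bindings or {})
        # MAC -> set of IPs it has claimed; one NIC claiming several hosts is suspicious.
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, reply):
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is None:
            # First sighting of this IP: learn the binding.
            self.ip_to_mac[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            # The stored binding is kept; flapping between two MACs is itself the symptom.
            self.alerts.append({"type": "binding_changed", "ts": reply.ts,
                                "ip": reply.sender_ip, "old": known, "new": reply.sender_mac})
        claimed = self.mac_to_ips[reply.sender_mac]
        if reply.sender_ip not in claimed:
            claimed.add(reply.sender_ip)
            if len(claimed) > 1:
                # Typical of a man-in-the-middle poisoning both the gateway and a victim.
                self.alerts.append({"type": "mac_claims_multiple_ips", "ts": reply.ts,
                                    "mac": reply.sender_mac, "ips": sorted(claimed)})
        return self.alerts


def scan(trace, static_bindings=None):
    """Run the detector over a sequence of ArpReply records and return the alerts."""
    watch = ArpWatch(static_bindings)
    for reply in trace:
        watch.observe(reply)
    return watch.alerts


# Constructed trace: gateway .1 and host .20 are legitimate; cc:...:99 then poisons both.
SAMPLE_TRACE = [
    ArpReply(1.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.20"),
    ArpReply(2.0, "10.0.0.20", "bb:bb:bb:bb:bb:20", "10.0.0.1"),
    ArpReply(3.0, "10.0.0.1",  "cc:cc:cc:cc:cc:99", "10.0.0.20"),  # attacker -> victim
    ArpReply(4.0, "10.0.0.20", "cc:cc:cc:cc:cc:99", "10.0.0.1"),   # attacker -> gateway
    ArpReply(5.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "10.0.0.20"),  # real gateway again
]
# Assumed static binding for the gateway, so its MAC is never "learned" from the wire.
GATEWAY_BINDING = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRACE, GATEWAY_BINDING):
        print(alert)
```

Two caveats a practitioner will hit: a legitimate NIC replacement or a DHCP lease moving to another host also produces a binding_changed alert, so the detector is a trigger for investigation rather than proof of an attack, and critical hosts (gateway, servers) should be pinned as static bindings rather than learned from the first reply seen, since the first reply may already be the attacker's.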

Internet policy:

administrators have the right to restrict access to resources whose content is unrelated to official duties, as well as to resources whose content or orientation is prohibited by international or Russian legislation;

employees are prohibited from downloading and opening files without first checking them for viruses;

all information about the resources visited by company employees is kept in a log and, if necessary, may be provided to department heads and management;

the integrity and authenticity of electronic correspondence and office documents are ensured by electronic digital signatures (EDS); confidentiality additionally requires encryption, since a signature alone does not hide the content.

In addition, we formulate the basic requirements for composing passwords for employees of OAO Gazprom.

A password is like the key to a house, except that it is the key to information. Ordinary keys should not be lost, stolen or handed to a stranger; the same applies to a password. Of course, the security of information does not depend on the password alone: a number of settings must be configured and, possibly, dedicated anti-intrusion software written. But choosing the password is the one step where the strength of this link in the chain of protective measures depends only on the user.

1) the password must be long (at least 8 characters; 12-15 is preferable);

2) it must not be a dictionary word (from any dictionary, including dictionaries of special terms and slang), a proper name, or a Cyrillic word typed in the Latin keyboard layout (for example, "латынь" typed with the Latin layout active gives "kfnsym");

3) it must not be associated with its owner;

4) it is changed periodically or as needed;

5) it is not reused across resources (a different password for each resource: mailbox, operating system, database);

6) it can be remembered.

Dictionary words are undesirable because an attacker running a dictionary attack uses programs that try hundreds of thousands of words per second or more.

Any information related to the owner (date of birth, the dog's name, the mother's maiden name and similar "passwords") is easy to find out and guess.

Using upper- and lower-case letters together with digits makes guessing the password much harder.

The password must be kept secret, and if you suspect it has become known to someone else, change it. Changing passwords from time to time is also good practice.
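The rules above can be checked mechanically at the moment a password is set, except for rules 4 and 6, which concern its later life. The following is an added example of such a checker, not code from the thesis. It assumes a constructed mini-dictionary in place of real word lists, the standard Russian ЙЦУКЕН layout on a US-QWERTY keyboard for the layout-mapping check, and caller-supplied lists of owner-related strings and passwords already used on other resources.

```python
"""Password-policy checker for the six rules above.

Added example, not from the thesis.  DICTIONARY is a constructed stand-in for real
word lists; LAT_TO_CYR assumes the Russian ЙЦУКЕН layout on a US-QWERTY keyboard.
"""
import re

# Key-for-key mapping from QWERTY keycaps to ЙЦУКЕН keycaps (lowercase, three letter
# rows).  Typing the Russian word "латынь" with the Latin layout active produces
# "kfnsym"; mapping back lets us catch that trick.
_QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,."
_JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбю"
LAT_TO_CYR = dict(zip(_QWERTY, _JCUKEN))

# Constructed sample word list standing in for a dictionary, a slang list and a list
# of product/company names; a real check loads full word lists.
DICTIONARY = {"password", "qwerty", "welcome", "admin", "gazprom", "латынь", "секрет", "пароль"}


def latin_to_cyrillic(text: str) -> str:
    """Reinterpret Latin keystrokes as if the Russian layout had been active."""
    return "".join(LAT_TO_CYR.get(ch, ch) for ch in text.lower())


def check_password(pw: str, owner_info=(), used_elsewhere=(), min_len: int = 12) -> list:
    """Return the list of violated rule codes; an empty list means the password passes.

    owner_info: strings tied to the owner (names, dates, pets), supplied by the caller.
    used_elsewhere: passwords already used on other resources (mailbox, OS, DB).
    """
    problems = []
    low = pw.lower()

    # Rule 1: length.  8 is the floor in the policy; 12 is the default here.
    if len(pw) < min_len:
        problems.append("too_short")

    # Rule 2: dictionary word, including the common "word + digits" mangling and a
    # Cyrillic word typed in the Latin layout.
    candidates = {low, re.sub(r"\d+$", "", low)}
    candidates |= {latin_to_cyrillic(c) for c in list(candidates)}
    if candidates & DICTIONARY:
        problems.append("dictionary_word")

    # Rule 3: no association with the owner (substring match on anything 3+ chars).
    for item in owner_info:
        item = item.lower()
        if len(item) >= 3 and item in low:
            problems.append("owner_related")
            break

    # Rule 5: a password may not be reused across resources.
    if pw in set(used_elsewhere):
        problems.append("reused")

    # Mixed case, digits and symbols raise the guessing cost: require 3 of 4 classes.
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-zа-яё]", r"[A-ZА-ЯЁ]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("low_diversity")

    return problems
```

Rule 4 (periodic change) is enforced by the system's password-age setting rather than at creation, and rule 6 (memorability) is for the user to judge; the checker deliberately accepts long passphrases that satisfy the other rules.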

Conclusion

The study made it possible to draw the following conclusions and formulate recommendations.

It has been established that the main cause of the enterprise's information security problems is the absence of an information security policy that would combine organizational, technical and financial measures with subsequent monitoring of their implementation and evaluation of their effectiveness.

Information security policy is defined as a set of documented decisions whose purpose is to protect information and to manage the information risks associated with it.

The analysis of the information security system revealed significant shortcomings, including:

backups are stored in the server room, and the backup server is located in the same room as the primary servers;

there are no proper rules on password protection (password length, rules for choosing and storing passwords);

the network is administered by a single person.

The generalization of international and Russian practice in the field of information security management of enterprises has led to the conclusion that to ensure it, it is necessary:

forecasting and timely identification of security threats and of the causes and conditions that contribute to financial, material and moral damage;

creating conditions for operating with the least risk that threats to information resources will be realized and damage of various kinds inflicted;

creating a mechanism and the conditions for an effective response to information security threats based on legal, organizational and technical means.

In the first chapter of the work, the main theoretical aspects are considered. An overview of several standards in the field of information security is given. Conclusions are drawn for each and in general, and the most appropriate standard for the formation of an information security policy is chosen.

The second chapter considers the structure of the organization, analyzes the main problems associated with information security. As a result, recommendations were formed to ensure the proper level of information security. Measures were also considered to prevent further incidents related to information security violations.

Of course, ensuring an organization's information security is an ongoing process that requires constant monitoring, and even a well-formed policy is not an ironclad guarantee of protection. Beyond implementing the policy, its implementation must be continuously monitored for quality, and the policy must be improved whenever the company changes or an incident occurs. The organization was recommended to hire an employee whose duties are directly tied to these functions (a security administrator).



How to choose a relevant thesis topic in the specialty of information security systems: the relevance of thesis topics on information security systems, expert recommendations, and examples of thesis topics.

Thesis topics in the specialty of information security systems are devoted to solving various research and practical problems aimed at ensuring the information security of the object under study. The relevance of such work stems from the growing number of attacks on information systems of various kinds and on their components.

The object of study may be a computer system, a component of a system, a business process, an enterprise, a room, or the data circulating in it.

The subject of research may be information security methods, threat analysis methods, or an assessment of the effectiveness of an information security system.

The goal of a thesis in the specialty of information security systems may be the construction, or a study of the applicability, of risk models and a protection algorithm.

The tasks of work on thesis topics in the specialty of information security systems can be defined by the following list:

1. Selection and study of statistical data, including hypotheses and their proof regarding random variables.

2. Substantiation of damage types and functions, development of an analytical risk model.

3. Formation of a dynamic risk model based on sensitivity coefficients.

The following main points of a thesis in the specialty of information security systems can be defended:

1. Reliability of the proof of the put forward hypotheses about the areas of effective application of the law for information security tasks.

2. Analytical risk models for system components in which losses have a given distribution.

3. Analytical risk models for systems whose components are subject to joint or non-joint effects of identified attacks.

4. Dynamic Models, system sensitivity functions.

5. Algorithms for system risk management.

The scientific novelty of the study of diplomas on such topics can be formalized in the following list.

1. For the first time, the areas of effective application of the law for information security tasks were studied.

2. Previously unexplored analytical risk models of components in which damages have a given distribution are considered.

3. Analytical risk models of distributed systems exposed to identified information security attacks have been studied.

4. Algorithmization of risk management systems for dedicated distribution and information security attacks was carried out for the first time.

The practical value may be as follows:

1. The proof of the hypotheses put forward makes it possible to reasonably apply the results of the study to solve information security problems.

2. The obtained analytical risk models in the future will make it possible to develop complex models capable of analyzing the entire range of information security attacks.

3. Dynamic models, sensitivity functions of computer systems allow solving information security problems with a variation in the level of risk.

The most relevant topics of final qualifying works (FQW) and research works (R&D), as well as thesis topics in the specialty of information security systems, are listed below.

1. Protection of information in the control channels of an airport automated system
2. Implementation of an intrusion detection system using decoy (false) information systems
3. Design and development of information security systems
4. Protection against DDoS attacks
5. Protecting enterprise information at the e-mail level
6. Information security of a geographically distributed enterprise
7. Comprehensive information protection at an industrial enterprise
8. Information security of a computer system under threats of unauthorized access
9. Development of a risk model for an information security management system under uncertainty
10. Modernization of the protection system of information and telecommunication networks
11. Ensuring information security of mobile workstations
12. Organization of personal data protection under virus attacks
13. Organization of counteraction to an organization's security threats based on Petri nets
14. Main directions, principles and methods of ensuring information security in computer networks
15. Building a typical model of the actions of an attacker implementing remote attacks
16. Problems of bank information security based on discretionary models
17. Development of an algorithm to counter the use of covert communication channels
18. Development of a set of security measures for information safety in the interaction of M2M components
19. Development of an information security system for a sensitive strategic enterprise
20. Development of a system for protecting confidential information in banking systems
21. FQW: Automation and information security of the workplace of a company's client manager
22. Thesis: Organization of information security of the electronic archive of the real estate register at the BTI
23. Bachelor's thesis: Development of an information security policy in a trading and manufacturing company
24. Thesis: Development of a company's information security policy
25. Diploma: Ensuring information security in an investment company
26. Diploma: Audit of information security in a bank's information security system
27. Bachelor's graduation work: Development and provision of information security for the automated workplace of a secretary
28. Thesis: Development of a set of measures for information security and data protection in state institutions
29. Thesis: Implementation of an integrated information security system in a company
30. Thesis: Modernization of the information security system in a company
31. Master's thesis: Modernization of the existing information security system in order to increase its security
32. Diploma: Modernization of the existing system in order to improve information security
33. Diploma: Ensuring information security in the implementation and operation of electronic payment processing systems
34. Master's thesis: Increasing the level of information security of an enterprise through the implementation of an ACS
35. Diploma: Development of an information security policy in a company
36. Diploma: Ensuring information security in a commercial organization

These methodological recommendations are intended for students of all forms of study in specialty 10.02.01 (090905) and set out the requirements for the organization, performance and defense of final qualifying works (FQW). They are based on:

  • the federal state educational standard for basic and advanced training in specialty 10.02.01 (090905) Organization and technology of information security,
  • Federal Law of December 29, 2012 No. 273-FZ "On Education in the Russian Federation",
  • the procedure for conducting the state final certification for educational programs of secondary vocational education, approved by order of the Ministry of Education and Science of the Russian Federation of August 16, 2013 No. 968 (hereinafter the Procedure for conducting the GIA),
  • the regulations of GBPOU "Technological College No. 34" "On the procedure for conducting state final certification for educational programs of secondary vocational education",
  • the quality management system.
  1. GENERAL PROVISIONS

State final certification of graduates of GBPOU of Moscow "Technological College No. 34" in specialty 10.02.01 (090905) Organization and technology of information security includes the preparation and defense of a final qualifying work.

The quality of graduate training is assessed in two main areas:

  • the level of mastery of academic disciplines, interdisciplinary courses (MDK) and professional modules (PM);
  • the level of mastery of competencies.

Area of professional activity of graduates. An information security specialist (10.02.01 (090905)) performs work related to ensuring the comprehensive protection of information on the basis of developed programs and methods. The specialist collects and analyzes materials from institutions, organizations and enterprises of the industry in order to develop and adopt decisions and measures to ensure information protection and the effective use of automatic control tools, and to detect possible channels of leakage of information constituting state, military, official and commercial secrets. The specialist analyzes the existing methods and means used to monitor and protect information and develops proposals for their improvement and for increasing the effectiveness of protection; participates in the examination of protected objects and in their certification and categorization; develops and prepares for approval draft regulatory and methodological materials governing information protection work, as well as regulations, instructions and other organizational and administrative documents; organizes the development and timely submission of proposals for inclusion in the relevant sections of long-term and current work plans and programs of measures to control and protect information; and gives reviews and opinions on projects for newly constructed and reconstructed buildings and structures and on other developments concerning information security.
The specialist also participates in the review of technical specifications for draft, technical and detailed designs, ensures their compliance with current regulatory and methodological documents, takes part in the development of new circuit diagrams for control equipment, control automation tools, and models and systems of information protection, and in assessing the technical and economic level and effectiveness of proposed and implemented organizational and technical solutions; this includes organizing the collection and analysis of materials in order to develop and take measures to ensure data protection and to identify possible channels of leakage of information constituting official, commercial, military and state secrets.

Objects of professional activity of graduates are:

  • participation in the planning and organization of work to ensure the protection of the facility;
  • organization of work with documentation, including confidential;
  • application of software, hardware and technical means of information protection;
  • participation in the implementation of an integrated system for protecting the facility;
  • participation in the collection and processing of materials to develop solutions to ensure the protection of information and the effective use of means for detecting possible channels for the leakage of confidential information;
  • participation in the development of programs and methods for organizing information security at the facility;
  • monitoring compliance by personnel with the requirements of the information protection regime;
  • participation in the preparation of organizational and administrative documents regulating the work on information protection;
  • organization of document circulation, including electronic, taking into account the confidentiality of information.

The final qualifying work of an information security specialist aims to systematize and deepen the graduate's knowledge, to improve their skills in solving complex scientific and technical problems with elements of scientific research, and to demonstrate the degree of the graduate's professional preparedness and its compliance with the educational standard. FQWs for the qualification "information security specialist" are carried out in the form of a thesis or a graduation project. The subject of the FQW for the basic form of study must correspond to the content of one or more professional modules.

The professional cycle of specialty 10.02.01 (090905) Organization and technology of information security includes 4 professional modules:

  1. Participation in the planning and organization of work to ensure the protection of the facility.
  2. Organization and technology of work with confidential documents.
  3. Application of hardware-software and technical means of information protection.
  4. Performance of work in one or more professions of workers, positions of employees.

The final qualifying work must meet a number of mandatory requirements:

  • demonstrate the level of formation of general and professional competencies;
  • be relevant and practice-oriented;
  • correspond to the developed task;
  • include an analysis of sources on the topic with generalizations and conclusions, comparisons and evaluation of different points of view;
  • demonstrate the level of readiness of the graduate for one/several type(s) of professional activity;
  • consistency of presentation, persuasiveness of the presented factual material;
  • argumentation of conclusions and generalizations.

In the final qualifying work, the student must demonstrate the development of general and professional competencies, including the ability to:

OK 1. Understand the essence and social significance of your future profession, be highly motivated to perform professional activities in the field of information security.

OK 2. Organize their own activities, choose standard methods and methods for performing professional tasks, evaluate their effectiveness and quality.

OK 3. Make decisions in standard and non-standard situations and be responsible for them.

OK 4. Search and use the information necessary for the effective implementation of professional tasks, professional and personal development.

OK 5. Use information and communication technologies in professional activities.

OK 6. Work in a team, communicate effectively with colleagues, management and consumers.

OK 7. Take responsibility for the work of team members (subordinates), the result of completing tasks.

OK 8. Independently determine the tasks of professional and personal development, engage in self-education, consciously plan advanced training.

OK 9. Navigate in conditions of frequent change of technologies in professional activity.

OK 10.

OK 11. Apply mathematical apparatus to solve professional problems.

OK 12. Assess the significance of documents used in professional activities.

OK 13. Navigate the structure of the federal executive authorities that ensure information security.

PM 01 Participation in the planning and organization of work to ensure the protection of the facility.

PC 1.1. Participate in the collection and processing of materials to develop solutions to ensure the protection of information and the effective use of means for detecting possible channels of leakage of confidential information.

PC 1.2. Participate in the development of programs and methods for organizing information security at the facility.

PC 1.3. Plan and organize the implementation of measures to protect information.

PC 1.4. Participate in the implementation of the developed organizational solutions at the objects of professional activity.

PC 1.5. Keep records, processing, storage, transfer, use of various media of confidential information.

PC 1.6. Provide safety precautions when carrying out organizational and technical measures.

PC 1.7. Participate in the organization and conduct of inspections of informatization objects to be protected.

PC 1.8. Monitor the compliance of personnel with the requirements of the information security regime.

PC 1.9. Participate in the assessment of the quality of object protection.

PM 02 Organization and technology of work with confidential documents.

PC 2.1. Participate in the preparation of organizational and administrative documents regulating the work on information protection.

PC 2.2. Participate in the organization and ensure the technology of conducting office work, taking into account the confidentiality of information.

PC 2.3. Organize document flow, including electronic, taking into account the confidentiality of information.

PC 2.4. Organize archival storage of confidential documents.

PC 2.5. Prepare documentation on the operational management of information security tools and personnel.

PC 2.6. Keep records of works and objects to be protected.

PC 2.7. Prepare reporting documentation related to the operation of information control and protection tools.

PC 2.8. Document the progress and results of the internal investigation.

PC 2.9. Use regulatory legal acts, regulatory and methodological documents on information protection.

PM 03 Application of software, hardware and technical means of information protection.

PC 3.1. Apply software, hardware and technical means of information protection at protected objects.

PC 3.2. Participate in the operation of systems and means of protecting information of protected objects.

PC 3.3. Carry out routine maintenance and fix failures of protective equipment.

PC 3.4. Identify and analyze possible threats to the information security of objects.

PM 04 Performance of work in one or more professions of workers, positions of employees.

21299 Clerk

OK 1.

OK 2.

OK 3.

OK 4.

OK 5. Use information and communication technologies in professional activities.

OK 6.

OK 7. Perform military duty, including with the application of acquired professional knowledge (for young men).

PC 4.1 Receive and register incoming correspondence and forward it to the structural divisions of the organization.

PC 4.2 Review documents and submit them for execution, taking into account the resolutions of the organization's managers.

PC 4.3 Fill in registration cards and build a data bank.

PC 4.4 Keep a card file recording the passage of documentary materials.

PC 4.5 Monitor the passage of documents.

PC 4.6 Send completed documentation to recipients using modern office equipment.

PC 4.7 Compose and format official documents and materials using the forms prescribed for specific document types.

PC 4.8 Form case files.

PC 4.9 Provide quick retrieval of documents in the organization's reference apparatus (card indexes).

PC 4.10 Ensure the safekeeping of service documentation in circulation.

16199 "Operator of electronic computers and computing machines"

OK 1. Understand the essence and social significance of your future profession and show a steady interest in it.

OK 2. Organize your own activities on the basis of the goal and the ways of achieving it determined by the manager.

OK 3. Analyze the work situation, carry out ongoing and final control, evaluate and correct your own activities, and be responsible for the results of your work.

OK 4. Search for the information needed to perform professional tasks effectively.

OK 5. Use information and communication technologies in professional activities.

OK 6. Work in a team and communicate effectively with colleagues, management and customers.

OK 7. Perform military duty, including with the application of acquired professional knowledge (for young men).

PC 4.1 Prepare for operation and configure hardware, peripherals, the personal computer operating system and multimedia equipment.

PC 4.2 Input digital and analog information into a personal computer from various media.

PC 4.3 Convert files of digital information into various formats.

PC 4.4 Process audio and visual content using sound, graphics and video editors.

PC 4.5 Create and play back videos, presentations, slide shows, media files and other final products from the original audio, visual and multimedia components using a personal computer and multimedia equipment.

PC 4.6 Build media libraries for the structured storage and cataloging of digital information.

PC 4.7 Manage the placement of digital information on the disks of a personal computer and in the disk storage of local and global computer networks.

PC 4.8 Replicate multimedia content onto various removable media.

PC 4.9 Publish multimedia content on the Internet.

  2. PERFORMANCE OF THE FINAL QUALIFYING WORK

The final qualifying work (FQW) is the concluding piece of educational and research work in the course of college education. Preparation of the final qualifying work is the final stage of the student's education and at the same time a test of the ability to solve educational problems independently. The student's independent work on the chosen topic begins during pre-diploma practice. At the same time, theoretical knowledge is deepened and systematized, applied and practical skills are developed, and general and professional erudition increases.

The FQW (thesis) has some similarities with a course paper, for example in working with theoretical sources and in formatting. However, the FQW is a theoretical and/or experimental study of one of the topical problems of information security in the graduate's specialty. The study may include the development of methods, techniques, software and hardware, models, systems, procedures, etc. that serve to achieve the goals of the thesis. The results are presented as the text of an explanatory note with graphs, tables, drawings, maps, diagrams, etc. attached.

The FQW should draw on information about the latest domestic and foreign achievements of science and technology in the field of information security. The period of preparation and defense of the FQW (thesis) is preceded by pre-diploma practice. The dates of pre-diploma practice, as well as of the preparation and defense of the FQW, are set by the schedule of the educational process, approved by order of the college before the start of the current academic year. The FQW must be written by the graduate using materials collected personally during pre-diploma practice and while writing course papers.

The topics of final qualifying works are determined when the GIA Program is developed. When determining the topic of an FQW, it should be taken into account that its content may be based:

  • on the generalization of the results of the course work performed earlier by students;
  • on the use of the results of previously completed practical tasks.

Topics of final qualifying works are assigned to students no later than the first of November of the final year of study. At the same time, students are distributed among supervisors. The supervisor helps the student to develop the directions of research, to define the range of theoretical questions to study, and to develop the practical part of the study. No more than 8 students may be assigned to one supervisor.

  1. STRUCTURE OF THE FINAL QUALIFICATION WORK

The structure of the theoretical part of the qualifying thesis: introduction, theoretical section, practical section, conclusion, list of references, applications.

The volume of the graduation project is 40-50 pages of printed text and includes:

  1. Title page (Appendix 1).
  2. Content. The content of the WRC is created automatically in the form of links for the convenience of working witha large amount of textual material. The use of the electronic table of contents also demonstrates the mastery of the general competence of GC 5 (Use information and communication technologies in professional activities).
  3. Introduction. It is necessary to substantiate the relevance and practical significance of the chosen topic, formulate the goal and objectives, the object and subject of the WRC, and the range of problems under consideration.

4. The main part of the WRCincludes sections according to logical structure presentation. The title of the section should not duplicate the title of the topic, and the title of the paragraphs should not duplicate the title of the sections.

The main part of the WRC should contain two sections.

  • Section I is devoted to the theoretical aspects of the studied object and subject. It contains an overview of the sources of information used, the regulatory framework on the subject of the WRC, and can also find a place for statistical data in the form of tables and graphs.

Section II is devoted to the analysis of practical material obtained during the production (undergraduate) practice. This section contains:

analysis of specific material on a chosen topic;

  • description of the identified problems and trends in the development of the object and subject of study;
  • description of ways to solve the identified problems using calculations, analysis of experimental data, product of creative activity.

Analytical tables, calculations, formulas, diagrams, charts and graphs can be used during the analysis.

  5. Conclusion. Should contain conclusions and recommendations on the possibility of using or practically applying the results of the study. Should be no more than 5 pages of text.

  6. References, drawn up in accordance with GOST.

  7. Appendices are placed at the end of the work and are drawn up in accordance with

Introduction, each chapter, conclusion, as well as the list of sources used begin on a new page.

Handout. The presentation is accompanied by a demonstration of materials from the appendices.

To do this, an electronic presentation must be prepared. A presentation on paper is also possible: handouts for the commission in separate folders, or posters put up before the presentations.

During the student's presentation, the commission examines the thesis, the handouts provided by the student, and the slide presentation.

Electronic version of the work: attached to the paper copy of the WRC. The disc must be placed in an envelope and signed.

2.2. STAGES OF PREPARATION OF THE FINAL QUALIFICATION WORK

Stage I: Involvement in activities - involves:

  • choice of research topic;
  • selection, study, analysis and generalization of materials on the topic;
  • working plan development.

Stage II: Determining the level of work - involves a theoretical study of the literature and the formulation of the problem.

Stage III: Building the research logic. The data of this stage are reflected in the introduction.

The introduction can be compared with an annotation to a book: it discusses the theoretical foundations of the diploma, its structure, stages and methods of work. Therefore, the introduction should be written as competently and concisely as possible (2-3 pages). The introduction should prepare the reader for the perception of the main text of the work. It consists of mandatory elements that must be correctly formulated.

  1. Relevance of the research: an explanation of why your topic is important and who needs it (answers the question: why should this be studied?). In this paragraph it is necessary to reveal the essence of the problem under study. It is logical to begin this part of the introduction with a definition of the economic phenomenon at which the research activity is directed. Here you may also list the sources of information used for the study (the information base of the research may instead be placed in the first chapter). You also need to understand that there are objective difficulties which writing the diploma is meant to resolve. These difficulties, that is, the shortcomings that exist in reality, constitute the diploma problem.
  2. Research problem (answers the question: what should be studied?). The research problem states a complication, an unsolved question, or factors that interfere with its solution. It is defined in 1-2 sentences. (Example of a research problem: "... the contradiction between the organization's need for reliable information protection and the actual organization of work to ensure information protection in the organization").

  3. Purpose of the study: what you should obtain in the end, that is, the final result of the diploma. (The goal answers the question: what result will be obtained?) The goal should be to solve the problem under study through its analysis and practical implementation. The goal is always directed at the object. For example:

  • Develop a project (recommendations)...
  • Identify the conditions, the relationship ...
  • Determine the dependence of something on something ...

  4. Object of study (what will be investigated?). Involves working with concepts. This paragraph defines the economic phenomenon at which the research activity is directed. An object can be a person, an environment, a process, a structure, or the economic activity of an enterprise (organization).

  5. Subject of study (how, and through what, will the search proceed?). Here it is necessary to define the specific properties of the object planned for research, or the ways of studying the economic phenomenon. The subject of the study is aimed at practice and is reflected through the results of the practice.

  6. Research objectives: the steps to achieving the goal (they show how the result will be reached), the ways of achieving the goal. They are consistent with the hypothesis and are determined by the purpose of the work. The objectives should be formulated as carefully as possible, since the description of their solution forms the content of the subsections and paragraphs of the work. As a rule, 3-4 objectives are formulated.

Each objective must begin with a verb in the infinitive. Objectives are described as a sequence of actions, for example:

  • analyze...;
  • explore...;
  • research...;
  • reveal...;
  • define...;
  • develop...

As a rule, 5-7 tasks are distinguished in the WRC (thesis).

Each task should be reflected in one of the subsections of the theoretical or practical part. Tasks should be reflected in the table of contents. If the task is stated in the introduction, but it is not visible in the table of contents and in the text of the diploma, this is a serious mistake.

List of required tasks:

  1. “On the basis of a theoretical analysis of the literature to develop ...” (key concepts, basic concepts).
  2. “Determine ...” (highlight the main conditions, factors, causes that affect the object of study).
  3. “Reveal ...” (highlight the main conditions, factors, causes that affect the subject of research).
  4. "Develop ..." (means, conditions, forms, programs).
  5. "To test (what was developed) and make recommendations ..."

  7. Theoretical and practical significance of the study: "The results of the study will make it possible to implement ...; will contribute to the development of ...; will improve ..." Formulated directions for implementing the findings and proposals give the work greater practical significance. Not mandatory.

  8. Research methods: a short list is given. Research methodology means the methods used by the student in the process of writing the diploma. Research methods include theoretical methods (analysis, synthesis, comparison) and empirical methods (observation, survey, experiment).

  9. Research base: the name of the enterprise or organization on the basis of which the study was carried out. Most often, the research base is the place of the student's pre-diploma practice.

The final phrase of the introduction is a description of the structure and number of pages in the WRC: "The structure of the work corresponds to the logic of the study and includes an introduction, a theoretical part, a practical part, a conclusion, a list of references, applications." Here it is permissible to give a more detailed structure of the WRC and briefly outline the content of the sections.

Thus, the introduction should prepare the reader for the perception of the main text of the work.

Stage IV: work on the main part of the WRC.

The main part of the WRC should contain sections, subsections and paragraphs that set out the theoretical and practical aspects of the topic based on an analysis of the published literature, consider debatable issues, formulate the position, point of view of the author; the observations and experiments carried out by the student, the research methodology, calculations, analysis of experimental data, and the results obtained are described. When dividing the text into subsections and paragraphs, it is necessary that each paragraph contains complete information.

The theoretical part involves the analysis of the object of study and should contain the key concepts, the history of the issue, and the level of development of the problem in theory and practice. To write the theoretical part competently, it is necessary to work through a sufficiently large number of scientific, methodological and other sources on the topic of the diploma. As a rule, no fewer than 10.

Section 1 should be devoted to the description of the object of research and Section 2 to the description of the subject of research; together they constitute the main part of the WRC and should be logically interconnected.

The main part of the WRC should contain tables, diagrams, graphs with relevant links and comments. Sections should have headings that reflect their content. The headings of sections should not repeat the title of the work. Let us consider in more detail the content of each of the sections of the WRC.

Section 1 is theoretical and educational in nature and is devoted to the description of the main theoretical provisions, methods, approaches, and hardware and software used to solve the task at hand or tasks similar to it. This section includes only what is necessary as the initial theoretical basis for understanding the essence of the research and development described in the following sections. Theoretical issues are outlined: methods, techniques and algorithms for solving the problem; information flows are analyzed, etc. The last of the main sections usually contains a description of the results of experimentation with the proposed (developed) methods, techniques, hardware, software and systems, and a comparative analysis of the results obtained. Special attention should be paid to the discussion of the results obtained in the WRC and their illustration. When presenting the content of publications by other authors, references to them must be given, with the page numbers of these information sources indicated.

In the first section it is recommended to analyze the current state of the problem and identify trends in the development of the process under study. For this, current regulatory documents, official statistics, analytical reviews and journal articles are used. The analysis of regulations should result in conclusions about their impact on the problem under study and recommendations for their improvement. When presenting statistical material in the text of the work, a reference to the data source is mandatory.

In the first section, it is advisable to pay attention to the history (stages) of the development of the process under study and the analysis of the foreign experience of its organization. The result of the analysis of foreign practice should be a comparison of the process under study with domestic practice and recommendations on the possibilities of its application in Russia.

In this section, a comparative analysis of existing approaches and methods for solving the problem should also be carried out. It is necessary to justify the choice of a method for solving the problem under study and to state it in detail. You can also offer your own method.

When working through theoretical sources, it is necessary to highlight and mark the text that is significant for the given section of the diploma. These fragments of text can be placed in the thesis as quotations, as illustrations for your analysis or comparison. In the theoretical part of the WRC it is not permitted to reproduce entire sections and chapters from textbooks, books or articles.

Any work should contain theoretical, methodological and practical aspects of the problem under study.

Section 2 must be purely practical. It is necessary to quantitatively describe a specific object of study, present the results of practical calculations and directions for their use, and also formulate directions for improving the organization and technology of information protection. To write the second section, as a rule, materials collected by the student during the industrial practice are used. This section of the WRC contains a description of the practical results of the study. It can describe the experiment and the methods used to conduct it, the results obtained, the possibility of using the results of the study in practice.

Approximate structure of the practical part of the WRC

In the title of the practical part, as a rule, the research problem is formulated using the example of a particular organization.

  1. Purpose of the study: given in the first sentence.

  2. Technical and economic characteristics of the enterprise on the basis of which the study is carried out (status of the enterprise, morphological features of the organization, organizational and managerial structure, features of the technological process, etc.).

  3. Research methods.

  4. Research progress. After the name of each method, the purpose of its use and a description are given. Then the application of the research method in the particular organization is disclosed. All materials on the application of the research methods (questionnaire forms, internal documents on ensuring the data protection of the organization/enterprise) are placed in the Appendices. An analysis of the results obtained is carried out and a conclusion is drawn. To obtain more accurate results, use not one but several research methods.

  5. General conclusions. At the end of the study, the general results (conclusions) on the whole topic are summed up. The methodology used should confirm or refute the research hypothesis. If the hypothesis is refuted, recommendations are given on possible improvements to the organization's activities and to the organization's/enterprise's data protection technology in the light of the problem under study.

  6. In the conclusion, a short list of the results obtained in the work should be presented. The main purpose of the conclusion is to summarize the content of the work and the results of the study. In the conclusion, the findings are presented and their correlation with the purpose of the work and the specific objectives set in the introduction is analyzed; it forms the basis of the student's defense report and should not exceed 5 pages of text.

3. GENERAL RULES FOR REGISTRATION OF THE FINAL QUALIFICATION WORK

3.1 DESIGN OF TEXT MATERIAL

The text of the work must be produced on a computer on A4 paper, on one side of the sheet. Font: Times New Roman, size 14, regular style, one and a half line spacing, justified alignment. Pages should have margins (recommended, in cm): bottom 2; top 2; left 2; right 1. The volume of the WRC should be 40-50 pages. The following proportions of the main elements within the total volume of the final qualification work are recommended: introduction up to 10%; sections of the main part 80%; conclusion up to 10%.

The entire text of the WRC should be broken down into its component parts. The breakdown of the text is done by dividing it into sections and subsections. In the content of the WRC there should not be a coincidence of the wording of the title of one of the constituent parts with the title of the work itself, as well as the coincidence of the titles of sections and subsections. The titles of sections and subsections should reflect their main content and reveal the theme of the WRC.

Sections and subsections should have headings. Paragraphs usually do not have headings. Headings of sections, subsections and paragraphs should be printed with a paragraph indent of 1.25 cm, starting with a capital letter, without a full stop at the end, without underlining, in Times New Roman size 14. If a heading consists of two sentences, they are separated by a full stop. Headings should clearly and concisely reflect the content of the sections and subsections.

When dividing the WRC into sections according to GOST 2.105-95, the designation is made by serial numbers - Arabic numerals without a dot. If necessary, subsections can be divided into paragraphs. The paragraph number must consist of section, subsection and paragraph numbers separated by dots. Do not put a dot at the end of the section (subsection), paragraph (subparagraph) number. Each section must begin on a new sheet (page).

If a section or subsection consists of one paragraph, then it should not be numbered. Paragraphs, if necessary, can be divided into subparagraphs, which must have serial numbering within each paragraph, for example:

1 Types and main dimensions

Enumerations may be given within clauses or subclauses. Each listing must be preceded by a hyphen or a lowercase letter followed by a parenthesis. For further detailing of enumerations, it is necessary to use Arabic numerals, after which a bracket is placed.

Example:

a) _____________

b) _____________

1) ________

2) ________

c) _____________

The pagination of the main text and appendices should be continuous. The page number is placed in the center of the bottom of the sheet without a dot. The title page is included in the general pagination of the WRC. The page number on the title page and content is not affixed.

The thesis work should use scientific and special terms, designations and definitions established by the relevant standards, and in their absence - generally accepted in the special and scientific literature. If specific terminology is adopted, then a list of accepted terms with appropriate explanations should be given before the list of references. The list is included in the content of the work.

3.2 DESIGN OF ILLUSTRATIONS

All illustrations placed in the final qualifying work must be carefully selected, clearly and precisely executed. Figures and diagrams should be directly related to the text, without unnecessary images and data that are not explained anywhere. The number of illustrations in the WRC should be sufficient to explain the text presented.

Illustrations should be placed directly after the text in which they are mentioned for the first time, or on the next page.

Illustrations placed in the text should be numbered with Arabic numerals, For example:

Figure 1, Figure 2

It is allowed to number illustrations within a section (chapter). In this case, the number of the illustration must consist of the number of the section (chapter) and the serial number of the illustration, separated by a dot.

Illustrations, if necessary, may have a name and explanatory data (figure text).

The word "Figure" and the name are placed after the explanatory data, in the middle of the line, for example:

Figure 1 - Document route

3.3 GENERAL RULES FOR PRESENTING FORMULAS

In formulas and equations, the symbols, images and signs must comply with those adopted in the current state standards. In the text, before the designation of a parameter, its explanation is given, for example: ultimate tensile strength.

If necessary, use symbols, images or signs not established by the current standards, they should be explained in the text or in the list of symbols.

Formulas and equations are separated from the text into a separate line. There must be at least one free line above and below each formula or equation.

An explanation of the meanings of symbols and numerical coefficients should be given directly below the formula in the same sequence in which they are given in the formula.

Formulas should be numbered sequentially throughout the work with Arabic numerals in parentheses, placed flush right on the same line as the formula.

For example:

If the organization is upgrading an existing system, then when calculating the efficiency, the current costs of its operation are taken into account:

E_p = (P_1 - P_2) + ΔP_p,    (3.2)

where P_1 and P_2 are, respectively, the operating costs before and after the implementation of the program being developed;

ΔP_p is the savings from the increased productivity of additional users.

It is allowed to number formulas and equations within each section with double numbers separated by a dot, indicating the section number and the ordinal number of the formula or equation, for example: (2.3), (3.12) etc.

A formula may be carried over to the next line at an equals sign, a multiplication, addition or subtraction sign, or a relation sign (such as >), and the sign is repeated at the beginning of the next line. Mathematical equations are presented in the same way as formulas.

Numerical values ​​of quantities with the designation of units of physical quantities and counting units should be written in numbers, and numbers without designation of units of physical quantities and counting units from one to nine - in words, for example:test five pipes, each 5 m long.

When giving the largest or smallest permissible values of quantities, the phrase "should be no more than (no less than)" should be used.

3.4 DESIGN OF TABLES

Tables are used for better clarity and ease of comparison of indicators. The title of the table, if any, should reflect its content, be precise, and concise. The name of the table should be placed above the table on the left, without paragraph indentation, in one line with its number separated by a dash.

When transferring a part of a table, the title is placed only above the first part of the table; the bottom horizontal line that bounds the table is not drawn.

The table should be placed immediately after the text in which it is mentioned for the first time, or on the next page.

A table with a large number of rows may be carried over to another sheet (page). When part of a table is carried over to another sheet, the word "Table" and its number are given once, on the right above the first part of the table; above the other parts the word "Continuation" is written together with the table number, for example: "Continuation of Table 1". When a table is carried over to another sheet, the heading is placed only above its first part.

If numerical or other data in any line of the table is not given, then a dash is put in it.

Table layout example:

Tables within the whole explanatory note are numbered continuously with Arabic numerals, preceded by the word "Table". Tables may instead be numbered within a section; in that case the table number consists of the section number and the ordinal number of the table, separated by a dot: "Table 1.2".

The tables of each application are designated by separate numbering in Arabic numerals with the addition of the application designation before the number.

The headings of the columns and rows of the table should be written with a capital letter in the singular, and the subheadings of the columns should be written with a lowercase letter if they form one sentence with the heading, or with a capital letter if they have an independent meaning. Do not put dots at the end of headings and subheadings of tables.

It is allowed to use a smaller font size in the table than in the text.

Column headings are written parallel or perpendicular to the rows of the table. It is not allowed to draw diagonal lines in table cells with the headings of vertical columns placed on either side of the diagonal.

3.5 LIST OF REFERENCES

The list of references is compiled taking into account the rules for the design of the bibliography(Appendix 5). The list of used literature should contain at least 20 sources (at least 10 books and 10-15 periodicals) with which the author of the thesis worked. The literature in the list is arranged by sections in the following sequence:

  • Federal laws (in order from the last year of adoption to the previous ones);
  • decrees of the President of the Russian Federation (in the same sequence);
  • Decrees of the Government of the Russian Federation (in the same order)
  • other regulatory legal acts;
  • other official materials (resolutions-recommendations of international organizations and conferences, official reports, official reports, etc.)
  • monographs, textbooks, study guides(In alphabet order);
  • foreign literature;
  • Internet resources.

Sources in each section are placed in alphabetical order. Continuous numbering is used for the entire list of references.

When referring to literature in the text of the explanatory note, one writes not the title of the book (article) but the serial number assigned to it in the list of references, in square brackets. References to the literature are numbered in the order of their appearance in the text of the WRC. Either continuous numbering or numbering by section (chapter) is used.

The procedure for selecting literature on the topic of the WRC and drawing up a list of used literature

The list of used literature includes the sources studied by the student in the process of preparing the thesis, including those to which the text refers.

The writing of the WRC is preceded by a deep study of literary sources on the topic of the work. To do this, you must first contact the college library. Here, the reference and search apparatus of the library comes to the aid of the student, the main part of which is catalogs and file cabinets.

The catalog is a list of documentary sources of information (books) available in the library's collections.

If the student knows exactly the titles of the required books, or at least the names of their authors, it is necessary to use the alphabetical catalog.

If it is necessary to find out what books on a particular issue (topic) are available in a given library, the student should also refer to the systematic catalog.

The systematic catalog discloses the library's collection by subject. For ease of use, the systematic catalog has an alphabetical subject index. In the catalogs listed, the student will find only the titles of books, whereas writing the WRC also requires material published in magazines, newspapers and various collections. For this purpose, libraries maintain bibliographic card indexes containing descriptions of magazine and newspaper articles and of materials from collections.

When writing a WRC, a student makes wide use of reference literature to verify and clarify various facts, concepts and terms. Reference literature includes encyclopedias, dictionaries, reference books and statistical collections.

Making bibliographic references

When writing a WRC, a student often has to refer to the citation of the works of various authors, the use of statistical material. In this case, it is necessary to draw up a link to a particular source.

In addition to observing the basic rules of quoting (you can’t extract phrases from the text, distort it with arbitrary abbreviations, quotes must be in quotation marks, etc.), you should also pay attention to the exact indication of the sources of citations.

  1. Footnote references (footnotes) are placed at the bottom of the page on which the cited material is located. To do this, a number indicating the ordinal number of the quotation on that page is placed at the end of the quotation. At the bottom of the page, under the line separating the footnote from the text, this number is repeated, followed by the title of the book from which the quotation is taken, with the number of the cited page indicated without fail. For example:

1 Shipunov M.Z. Fundamentals of management activity. - M.: INFRA-M, 2012, p. 39.

  2. In-text references are used when the information about the source being analyzed is an organic part of the main text. They are convenient because they do not distract attention from the text. The description in such a reference begins with the author's initials and surname, the title of the book or article is given in quotation marks, and the publication details are given in brackets.
  3. Out-of-text references are indications of the sources of quotations by reference to the numbered list of references placed at the end of the thesis. A reference to a literary source is made at the end of the phrase by giving the serial number of the document used in square brackets, with the page indicated.

For example: "Currently, the main document regulating the privatization of state and municipal property on the territory of the Russian Federation is the Law "On the Privatization of State and Municipal Property" of December 21, 2001 No. 178-FZ (as amended on December 31, 2005, as amended on 01/05/2006)."

At the end of the work (on a separate page), an alphabetical list of the literature actually used should be given.

3.6 DESIGN OF APPENDICES

Appendices are included if necessary. Appendices to the work may consist of additional reference material of auxiliary value, for example: copies of documents, excerpts from reporting materials, statistical data, diagrams, tables, charts, programs, regulations, etc.

Appendices also include materials that specify the practical or theoretical parts of the diploma. For example, an appendix may include: texts of questionnaires, surveys and other instruments used in the research process, examples of respondents' answers, photographic materials, and charts and tables that are not directly related to the theoretical conclusions of the diploma.

Every appendix must be referred to in the main text.

For example: Derived units of the SI system (Appendices 1, 2, 5).

Appendices are arranged in the order in which they are referred to in the text. Each appendix must begin on a new sheet (page) with the word "Appendix" in the upper right corner of the page and its designation in Arabic numerals, excluding the number 0.

4. DEFENSE OF THE FINAL QUALIFICATION WORK

4.1 WRC READINESS MONITORING

Each student is assigned a reviewer of the final qualification work from among external specialists who are well versed in issues related to this topic.

According to the approved topics, the scientific supervisors of the final qualifying works develop individual assignments for students, which are considered by the PCC "Information Technologies" and signed by the supervisor and the chairman of the PCC.

Assignments for final qualifying works are approved by the Deputy Director for Academic Affairs and issued to students no later than two weeks before the start of pre-diploma practice.

According to the approved topics, the scientific supervisors draw up individual consultation schedules, by which the progress of the final qualifying works is monitored.

The degree of readiness of the WRC is monitored according to the following schedule:

Table 3

No. | Readiness | Term | Note
--- | --- | --- | ---
 | Level of readiness of the WRC, in %. It is indicated which component of the WRC (which of its structural elements) should be ready by this point. | Control period | The form of control is indicated.

Upon completion of the preparation of the WRC, the head checks the quality of the work, signs it and, together with the assignment and his written review, transfers it to the deputy head for the area of ​​activity.

In order to determine the degree of readiness of the final qualifying work and identify any remaining shortcomings, the teachers of special disciplines conduct a preliminary defense in the last week of preparation for the state final attestation. The results of the preliminary defense are recorded.

4.2 REQUIREMENTS FOR THE DEFENSE OF THE WRC

The defense of the final qualifying work is carried out at an open meeting of the State Attestation Commission in the specialty, which is created on the basis of the Regulation on the final state attestation of graduates of educational institutions of secondary vocational education in the Russian Federation (Resolution of the State Committee for Higher Education of Russia dated December 27, 1995 No. 10).

The following requirements are imposed on the defense of the WRC:

  • deep theoretical study of the problems under study based on the analysis of the literature;
  • skillful systematization of digital data in the form of tables and graphs with the necessary analysis, generalization and identification of development trends;
  • a critical approach to the studied factual materials in order to find areas for improving activities;
  • argumentation of conclusions, validity of proposals and recommendations;
  • logically consistent and independent presentation of the material;
  • design of the material in accordance with the established requirements;
  • the obligatory presence of a supervisor's review of the thesis and reviews of a practical worker representing a third-party organization.

When preparing the report outline, it is necessary to take into account the approximate time of the report at the defense, which is 8-10 minutes. The report should be structured not by presenting the content of the work chapter by chapter, but by objectives, revealing the logic by which the substantive results were obtained. The report should refer to the illustrative material that will be used during the defense of the work. The volume of the report should be 7-8 pages of text in Word format, font size 14, one and a half spacing.

Table 4

| Report structure | Volume | Time |
| --- | --- | --- |
| Presentation of the topic of the work. Relevance of the topic. Goal of the work. | Up to 1.5 pages | Up to 2 minutes |
| Statement of the problem, the results of its solution and the conclusions drawn (for each of the tasks set to achieve the goal of the thesis). | Up to 6 pages | Up to 7 minutes |
| Prospects and directions for further research on this topic. | Up to 0.5 pages | Up to 1 minute |

To speak at the defense, students must independently prepare the abstracts of the report and the illustrative material and agree them with the supervisor.

Illustrations should reflect the main results achieved in the work and be consistent with the abstracts of the report.

Forms of presentation of illustrative material:

1. Printed material for each member of the SEC (at the discretion of the supervisor of the WRC). Printed material for SEC members may include:

  • empirical data;
  • excerpts from normative documents on the basis of which the research was carried out;
  • excerpts from the wishes of employers, formulated in contracts;
  • other data not included in the slide presentation but confirming the correctness of the calculations.

2. Slide presentation (for demonstration with a projector).

Accompanying the presentation of the results of the work with presentation materials is a prerequisite for the defense of the WRC.

The supervisor writes a review for the final qualifying work done by the student.

The defense of final qualification works is held at an open meeting of the State Attestation Commission in a specially designated auditorium equipped with the necessary equipment for demonstrating presentations. Up to 20 minutes are allotted for the defense of a qualification work. The defense procedure includes a report by the student (no more than 10 minutes), the reading of the supervisor's review and the reviewer's review, questions from members of the commission and the student's answers. The supervisor of the final qualification work, as well as the reviewer, may also be heard if they are present at the meeting of the SEC.

Decisions of the SEC are taken at closed meetings by a simple majority of votes of the members of the commission participating in the meeting. In case of an equal number of votes, the chairman's vote is decisive. The results are announced to students on the day of the defense of the WRC.

4.3 WRC EVALUATION CRITERIA

The defense of the final qualifying work ends with grading.

The grade "Excellent" for the WRC is awarded if the thesis is of a research nature, has a well-written theoretical chapter, a deep theoretical analysis, a critical review of practice, and a logical, consistent presentation of the material with relevant conclusions and reasonable proposals, and has positive reviews from the supervisor and the reviewer.

When defending a WRC for "Excellent", the graduating student shows deep knowledge of the issues of the topic, freely operates with the research data, makes reasonable suggestions, uses visual aids during the report (PowerPoint presentation, tables, charts, graphs, etc.) or handout material, and easily answers the questions posed.

The grade "Good" for the WRC is awarded if the thesis is of a research nature, has a well-written theoretical chapter, presents a fairly detailed and critical analysis of practical activities, and gives a consistent presentation of the material with relevant conclusions, but the student's proposals are not sufficiently substantiated. The WRC has positive reviews from the supervisor and the reviewer. When defending it, the graduating student shows knowledge of the topic, operates with the research data, makes suggestions on the research topic, uses visual aids during the report (PowerPoint presentation, tables, charts, graphs, etc.) or handouts, and answers the questions asked without much difficulty.

The grade "Satisfactory" for the WRC is awarded if the thesis is of a research nature, has a theoretical chapter and is based on practical material, but its analysis is superficial and insufficiently critical, the presentation of the material is inconsistent, and the proposals are unsubstantiated. The reviews contain comments on the content of the work and the methodology of the analysis. When defending such a WRC, the graduating student shows uncertainty and poor knowledge of the issues of the topic, and does not always give exhaustive, reasoned answers to the questions asked.

The grade "Unsatisfactory" for the WRC is awarded if the thesis is not of a research nature, contains no analysis, and does not meet the requirements set forth in these guidelines. The work has no conclusions, or they are declarative in nature. The reviews of the supervisor and the reviewer contain critical remarks. When defending the WRC, the graduating student finds it difficult to answer the questions posed on the topic, does not know the theory of the question, and makes significant mistakes when answering. No visual aids or handouts were prepared for the defense.

Thus, when determining the final grade for the WRC, the members of the SEC take into account:

  • the quality of the graduate's report;
  • the illustrative material presented;
  • the graduate's responsiveness and articulacy when answering questions;
  • the evaluation of the WRC by the reviewer;
  • the review by the supervisor of the WRC.

ANNEX 1

(Example of title page design)

DEPARTMENT OF EDUCATION OF THE CITY OF MOSCOW

STATE BUDGET PROFESSIONAL EDUCATIONAL INSTITUTION

"TECHNOLOGICAL COLLEGE №34"

GRADUATE WORK

Subject:

Group student / /

Speciality

Supervisor / /

Admitted to defense:

Deputy Director for UPR/ _ /

Grade Date

Chairman of the State

attestation commission/ /

Moscow 2016

APPENDIX 2

Agreed

Chairman of the PCC "Information Technologies"

Dziuba T.S.

Assignment

for the graduation work

student(s)__________________________________________________________________

(name in full)

Topic of the thesis _______________________________________________________________

_______________________________________________________________________________

Deadline for submission of the thesis for defense (date)______________________________

  1. Introduction:
     relevance of the chosen topic;
     purpose and tasks of writing the thesis;
     the name of the enterprise or organization and the sources used for writing the work.
  2. Section I (theoretical part)
  3. Section II (practical part)

(deadline for submission for verification) __________________________________________

Conclusion ______________________________________________________________

Head ___________________ __________ "___" _______ 20__

Full name Signature

Student ____________________ __________ "____" ________ 20___

Full name Signature

APPENDIX 3

(review form for the supervisor of the thesis)

GBPOU "Technological College No. 34"

Review

For the student's thesis (full name)

1. Relevance of the topic.

2. Scientific novelty and practical significance.

3. Characteristics of the student's business qualities.

4. Positive aspects of work.

5. Disadvantages, comments.

Supervisor _______________________________________

"_____" __________ 2016

APPENDIX 4

(review form)

Review

For the thesis of the student (full name) ____________________________

Performed on the topic _________________________________________________

  1. Relevance, novelty
  2. Evaluation of the content of the work
  3. Distinctive, positive aspects of the work
  4. The practical significance of the work
  5. Drawbacks, remarks
  6. Recommended assessment of the work performed ____________________________

_________________________________________________________________________

Reviewer (full name, academic title, position, place of work)

APPENDIX 5

(An example of a list of used literature)

List of used literature

Regulatory materials

  1. "Constitution of the Russian Federation" (adopted by popular vote on 12/12/1993)
  2. Federal Law "On Information, Information Technologies and Information Protection" dated July 27, 2006 N 149-FZ (as amended on December 28, 2013)

Scientific, technical and educational publications

  1. Automated workplaces and computer systems in the activities of internal affairs. M., 2010.
  2. Andreev B. V., Bushuev G. I. Modeling in solving criminal law and criminological problems. M., 2012.
  3. Paperwork in educational institutions (using information technology): textbook for universities, recommended by the Ministry of Education of the Republic of Belarus / E.M. Kravchenya, T.A. Tsesarskaya. - Minsk: TetraSystems, 2013.
  4. Information security and information protection: textbook / Stepanov E.A., Korneev I.K. - M.: INFRA-M, 2011.
  5. Information systems in economics: textbook for universities studying in the specialty of economics and management (060000), recommended by the Ministry of Education of the Russian Federation / G.A. Titorenko, B.E. Odintsov, V.V. Braga and others; ed. G.A. Titorenko. - 2nd ed., revised and enlarged. - M.: UNITI, 2011. - 463 p.
  6. Information systems and their security: textbook / Vasilkov A.V., Vasilkov A.A., Vasilkov I.A. - M.: FORUM, 2010.
  7. Information technology management: textbook for universities, recommended by the Ministry of Education of the Russian Federation / G.A. Titorenko, I.A. Konoplev, G.L. Makarova and others; ed. G.A. Titorenko. - 2nd ed., enlarged. - M.: UNITI, 2009.
  8. Corporate document flow. Principles, technologies, implementation methodologies / Michael J. D. Sutton. - St. Petersburg: Azbuka, 2012.
  9. Ostreikovsky V.A. Informatics: textbook for universities. - M.: Vysshaya Shkola, 2008.
  10. Electronic documents in corporate networks / Klimenko S.V., Krokhin I.V., Kushch V.M., Lagutin Yu.L. - M.: Radio and Communications, ITC Eco-Trends, 2011.

Internet resources

http://www.security.ru/ - Means of cryptographic information protection: website of the Moscow branch of PNIEI;

www.fstec.ru - official website of the FSTEC of Russia

APPENDIX 6

Approximate structure of the report on the defense of the thesis

Requirements for the report on the defense of the thesis

  1. The urgency of the problem.
  2. Purpose, object, subject of research.
  3. Research objectives (3 main).
  4. Research algorithm (sequence of research).
  5. Brief economic characteristics of the enterprise (organizations, institutions, etc.).
  6. Brief results of the analysis of the problem under study.
  7. Weaknesses identified during the analysis.
  8. Directions (ways) for solving the identified shortcomings of the problem under study.
  9. Economic evaluation, efficiency, practical significance of the proposed measures.

APPENDIX 6

(Form of the calendar plan for writing a thesis)

I approve

Thesis Supervisor

"_____" ______20 __

PLAN-SCHEDULE

for writing a thesis on the topic __________________________________________

| No. | Stage | Responsible |
| --- | --- | --- |
| 1. | Compilation of the content of the thesis and its coordination with the supervisor. | supervisor |
| 2. | Introduction with justification of the relevance of the chosen topic, goals and objectives of the work. | supervisor |
| 3. | Completion of the theoretical section and submission for verification. | consultant |
| 4. | Completion of the practical section and submission for verification. | consultant |
| 5. | Agreeing the conclusions and proposals with the supervisor. | supervisor |
| 6. | Formatting of the thesis. | supervisor |
| 7. | Obtaining the supervisor's review. | supervisor |
| 8. | Obtaining the reviewer's review. | reviewer |
| 10. | Pre-defense of the thesis. | supervisor, consultant |
| 11. | Defense of the thesis. | supervisor |

Student (graduate) _________________________________________________

(signature, date, transcript of the signature)

Thesis supervisor ________________________________________________________________

APPENDIX 8

(Example of the content of the thesis)

Content

Introduction ... 3

  1. Technical and economic characteristics of the subject area and the enterprise ... 5
     1.1. General characteristics of the subject area ... 5
     1.2. Organizational and functional structure of the enterprise ... 6
     1.3. Information security risk analysis ... 8
  2. Justification of the need to improve the system for ensuring information security and information protection at the enterprise ... 25
     2.1. Selection of a set of tasks for ensuring information security ... 29
     2.2. Determining the place of the designed set of tasks in the complex of tasks of the enterprise, detailing the tasks of information security and information protection ... 35
     2.3. Selection of protective measures ... 39
  3. A set of organizational measures to ensure information security and protection of enterprise information ... 43
     3.1. A complex of designed software and hardware for ensuring information security and protecting information of the enterprise ... 48
     3.2. The structure of the hardware-software complex of information security and enterprise information protection ...
     3.3. An example of a project implementation and its description ... 54
     3.4. Calculation of indicators of economic efficiency of the project ... 57

Conclusion ... 62

List of used literature ... 65

How to choose a relevant thesis topic in information security: the relevance of the topic, recommendations of experts, and examples of thesis topics.

Thesis topics in information security are usually associated with the study of the information security of automated systems, computer systems, and information and telecommunication systems.

A threat or a group of information security threats whose implementation can harm the system in question is chosen as the subject of such research. When preparing a thesis, you should investigate the system and build an attack implementation algorithm according to Figure 1.

Figure 1 - Algorithm for conducting analysis when writing a diploma on the topic of information security

The system of a specific enterprise or a geographically distributed network of an organization is chosen as the object of study.

The relevance of choosing a thesis topic in information security is due to the wide range of threats to information security and the continuous growth in the number of intruders and the attacks they implement.

The most relevant topics of final qualifying works (WQR) and scientific research works (R&D), as well as topics of diplomas in information security, are shown in the following list.

  1. Development of the information security system of the system under study
  2. Risk analysis of the systems under study, in respect of which the identified threats to information security are implemented
  3. Designing an intrusion detection system (false information systems)
  4. Protection of information from identified threats to information security
  5. Assessing the risks of implementing identified attacks on the system under study
  6. Development of a mathematical model of an intruder / of an identified information security attack
  7. Organization of protection of personal data of the system under study
  8. Organization of protection of confidential information of the system under study
  9. Analysis of information security threats in the enterprise/organization system under study
  10. Modernization of the existing information security system of the system under study
  11. Development of a protection profile of the enterprise under study
  12. Risk assessment of the implementation of epidemiological processes in social networks
  13. Risk management for the implementation of identified information security attacks in the system under study
  14. Evaluation of the effectiveness of means and methods of information protection in the enterprise
  15. Evaluation of the effectiveness of information protection measures in the system under study
  16. WRC: The use of DLP systems as a tool for ensuring the information security of the company
  17. Thesis: Analysis and improvement of information security in the enterprise
  18. Research: Development of an information security policy on the example of a computer company
  19. Thesis: Automation and information security of warehouse accounting in the company
  20. Diploma: Development of an information security policy in a commercial bank
  21. Bachelor's thesis: Organization of information security of the electronic archive of payment documents for payments by the population
  22. Final bachelor's work: Development of a set of protective measures to ensure the information security of databases
  23. Diploma: Development of regulations for the audit of information security of a state budgetary institution
  24. Master's thesis: Development of a set of organizational measures to ensure information security and information protection
  25. Thesis: Modernization of the existing system in order to improve information security in the company
  26. Master's work: Increasing the level of security of the information security system in the company
  27. Research work: Development and implementation of an information security system in a company
  28. Diploma: Development and implementation of an information security system in a transport company
  29. Thesis: Automation and information security of the Service Desk system
  30. Final qualification work: Development of an information security system for the LAN of an SEO company