G.P. Akimova - Ph. D. (Eng.), Leading Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow) E-mail: akimova@isa.ru A.M. Arlazarov - Deputy Director of Institute for Systems Analysis of FRC CSC RAS (Moscow) E-mail: alex_a@frccsc.ru A.Yu. Danilenko - Ph. D. (Phys.-Math.), Head of Laboratory, Institute for Systems Analysis of FRC CSC RAS (Moscow) E-mail: danilenko@isa.ru M.A. Pashkin - Research Scientist, Institute for Systems Analysis of FRC CSC RAS (Moscow) E-mail: pashkin@isa.ru I.V. Tumanova - Leading Programmer, Institute for Systems Analysis of FRC CSC RAS (Moscow) E-mail: tumanova-irin@mail.ru

This work completes a series of articles under the title «Information security of electronic trading platforms» and devoted to the defi-nition of information protection measures. AIS Class of protection in accordance with the existing regulatory framework is determined by the level of importance of the information being processed and the scale of the system, and the importance of information is determined by assessing customer potential damage from the violation of its integrity, confidentiality or availability. In the case of trading platforms (ETP) of the maximum possible degree of damage caused by a breach of confidentiality or integrity of information can be assessed as low. This assessment is due to the fact that the site can continue to operate, but the execution of a series of operations will not be available, for example, it is impossible to conclude separate contracts or hold separate bids due to the distortion of data organization. The extent of the damage caused by violation of access to information is low because ETP may continue to work after the restoration of work. Class rank scale systems ETP is ambiguous, because such systems are registered users across the country and often abroad. At the same time servers are usually located in the same building, thus within a controlled area. In this regard, the scale of the ETP can be counted as the object, as well as federal. However, as users work sites through Internet browsers, and segments outside the controlled area are not available, the scale of such systems should be considered as the object. As a result, for a typical ETP K3 protection class required according to the classification of government information systems. According to the requirements of personal data protection, taking into account the findings of potential offenders and characteristics of processed information trading platforms must have the 4 levels of security. For electronic trading platforms are the following relevant data security risks: theft of computers and server computers; actions of malicious programs; undeclared capabilities of system and application software; loss of access attributes; disclosure, modification, destruction of the employees admitted to its processing; revealing passwords unauthorized access to data using standard system functions as well as by targeted programs; threat network scanning; the threat of remote start applications; the threat of the introduction of malware on a network, as well as several others. The use of traditional defense mechanisms in the case of the ETP has a number of features. This applies to electronic signatures, the processing of network traffic, password policy, trusted boot and a number of others.

 

1. Akimova G.P., Danilenko A.JU., Pashkin M.A., Pashkina E.V., Podrabinovich A.A. Informacionnaja bezopasnost ehlektronnykh torgovykh ploshhadok. CHast 1. Rol chelovecheskogo faktora // Sistemy vysokojj dostupnosti. 2016. T. 12. № 3. S. 19−24.
2. Akimov V.P., Danilenko A.JU., Pashkin M.A., Pashkina E.V. Informacionnaja bezopasnost ehlektronnykh torgovykh ploshhadok. CHast 2. Osobennosti programmnogo obespechenija // Sistemy vysokojj dostupnosti. 2016. T. 12. № 4. S. 12−19.
3. Akimova G.P., Danilenko A.JU., Pashkina E.V., Podrabinovich A.A., Solovev D.V. Informacionnaja bezopasnost ehlektronnykh torgovykh ploshhadok. CHast 3. Politika bezopasnosti // Sistemy vysokojj dostupnosti. T. 12. № 4. S. 20−25.
4. O kontraktnojj sisteme v sfere zakupok tovarov, rabot, uslug dlja obespechenija gosudarstvennykh i municipalnykh nuzhd. Federalnyjj zakon № 44-FZot 05 aprelja 2013 g.
5. Ob ehlektronnojj podpisi. Federalnyjj zakon № 63-FZot 06 aprelja 2011 goda.
6. O personalnykh dannykh. Federalnyjj zakon № 152-FZ ot 27 ijulja 2006 g.
7. Ob utverzhdenii trebovanijj o zashhite informacii, ne sostavljajushhejj gosudarstvennuju tajjnu, soderzhashhejjsja v gosudarstvennykh informacionnykh sistemakh. Prikaz FSTEHK Rossii ot 11 fevralja 2013 g. № 17.
8. Ob utverzhdenii trebovanijj k zashhite personalnykh dannykh pri ikh obrabotke v informacionnykh sistemakh personalnykh dannykh. Postanovlenie Pravitelstva Rossijjskojj Federacii ot 1 nojabrja 2012 g. № 1119.
9. Ob utverzhdenii sostava i soderzhanija organizacionnykh i tekhnicheskikh mer po obespecheniju bezopasnosti personalnykh dannykh pri ikh obrabotke v informacionnykh sistemakh personalnykh dannykh. Prikaz FSTEHK Rossii ot 18 fevralja 2013 g. № 21.
10. Bazovaja model ugroz bezopasnosti personalnykh dannykh pri ikh obrabotke v informacionnykh sistemakh personalnykh dannykh. Utverzhdena FSTEHK Rossii 15 fevralja 2008 g.
11. Metodika opredelenija aktualnykh ugroz bezopasnosti personalnykh dannykh pri ikh obrabotke v informacionnykh sistemakh personalnykh dannykh. Utverzhdena FSTEHK Rossii 14 fevralja 2008 g.
12. Danilenko A.JU. Bezopasnost sistem ehlektronnogo dokumentooborota: Tekhnologija zashhity ehlektronnykh dokumentov. Serija «Osnovy zashhity informacii». № 13. M.: URSS. 2015. 232 s.