head of the Department of Information Systems
It is important that companies protect their data by using data security systems. Here, we will consider some ways of assuring data security.
Any company today, whether a large corporation or a medium-sized or small business, needs its own system of data protection. A company that does not pay enough attention to data protection may lose important data or even hand it to competitors. Where the lost data, such as accounting and financial data, constitute commercial secrets, the penalty for their loss may even be criminal.
Data security hazards do not come only from competitors or careless employees. Today, practically no company can work without corporate mail and Internet access. This creates the possibility of infecting work computers with viruses. In that case, the company may be hurt by more than data loss. Viruses may temporarily disable equipment, such as individual computers or whole networks, which means downtime costs for the enterprise.
The entry into force of Federal Law No. 152 FZ dated July 26, 2006, "On Personal Data" (hereinafter No. 152 FZ), made the creation of data protection systems a vital issue for every company, since they all employ people whose personal data must be protected. Accounting and financial data mostly contain information about employees, clients and suppliers. These data qualify as both personal data and commercial secrets. The documents created for certification of conformance to No. 152 FZ include a newly compiled threat model. Its authors did their best to consider every kind of violation that may result in the loss of personal data. An organization's data protection is based on that document.
Let us consider various ways of protecting company data. A comprehensive approach is the most effective, and the various protection tools must be used together. Every company must issue documents regulating how each employee handles data. All employees must be informed of possible threats and ways of protection, because hardware and software cannot always eliminate the human factor. For instance, special attention must be paid to the use of Internet resources, downloading files, following links received by mail and using storage devices such as flash drives, optical discs, media players, memory cards, etc. All of these may be a source of computer viruses and other harmful programs.
A useful tool is differentiated user access to particular programs and databases. Modern means of protection can ensure that only properly identified and authorized users gain access to data. That involves the use of passwords, etc. Users may be divided into categories with different rights, such as the right to access, read, edit, delete, copy or process data.
Access to the Internet may also be restricted. Certain users may be barred from visiting certain websites, following suspicious links, downloading files and installing certain software, such as additional web browsers or instant messaging programs such as ICQ and Skype.
Serious hazards may be posed by files stored on devices such as flash drives, optical discs, media players, memory cards, etc. Modern technologies make it possible to restrict the use of such devices. For instance, users' computers may reject any memory card or removable storage device except those provided by the employer. The system may prohibit or, at least, log every attempt to copy data from work computers to such devices. Should any data loss occur, the breach can then be traced. Certain files may be protected against being copied or sent by mail.
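The removable-media rule described above can be expressed as a small policy check with an audit trail. This is an added example, not taken from the article; the event format, the device serial numbers and the user and file names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: serial numbers of employer-issued drives.
APPROVED_SERIALS = {"CORP-0001", "CORP-0002"}

@dataclass(frozen=True)
class Event:
    time: str        # ISO 8601 timestamp reported by the endpoint agent
    user: str
    action: str      # "mount" (device plugged in) or "copy" (file written to it)
    serial: str      # serial number of the removable device
    path: str = ""   # source file, for copy events

def decide(event, approved=APPROVED_SERIALS):
    """Reject any device the employer did not issue; allow the rest."""
    return "allow" if event.serial in approved else "deny"

def build_audit(events, approved=APPROVED_SERIALS):
    """Record every copy attempt and every rejected device, allowed or not."""
    audit = []
    for ev in events:
        decision = decide(ev, approved)
        if ev.action == "copy" or decision == "deny":
            audit.append({"time": ev.time, "user": ev.user, "action": ev.action,
                          "serial": ev.serial, "path": ev.path, "decision": decision})
    return audit

def trace_file(audit, path):
    """After a suspected leak: who tried to copy this file, to what, and the outcome."""
    return [(r["time"], r["user"], r["serial"], r["decision"])
            for r in audit if r["action"] == "copy" and r["path"] == path]

# Constructed events, as a hypothetical endpoint agent might report them.
SAMPLE_EVENTS = [
    Event("2012-07-02T09:14:00", "ivanova", "mount", "CORP-0001"),
    Event("2012-07-02T09:15:10", "ivanova", "copy", "CORP-0001", "ledger_q2.xlsx"),
    Event("2012-07-02T11:40:00", "petrov", "mount", "USB-7F3A"),
    Event("2012-07-02T11:40:30", "petrov", "copy", "USB-7F3A", "ledger_q2.xlsx"),
    Event("2012-07-02T15:05:00", "sidorov", "copy", "CORP-0002", "payroll.csv"),
]

if __name__ == "__main__":
    audit = build_audit(SAMPLE_EVENTS)
    for row in trace_file(audit, "ledger_q2.xlsx"):
        print(row)
```

Copies to approved devices are logged as well as blocked ones, so a later investigation can list everyone who took a given file off a work computer.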
Antivirus programs and periodic scanning of all computers also help keep company data safe.
Many offices use magnetic card keys for entering and leaving the premises. The same cards may be programmed for use with printers and other digital equipment. This helps where printers are shared and it takes an employee time to reach the printer after sending a document to it: in the meantime, the printed sheets may be picked up by someone else, by mistake or deliberately. When card keys are used, a file is not printed until the correct card is inserted in the printer's card reader. This prevents printed data from being leaked. Security services may also use the record of every document printed by every employee to identify leaks.
Keys may also be used for two-factor identification of users, who, besides entering a password at the keyboard, must also insert a key, such as a flash drive or another device containing a program that generates one-time passwords.
All companies should use backup systems to guard against accidental deletion of, or damage to, important files. Lost data may be restored by replaying several database operations. Properly designed internal control systems help to establish at what stage data protection errors are made and who makes them.
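Restoring by replaying database operations, and finding who made the error, can look like the following. This is an added example, not taken from the article; the journal format, the `skip` parameter and the record and user names are assumptions made for illustration.

```python
import copy

def apply_op(state, entry):
    """Apply one journaled operation to a table held as {key: row}."""
    kind, key = entry["op"], entry["key"]
    if kind in ("insert", "update"):
        state[key] = entry["value"]
    elif kind == "delete":
        state.pop(key, None)
    else:
        raise ValueError(f"unknown operation: {kind}")

def restore(snapshot, journal, skip=frozenset()):
    """Rebuild the table from the last backup plus the journal.

    Entries whose sequence number is in `skip` (the erroneous ones) are not
    replayed; later entries that depended on them still need manual review.
    """
    state = copy.deepcopy(snapshot)          # never modify the backup itself
    for entry in sorted(journal, key=lambda e: e["seq"]):
        if entry["seq"] not in skip:
            apply_op(state, entry)
    return state

def who_deleted(journal, key):
    """Internal-control query: which entries deleted this record, and by whom."""
    return [(e["seq"], e["user"]) for e in journal
            if e["op"] == "delete" and e["key"] == key]

# Constructed sample data: last night's backup and today's operation journal.
SNAPSHOT = {"INV-100": {"amount": 1200}}
JOURNAL = [
    {"seq": 1, "user": "clerk_a", "op": "insert", "key": "INV-101", "value": {"amount": 300}},
    {"seq": 2, "user": "clerk_b", "op": "update", "key": "INV-100", "value": {"amount": 1250}},
    {"seq": 3, "user": "clerk_a", "op": "delete", "key": "INV-100"},   # accidental deletion
    {"seq": 4, "user": "clerk_b", "op": "insert", "key": "INV-102", "value": {"amount": 75}},
]

if __name__ == "__main__":
    bad = who_deleted(JOURNAL, "INV-100")
    print("deleted by:", bad)
    print(restore(SNAPSHOT, JOURNAL, skip={seq for seq, _ in bad}))
```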
The data security tools described above may be used throughout a company, but they are especially useful in financial and accounting departments where, as previously mentioned, employees mostly work with commercial or personal data, whose protection is the most important. All of this may be implemented on the basis of software or hardware solutions from various vendors. The selection of such programs and devices on the market today is tremendous. This is why security experts must clearly understand what data they have to protect and select their protection tools on that basis.
Source: The magazine "Aktualnaya buhalteriya" 7, July 2012