Ruslan Rakhmetov, Security Vision
In everyday life and in work involving information technology one often encounters the term "confidential information". Even IT specialists frequently find it hard to give a precise definition of it. In this article we will establish what confidential information is, how it is defined and what it includes.
To understand what confidential information is, we must turn to the key legal act that contains the main definitions and lists the types of information: Federal Law No. 149-FZ of 27.07.2006 "On Information, Information Technologies and Information Protection". This law contains the basic concepts and terms used in all official documents relating to information technology and information protection. In particular, it defines confidentiality of information as a mandatory requirement, binding on everyone who has access to certain information, not to transfer that information to third parties without the consent of its owner. Within the meaning of this legislative definition, confidential information is therefore information whose owner has established a binding non-disclosure requirement (disclosure only with the owner's consent) for all persons who have access to it.
Federal Law 149-FZ defines information as data (messages, facts) regardless of the form in which it is presented, and defines the owner of information as a person who has independently created the information or has obtained, on the basis of law or a contract, the right to permit or restrict access to it. The same law states that, by category of access, information is divided into publicly available information and restricted information, access to which is limited by federal laws, and it stresses that confidentiality must be observed for information whose access is restricted by federal law. For example, personal data is restricted information, because access to it is limited by Federal Law No. 152-FZ of 27.07.2006 "On Personal Data"; accordingly, the confidentiality of personal data is mandatory, and the state sets binding norms and rules for processing it. The situation is similar for many other types of information that one federal law or another classifies as restricted: at present there are 122 types of restricted information in the Russian Federation, including:
In addition, there is Decree of the President of the Russian Federation No. 188 of 06.03.1997 "On Approval of the List of Confidential Information", most recently amended in 2015. This Decree establishes a list of confidential information consisting of 7 items:
Thus, if a company is subject to federal legislation on the protection of a particular type of information, then compliance with confidentiality requirements is dictated by mandatory legal requirements; this is the case for personal data, banking secrecy, medical confidentiality and so on, depending on the organisation's field of activity. However, any company also has a legal means of protecting its own interest in keeping information confidential: it can introduce a trade secret regime in accordance with Federal Law No. 98-FZ "On Trade Secrets" and draw up a list of the information that constitutes the company's trade secret.
In practice, ensuring the confidentiality of information means taking organisational, technical and physical measures to protect information from unauthorised access. Unauthorised access (known in Russian-language practice by the abbreviation NSD) is access by a subject (a user, service or program) to an object (a document, file or database record) in violation of the access control rules established in the information system. Recall the definition given in the previous article: confidentiality of information is a state of information in which only those who hold rights to it have access to it. Ensuring confidentiality therefore means preventing unauthorised access, which in practice is achieved by defining and enforcing rules for differentiating access to data.

Discretionary, mandatory or role-based access control models can be used to protect confidential information; their purpose is to produce a list of access subjects together with their rights to specific data (the access objects). Example: only the IT administrator has full (administrative) access to the file "Clients.xlsx" on a network share, the head of the sales department has read and modify access, and all employees of that department have read access. When implementing measures to protect confidential information, three things are of fundamental importance: the principle of least privilege, granting access only where there is an operational need and with the approval of the subject's manager, and granular separation of users' access rights to different data. The principle of least privilege means granting a user only the limited set of access rights required to perform their duties: for example, an ordinary sales employee does not need the right to change the client list or to delete files on the network share, so it is correct to grant them read rights only for the corresponding files.
Granular separation of access rights is especially useful in companies with a branched hierarchical structure. Example: if a company works in only one city and the sales department has just 2-3 employees who handle all clients at once, all employees of the department can be given the same read rights to the file containing the client list. However, if the company is a large federal retailer operating across the whole country, it will most likely have a sales department divided into divisions by federal district, each with its own sales managers. In that case it is correct to divide the client list by federal district and give employees access only to the records that fall within their area of responsibility (their division). Giving every sales employee read access to the data of all clients in this situation is a direct route to a possible information leak.
As already stressed, measures to ensure the confidentiality of information can be organisational, technical and physical. In the sales-department example, organisational measures to protect the confidential information (here, client data) are: introducing and maintaining a trade secret regime in the company; dividing the areas of responsibility of sales managers by region (so that, for example, one manager can stand in for another only within the same division); and drawing up a set of internal regulatory documents (IRD) prescribing the rules for processing the data, with which all employees are made familiar. Technical measures are: creating access groups in the corporate directory service (for example, Active Directory); assigning access rights to the folders with client data on network resources; configuring the separation of access rights in the company's CRM system; and deploying a data leak protection system (DLP, from the English Data Leak Prevention). Physical protection measures include, for example: deploying a physical access control system (ACS) to keep unauthorised persons out of premises where confidential information is processed; installing video surveillance to monitor what happens in offices (including at employees' workplaces); and controlling the handling of paper media, since it is common to find printouts of confidential documents left behind in meeting rooms after working meetings.
Another important task is to keep confidential information secure when exchanging data with counterparties (suppliers, contractors, outsourcers, partners). It is important not only to draw up a legally sound confidentiality agreement, to provide for liability for breaches of confidentiality and to comply with the requirements of the law on trade secrets, but also to check the state of the counterparty's information security management system. In practice it often happens that a counterparty is ready to sign any document on the secure exchange and processing of confidential information, yet does not adequately protect the information it receives, which can eventually lead to unauthorised access and a possible leak.
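The following is an added example, not code from the original article or from Security Vision. It models the two preceding examples in working Python: a role-based rights matrix for "Clients.xlsx" (administrator has full control, the department head can read and modify, managers can only read), row-level scoping of the client list by federal district for a branched sales organisation, and a least-privilege audit that reports rights a subject holds beyond what their job requires. All names, roles, districts and client records are hypothetical and constructed for the example.

```python
"""Access-control model for the 'Clients.xlsx' example (constructed, hypothetical data)."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional


class Right(Flag):
    """Rights a subject may hold on the client list; ADMIN is full control."""
    NONE = 0
    READ = auto()
    MODIFY = auto()
    DELETE = auto()
    ADMIN = READ | MODIFY | DELETE


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    division: Optional[str] = None  # federal district a sales manager is responsible for


# Role -> rights on the client list (the access matrix from the text).
ROLE_RIGHTS = {
    "it_admin": Right.ADMIN,
    "sales_head": Right.READ | Right.MODIFY,
    "sales_manager": Right.READ,
}

# Constructed client records; each row is tagged with the district it belongs to.
CLIENTS = [
    {"id": 1, "name": "Client A", "district": "Central"},
    {"id": 2, "name": "Client B", "district": "Siberian"},
    {"id": 3, "name": "Client C", "district": "Central"},
]


def is_allowed(subject: Subject, requested: Right) -> bool:
    """True only if every requested right is present in the subject's granted set."""
    if requested == Right.NONE:
        return False  # an empty request is never a valid access
    granted = ROLE_RIGHTS.get(subject.role, Right.NONE)  # unknown role -> deny by default
    return requested in granted  # Flag containment: all requested bits must be set


def visible_clients(subject: Subject) -> list:
    """Granular separation: managers see only their own district's rows.

    The department head and the administrator are not scoped, because the head
    oversees all divisions. Anyone without READ sees nothing.
    """
    if not is_allowed(subject, Right.READ):
        return []
    if subject.role == "sales_manager":
        return [c for c in CLIENTS if c["district"] == subject.division]
    return list(CLIENTS)


def over_privileged(subject: Subject, needed: Right) -> Right:
    """Least-privilege audit: rights the role grants that the duties do not require."""
    return ROLE_RIGHTS.get(subject.role, Right.NONE) & ~needed


if __name__ == "__main__":
    manager = Subject("carol", "sales_manager", division="Central")
    head = Subject("bob", "sales_head")
    print("manager sees:", [c["name"] for c in visible_clients(manager)])
    print("manager may modify:", is_allowed(manager, Right.MODIFY))
    print("head holds beyond READ:", over_privileged(head, Right.READ))
```

The deny-by-default branch for unknown roles and the empty-request guard are the two places a naive implementation usually goes wrong; the audit function is what you would run over the real rights matrix before granting a new role, to catch a division head who has quietly accumulated DELETE.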