
28.12.2023

— Vasya, starting today you are creating users!
— But I'm a programmer, not a system administrator?!
— System administrators don't know 1C, so you will create users!
— Aaaah!!!

A programmer is a person who writes programs for a computer. Nevertheless, managing the list of users in 1C is usually entrusted to someone associated with 1C, namely the 1C programmer.

In principle, some programmers are not against it, since it gives them some “privileges”.

Still, the list of users in 1C differs little from user lists in other programs, so creating a new user or disabling an existing one is straightforward.

1C users

So, 1C has its own list of users. It is used to regulate access to the 1C database. When entering the database, 1C will ask you to select a user from this list and enter a password.

There are setups in which 1C does not ask for a user name at login. This does not mean there is no user: in that case a user from the list is mapped to a Windows/domain account and is determined automatically (see operating system authentication below).

The only case in which 1C genuinely does not prompt for a user is a newly created (empty) database. Its list of 1C users is empty, and until the first user is added 1C logs in automatically. Windows behaves similarly when there is a single user without a password.

1C users differ from each other:

  • Access rights
  • Interface (presence of items in the menu).

There is no “superuser” or “administrator group” as such. An administrator is a user who has all configuration rights and administration rights enabled. In an empty database (when the list of users is still empty), this particular user should be added first.

Two lists of 1C users

In fact, 1C has two lists of users. The first (the list of infobase users) is the "real" one from the programmer's point of view. It lives in the Configurator, and it is against this list that the platform authenticates the user.

This is the approach of old standard configurations (for example, trade management 10, accounting 1.6, etc.) - users are edited in this list, and are automatically included in the user directory upon first login.

The second list (the "not real" one, the approach of 1C 8.2 configurations) is the Users directory (plus the External Users directory, as in UT 11). The directory existed before, but in the new standard configurations users are added to it and are then included in the "real" list automatically.

The main drawback of this approach is that you cannot fall back to the old way: when a user is created from the directory, certain fields of the infobase user are filled in automatically, whereas a user added directly to the Configurator list will not be picked up by the directory.

How to add a user to the list of 1C users

So, the list of 1C users is in the Configurator: open the Administration/Users menu.

To add a user, you must press the add button (or Ins from the keyboard). If the list is now empty, then the first user must have administrative rights (see below).

  • Name – the user name (the one chosen when logging into 1C)
  • Full name – descriptive full name, for reference only; not shown anywhere
  • Password
  • Show in selection list
    o if the checkbox is checked, the user appears in the selection list at login
    o if it is not checked, the user is absent from the list (cannot be selected), but the name can be typed in manually to log in
  • Operating system authentication – the user can be associated with a Windows/domain account; such a user does not enter a password and is logged in automatically.

On the Other tab, you select rights and basic user settings.

  • Main interface – the menu that will be available to the user (used only in the thick client)
  • Language (for example, Russian)
  • Main launch mode – thick or thin client; with this parameter you can open a thin-client configuration in the thick client and vice versa
  • Available roles (user rights).

User rights in configurations are usually grouped into blocks ("roles"). In the old configurations they were grouped by user position (cashier, manager, etc.). The disadvantage is that in different organizations a cashier or a manager may have different duties.

Therefore, in the new configurations roles are grouped by action (access to month-end closing, access to cash transactions, and so on), so each user is assigned a set of operations.

In both cases there are basic access rights to enter the program. In the old approach it's:

  • User
  • Full Rights (for administrator).

In the new approach it is:

  • Basic Rights
  • BasicRightsUT
  • LaunchThinClient – plus LaunchXxxClient for the other client types
  • SubsystemXxx – one checkbox per subsystem (tab in the interface) that the user needs
  • Full Rights (for the administrator; do not confuse it with the Administration role!).

PS. For external users, basic rights are not required.

How to add a 1C user - 1C 8.2 users

The list of 1C 8.2 users in the new version is located in 1C (in 1C Enterprise mode), in the Users and External Users directories (only if supported by the configuration). The difference is that you must create users not in the configurator, but in this directory, and they will get into the configurator automatically.

If you are using a thin client, then see the Administration desktop tab. Otherwise, open the Users directory, for example, through the Operations menu.

Click the Add button (or Ins from your keyboard). To be able to manage the list of users, you must have Full Rights enabled.


Unlike the first approach, here you do not directly indicate each right (role) to the user, but indicate groups of rights (user groups).

The User Groups directory contains a profile that defines a set of rights (roles). In the User Group Profiles directory, you can change or add such sets of rights (roles).

1C user settings

In some configurations (especially in the old approach configurations) it is not enough to create a user. Additionally required:

  • Log in as a user for the first time
  • After that, find the user in the user directory
  • In the directory form, open the user settings; depending on the configuration, this is one of:
    o Menu Go/User Settings
    o Menu Additional Information/User Settings and Additional User Rights
    o An attribute directly on the user form
    o The program's global menu Tools/User Settings
  • Configure additional settings/user rights that determine auto-filling of fields and some accesses.

How to disable a 1C user

Temporarily disabling a user is not provided for in most configurations. The following workarounds achieve the same result. Note that changing the password does not stop a user who has operating system authentication enabled (see above), since such a user is logged in without a password; clear that setting as well.

Configurations of the old approach (via the configurator):

  • Delete user
  • Change password
  • Remove the User role (will not be able to log in).

New Approach Configurations (via Enterprise):

  • Uncheck the flag Login to infobase allowed
  • Change password
  • Remove from all access groups.

Active 1C users

1C allows you to find out the list of users who are currently in the database.

To do this, in Enterprise mode, select the Tools/Active Users menu (thick client, administrative interface). In the thin client - Administration tab, Active users on the left (may be in See also).

In Configurator mode, select the Administration/Active Users menu.

Disabling 1C users

As you know, updating the database (configuration) usually requires that all users leave 1C (not in every case, but often).

Users do not like to leave (this is a fact). If you ask them over the phone, they will certainly be back in within 30 seconds. With 200 users this becomes a very entertaining event.

Therefore, there are three ways to disconnect users from 1C:


INFORMATION BASE MANAGEMENT (IB)

Three circumstances prompted me to write this article: conversations with accountants I know, an article by a chief accountant, and a collection of anecdotes.

A friend of mine works as a chief accountant and is fluent in 1C. But recently she moved to a new organization where there is no information technology (IT) specialist and began asking me questions like “I want to work in a program at home, how can I transfer it to my home computer?”

Talking to professional accountants, I realized that they have no questions about their own profession. The questions arise in the area of information base management.

Secondly, I recall the recently published article "Why does an accountant need Infostart?" by Alla (bux 2).

The third circumstance is a collection of far from new jokes, "Instructions for accountants on communicating with a 1C programmer". Calling these stories anecdotes is a stretch; they are real stories familiar to every IT specialist who deals with accounting.

If you carefully analyze these anecdotes, you involuntarily come to the conclusion that the conflict occurs in the border area of ​​responsibility, which is not assigned to either the application user or the IT specialist.

Currently, more than 80,000 users are registered on the Infostart website. It is unlikely that these are all 1C programmers; most likely these are “advanced” users who have had problems operating 1C systems.

It seems to me that all site users can be divided into three main categories:

  • 1C programmers who are narcissistically involved in ranking competitions
  • “Advanced” users who are looking for more advanced tools for working with 1C
  • Beginners who have encountered problems operating 1C and are looking for answers to the question “What to do?”

This article is intended for the last two categories of users. Here I would like to discuss the management of 1C information bases. The discussion is controversial and based solely on personal experience.

If we look at the highest-rated articles, we see that fairly simple articles on general questions of infobase management do well. These questions are obvious to IT specialists, but for 1C application users they are almost a revelation.

This is especially true for small companies that cannot afford to employ a 1C programmer or even just an IT specialist. In this case, all problems fall on the users.

Most often, such an enterprise uses the “accounting” and “salary” configurations. This is due to the fact that 1C quickly reflects changes in legislation in its configurations. For enterprises this is important from a fiscal reporting point of view.

A typical small business. 1C users: the director; the accountant, who is also the chief accountant; the secretary, who also heads HR; several managers (for some reason that is what sales specialists are called).

Each user "manages" his own part of the infobase, but nobody is responsible for the database as a whole, and when problems arise there is nobody to ask. As in Raikin's sketch: "I personally sewed on the buttons. Any complaints about the buttons? No, they are sewn on for good, you cannot tear them off!" But nobody is responsible for the suit as a whole.

For the system to work normally, someone must take on overall control of the infobase. Such functions include, for example, removing duplicates from directories. On the one hand this is an application-level task, on the other hand it has to be done by an IT specialist. These functions lie in the "borderline" area, and both IT specialists (if there are any) and 1C users refuse to perform them.

This issue is relevant not only to small businesses. I was recently updating job descriptions and had great difficulty distributing such functions among employees. Job descriptions are now taken very seriously, since they are the basis for various administrative penalties, up to dismissal.

The system administrator angrily rejected the offer; the 1C programmer proudly declared that he "codes" rather than clearing away users' trash. In short, in an ordinary enterprise there is no specialist responsible for the integrity of the information in the infobase. The position is hard to define; conditionally it could be called something like "Infobase Manager".

These functions are different from those of the administrator. 1C Company gives the following definition of administration tasks:

  • System installation and update
  • Maintaining a list of users
  • Configuring access rights based on the role mechanism
  • Monitoring user actions and system events
  • Backup
  • Testing and correcting the information base
  • Setting regional settings
  • Updating configurations
  • Dumping an infobase to a file and loading it back
  • Maintaining and configuring the event log

As a matter of fact, the chapter “Administration” in the 1C documentation “Configuration and Administration” is devoted to this.

In reality, these administration tasks are not enough to keep the database running smoothly. Broader and more varied actions are required for the “correct” functioning of the database. “Database management” is much broader than the concept of “administration”.

In large enterprises these infobase management functions should be assigned to a full-time specialist. In small enterprises they will most likely fall on the chief accountant, since he has the most complete control over the information: he has to control the entry and sequence of documents, upload and download data, and so on.

In general, infobase management comes down to keeping the infobase "correct". Problems with the "correctness" of the database have always existed.

In my understanding, the “correct” 1C information database in any configuration must satisfy at least the following principles:

  • It should not contain objects marked for deletion. All marked objects must be deleted
  • There should be no unposted documents in the database
  • When re-posting documents for any period, the results should not change

Database management should lead to these results. For uninterrupted work with the database, it is necessary to perform the following actions in standard 1C configurations (using the example of ZUP):

    1. Backup
      • Copies of all databases must be made daily at the end of each day; copies of the previous day may be overwritten.
      • Copies of the database are mandatory before an update. It is advisable to save these copies under unique names.
      • Copies of the database after month-end closing are mandatory, also under unique names.
      The site has many articles and data processors devoted to backup.
    2. Check directories weekly for duplicates. If duplicates are found, delete them (see How to remove duplicates).
    3. Delete objects marked for deletion weekly. If an object is not deleted, something still references it. Find out who marked it for deletion and why; if necessary, restore it. Deletion can be done with universal data processors (see Before regulatory reporting – Technological control).
    4. Express database analysis.
    5. After the month is closed, restrict access to (editing of) the closed period's data.
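As an added illustration (not part of the original article and not using the 1C API), the following Python script applies the three "correct infobase" principles and the weekly duplicate check above to a constructed sample of directory items and documents. The record layout, the name-normalization rules and the sample data are assumptions; in a real infobase the same checks would be queries over the directories and documents.

```python
"""Health checks for a "correct" infobase: duplicates in a directory,
unposted documents, and objects marked for deletion (split into those that
can be deleted and those blocked by references).

Added example with constructed sample data; record shapes and the
normalization rules are assumptions, not the 1C platform's behaviour.
"""
from __future__ import annotations
from collections import defaultdict
import re

# Constructed sample: counterparty directory items and documents.
CATALOG = [
    {"code": "000001", "name": 'ООО "Ромашка"', "marked": False},
    {"code": "000002", "name": "ООО Ромашка", "marked": False},       # duplicate of 000001
    {"code": "000003", "name": "ИП Петров А.А.", "marked": True},     # marked, still referenced
    {"code": "000004", "name": "ИП  Петров А. А.", "marked": False},  # duplicate of 000003
    {"code": "000005", "name": "ЗАО Ёлка", "marked": True},           # marked, unreferenced
    {"code": "000006", "name": "ЗАО Елка", "marked": False},          # ё/е duplicate of 000005
]
DOCUMENTS = [
    {"number": "0001", "date": "2023-12-01", "posted": True, "marked": False, "refs": ["000001"]},
    {"number": "0002", "date": "2023-12-05", "posted": False, "marked": False, "refs": ["000003"]},
    {"number": "0003", "date": "2023-12-07", "posted": False, "marked": True, "refs": []},
]

# Legal-form words ignored when comparing names (assumed list).
LEGAL_FORMS = ("ооо", "зао", "оао", "ао", "ип", "пао")


def normalize_name(name: str) -> str:
    """Duplicate key: case-insensitive, ё=е, punctuation and extra spaces
    dropped, legal form removed."""
    key = name.casefold().replace("ё", "е")
    key = re.sub(r"[^\w\s]", " ", key)  # quotes, dots, dashes -> space
    words = [w for w in key.split() if w not in LEGAL_FORMS]
    return " ".join(words)


def find_duplicates(catalog) -> dict[str, list[str]]:
    """Groups of item codes whose normalized names coincide."""
    groups = defaultdict(list)
    for item in catalog:
        groups[normalize_name(item["name"])].append(item["code"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def unposted_documents(documents) -> list[str]:
    """Live (not marked) documents that are not posted."""
    return [d["number"] for d in documents if not d["posted"] and not d["marked"]]


def marked_objects(catalog, documents) -> dict[str, list[str]]:
    """Marked objects: deletable now, or blocked because a live document
    still references them (the reason deletion 'does not work')."""
    referenced = {ref for d in documents if not d["marked"] for ref in d["refs"]}
    blocked, deletable = [], []
    for item in catalog:
        if item["marked"]:
            (blocked if item["code"] in referenced else deletable).append(item["code"])
    deletable += [d["number"] for d in documents if d["marked"]]
    return {"deletable": deletable, "blocked_by_references": blocked}


def infobase_report(catalog=CATALOG, documents=DOCUMENTS) -> dict:
    return {
        "duplicates": find_duplicates(catalog),
        "unposted": unposted_documents(documents),
        "marked": marked_objects(catalog, documents),
    }


if __name__ == "__main__":
    for section, findings in infobase_report().items():
        print(section, findings)
```

Items reported under "blocked_by_references" are exactly the ones the text says must be investigated (who marked them and why) before either restoring them or removing the referencing documents.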

Maybe you can recommend something from your experience?

For enterprises, institutions and organizations, regardless of their form of ownership, a key issue is protecting their information resources, including accounting information and reporting. The program "1C: Public Institution Accounting 8" edition 2 meets modern information security requirements. In this article, 1C experts describe the Program's information protection capabilities.

The relevance of ensuring the protection of information resources

To ensure the information security of an organization, institution or enterprise, conditions must be created under which the use, loss or distortion of any information about the state of the organization, including accounting and financial information, by its employees or by outsiders (users) will, with a high degree of probability, not lead in the foreseeable future to threats of interrupting the organization's activities.

The relevance of information security problems at the state level is confirmed by the adoption of the Information Security Doctrine in the Russian Federation (approved by the President of the Russian Federation on September 9, 2000 No. Pr-1895). One of the components of the national interests of the Russian Federation in the information sphere is the protection of information resources from unauthorized access, ensuring the security of information and telecommunication systems, both already deployed and those being created in Russia.

Ensuring the information security of the Russian Federation in the economic sphere plays a key role in ensuring the national security of the Russian Federation. The following are most susceptible to the impact of threats to information security of the Russian Federation in the economic sphere:

  • state statistics system;
  • credit and financial system;
  • information and accounting automated systems of divisions of federal executive authorities that ensure the activities of society and the state in the economic sphere;
  • accounting systems for enterprises, institutions and organizations, regardless of their form of ownership;
  • systems for collecting, processing, storing and transmitting financial, stock exchange, tax, customs information and information on foreign economic activity of the state, as well as enterprises, institutions and organizations, regardless of their form of ownership.

Threats to the information security of an enterprise, institution or organization relating to accounting and reporting are threats of:

  • violation of the integrity of accounting information and reporting;
  • violation of the confidentiality of accounting information and reporting;
  • violation of the availability (blocking) of accounting information and reporting;
  • violation of the reliability of accounting information and reporting;
  • distortion of the content of accounting information and reporting caused by the actions of personnel and other persons;
  • harm caused by the use of poor-quality accounting information and reporting.

Information security in "1C: Public Institution Accounting 8"

The program “1C: Public Institution Accounting 8” edition 2 (hereinafter referred to as the Program) meets modern information security requirements. To increase the level of protection against unauthorized access to information stored in the Program, the following features are provided:

  • authentication;

Let's take a closer look at these features of the Program.

Authentication

The authentication mechanism is one of the administration tools. It allows you to determine which of the users listed in the list of system users is currently connecting to the Program and prevent unauthorized access to the Program.

In "1C: Public Institution Accounting 8" edition 2, three types of authentication are supported; which to use depends on the tasks facing the infobase administrator:

  • 1C:Enterprise authentication – authentication by a user name and password created in the Program;
  • operating system authentication – one of the operating system users is selected for the Program user. The Program determines which operating system user the connection is made on behalf of and maps it to the corresponding Program user;
  • OpenID authentication – the user is authenticated by an external OpenID provider that keeps the list of users.

If no type of authentication is specified for a user, such user's access to the Program is denied.

If the user must enter the Program with a password that is checked, enable the flag 1C:Enterprise authentication (see Fig. 1). It is enabled by default, together with the flag Login to the program is allowed.

The 1C:Enterprise authentication status is displayed under the flag.


Fig. 1

When a new user is created, the Program assigns him a blank password. Until a password is set, anyone who knows the user name can log in with an empty password, so set one immediately: use the Set password command in the user card (see Fig. 1).

In the Set password form, enter the new password in the New password field and repeat it in the Confirmation field.

A good password is at least eight characters long, includes uppercase and lowercase Latin letters, digits and symbols (underscores, parentheses, etc.), and is not a meaningful phrase. The password should not coincide with the user name, consist entirely of digits, contain recognizable words, or be made of alternating groups of characters. Examples of good passwords: "nj7(jhjibq*Gfhjkm, F5"njnGhkmNj;t(HI. Examples of bad passwords: Ivanov, qwerty, 12345678, 123123123. For details, see the documentation "1C:Enterprise 8.3. Administrator's Guide." Note that the "good" examples above are Russian phrases typed in the Latin keyboard layout; password-cracking tools routinely try layout-switched dictionary words, so such passwords are weaker than they look.

The Program can also check password complexity automatically (see Password complexity control below).

By default, for security reasons, the password is not shown when entered. In order to see what characters are being entered, you should enable the flag Show new password.

To automatically generate a password, you can use the button Create a password. The password will be generated by the Program.

To save your password, click on the button Set password.

After this, the 1C:Enterprise authentication state changes to Password set. In the user card, the button changes its value to Change password.

For ease of administration and for security, every user has the flag Require password change upon login, which makes the user replace the password set by the administrator with his own. When this flag is enabled, the user will be required at login to enter a password of his own, which nobody else will know.

If the flag Require password change upon login is not enabled, and the previously set password does not suit you for some reason, you can change it at any time in the user card.

When the flag User is prohibited from changing password is enabled, a user without full rights cannot set or change a password on his own.

The attributes Require password change upon login and Validity are shown in the user card and in the report User Information (Information about external users).

Program login settings

In the Login settings form (section Administration, navigation panel command Users and rights settings) you can configure the following parameters, separately for internal and external users of the Program:

  • password complexity requirements and their enforcement;
  • password change requirement: periodically or on demand;
  • control of password repetition;
  • limits on the validity period of accounts.

Figure 2 shows the setup for internal users.


Fig. 2

A similar setting is provided for external users.

Password complexity control

When the flag The password must meet complexity requirements is set, the Program checks that a new password:

  • has at least 7 characters,
  • contains at least 3 of the 4 character types: uppercase letters, lowercase letters, digits, special characters,
  • does not match the user name (login).

The minimum password length can be changed by checking the box next to the field of the same name and specifying the required password length (Fig. 3).


Fig. 3

Change Password

There are two settings for changing the password: periodic or at the request of the administrator.

For periodic password change, limit the password lifetime with the settings Minimum password validity period and Maximum password validity period. Once the period expires, the Program prompts the user to change the password.

The maximum password validity period is the period after the first login with a new password, after which the user will need to change the password, by default 30 days.

The minimum password validity period is the period after the first login with a new password during which the user cannot change the password, by default 1 day.

For a change on demand, the administrator sets the flag Require password change upon login in the user card. At the next login the Program requires the user to replace the administrator-set password with his own.

Repeatability control

To prevent users from creating duplicate passwords, you must enable the setting Prevent password repetition among recent ones and set the number of recent passwords with which the new password will be compared.

User login restrictions

To protect against unauthorized access to the Program, you can set a restriction for users who do not work in the Program for a certain period of time, for example, 45 days.

After the specified period has expired, the program will not allow the user to enter the Program. Open user sessions will automatically terminate no more than 25 minutes after login to the Program has been denied.

In the user card, which is available in the personal settings of the Program, via the hyperlink Set restrictions You can specify additional restrictions on entering the Program (Fig. 4).


Fig. 4

Using the switch, you can set a restriction on entering the Program:

  • According to general login settings – the default;
  • No time limit;
  • Login allowed until (a date must be set, entered manually or chosen from the calendar). Because every user has a validity period, a user can be cut off automatically once the specified date is reached;
  • Deny login if not working for more than (a number of days must be specified) – if the user does not enter the Program for more than that many days, login becomes impossible and the user has to contact the administrator to resume work.
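The following Python model, added here as an example and not part of the Program or of 1C's documentation, puts the login-settings rules from this section together in one place: the rule that a user with no authentication type is denied, the three complexity checks, repetition control against the recent-password history, the minimum and maximum password validity periods, the "Login allowed until" date and the inactivity limit. Field names, the history depth of 5 (not stated in the text) and the sample users and dates are assumptions; the passwords checked at the end are the examples given in the text.

```python
"""Model of the Login settings rules for 1C:BGU 8 edition 2 described above.

Added example: not code from the Program or from 1C. Field names, the
history depth of 5 (not stated in the text) and all sample data are
assumptions; the password examples are the ones given in the text.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import hashlib


@dataclass
class LoginSettings:
    """Parameters of the Login settings form; defaults follow the text."""
    complexity_required: bool = True
    min_length: int = 7
    min_validity_days: int = 1        # cannot change again sooner
    max_validity_days: int = 30       # must change after this
    recent_passwords_kept: int = 5    # assumption: depth of repetition control
    inactivity_limit_days: int = 45   # deny login after this many idle days


@dataclass
class User:
    name: str
    password_hashes: list[str] = field(default_factory=list)  # oldest first
    password_set_on: date | None = None   # first login with the current password
    last_login: date | None = None
    valid_until: date | None = None       # "Login allowed until"
    auth_enterprise: bool = True
    auth_os: bool = False
    auth_openid: bool = False
    require_change_on_login: bool = False


def password_hash(password: str) -> str:
    """History keeps hashes, not plaintext; repetition is checked by hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_problems(user: User, password: str, s: LoginSettings) -> list[str]:
    """The three complexity rules: length, 3 of 4 character types, not the login."""
    problems = []
    if len(password) < s.min_length:
        problems.append(f"shorter than {s.min_length} characters")
    types_present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(types_present) < 3:
        problems.append("fewer than 3 of 4 character types")
    if password.casefold() == user.name.casefold():
        problems.append("matches the user name")
    return problems


def can_set_password(user: User, password: str, today: date, s: LoginSettings) -> list[str]:
    """Checks applied when a password is changed; an empty list means accepted."""
    problems = complexity_problems(user, password, s) if s.complexity_required else []
    if password_hash(password) in user.password_hashes[-s.recent_passwords_kept:]:
        problems.append(f"repeats one of the last {s.recent_passwords_kept} passwords")
    # Assumption: minimum validity does not apply when the administrator forced a change.
    if (user.password_set_on is not None and not user.require_change_on_login
            and (today - user.password_set_on).days < s.min_validity_days):
        problems.append("minimum validity period has not elapsed")
    return problems


def login_decision(user: User, today: date, s: LoginSettings) -> str:
    """'allowed', 'change_password', or 'denied: <reason>' for a login attempt."""
    if not (user.auth_enterprise or user.auth_os or user.auth_openid):
        return "denied: no authentication type"
    if user.valid_until is not None and today > user.valid_until:
        return "denied: validity period expired"
    if (user.last_login is not None
            and (today - user.last_login).days > s.inactivity_limit_days):
        return "denied: inactive too long"
    if user.require_change_on_login:
        return "change_password"
    if (user.password_set_on is not None
            and (today - user.password_set_on).days > s.max_validity_days):
        return "change_password"
    return "allowed"


if __name__ == "__main__":
    settings = LoginSettings()
    ivanov = User(name="Ivanov")
    for candidate in ["Ivanov", "qwerty", "12345678", 'F5"njnGhkmNj;t(HI']:
        print(candidate, "->", complexity_problems(ivanov, candidate, settings) or "ok")
```

The order of checks in login_decision matters: account expiry and inactivity are evaluated before any password-change prompt, so a locked-out user is never shown the change-password dialog, which is the behaviour the text describes for the "Deny login if not working" restriction.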

User Details report

Report User Information(Fig. 5) is intended for viewing information about Program users, including login settings (infobase user properties). The need for a report arises if you need to perform a group analysis of login settings (login name, authentication types, etc.).

The report is opened from the Users (External users) list with the command All actions – User information (All actions – About external users). Depending on the list type, the Program selects the required report option automatically.

Information about internal and external users in one report can be opened through the section action panel Administration on command User Information.



Fig. 5

The Settings... button opens the list of fields, where you can add fields to the report if necessary, for example Require password change upon login and Validity.

Ensuring the protection of personal data

In conclusion, it should be noted that access control to the Program is only one of the data protection elements provided by the Program.

Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 approved the Requirements for the protection of personal data during their processing in personal data information systems, which define the levels of protection of personal data depending on the threats to their security. In accordance with these requirements, FSTEC of Russia Order No. 21 of February 18, 2013 details the composition and content of the organizational and technical measures for ensuring the security of personal data during their processing in personal data information systems.

The norms of the current legislation on personal data impose additional requirements on software products, in particular, on software that is a means of protecting information.

To ensure the protection of personal data, the protected software package (ZPK) "1C:Enterprise, version 8.3z" was developed: general-purpose software certified by FSTEC of Russia with built-in means of protection against unauthorized access (NSD) to information that does not constitute a state secret.

ZPK "1C:Enterprise 8.3z" allows you to block:

  • launching COM objects, external processing and reports, applications installed on the 1C:Enterprise server;
  • use of external 1C:Enterprise components;
  • access to Internet resources.

The combined use of the standard “1C: Public Institution Accounting” edition 2 and ZPK “1C: Enterprise 8.3z” allows you to create an information system of personal data of all security levels, and additional certification of this application solution is not required.

The use of ZPK "1C:Enterprise 8.3z" together with FSTEC-certified operating systems, DBMS and other certified tools allows you to fully comply with the requirements of the above regulatory documents.

Since “1C: Public Institution Accounting” ensures data exchange with the Federal Treasury authorities, Tax authorities, information systems on state and municipal payments (GIS GMP), accounting of federal property (ASUFI), registration and accrual of payments (IS RNIP), etc. via the Internet, to meet security requirements, the facility must be provided with certified firewall tools.

Of course, it is necessary to check the computers on which the Program is installed daily for the presence of malicious computer programs using anti-virus protection tools certified in the FSTEC certification system of Russia.

Information security, like information protection in general, is a complex task that is solved by implementing a security system; it is multifaceted and covers a number of important sub-tasks.

Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission into all spheres of society; this problem is especially acute in the field of financial accounting systems. The most popular accounting, sales, and CRM processes system in Russia is the 1C Enterprise system.

Let's consider potential security threats when using the 1C program.

Using 1C with file-format databases. 1C file databases are the most exposed to direct tampering. This is due to the architecture of this type of database: the configuration files and the database file itself (1Cv8.1CD) must be kept open with full access for every operating system user who works with the database. As a result, any user who is allowed to work in a 1C file database can, in principle, copy or even delete the entire 1C infobase with two mouse clicks.

Using 1C with databases in a DBMS. This class of problem arises when a DBMS (PostgreSQL, MS SQL) is used as storage for 1C databases and a 1C:Enterprise server acts as the intermediary between 1C and the DBMS. For example, many companies customize 1C configurations to their needs. In the course of such work, amid the project rush and constant testing of new, improved functionality, the responsible specialists often neglect network security rules.
As a result, people who have direct access to the DBMS database or administrator rights on the 1C:Enterprise server, even for a temporary test period, can either back the database up to external resources or delete it from the DBMS entirely.

Openness and accessibility of server equipment. If there is unauthorized access to server equipment, company employees or third parties can use this access to steal or damage information. Simply put, if an attacker gains direct access to the body and console of a 1c server, the range of his capabilities expands tenfold.

Risks of theft and leakage of personal data. Here, current threats to personal data security mean the set of conditions and factors that create a real danger of unauthorized, including accidental, access to personal data while they are processed in an information system, for example by responsible employees, PC operators, accounting staff and so on.
Such access can result in the destruction, modification, blocking, copying, disclosure or distribution of personal data, and in other unlawful actions by those persons.

Network security. An enterprise information system built in violation of GOST, security requirements and recommendations, or lacking proper IT support, is riddled with holes, viruses and spyware, and with backdoors (unauthorized entry points into the internal network). All of this directly affects the safety of corporate data in 1C and gives an attacker easy access to commercially sensitive information. For example, an attacker can exploit unrestricted access to backup copies, and the absence of a password on the backup archives, for personal gain. That is before counting the plain damage done to a 1C database by malware.

Interaction between 1C and external systems. Another potential threat is the need (and sometimes a deliberate marketing feature) for the 1C accounting database to communicate with the "outside world": uploads and downloads for client-bank systems, data exchange with branches, regular synchronisation with corporate websites and portals, other reporting programs, client and sales management, and much more. Since compliance with security standards and uniform network exchange is not enforced in this area of 1C, a leak is quite real at any point along the route.
Whether through non-standard customisation of process automation or through budget cuts on the measures needed to protect traffic, the number of vulnerabilities, holes, insecure connections, open ports, easily accessible exchange files in cleartext and so on in the accounting system grows instantly. One can easily imagine where this leads: from the simple disabling of a 1C database for a while to the forgery of a payment order for several million.

What can be proposed to solve such problems?

1. When working with 1C file databases, it is imperative to implement a number of measures to protect the bases:

  • Using NTFS access restrictions, grant rights only to the users who actually work with this database, thereby protecting it from theft or damage by unscrupulous employees or an attacker;
  • Always use Windows (domain) authentication to log into user workstations and to access network resources;
  • Use encrypted disks or encrypted folders so that confidential information stays protected even if the 1C database file is carried off;
  • Establish an automatic screen-lock policy, and train users so they understand why the profile must be locked;
  • Differentiate access rights at the 1C level so that users see only the information to which they have the appropriate rights;
  • Allow the 1C Configurator to be launched only by those employees who need it.
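The NTFS restriction from the first bullet, as an added PowerShell example (this is not code from the original article): it breaks inheritance on the infobase directory, removes the broad grants that usually arrive from the drive root, leaves Modify for the 1C users' group only, and then checks that no broad principal still has write access. The path D:\1C\Bases\Accounting and the group CORP\1C-Accounting-Users are assumed names; 1Cv8.1CD is the platform's standard file name for a file infobase.

```powershell
# Added example, not code from the original article: restrict a 1C file infobase directory
# with NTFS ACLs so that only the designated 1C users (and administrators) can reach it.
# Assumptions (hypothetical names): the infobase lives in D:\1C\Bases\Accounting and the
# domain group CORP\1C-Accounting-Users holds the people who work in it. Run elevated.

param(
    [string]$BasePath  = 'D:\1C\Bases\Accounting',
    [string]$UserGroup = 'CORP\1C-Accounting-Users'
)

function Set-1CFileBaseAcl {
    param([string]$Path, [string]$Group)

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent folder and do not keep the inherited entries, so broad
    # grants such as BUILTIN\Users:Modify no longer arrive from the drive root.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the explicit entries that are left; the inherited ones disappear when the ACL is saved.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    # Administrators and SYSTEM (backup jobs, scheduled tasks) keep full control.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', $inherit, $propagate, 'Allow')))
    }
    # 1C users need Modify: the platform writes to 1Cv8.1CD and creates lock and temp files
    # beside it. They do not need FullControl, so they cannot re-grant access to others.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', $inherit, $propagate, 'Allow')))

    Set-Acl -Path $Path -AclObject $acl
}

function Test-1CFileBaseAcl {
    # Return every Allow entry that still gives write-class rights to a broad principal.
    param([string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $write) -ne 0
    }
}

Set-1CFileBaseAcl -Path $BasePath -Group $UserGroup
$leaks = Test-1CFileBaseAcl -Path $BasePath
if ($leaks) {
    $leaks | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "Broad write access remains on $BasePath"
}
Write-Host "ACL on $BasePath restricted to $UserGroup"
```

Modify rather than FullControl is the point of the grant: a user with FullControl can simply add Everyone back, while Modify is enough for the platform to write the database and its lock files. Test-1CFileBaseAcl is worth running on its own across all infobase directories as a periodic check, since a database copied to a new folder picks up the parent's inherited rights again.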

2. When working with 1C databases stored in a DBMS, pay attention to the following recommendations:

  • The credentials the 1C server uses to connect to the DBMS must not have administrative rights;
  • Differentiate access rights to the DBMS databases, for example by creating a separate account for each information base, which limits the damage if one of the accounts is compromised;
  • Restrict physical and remote access to the database servers and the 1C servers;
  • Use database encryption; this protects confidential data even if an attacker gains physical access to the DBMS files;
  • Encrypt, or at the very least password-protect, the data backups;
  • Always define administrators for the 1C cluster and for the 1C server: by default, when no administrators have been created, any user who can reach the cluster has full administrative access to it and to its information bases.
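The first two bullets and the backup point, as an added PowerShell example for MS SQL Server (not code from the original article): it creates a separate SQL login for one information base with db_owner on that database only, then audits the instance for 1C logins that are members of sysadmin and for recent backups written without encryption. It needs the SqlServer module (Invoke-Sqlcmd) and a connection that itself may create logins. The instance SQL01, the database Accounting_1C and the login svc_1c_accounting are assumed names.

```powershell
# Added example, not code from the original article: give one 1C information base its own
# SQL Server login with db_owner on that database only, then check the instance for two of
# the problems described above: 1C logins that are members of sysadmin, and recent backups
# written without encryption. Needs the SqlServer module (Invoke-Sqlcmd) and a connection
# that itself has the rights to create logins. Assumptions (hypothetical names): instance
# SQL01, database Accounting_1C, login svc_1c_accounting.

param(
    [string]$Instance = 'SQL01',
    [string]$Database = 'Accounting_1C',
    [string]$Login    = 'svc_1c_accounting',
    [Parameter(Mandatory)][securestring]$Password
)

function New-1CDbLogin {
    param([string]$Instance, [string]$Database, [string]$Login, [securestring]$Password)
    # sqlcmd variables are substituted textually, so double any single quote in the password.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password.Replace("'", "''")

    # Server level: just the login, with the Windows password policy enforced. No sysadmin.
    # (dbcreator/processadmin are only needed while the 1C server creates the infobase and
    # can be withdrawn once it exists.)
    $serverSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$(Login)')
    CREATE LOGIN [$(Login)] WITH PASSWORD = N'$(Password)', CHECK_POLICY = ON;
'@
    # Database level: map the login into this one database and make it db_owner there,
    # which is what the 1C server needs to work with an existing infobase.
    $dbSql = @'
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$(Login)')
    CREATE USER [$(Login)] FOR LOGIN [$(Login)];
ALTER ROLE db_owner ADD MEMBER [$(Login)];
'@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master    -Query $serverSql -Variable @("Login=$Login", "Password=$plain")
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $dbSql     -Variable @("Login=$Login")
}

function Get-SysadminMembers {
    param([string]$Instance)
    $q = @'
SELECT m.name AS login_name
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
'@
    Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query $q
}

function Get-UnencryptedBackups {
    param([string]$Instance, [int]$Days = 30)
    # msdb records the encryption algorithm of every backup; NULL means the file is plaintext.
    $q = @'
SELECT database_name, type, backup_finish_date
FROM msdb.dbo.backupset
WHERE key_algorithm IS NULL
  AND backup_finish_date > DATEADD(day, -$(Days), GETDATE())
ORDER BY backup_finish_date DESC;
'@
    Invoke-Sqlcmd -ServerInstance $Instance -Database msdb -Query $q -Variable @("Days=$Days")
}

New-1CDbLogin -Instance $Instance -Database $Database -Login $Login -Password $Password

$admins = @(Get-SysadminMembers -Instance $Instance)
if ($admins.login_name -contains $Login) { throw "$Login is a member of sysadmin; remove it" }
Write-Host "sysadmin members: $($admins.login_name -join ', ')"

$plaintext = @(Get-UnencryptedBackups -Instance $Instance)
if ($plaintext) {
    Write-Warning 'Unencrypted backups in the last 30 days:'
    $plaintext | Format-Table -AutoSize
}
```

One login per information base means that a leaked connection string, or a test server left open, exposes one database rather than every 1C base on the instance. For PostgreSQL the same pattern holds (a role per database that owns only that database, no SUPERUSER), with the audit queries written against pg_roles instead of sys.server_principals.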

3. Requirements for ensuring the physical security of server equipment (according to GOST R ISO/IEC TR 13335):

  • Access to areas where sensitive information is processed or stored must be controlled and limited to authorized persons only;
  • Authentication controls, such as an access card plus a personal identification number, must be used to authorize and confirm any access;
  • An audit trail of all access must be kept in a secure location;
  • Third-party support personnel should be given limited access to secure areas or sensitive information processing facilities only when required, and this access must be authorized and monitored at all times;
  • Access rights to secure areas should be regularly reviewed and updated, and revoked when necessary;
  • Relevant health and safety regulations and standards must be taken into account;
  • Key facilities should be located so as to prevent access by the general public;
  • Where applicable, buildings and rooms should be unassuming and give minimal indication of their purpose, with no prominent signage, outside or inside the building, indicating the presence of information processing activities;
  • Signs and internal telephone directories indicating the locations of sensitive information processing facilities should not be readily available to the general public.

4. Confidentiality of personal data. The main goal in organising the protection of personal data is to neutralise the current threats to the information system as defined by Federal Law No. 152-FZ of 27 July 2006 "On Personal Data", by the relevant state standards, and by the requirements of international IT security certifications (GOST R ISO/IEC 13335 parts 2-5, ISO 27001). This is achieved by limiting access to information by its type, delimiting access by user role, and structuring how information is processed and stored.
Here are some key points:

  • The processing of personal data must be limited to the achievement of specific, pre-defined and legitimate purposes;
  • Consent to the processing of personal data must be specific, informed and deliberate;
  • Processing of personal data that is incompatible with the purposes for which they were collected is not permitted;
  • Only personal data that meet the purposes of their processing are subject to processing;
  • Operators and other persons who have access to personal data are obliged not to disclose them to third parties or distribute them without the consent of the data subject, unless federal law provides otherwise;
  • Photographic, video, audio or other recording equipment, such as cameras on mobile devices, should not be allowed unless authorized;
  • Drives with removable media should be permitted only where there is a business need for them;
  • To ensure that confidential information is not tampered with, paper and electronic media must be stored in appropriately locked cabinets or other secure furniture when not in use, especially outside working hours;
  • Media containing important or sensitive proprietary information should be put away and locked when not required (for example, in a fireproof safe or cabinet), especially when the area is unoccupied.

5. Network security is the set of requirements for the enterprise's network infrastructure and the policies for working in it whose implementation protects network resources from unauthorized access. Beyond the basic measures, the following can be considered as part of the recommended actions for organising and ensuring network security:

  • First of all, the company must adopt a unified information security regulation with the corresponding instructions;
  • Users should be denied access to undesirable sites, including file-hosting services, as far as possible;
  • Only the ports necessary for users' work should be open from the external network;
  • There must be a system for comprehensive monitoring of user actions and prompt notification of deviations from the normal state of all publicly available resources whose operation matters to the company;
  • A centralised anti-virus system and policies for cleaning and removing malware;
  • A centralised system for managing and updating anti-virus software, and policies for regular OS updates;
  • The ability to run removable flash media should be restricted as far as possible;
  • Passwords must be at least 8 characters long and contain digits and upper- and lower-case letters;
  • Key information-exchange folders, in particular 1C exchange files and the client-bank system, must be protected and encrypted;
  • Power and telecommunications lines feeding information processing facilities should be underground where possible or given adequate alternative protection;
  • Network cables must be protected from unauthorized interception or damage, for example by using conduit or by avoiding routes through publicly accessible areas.
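The "only necessary ports" bullet, as an added PowerShell example for a Windows host running the 1C application server (not code from the original article): it sets the firewall to default-deny inbound, allows the cluster's ports only from the client networks, and lists any other port the host is listening on so that it can be reviewed or closed. It assumes the cluster uses the platform's default ports (1540 for the agent, 1541 for the cluster manager, 1560-1591 for the working processes) and that the workstations sit in the hypothetical subnet 10.10.0.0/16.

```powershell
# Added example, not code from the original article: on a Windows host running the 1C
# application server, make the firewall default-deny inbound, allow the cluster's ports only
# from the client networks, and list any other port the host is listening on so it can be
# reviewed or closed. Assumptions: the cluster uses the platform's default ports (1540 agent,
# 1541 cluster manager, 1560-1591 working processes) and workstations live in the
# hypothetical subnet 10.10.0.0/16. Run elevated.

param(
    [string[]]$ClientNetworks = @('10.10.0.0/16'),
    # Ports we expect to see listening: the 1C cluster plus RDP for administrators.
    [int[]]$ExpectedPorts = @(1540, 1541) + (1560..1591) + @(3389)
)

function Set-1CClusterFirewall {
    param([string[]]$Networks)
    # Drop earlier copies of our rule so the script can be re-run.
    Get-NetFirewallRule -DisplayName '1C cluster*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # With the default inbound action set to Block, a single Allow scoped to the client
    # networks is all that is needed; anything else to these ports is dropped by default.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName '1C cluster: clients' -Direction Inbound -Protocol TCP `
        -LocalPort 1540, 1541, '1560-1591' -RemoteAddress $Networks -Action Allow | Out-Null
}

function Get-UnexpectedListeners {
    param([int[]]$Expected)
    # Listening TCP sockets on non-loopback addresses whose port is not on the allowlist,
    # with the owning process so the reviewer can tell a stray service from a 1C one.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') -and $Expected -notcontains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
        } | Sort-Object Port, Address -Unique
}

Set-1CClusterFirewall -Networks $ClientNetworks
$extra = @(Get-UnexpectedListeners -Expected $ExpectedPorts)
if ($extra) {
    Write-Warning 'Listening ports outside the allowlist; review, firewall or stop them:'
    $extra | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected listening ports.'
}
```

Two cautions: confirm that an allow rule for your own management access (RDP or remote PowerShell) exists before switching the default inbound action to Block, or the script will lock you out; and apply the same approach on the DBMS host, where the database port (1433 for MS SQL Server, 5432 for PostgreSQL by default) should be reachable only from the 1C server's address, never from workstations. That second rule is what closes the direct-DBMS-access path described in the threats above.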

To sum up, the main rules for protecting information are limiting users' rights and capabilities and keeping control over what they do in the information systems. The fewer rights a user has in an information system, the smaller the chance of information being leaked or damaged, whether through malice or negligence.


A comprehensive solution for protecting enterprise data, including 1C databases, is the “Server in Israel” solution, which contains up-to-date tools for ensuring a high level of information confidentiality.
