
Trade secret. Software Certification

Ever since I received a grade of 3 (a C) in information security for my essay "Legal regulation of information protection", and then discussed the topic with the teacher, I have been thinking a great deal about trade secrets (hereinafter TS).

The essence of the question is as follows.
Since trade secrets are not regulated by the state, the software used to enforce a TS regime in a company (here we consider a large company with a large amount of computer equipment) is not subject to mandatory certification.

Let us sketch a situation.
Because our company is large and holds a large amount of information that qualifies as a trade secret, its computers run a DLP (data loss prevention) system, which simply scans all traffic, both incoming and outgoing. That is, if information constituting a trade secret is sent from a device to another company, the system can easily report to the company's system administrators which device it came from.
Imagine the following situation:

1. The DLP system signals a data leak from Vasya Pupkin's computer.
2. Vasya Pupkin is called in and asked: "Vasily, you are an excellent employee. We are at a loss; explain to us the reasons for your action. Why did you send such an important document to another company?"
3. Vasya replies that he did not send it. (In that case Vasya will, of course, simply be fired, and the matter will not go beyond the company.)
4. The company sues Vasya.
5. Vasya ends up paying a huge fine, because he cannot prove that he did not do it. In court practice so far, companies have always won such cases for the same reason: the accused cannot prove anything, since the letter of the law does not say that software enforcing the TS regime must undergo mandatory certification or meet any standards.

But what struck me most was the following fact: a certificate held by the software vendor does not guarantee the stable operation of the software itself, which in itself already looks absurd.
Here is what I mean. By profession I am a programmer. If I hold a certificate saying that I am a good programmer (for example, a certificate from Oracle), it tells the employer which tasks I can be assigned and which I cannot. If I cannot cope with them, then why was I given the certificate? In that case, my certificate is a guarantee of my work. But in the case of software, nobody bears any responsibility and nobody gives any guarantees.

So, we have:

- In the event of a malfunction in the software, no one can prove that malfunction (experts will most likely not help either, since searching for an error in the code of such software is searching for a needle in a haystack)
- The company loses a qualified employee and the secrecy of certain data
- The employee loses his job and any guarantee of finding a new one (word spreads very quickly)
- The company will be forced to change software

So the question is: how do we deal with this?
It seems to me that it is worth simply placing trade secrets under the control of state bodies, drawing up a list of software that should be installed in a company, drawing up a list of requirements that such software must meet, and introducing software certification, so that the company can claim the losses it incurs due to a software malfunction.

Source: https://habr.com/ru/post/147079/
