Certified SKZI: what you need to know to choose them correctly. Classification of information protection tools according to FSTEC and FSB of Russia. Siberian Federal University. FSB inspection of SKZI

However, this is where many of the nuances lie: accounting for and storage of encryption tools, admission of personnel to work with SKZI, and the rules for their use must all be carried out in strict accordance with the requirements of the legislation.

Violation of the information protection rules may, under Article 13.12 of the Code of Administrative Offences of the Russian Federation, entail a number of sanctions: fines for officials and organizations, as well as confiscation of the tools themselves. A consequence may be the inability to submit electronic reporting or the blocking of the institution's work in a data exchange system.

Regular control over the use of encryption tools employed to ensure the security of personal data (hereinafter PDN) is carried out on the basis of the requirements of the following regulatory acts:

  • Federal Law of 27.07.2006 No. 152-FZ "On Personal Data";
  • Order of the FSB of Russia of July 10, 2014 No. 378;
  • Instruction of FAPSI of 13.06.2001 No. 152;
  • and a number of other regulatory documents.

The FSB inspection plan is published on the official website of the Prosecutor General's Office of the Russian Federation. There, any organization can look up by its INN or OGRN whether an inspection is scheduled for the current year, along with its duration and period.

To prepare for an FSB inspection, a number of organizational measures must be carried out, and the documents relating to work with SKZI must be developed and approved.

Answering the following questions will help systematize preparation for the inspection and focus on the necessary measures:

  1. Are cryptographic information protection tools in use? Are there documents on their acquisition, and is their accounting maintained? What documents regulate the transfer of SKZI for disposal and use?
  2. Which department at the enterprise is responsible for working with SKZI, namely: drawing up conclusions on the possibility of operating SKZI; developing measures to ensure the functioning and security of the SKZI in use in accordance with the conditions of the certificates issued for them; per-copy accounting of SKZI and of the operational and technical documentation for them; accounting of the holders of confidential information being served; monitoring compliance with the conditions of use of SKZI; investigating and drawing conclusions on violations of the conditions of use of SKZI; and developing the scheme for organizing cryptographic protection of confidential information?
  3. What documents formalize the creation of the unit designated above, and what documents designate the persons responsible for carrying out actions within this unit?
  4. Are the rules for accounting and storage of SKZI defined?
  5. Are the forms of the accounting logs approved? How are they maintained?
  6. Is the circle of responsible persons defined, together with their liability in case of violation of the rules of work with SKZI?
  7. How are SKZI stored and how is access to them provided?

All documents must be approved by the head of the organization or an authorized person. A secrecy stamp is not required, but the documents should be intended only for employees of the organization and inspectors.

Experience in supporting customers during FSB inspections has allowed us to identify the most typical areas to which the inspecting body pays attention.

1. Organization of the system of organizational measures for the protection of personal data

What is verified:

  • The scope of SKZI use in personal data information systems;
  • Availability of departmental documents and orders on the organization of cryptographic protection.

What documents should be provided:

  • Departmental documents and orders on the organization of cryptographic information protection.

Advice: refer to the documents that establish the mandatory use of SKZI for processing and transmitting information. For the protection of PDN in state systems, these are FSTEC orders No. 17 and No. 21.

2. Organization of a system of cryptographic information protection measures

3. Permits and operational documentation

What is verified:

  • The presence of the necessary licenses for the use of SKZI in personal data information systems;
  • Availability of certificates of conformity for the SKZI in use;
  • Availability of operational documentation for the SKZI (form sheets, rules of work, operator manual, etc.);
  • The procedure for accounting of SKZI and of the operational and technical documentation for them.

What documents should be provided:

  • Licenses and certificates for the SKZI in use;
  • Operational documentation for the SKZI.

Advice. What documents are meant:

1) licenses for the software;

2) distributions for these licenses, obtained by legal means.

4. Requirements for service personnel

What is verified:

  • The procedure for accounting of persons admitted to work with SKZI;
  • Availability of functional duties for responsible users of SKZI;
  • Staffing levels and their adequacy for solving the tasks of organizing cryptographic information protection;
  • Organization of training for persons using SKZI.

What documents should be provided:

  • Approved lists;
  • Documents confirming the functional duties of employees;
  • Log of accounting of users of cryptographic tools;
  • Documents confirming that employees have completed training.

Advice. The following documents are needed:

1) instructions for working with SKZI;

2) internal orders appointing those responsible for work with SKZI.

5. Operation of SKZI

What is verified:

  • Correctness of commissioning;
  • Assessment of the technical state of the SKZI;
  • Compliance with the schedule and completeness of maintenance;
  • Compliance with the rules for use of SKZI and the procedure for handling their key documents.

What documents should be provided:

  • Acts of putting SKZI into operation;
  • Per-copy accounting log of SKZI;
  • Accounting and issuance of media with key information.

Advice. The following documents must be developed:

1) SKZI installation acts;

2) an order approving the forms of the accounting logs.

6. Organizational measures

What is verified:

  • Fulfillment of the requirements for the placement, special equipment, protection and organization of the regime in the premises where SKZI are installed or key documents are stored;
  • Compliance of the storage regime for SKZI and key documentation with the requirements;
  • Assessment of the degree to which the operator is provided with cryptographic keys and the organization of their delivery;
  • Availability of instructions for restoring communication in the event of compromise of the current SKZI keys.

What documents should be provided:

  • Operational documentation for the SKZI;
  • Premises allocated for installing SKZI and storing their key documents;
  • Instructions for the case of compromise of current SKZI keys.

Advice:

1) Fulfillment of the requirements of FAPSI Instruction No. 152. Depending on the specific conditions, this may require installing security equipment, installing curtains on the windows, buying a safe, etc.

2) Instructions for working with SKZI.

All the listed requirements arise from the regulations for conducting FSB inspections. Specific activities are carried out in accordance with the FAPSI Order of June 13, 2001 No. 152.

Fulfilling at least part of the requirements will significantly raise the likelihood of passing all regulatory procedures without a fine. On the whole, there is no redundancy in the requirements; all the actions are genuinely important and serve to protect the interests of the organization.

Nikita Brarka, Head of the Licensing Group of SCB Contour, Project "Contour-Security"

Comments ...

Alexey, good afternoon!
The reply from the 8th Center says nothing about the need to use precisely certified SKZI. But there are the "Methodological Recommendations ..." of the leadership of the 8th Center of the FSB of Russia of 31.03.2015 No. 149/7/2/6-432, which contain the following paragraph in the second part:

To ensure the security of personal data during their processing, SKZI that have passed the conformity assessment procedure in the prescribed manner must be used. The list of SKZI certified by the FSB of Russia is published on the official website of the Center for Licensing, Certification and Protection of State Secrets of the FSB of Russia (www.clsz.fsb.ru). It is recommended to obtain additional information on specific information protection tools directly from the developers or manufacturers of these tools and, if necessary, from the specialized organizations that conducted thematic studies of these tools;

Is this not a requirement to use certified SKZI?

There is the Order of the FSB of Russia of July 10, 2014 No. 378, subparagraph "d" of clause 5 of which states: "the use of information protection tools that have passed the procedure for assessing conformity with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such tools is necessary to neutralize current threats."

This "when the use of such tools is necessary to neutralize current threats" is a little confusing. But all this necessity must be described in the violator model.

But in this case, again, section 3 of the "Methodological Recommendations ..." of 2015 states that "when using communication links (lines) over which interception of the protected information transmitted on them is impossible and (or) on which unauthorized influence on this information is impossible, the general description of the information systems must indicate:
- a description of the methods and means of protecting these channels from unauthorized access to them;
- conclusions based on the results of studies of the security of these channels (lines) of communication from unauthorized access to the protected information transmitted over them, by an organization with the right to conduct such studies, with reference to the document containing these conclusions."

I understand all this: yes, there is no need to use SKZI always and everywhere to ensure the security of PD processing. But for this you need to build a violator model where all of this is described and proven. You wrote about two cases when they must be used. But as for ensuring the security of PD processing over open communication channels, or when the processing of these PD goes beyond the boundaries of the controlled zone, using non-certified SKZI is not so simple. And it may turn out to be easier to use certified SKZI and comply with all the requirements for their operation and storage than to use non-certified tools and fight with the regulator, which, seeing such a situation, will try to poke its nose in.

Unknown comments ...

It is clear when the use of such tools is necessary to neutralize current threats: the requirement of FSTEC of Russia Order No. 17 of February 11, 2013 (requirements for state and municipal information systems),

clause 11: To ensure the protection of information contained in the information system, information protection tools are used that have undergone conformity assessment in the form of mandatory certification for compliance with information security requirements in accordance with Article 5 of the Federal Law of December 27, 2002 No. 184-FZ "On Technical Regulation."

Alexey Lukatsky comments ...

Proximo: the FSB's recommendations are illegitimate. Order No. 378 is legitimate, but it should be considered in the context of all legislation, which says that the specifics of conformity assessment are established by the Government or the President. Neither one nor the other has issued such NPA

Alexey Lukatsky comments ...

Anton: For state bodies the certification requirement was established by law; Order No. 17 simply repeats it. And we are talking about PDN.

Unknown comments ...

Alexey Lukatsky: "the FSB's recommendations are illegitimate". How illegitimate? I am talking about the document of 19.05.2015 No. 149/7/2/6-432 (http://www.fsb.ru/fsb/science/single.htm!id%3D10437608 % 40fsbrersearchart.html), and not about the document of 21.02.2008 No. 149/54-144.

Another specialist also previously sent a request to the FSB on a similar topic, and he was answered that the "Methodology ..." and "Recommendations ..." of the FSB from 2008 should not be used, if you are talking about those documents. But again, officially these documents have not been cancelled. And whether these documents are legitimate or not, I suppose, will be decided by the FSB on the spot during the inspection.

The law says PD must be protected. Subordinate acts from the Government, the FSB and FSTEC determine exactly how to protect them. The FSB's NPA say: "Use certified ones. If you do not want a certified one, prove that you may use yours. And kindly obtain a conclusion on this from a company that has a license for the right to issue such conclusions." Something like that...

Alexey Lukatsky comments ...

1. Any recommendation is a recommendation, not a mandatory requirement.
2. The 2015 methodology does not relate to PD operators; it relates to state bodies that write threat models for subordinate institutions (including clause 1).
3. The FSB has no right to inspect commercial operators of PDN, and for state bodies the question of using non-certified SKZI does not even arise: they are obliged to apply certified solutions regardless of the presence of PD; these are the requirements of FZ-149.
4. Subordinate acts say how to protect, and that is normal. But they cannot define the form of conformity assessment of protection tools; only an NPA of the Government or the President can do that. The FSB is not authorized to do it.

Unknown comments ...

In accordance with Decree No. 1119:

4. The choice of information protection tools for the personal data protection system is carried out by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control under Part 4 of Article 19 of the Federal Law "On Personal Data".
13.d. The use of information protection tools that have passed the procedure for assessing conformity with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such tools is necessary to neutralize current threats.

How does one justify the irrelevance of the threat when transmitting PDN over a telecom operator's channels?

That is, if not SKZI, then apparently:
- terminal access and thin clients, but then the SZI of the terminal access must be certified;
- protection of channels by the telecom operator, with responsibility on the telecom operator (provider).

Alexey Lukatsky comments ...

Irrelevance is determined by the operator, and no one else is needed for this.

Information security requirements in the design of information systems specify the features characterizing the information protection tools to be applied. These features are defined in various acts of regulators in the field of information security, in particular FSTEC and the FSB of Russia. Which protection classes, kinds and types exist, and where to learn more about them, is covered in this article.

Introduction

Today, information security issues receive close attention, since technology implemented everywhere without ensuring information security becomes a source of new serious problems.

The FSB of Russia reports on the severity of the situation: the damage caused by intruders over several years around the world amounted to between $300 billion and $1 trillion. According to information provided by the Prosecutor General's Office of the Russian Federation, in the first half of 2017 alone the number of high-tech crimes in Russia increased sixfold, and the total damage exceeded $18 million. Growth in targeted attacks on the industrial sector in 2017 was noted worldwide. In Russia in particular, the number of attacks increased by 22% relative to 2016.

Information technologies have begun to be used as weapons for military-political and terrorist purposes, for interference in the internal affairs of sovereign states, and for committing other crimes. The Russian Federation advocates the creation of a system of international information security.

On the territory of the Russian Federation, information owners and information system operators are required to block attempts at unauthorized access to information and to monitor the security status of the IT infrastructure on a permanent basis. Information protection is ensured by the adoption of various measures, including technical ones.

Information protection tools, or SZI, ensure the protection of information in information systems, which are in essence a set of information contained in databases, the information technologies that ensure its processing, and technical means.

Modern information systems are characterized by the use of various hardware and software platforms, territorial distribution of components, and interaction with open data transmission networks.

How can information be protected in such conditions? The relevant requirements are imposed by authorized bodies, in particular FSTEC and the FSB of Russia. In this article we will try to reflect the main approaches to SZI classification, taking into account the requirements of these regulators. Other ways of describing SZI classification, reflected in the regulatory documents of Russian agencies as well as of foreign organizations and agencies, are beyond the scope of this article and are not considered.

The article may be useful to novice information security specialists as a source of structured information on the methods of classifying SZI based on the requirements of FSTEC of Russia (in more detail) and, briefly, of the FSB of Russia.

The body that determines the procedure for, and coordinates, actions to ensure information security (IB) by non-cryptographic methods is FSTEC of Russia (formerly the State Technical Commission under the President of the Russian Federation, Gostekhkomissiya).

If the reader has had occasion to look at the state register of certified information protection tools maintained by FSTEC of Russia, they will certainly have noticed, in the descriptive part of the purpose of the SZI, phrases such as "class under the RD SVT", "level of control of absence of NDV (undeclared capabilities)", etc. (Figure 1).

Figure 1. Fragment of the register of certified SZI

Classification of cryptographic information protection tools

The FSB of Russia has defined the following classes of cryptographic SZI: KS1, KS2, KS3, KV and KA.

The main feature of class KS1 SZI is their ability to withstand attacks conducted from outside the controlled zone. It is assumed that the creation of attack methods, their preparation and their conduct are carried out without the participation of specialists in the development and analysis of cryptographic SZI, and that information about the system in which the SZI is used may be obtained from open sources.

If a cryptographic SZI can withstand attacks that are blocked by class KS1 tools, as well as attacks conducted from within the controlled zone, then such an SZI corresponds to class KS2. It is assumed, for example, that when preparing an attack, information on the physical measures protecting the information system, on the provision of the controlled zone, etc., may be available.

The ability to withstand attacks in the presence of physical access to the computing equipment on which the cryptographic SZI is installed indicates compliance with class KS3.

If a cryptographic SZI withstands attacks in whose creation specialists in the development and analysis of such tools participated, including research centers, and where laboratory study of the tools was possible, then this indicates compliance with class KV.

If specialists in the use of system software were involved in developing the attack methods, the corresponding design documentation was available, and there was access to any hardware components of the cryptographic SZI, protection against such attacks can be provided by class KA tools.

Classification of electronic signature tools

Electronic signature tools, depending on their ability to withstand attacks, are customarily assigned to the following classes: KS1, KS2, KS3, KV1, KV2 and KA1. This classification is similar to that of the cryptographic SZI considered above.

Conclusions

The article has covered some ways of classifying SZI in Russia, based on the regulatory framework of the information protection regulators. The classification options presented are not exhaustive. Nevertheless, we hope that the summary information provided will help the novice IB specialist get oriented faster.

Registration N 33620.

In accordance with Part 4 of Article 19 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" 1, I order:

to approve the attached Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools, necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels.

Director A. Bortnikov

1 Collection of Legislation of the Russian Federation, 2006, N 31 (Part I), Art. 3451; 2009, N 48, Art. 5716; N 52 (Part I), Art. 6439; 2010, N 27, Art. 3407; N 31, Art. 4173, Art. 4196; N 49, Art. 6409; N 52 (Part I), Art. 6974; 2011, N 23, Art. 3263; N 31, Art. 4701; 2013, N 14, Art. 1651; N 30 (Part I), Art. 4038.

Appendix

Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools, necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels

I. General provisions

1. This document determines the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (hereinafter the information system) using cryptographic information protection tools (hereinafter SKZI), necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels.

2. This document is intended for operators using SKZI to ensure the security of personal data during their processing in information systems.

3. The organizational and technical measures defined in this document are applied by the operator taking into account the requirements of the operational documents for the SKZI used to ensure the security of personal data during their processing in information systems.

4. The SKZI must be operated in accordance with the documentation for the SKZI and the requirements established in this document, as well as in accordance with other regulatory legal acts governing relations in the relevant area.

II. The composition and content of the organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for the 4th level of security

5. In accordance with clause 13 of the Requirements for the protection of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119 1 (hereinafter the Requirements for personal data protection), to ensure the 4th level of security of personal data during their processing in information systems, the following requirements must be fulfilled:

a) the organization of the safety regime of the premises in which the information system is posted that prevents the possibility of uncontrolled penetration or stay in these premises of persons who do not have access to these premises;

b) ensuring the safety of carriers of personal data;

c) approval by the head of the operator of the document determining the list of persons whose access to personal data processed in the information system is necessary to fulfill their service (labor) duties;

d) use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such funds is necessary for neutralizing current threats.

6. To fulfill the requirement specified in subparagraph "a" of paragraph 5 of this document, it is necessary to ensure a regime that prevents uncontrolled penetration into, or presence in, the premises where the SKZI in use, the SF and (or) carriers of key, authenticating and password information of the SKZI are located (hereinafter the premises) by persons who do not have the right of access to the premises, which is achieved by:

a) equipping the premises inlet doors with locks, ensuring constant closure of the doors of rooms on the lock and opening them only for authorized passage, as well as sealing rooms at the end of the working day or equipment of the premises with relevant technical devices that signal the unauthorized opening of the premises;

b) approval of the rules of access to the premises in working and non-working time, as well as in emergency situations;

c) approval of the list of persons with the right to access the premises.

7. To fulfill the requirement specified in subparagraph "b" of paragraph 5 of this document, it is necessary:

a) store removable machine-readable media of personal data in safes (metal cabinets) equipped with internal locks with two or more duplicate keys and with devices for sealing the keyholes, or with combination locks. If a removable machine-readable medium stores personal data only in a form encrypted with SKZI, such media may be stored outside safes (metal cabinets);

b) carry out per-copy accounting of machine-readable media of personal data, which is achieved by maintaining a log of personal data media using registration (factory) numbers.

8. To fulfill the requirement specified in subparagraph "c" of paragraph 5 of this document, it is necessary:

(a) Develop and approve a document that determines the list of persons whose access to personal data processed in the information system is needed to fulfill their service (labor) duties;

b) Support a document that determines the list of persons whose access to personal data processed in the information system is needed to fulfill their service (labor) duties.

9. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary, for each security level of personal data, to apply SKZI of the appropriate class, which makes it possible to ensure the security of personal data against deliberate actions using hardware and (or) software tools aimed at violating the security of the personal data protected by the SKZI or at creating the conditions for this (hereinafter an attack), which is achieved by:

a) obtaining source data for forming a set of assumptions about the capabilities that can be used in creating methods, preparing and carrying out attacks;

b) forming, and approval by the head of the operator of, the set of assumptions about the capabilities that can be used in creating methods, preparing and carrying out attacks, and determining on this basis, taking into account the type of current threats, the required class of SKZI;

c) using, to ensure the required level of personal data security during their processing in the information system, SKZI of class KS1 and higher.

10. SKZI of class KS1 are used to neutralize attacks in whose creation of methods, preparation and conduct the following capabilities are used:

a) creating methods, preparing and conducting attacks without involving specialists in the development and analysis of SKZI;

b) creating methods, preparing and conducting attacks at various stages of the SKZI life cycle 2;

c) conducting an attack while outside the space within which the presence and actions of persons and (or) vehicles are monitored (hereinafter the controlled zone) 3;

d) conducting, at the stages of development (modernization), production, storage and transportation of the SKZI and at the stage of putting the SKZI into operation (commissioning), the following attacks:

making unauthorized changes to the SKZI and (or) to the hardware and software components together with which the SKZI functions normally and which together constitute the operating environment of the SKZI (hereinafter the SF), capable of affecting the fulfillment of the requirements imposed on the SKZI, including through the use of malicious programs;

making unauthorized changes to the documentation for the SKZI and the SF components;

e) conducting attacks at the stage of SKZI operation on:

personal data;

key, authenticating and password information of the SKZI;

software components of the SKZI;

hardware components of the SKZI;

software components of the SF, including BIOS software;

hardware components of the SF;

data transmitted over communication channels;

other objects that are established when forming the set of assumptions about the capabilities that can be used in creating methods, preparing and carrying out attacks, taking into account the information technologies, hardware (hereinafter AS) and software (hereinafter PO) used in the information system;

f) obtaining from freely accessible sources (including information and telecommunication networks access to which is not restricted to a certain circle of persons, including the information and telecommunications network "Internet") information about the information system in which the SKZI are used. The following information may be obtained:

general information about the information system in which the SKZI are used (purpose, composition, operator, facilities in which the resources of the information system are located);

information about the information technologies, databases, AS and PO used in the information system together with the SKZI, with the exception of information contained only in the design documentation for the information technologies, databases, AS and PO used in the information system together with the SKZI;

general information about the protected information used during the operation of the SKZI;

information about the communication channels over which personal data protected by the SKZI are transmitted (hereinafter the communication channel);

all possible data transmitted in the clear over communication channels not protected from unauthorized access to information by organizational and technical measures;

information about all violations of the operating rules of the SKZI and SF that manifest themselves in communication channels not protected from unauthorized access to information by organizational and technical measures;

information about all faults and malfunctions of the hardware components of the SKZI and SF that manifest themselves in communication channels not protected from unauthorized access to information by organizational and technical measures;

information obtained as a result of analyzing any signals from the hardware components of the SKZI and SF;

g) use of:

AS and PO that are freely available or used outside the controlled zone, including the hardware and software components of the SKZI and SF;

specially developed AS and PO;

h) use, at the stage of operation, as a medium for transferring from the subject to the object (from the object to the subject) the attacking actions carried out in the preparation and (or) conduct of an attack, of:

communication channels not protected from unauthorized access to information by organizational and technical measures;

channels of propagation of signals accompanying the functioning of the SKZI and SF;

i) conducting, at the stage of operation, an attack from information and telecommunication networks access to which is not restricted to a certain circle of persons, if the information systems in which the SKZI are used have access to these networks;

j) use, at the stage of operation, of AS and PO of the information system located outside the controlled zone and used at the places of operation of the SKZI (hereinafter regular tools).

11. SKZI of class KS2 are used to neutralize attacks whose methods are created, prepared and conducted using the capabilities listed in paragraph 10 of this document and at least one of the following additional capabilities:

a) conducting an attack while located within the controlled zone;

b) conducting attacks at the operation stage of the SKZI against the following objects:

documentation for the SKZI and the components of the SF;

premises containing a set of software and technical elements of data-processing systems capable of functioning independently or as part of other systems (hereinafter referred to as SVT), on which the SKZI and SF are implemented;

c) obtaining, within the scope of granted authority and also as a result of observation, the following information:

information on physical measures for protecting the facilities in which the resources of the information system are located;

information on measures for ensuring the controlled zone of the facilities in which the resources of the information system are located;

information on measures for restricting access to the premises in which the SVT on which the SKZI and SF are implemented are located;

d) use of standard tools, limited by the measures implemented in the information system in which the SKZI are used and aimed at preventing and suppressing unauthorized actions.

12. SKZI of class KS3 are used to neutralize attacks whose methods are created, prepared and conducted using the capabilities listed in paragraphs 10 and 11 of this document and at least one of the following additional capabilities:

a) physical access to the SVT on which the SKZI and SF are implemented;

b) the ability to possess hardware components of the SKZI and SF, limited by the measures implemented in the information system in which the SKZI are used and aimed at preventing and suppressing unauthorized actions.

13. SKZI of class KV are used to neutralize attacks whose methods are created, prepared and conducted using the capabilities listed in paragraphs 10 to 12 of this document and at least one of the following additional capabilities:

a) creation of methods, preparation and conduct of attacks with the involvement of specialists in the analysis of the signals accompanying the functioning of the SKZI and SF, and in the use of undocumented (undeclared) capabilities of application software for carrying out attacks;

b) conducting laboratory studies of the SKZI used outside the controlled zone, limited by the measures implemented in the information system in which the SKZI are used and aimed at preventing and suppressing unauthorized actions;

c) carrying out work on the creation of methods and means of attack in research centers specializing in the development and analysis of SKZI and SF, including using the source code of the application software that directly calls the program functions of the SKZI.

14. SKZI of class KA are used to neutralize attacks whose methods are created, prepared and conducted using the capabilities listed in paragraphs 10 to 13 of this document and at least one of the following additional capabilities:

a) creation of methods, preparation and conduct of attacks with the involvement of specialists in the use of undocumented (undeclared) capabilities of system software for carrying out attacks;

b) the ability to possess the information contained in the design documentation for the hardware and software components of the SF;

c) the ability to possess all hardware components of the SKZI and SF.

15. When forming the set of assumptions about the capabilities that can be used in creating methods, preparing and conducting attacks, additional capabilities not included in paragraphs 10 to 14 of this document do not affect the procedure for determining the required class of SKZI.

III. Composition and content of the organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for security level 3

16. In accordance with paragraph 14 of the Requirements for the protection of personal data, to ensure security level 3 of personal data when processed in information systems, in addition to fulfilling the requirements provided for by paragraph 5 of this document, it is necessary to fulfill the requirement to appoint an official (employee) responsible for ensuring the security of personal data in the information system.

17. To fulfill the requirement specified in paragraph 16 of this document, it is necessary to appoint an official (employee) of the operator with sufficient skills to be responsible for ensuring the security of personal data in the information system.

18. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measure provided for by subparagraph "c" of paragraph 9 of this document, use the following to ensure the required level of security of personal data when processed in the information system:

IV. Composition and content of the organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for security level 2

19. In accordance with paragraph 15 of the Requirements for the protection of personal data, to ensure security level 2 of personal data when processed in information systems, in addition to fulfilling the requirements provided for by paragraphs 5 and 16 of this document, it is necessary to ensure that access to the contents of the electronic message log is possible exclusively for officials (employees) of the operator or an authorized person who need the information contained in that log to perform their official (labor) duties.

20. To fulfill the requirement specified in paragraph 19 of this document, it is necessary to ensure:

a) approval by the operator of the list of persons admitted to the contents of the electronic message log, and maintenance of this list in an up-to-date state;

b) provision of the information system with automated tools that register in the electronic message log the requests of users of the information system to receive personal data, as well as the facts of providing personal data in response to these requests;

c) provision of the information system with automated tools that prevent access to the contents of the electronic message log by persons not specified in the operator-approved list of persons admitted to the contents of the electronic message log;

d) periodic monitoring of the operability of the automated tools specified in subparagraphs "b" and "c" of this paragraph (at least once every six months).

21. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measures provided for by subparagraph "c" of paragraph 9 and paragraph 18 of this document, it is necessary to use the following to ensure the required level of security of personal data when processed in the information system:

SKZI of class KV and higher in cases where type 2 threats are relevant for the information system;

SKZI of class KS1 and higher in cases where type 3 threats are relevant for the information system.

V. Composition and content of the organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for security level 1

22. In accordance with paragraph 16 of the Requirements for the protection of personal data, to ensure security level 1 of personal data when processed in information systems, in addition to fulfilling the requirements provided for by paragraphs 5, 16 and 19 of this document, it is necessary to fulfill the following requirements:

a) automatic registration in the electronic security log of changes in the authority of an operator employee to access personal data contained in the information system;

b) creation of a separate structural unit responsible for ensuring the security of personal data in the information system, or assignment of its functions to one of the existing structural units.

23. To fulfill the requirement specified in subparagraph "a" of paragraph 22 of this document, it is necessary to ensure:

a) provision of the information system with automated tools that automatically register in the electronic security log changes in the authority of an operator employee to access personal data contained in the information system;

b) reflection in the electronic security log of the authority of the operator's employees to access personal data contained in the information system. This authority must correspond to the official duties of the operator's employees;

c) appointment by the operator of a person responsible for periodic monitoring of the maintenance of the electronic security log and of the correspondence of the authority reflected in it to the official duties of the operator's employees (at least once a month).

24. To fulfill the requirement specified in subparagraph "b" of paragraph 22 of this document, it is necessary to:

a) analyze the feasibility of creating a separate structural unit responsible for ensuring the security of personal data in the information system;

b) create a separate structural unit responsible for ensuring the security of personal data in the information system, or assign its functions to one of the existing structural units.

25. To fulfill the requirement specified in subparagraph "a" of paragraph 5 of this document, to ensure security level 1 it is necessary to:

a) equip the windows of premises located on the first and (or) last floors of buildings, as well as the windows of premises located near fire escapes and other places from which unauthorized persons could enter the premises, with metal grilles or shutters, security alarms or other means that prevent uncontrolled entry of unauthorized persons into the premises;

b) equip the windows and doors of rooms in which the servers of the information system are located with metal grilles, security alarms or other means that prevent uncontrolled entry of unauthorized persons into the room.

26. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measures provided for by subparagraph "c" of paragraph 9 and paragraphs 18 and 21 of this document, use the following to ensure the required level of security of personal data when processed in the information system:

SKZI of class KA in cases where type 1 threats are relevant for the information system;

SKZI of class KV and higher in cases where type 2 threats are relevant for the information system.

1 Collection of Legislation of the Russian Federation, 2012, No. 45, Art. 6257.

2 The stages of the SKZI life cycle include the development (modernization) of these tools, their production, storage, transportation, commissioning and operation.

3 The boundaries of the controlled zone may be the perimeter of the protected territory of the enterprise (institution), the enclosing structures of a protected building, a protected part of a building, or a dedicated room.

As practice shows, few organizations remember and are guided by the Order of FAPSI (whose legal successor is the FSB of Russia) of June 13, 2001 No. 152 "On approval of the Instruction on organizing and ensuring the security of storage, processing and transmission over communication channels, using cryptographic information protection means, of limited-access information that does not contain information constituting a state secret".

But the Instruction is mandatory whenever certified SKZI are used to ensure the security of limited-access information (information subject to protection in accordance with the legislation of the Russian Federation). And that covers personal data, all types of secrets, GIS, the NPS and, in the future, KII.

From 2008 to 2012 this was reflected in the "Standard requirements for the organization and operation of encryption (cryptographic) means intended to protect information that does not contain information constituting a state secret, when they are used to ensure the security of personal data processed in personal data information systems", approved by the management of the 8th Center of the FSB of Russia on February 21, 2008, No. 149/6/6-622. But after the release of Decree of the Government of the Russian Federation No. 1119 this document lost its relevance, and the FSB of Russia announced that the Instruction is to be followed.

In the course of state control, a large number of violations are found precisely in the implementation of the provisions of this Instruction.

Many questions arise about applying the Instruction, because it was written at a time when certified SKZI were used in rare organizations and in single units. Now that certified cryptography is becoming widespread, executing the Instruction to the letter causes difficulties.

I want to draw attention right away to the fact that the Instruction, together with 99-FZ, gives an unambiguous answer about the need to obtain an FSB of Russia license or to conclude a contract with a licensee:

Article 12 of 99-FZ: "1. In accordance with this Federal Law, the following types of activities are subject to licensing:

1) ... performance of works ... in the field of information encryption, technical maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means (except for the case where the maintenance of encryption (cryptographic) means, information systems and telecommunication systems protected using encryption (cryptographic) means is carried out to meet the own needs of a legal entity or individual entrepreneur); ..."

Decree of the Government of the Russian Federation No. 313, Annex to the Regulation: "List of works performed and services provided that are subject to licensing in relation to encryption (cryptographic) means

12. Mounting, installation, adjustment of encryption (cryptographic) means, with the exception of encryption (cryptographic) means for protecting fiscal data developed for use as part of cash register equipment certified by the Federal Security Service of the Russian Federation.

13. Mounting, installation, commissioning of information systems protected using encryption (cryptographic) means.

14. Mounting, installation, commissioning of telecommunication systems protected using encryption (cryptographic) means.

15. Mounting, installation, adjustment of means for producing key documents.

20. Works on the maintenance of encryption (cryptographic) means provided for by the technical and operational documentation for these means (except for the case where the specified works are carried out to meet the own needs of a legal entity or individual entrepreneur).

28. Production and distribution of key documents and (or) initial key information for the development of key documents using hardware, software and hardware-software means, systems and complexes for the production and distribution of key documents for encryption (cryptographic) means."

But the Instruction contains even more stringent requirements.

FAPSI Instruction No. 152: "4. The security of storage, processing and transmission over communication channels using SKZI of confidential information whose holders do not have FAPSI licenses is organized and ensured by FAPSI licensees ... on the basis of contracts for the provision of services for the cryptographic protection of confidential information.

6. For the development and implementation of measures to organize and ensure the security of storage, processing and transmission using SKZI, a FAPSI licensee creates one or more cryptographic protection bodies ..."

The main conclusion is as follows: an organization without an FSB license cannot independently organize work on the proper operation of SKZI. Such an organization must contact a licensee and conclude a service contract with it. The FSB licensee allocates within its structure a cryptographic protection body, which organizes the security work at the customer organization and controls its execution (and sometimes performs it).

PS: I also had many questions about the application of individual items of the Instruction; I asked the regulator about the most interesting ones, and in the next article I will share the most interesting information ...

It would also be interesting to hear, colleagues, what difficulties you had, or on the contrary what positive experience you had, in applying the Instruction.