How to prepare for the planned audit of the FSB on personal data? Classification of means of protecting information from FSTEC and FSB of Russia FSB and cryptographic protection of information.

The main tasks of the protection of information during its storage, processing and transmission through communication channels and on various carriers, solved by SKZI, are: 1.

Providing secrecy (confidentiality) of information. 2.

Ensuring the integrity of information. 3.

Confirmation of the authenticity of information (documents). To solve these tasks, the following needs

processes: 1.

Implementation of information security features, including:

encryption / decryption; creating / checking EDS; Creating / checking the imitava. 2.

Monitoring the condition and management of the functioning of the KZI (in the system):

condition monitoring: Detection and registration of cases of violation of the performance of KZZ funds, NSD attempts, cases of compromising keys;

function Management: Taking measures in the case of listed deviations from the normal functioning of the KZI funds. 3.

Conducting maintenance of the KZI funds: implementation of key management;

execution of procedures related to the connection of new subscribers of the network and / or the exception of retired subscribers; elimination of the identified deficiencies of SPZI; commissioning new versions of SPJ software;

modernization and replacement of technical equipment SPI to more advanced and / or replacement of funds whose resource has been developed.

Key management is one of the most important functions of cryptographic information protection and is to implement the following basic functions:

key generation: Defines the mechanism for generating keys or pairs of keys with a guarantee of their cryptographic qualities;

distribution of keys: Determines the mechanism by which the keys are secure and safely delivered to subscribers;

saving keys: Determines the mechanism by which the keys are secure and safely saved for further use;

key recovery: Determines the mechanism for recovering one of the keys (replacement for a new key);

destruction of keys: Determines the mechanism for which the reliable destruction of the keys coming out;

key Archive: The mechanism in which the keys can be reliably maintained for their further notarized recovery in conflict situations.

In general, to implement the listed functions of cryptographic information protection, it is necessary to create a system of cryptographic protection of information that combines the actual means of KZI, service personnel, premises, office equipment, various documentation (technical, regulatory and regulatory), etc.

As already noted, the use of certified KZI certified information is needed to obtain information protection.

Currently, the most popular is the issue of protecting confidential information. To solve this issue, under the auspices of FAPSI, a functionally complete complex of cryptographic protection of confidential information was developed, which allows you to solve the listed tasks for protecting information for a wide variety of applications and conditions of application.

This complex is based on the cryptographic kernels "Verba" (the system of asymmetric keys) and the "Verba-O" (system of symmetric keys). These Cryptra Images provide data encryption procedures in accordance with the requirements of GOST 28147-89 "Information processing system.

Protection Cryptographic "and digital signature in accordance with the requirements of GOST P34.10-94" Information technology. Cryptographic information protection. Procedures for developing and verifying an electronic digital signature based on an asymmetric cryptographic algorithm. "

The funds included in the SPJ complex make it possible to protect electronic documents and information flows using certified encryption and electronic signature mechanisms in almost all modern information technologies, including allowing: Using SKZI offline;

protected information exchange in OFF-LINE mode; Protected information exchange in ON-LINE mode; Protected heterogeneous, i.e. Mixed, informational exchange.

To solve systemic use of SCJOs under the leadership of D. A. Starovoitov, the technology of integrated cryptographic protection of information "Vityaz" has been developed, which provides for cryptographic data protection at once in all parts of the system: not only in communication channels and system nodes, but also directly on user workplaces In the process of creating a document, when the document itself is protected. In addition, within the framework of the general technology, "Vityaz" provides a simplified, easily accessible technology to the embedding technology of licensed SPJU to various application systems, which makes a very wide range of use of these SCJ.

Below is a description of the tools and protection methods for each of the listed modes.

Using SCJW offline.

In autonomous work with SKZi, the following types of cryptographic information protection can be implemented: Creating a secure document; File protection;

creating a secure file system; Creating a secure logical disk. At the request of the user, the following types of cryptographic protection of documents (files) can be implemented:

encryption of the document (file), which makes it inaccessible to its content both when storing the document (file) and when it is transmitted via communication channels or a disregard;

development of imitaving, which ensures control of the integrity of the document (file);

formation of EDS, which ensures control of the integrity of the document (file) and the authentication of the person signed by the document (file).

As a result, the protected document (file) turns into an encrypted file containing, if necessary, the EDS. EDS, depending on the organization of the information processing process, can be presented and separate from the file subscribed. Next, this file can be displayed on a floppy disk or other carrier, for delivery to the disregard, or shipped for any available email, for example, on the Internet.

Accordingly, upon receipt of an encrypted file by e-mail either on one or another carrier, the actions for cryptographic protection are made in reverse order (decryption, checking the imitava, checking the EDS).

The following certified funds can be used to perform autonomous work with SKZU:

text editor "Lexicon Verba", implemented on the basis of SPI "Verba-O" and Skzi "Verba";

software Complex Skusi "Autonomous Workplace", implemented on the basis of SPI "Verba" and "Verba-O" for Windows 95/98 / NT;

cryptographic disk driver PTS "DiskGuard".

Protected text processor "Lexicon Veda".

The "Lexicon Veda" system is a full-featured text editor with support for document encryption and electronic digital signature. To protect the documents, it uses the Cryptographic Systems "Verba" and "Verba-O". The uniqueness of this product is that the encryption functions and text signatures are simply included in the functions of the modern text editor. Encryption and signature of the document in this case are simply transformed into standard actions when working with the document.

At the same time, the lexicon-willb system looks like an ordinary text editor. Text formatting features include full configuration of the fonts and paragraphs of the document; Tables and lists; footers, footnotes, sings; Using styles and many other functions of a text editor that meets modern requirements. Lexicon Verba allows you to create and edit documents in Lexicon formats, RTF, MS WORD 6/95/97, MS Write.

Autonomous workplace.

Ski "Autonomous Workplace" is implemented on the basis of SKZi "Verba" and "Verba-O" for Windows 95/98 / NT and allows the user in the dialog to perform the following functions:

encryption / decryption of files on the keys; Encryption / decryption files on a password; Sparation / removal / verification of electron-digital signatures (EDS) under the files;

checking encrypted files;

eDP \u200b\u200bstirring + encryption (for one action) files; decryption + removal of EDS (for one action) under the files;

calculation of the hash file.

Skusi "Autonomous Workplace" It is advisable to apply for the daily work of employees who need to provide:

transmission of confidential information in electronic form by a disregard or courier;

sending confidential information on public network, including the Internet;

protection from unauthorized access to confidential information on personal computer computers.

Valery Konavsky
Scientific leader of VNIIPWTI,
Scientific consultant OKB CAD

Any operation with a random number will give a random number. A random sequence, folded with the open text, will give a random cryptotext. The better the quality of the gamma, the less chances to decipher the cryptotext. If the gamma is really random, then it is impossible to decipher the cryptotext.

Cipher Vernama

Cryptographic information protection (SCJ) can be divided into encryption tools and electronic signature (PEP).

Transmit the gamma in the form of huge coils punched was not very comfortable and quite expensive. Therefore, sometimes there have been problems with its reuse and, therefore, with leaks of important information.

In order not to transmit a punched coil into expensive channels, invented ways to generate a long gamma from a random, but short key. At that time, pass a short random key was easier than long.

Certified SPZi.

With the advent of modern media, the situation has changed straight, and now there is no problem to make and transfer gamma gigabytes - just to DSCs were good. The software generators of the pseudo-random sequence (PSPs) can be used here only from despair that there is no good physical generator.

Cryptographic standards define the sequences of operations that make it possible to obtain reliably encrypted outdoor text based on a good key. At the same time, the keys should be made on good sensors.

The regulator establishes the rules, testing laboratories check whether the requirements for operations, keys and lack of influence on these processes of other processes are being performed - this is how certified SCJi appear.

Encryption and electronic signature

Gamma must have the following properties:

• be really random, that is, to form at the expense of physical, analog, not digital processes;
• coincide in size with specified open text or exceed it;
• apply for each message only once, and then destroyed.

Such a cipher is called the Vernama cipher - and this is the only cipher that has absolute cryptographic resistance. It is not necessary to prove his persistence now, as it did K. Shannon back in 1945. The large length of the gamma, the formation of it on the basis of physical processes and guaranteed destruction - here are the conditions of the cipher resistance conditions.

Encryption is necessary in order for access to information only those who can. EP is used in order to fix the will of a person. And if the SPJ should be correctly in the proven environment to perform cryptographic transformations, then it is not enough for an electronic signature. Need to take all measures that provide fixation free willing of man. This is directed to this FZ-63, which is why one of its most important requirements is the requirement of the correctness of the visualization of the document that the person signs. Thus, in contrast to SKZi for qualified SEP, visualization tools are added. Of course, all necessary checks of cryptographic algorithms are performed.

Analyzing this or that scheme of EP, usually put the question like this: "Is it possible to quickly choose two different (meaningful) messages that will have the same EP". The answer here is usually negative. If a good hash function is used, for which the effective search mechanism of collisions is not found, such an attack is almost always doomed to failure. Mikhail Gruntovich (see p. 48) raised a question differently: "Is it possible, having two messages, pick up the signature keys so that the eP coincides?". And it turned out that it is extremely easy to do it!

Attack Gruntovich

Specific conditions for the implementation of the specified attack will be considered (in a very simplified version) on the example of a signature according to the EL-Gamal scheme. Vera in the resistance of this scheme is based on (hypothetical) complexity of the task of discrete logarithmation, but here the attack is not at all the task of discrete mathematics.

Ski must be hardware. They must contain physical DSH of the right quality and provide an unetegrapability of not only the signature key, but also other cryptographic elements affecting the resistance of algorithms.

We introduce the following notation:

• H - cryptographic hash function;
  Zn - set numbers (0.1, ..., n - 1), n \u200b\u200b- natural number;
  A (MOD P) - the residue from the division of an integer A per natural number P.

For the diagram of the formation of the signature of El Gamal:

• a simple number p is fixed and G is a primitive element MOD P;
• personal signature key is any number X from ZP.

Calculation of signature message M:

• hash code H \u003d H (M) is calculated;
• the random number k is selected, mutually simple with P - 1: 1< k < p - 1;
• r \u003d g k (mod p) is calculated;
• s \u003d k -1 (H - XR) (MOD P - 1) is calculated;
• the signature is a pair C \u003d (R, S).

Now consider what you need to do an attacker to implement the attack. It should generate hash codes:

• h 1 \u003d H (M 1), H 2 \u003d H (M 2)

and coinciding signatures with the same random number K:

• s \u003d k -1 (H 1 - x 1 R) (MOD P - 1) and
  S \u003d k -1 (H 2 - x 2 R) (MOD P - 1).

And this means that:

h 1 - X 1 R (MOD P - 1) \u003d H 2 - X 2 R (MOD P - 1).

Some features to be paid to pay when applying SKZI.
1. If the documentation for SPI is specified in which OS it can be used, then use it in this system and necessary. Otherwise, even if the SPI will work, then you will have to conduct research on the correctness of embedding a known SCJ in a new environment. It is easy (relatively) for hardware SCJ, but quite difficult for software.
2. If there is no proven DSH in the hardware SKZI and there are no proven means of self-testing (and otherwise it cannot be in the SCJ, performed on universal smart card chips), then pay attention to the documents for embedding and operation. Since entropy from somewhere should be added, and testing should be done, it may turn out that this SCJ can be used autonomously not long, for example, two to three days. It is not always convenient.
3. If you are offered any token and say that it is certified by the CC2 class and above, do not believe. Most likely, the documentation has a requirement to use this token in an environment protected by an electronic lock. Without this, the class will not be higher than the COP1.

As can be seen when choosing keys x 1 and x 2, such that the above condition is performed, the signatures coincide, despite the fact that the signed messages are different! Note that for calculating X 2 for known x 1, the required calculations are minimal compared to the subecponential task of discrete logarithmation.

Nevertheless, not everything is so scary. The fact is that the results obtained do not discredit itself cryptustomy EP.. They show a possible vulnerability when improper applicationeP mechanisms.

This example clearly demonstrates vulnerabilities arising from improper implementation of SCJ. The described attack is possible if the user knows its signature key and can find out a random number.

There is a radical way to combat attacks of this kind - for this, just need to have a device in which:

• the sign of the signature is generated;
• the signature check key is calculated;
• public key is exported, including certification in the Certification Center;
• the signature key is used to develop an EP only inside the device, its export is impossible! Recently, such devices have been called devices with an unetected key;
• a random number never appears in the computer environment, it is generated and destroyed after applying inside the device.

This is what it is clear that the variant of the SEP and SCJi, made in the form of equipment, is more reliable. In this case, sufficient DSH quality can be provided and the reliability of the storage of the signature key.

Encryption

Let us return now to the encryption and talk about when and why it should be applied to both individuals and legal.

We highlight the basic encryption types, and this is subscriber and channel. As follows from the names, in the case of subscriber encryption, the subscriber first encrypts the information (file, document), and then in the closed form transmits it to the channel. When channeling with cryptographic methods, the channel itself is protected, and the subscriber does not have to take care of encrypt information before transferring it to the channel. If the channel is a dot point connection, channel encoders are used. If the channel is not a wire, but an active structure of the Internet type, then not all is needed to encrypt, but only data. You can not distort the addresses, otherwise the packages simply will not get to the addressee. The mechanisms of virtual private networks (VPN) are used here. The most famous protocols - IPsec and SSL. Almost all available VPN tools are implementing one of these protocols.

VPN.

In order to consciously choose this or that means, you need to understand how they differ and with what difficulties will have to face during the operation of these funds. That's what at least you need to keep in mind:

• cryptographic channel protection should be used if there is a threat that the data transmitted is so interesting for the violator that it will join the channel and will "listen" all your exchange. Of course, it is necessary to start protecting the channels after the internal network is securely protected, since the insider is usually cheaper than the attack on the channel; 1 Both protocols - these protocols are intended to interact not customers, and networks, so they are configured with difficulty. Thus, network security management tools are essential - and need to be chosen primarily;
• the TCP / IP IPSec protocol stack operates at the IP level, and SSL is at the TCP level. That is, if IPsec provides protection rather at the system level, then SSL is on applied. Since IPSec functions significantly "below", it thereby "encapsulates" in the area of \u200b\u200bprotection a much larger number of protocols than SSL, which, of course, is better;
• when using a VPN, your main task is keys. The keys must be issued in a timely manner, change - in one word, they need to be controlled. Each SKZI has its own system for generating and managing keys. If you already have any key system, continue to use it. Do not start the "zoo" - it is difficult to accompany even one system, and there are almost a few - almost a lacking task;
• if your task is associated with the activities of many information distributed in the space of informatization objects, then use VPN. This applies only to those objects between which intensive information interaction is carried out by protected data, which may be interesting to the violator so that it is ready to "listen" channels. If everything is not so running - try to limit yourself to subscriber ski.

Subscriber Scycles

They are not characterized by algorithms (defined by standards), and utilities that allow these SPIs to apply, and the conditions that must be executed. It is desirable to apply these funds conveniently.

And most importantly - remember the adequacy of the means of protection. There is no need to apply expensive Ski where you can do without them.

And yet: Skusi and PPE, who satisfy all the requirements we have discussed, is. Up to class KV2. I do not call them only so that the article does not become advertising.

Literature

1. Konavsky V.A. Computer crime. T. II. - M., 2008.
2. Yashchenko V.V. Introduction to cryptography. New mathematical disciplines. - M., 2001.

The use of cryptographic means of protection (SPJ) Theme is very ambiguous and slippery. Thus, the operator PDN has such a right in the case of current threats to apply SPI to ensure protection. Only here it is not always clear how to use this right. And the FSB facilitates life, the document was released methodical recommendations Applicable as for state IS and all other PD operators. Consider this document in more detail.

And so, it happened, the 8th center of the FSB laid out Describing recommendations in the development of regulatory and legal acts to protect PDNs. At the same time, it is recommended to use the operators of the CDN in the development of private threat models.

So what does FSB think about how and where to apply SKZi?

It is quite important that this document is published only on the website of the FSB,no registration In the Ministry of Justice I.not carries a drawand - that is, his legal significance and obligation it remains only within the framework of recommendations.. This is important to remember.

Let's look inside, in the preamble of the document it is determined that recommendations "For federal executive bodies ... other state bodies ... which ... adopt regulatory legal acts, which determine the threats to the security of personal data, relevant in the processing of personal data in personal data information systems (hereinafter referred to), operated in the implementation of the relevant activities". Those. It is clearly given to sending state information systems.

However, at the same time the same standards "it is also advisable to be guided in the development private threat modelsoperators of information systems of personal data that made a decision on the use of funds cryptographic information protection (hereinafter - SKZI) to ensure the security of personal data. " Those. The document in this case becomes universal for all users.

When should I use Ski?

Using SCJi to ensure personal data security is necessary in the following cases:

1. if personal data is subject to cryptographic protection in accordance with the legislation of the Russian Federation;
2. if in the information system there are threats that can be neutralized only with the help of SCJ.

1. transferring personal data on communication channels that are not protected from intercepting the violator of information transmitted on them or from unauthorized impacts on this information (for example, when transferring personal data on information and telecommunication networks of common use);
2. storage of personal data on media information, unauthorized access to which from the intruder cannot be excluded using non-typographic methods and methods.

And so what we come to. If the second item is just as logical, then the first is not so obvious. The fact is that according to the current version of the Law "On Personal Data" name, surname and middle name Already are personal data. Accordingly, any correspondence or registration on the site (taking into account how much data is required during registration) fall formally for this definition.

But, as they say, there is no rules without exception. At the end of the document there are two tables. We give only one line Appendices number 1..

Actual threat:

1.1. Attack while finding within the controlled zone.

Justification of the absence (the list is slightly reduced):

1. employees who are by users are impudent, but not by users of SCJi, are informed about the rules of work in PM and responsibility for non-compliance with information security rules;
2. users SKZZi are informed about the rules of work in the Code, the rules for working with SCJ and responsibility for non-compliance with the rules for ensuring the safety of information;
3. the rooms in which Skzi are located are equipped with entrance doors with locks, ensuring the constant closure of the doors of the premises on the castle and their opening only for a sanctioned pass;
4. approved the rules for access to the premises, where SPJs are located, in working and non-working time, as well as in emergency situations;
5. approved a list of persons with the right to access the premises where Skzi are located;
6. there is a distinction and control of user access to protected resources;
7. registration and accounting of user actions with PDN are carried out;

8. at AWP and servers on which SCJi is installed:

   certified means of protecting information from unauthorized access;
9. certified anti-virus protection means are used.

That is, if users are informed about the rules and responsibilities, and the protection measures are applied, it turns out and worry about what.

• to ensure the safety of personal data, when they are processed, the SKI must be used in the prescribed manner, which have passed in the prescribed manner, the compliance assessment procedure.

True, a little later states that the list of certified SPJs can be found on the website of the TSLS FSB. About the fact that the assessment of conformity is not certification, it was said repeatedly.

• in the absence of the procedure for assessing the compliance of the SPJU in the prescribed manner ... at the stage of an external projection or sketch (sketting-technical) project, the developer of the information system with the participation of the operator (authorized person) and the alleged SCJO developer is preparing the rationale for the design of a new type of SCJ type and defines the requirements for its functional properties.

It really makes it happy. The fact is that certification The process is very long - until six months and more. Often customers use the latest OS, not supported by a certified version. In accordance with this document, customers can use products in the process of certification.

The document indicates that:

When using communication channels (lines), which is not possible to intercepted the protected information transmitted over them and (or) in which unauthorized impacts cannot be implemented, with the general description of the information systems, it is necessary to indicate:

1. description of methods and methods for the protection of these channels from unauthorized access to them;
2. conclusions According to the results of the research of the security of these channels (lines) of communication from unauthorized access to the protected information transmitted on them, an organization that has the right to conduct such studies with reference to the document containing these conclusions.

security features (confidentiality, integrity, availability, authenticity) that must be provided for personal data processed;

used in each subsystem or in the information system as a whole channels (lines) of communication, including cable systems, and measures to limit unauthorized access to protected information transmitted over these links (lines), indicating communication channels (lines) in which it is impossible unauthorized access to the protected information transmitted on them, and implemented to ensure this quality measure;

media of protected information used in each subsystem of the information system or in the information system as a whole (with the exception of link channels (lines).

In the safety requirements of information in the design of information systems, features indicate the characterizing the applied tools for information protection. They are identified by various acts of regulators in the field of information security, in particular - FSTEC and FSB of Russia. Which protected classes are, types and types of protection, as well as where to learn more about this, reflected in the article.

Introduction

Today, information security issues are subject to close attention, since universally implemented technology without providing information security becomes a source of new serious problems.

The severity of the situation is reported by the FSB of Russia: the amount of damage caused by intruders over several years around the world amounted to $ 300 billion to $ 1 trillion. According to the information provided by the Prosecterier of the Russian Federation, only for the first half of 2017 in Russia, the number of high-tech crimes increased six times, the total damage exceeded $ 18 million. The growth of target attacks in the industrial sector in 2017 is marked worldwide . In particular, in Russia, the increase in the number of attacks in relation to 2016 amounted to 22%.

Information technologies began to be used as weapons in military-political, terrorist purposes, for interference in the internal affairs of sovereign states, as well as to commit other crimes. The Russian Federation advocates the creation of a system of international information security.

On the territory of the Russian Federation, information owners and information system operators are required to block attempts to unauthorized access to information, as well as monitor the status of the IT infrastructure security status on a permanent basis. At the same time, the protection of information is ensured by the adoption of various measures, including technical.

Information protection tools, or qi ensure the protection of information in information systems, in fact, which are a set of information in the databases of information, information technologies that ensure its processing, and technical means.

For modern information systems, the use of various hardware and software platforms is characterized, the territorial distribution of components, as well as interaction with open data transmission networks.

How to protect information in such conditions? Relevant requirements are imposed by authorized bodies, in particular, FSTEC and FSB of Russia. As part of the article, we will try to reflect the main approaches to the SZI classification, taking into account the requirements of the specified regulators. Other ways to describe the SZI classification, reflected in the regulatory documents of Russian departments, as well as foreign organizations and agencies, go beyond the scope of this article and are not considered.

The article may be useful to novice information security specialists as a source of structured information on the methods of classifying the SZI on the basis of the requirements of FSTEC of Russia (more) and, briefly, the FSB of Russia.

The structure that determines the procedure and coordinating actions to ensure the overaptographic methods of the IB is the FSTEC of Russia (earlier - the State Technical Commission under the President of the Russian Federation, the State General Commission).

If the reader had to see the state register of certified tools for the protection of information, which forms FSTEC of Russia, he certainly paid attention to the presence in the descriptive part of the purpose of SSI such phrases as the "Class of the RD SVT", "The level of lack of NDV", etc. (Figure 1) .

Figure 1. Fragment of the registry certified зи

Classification of cryptographic information protection tools

The FSB of Russia has defined cryptographic SZI classes: KS1, KS2, KS3, kV and ka.

The main features of the SZIN class KS1 include their ability to confront attacks conducted from outside the controlled zone. At the same time, it is understood that the creation of methods of attacks, their preparation and conduct is carried out without the participation of specialists in the field of developing and analyzing cryptographic SZI. It is assumed that information about the system in which the specified qi can be obtained from open sources.

If the cryptographic qi can be withstanding attacks that are blocked by the CS1 class facilities, as well as conducted within the controlled zone, then such a SIZ corresponds to the CO2 class. At the same time, it is allowed, for example, that when preparing an attack could be available information on physical measures for the protection of information systems, providing a controlled zone, etc.

If possible, confront attacks in the presence of physical access to the means of computing technology with the established cryptographic SZI speaks of the compliance of such a CO3 class.

If the cryptographic qi is opposed to attacks, when creating specialists in the field of development and analysis of these funds participated, including research centers, there was the possibility of conducting laboratory research tools, then it is a compliance with the class of sq.

If specialists in the field of use of the system software were attracted to the development of methods of attacks, the corresponding design documentation was available and there was access to any hardware components of cryptographic SZI, the protection against such attacks can provide funds for the Class.

Classification of electronic signature protection

Electronic signature means, depending on the ability to confront attacks, is customary to compare with the following classes: KS1, KS2, KS3, kV1, kV2 and ka1. This classification is similar to the cryptographic SZI considered above.

conclusions

The article covered some ways to classify SZI in Russia, the basis of which constitutes the regulatory framework of information protection regulators. Credited classification options are not exhaustive. Nevertheless, we hope that the submitted summary information will allow the novice specialist in the field of IB to be faster.

Comments ...

Alexey, good afternoon!
In response of the 8th center, nothing is specified about the need to use precisely certified SCJ. But after all, there are "Methodical recommendations ..." of the leadership of the 8th center of the FSB of Russia from 31.03.2015 No. 149/7/2/6-432, in which there is such a paragraph in the second part:

To ensure the safety of personal data, when they are processed, the SKI must be used in the prescribed manner, which have passed in the prescribed manner, the compliance assessment procedure. The list of SCJi, certified FSB of Russia, published on the official website of the Center for Licensing, Certification and the Protection of State Secrets of the FSB of Russia (www.clsz.fsb.ru). Additional information on specific information protection funds is recommended to be obtained directly from developers or manufacturers of these funds and, if necessary, from specialized organizations who conducted thematic studies of these funds;

What is this not the requirement to use certified SCJ?

There is an order of the FSB of Russia of July 10, 2014 No. 378, in which in subparagraph "G" of clause 5 indicated: "The use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such funds is necessary To neutralize current threats. "

A little confusing this "when the use of such funds is necessary to neutralize current threats." But all this need must be described in the violator model.

But in this case, again, in section 3 "Methodical Recommendations ..." from 2015 it is indicated that "when using links (lines) of communication, with which the interception is not allowed to be transmitted on them and (or) in which unauthorized impacts are impossible To this information, with the general description of the information systems, it is necessary to indicate:
- description of methods and methods for the protection of these channels from unauthorized access to them;
- conclusions based on the results of the research of the security of these channels (lines) of communication from unauthorized access to the protected information transmitted on them by the Organization with the right to conduct such research, with reference to the document containing these conclusions. "

I have all this - yes, there is no need to use SKZI always and everywhere when ensuring the safety of PD processing. But for this you need to form a violators model where it is all described and prove. About two cases when you need to use you wrote. But the fact that to ensure the safety of PD processing on open communication channels, or if the processing of these PDs goes beyond the boundaries of the controlled zone, you can use non-certified SCJi - everything is not so simple. And it may happen that it is easier to use certified SKZJi and comply with all the requirements when operating and stored than using unattended means and beats with a regulator, which seeing such a situation, will try to poke the nose.

Unknown comments ...

Clear when the use of such funds is necessary for neutralizing current threats: the requirement of the Order of the FSTEC of Russia No. 17 of February 11, 2013 (requirements for state and munitz. Caiden),

clause 11. To ensure the protection of information contained in the information system, the means of protecting information that have completed conformity assessment in the form of mandatory certification for compliance with the requirements for the safety of information in accordance with Article 5 of the Federal Law of December 27, 2002 No. 184-FZ "On Technical regulation. "

Alexey Lukatsky comments ...

Proximo: Recommendations of the FSB of illegitimate. The 378th order legitimen, but should be considered in the context of all legislation, and it says that the features of the assessment of compliance are established by the government or the president. None, neither other such NPUs issued T

Alexey Lukatsky comments ...

Anton: In the state, the certification requirement was established by law, the 17th order simply repeats them. And we talk about PDN

Unknown comments ...

Alexey Lukatsky: Lessonation of the FSB of illegitimate "How illegitres? I am about the document from 19.05.2015 №149 / 7/2/6-432 (http://www.fsb.ru/fsb/science/single.htm!id%3D10437608 % 40fsbrersearchart.html), but not about the document of 21.02.2008 No. 149/54-144.

Another specialist also had previously requested a request to the FSB on a similar topic, and he was answered that "the Methodology ..." and "Recommendations ..." FSB from 2008 should not be used if you are talking about these documents. But again - officially these documents were not canceled. And these documents are legitimate or not, I suppose will be solved by FSB already in place during the inspection.

The law says it is necessary to protect PD. Regional acts from the government, FSB, FSTEC determine exactly how to protect them. In NPA from the FSB, it is said: "Use the certified. If you do not want a certified one, prove that you can use it. And be kind - make a conclusion on this from the company that has a license for the right to issue such conclusions." Something like this...

Alexey Lukatsky comments ...

1. Any recommendation is a recommendation, and not compulsory requirement.
2. The methodology of 2015 is not related to PD operators - it refers to the states that are writing threat models for subordinate institutions (including claim 1).
3. The FSB does not have the right to check the commercial operators of PDNs, and for the states the question of the use of non-certified SCJ and do not cost - they are obliged to apply certified decisions, regardless of the availability of PDs - these are the requirements of FZ-149.
4. Summer acts say how to protect and this is normal. But the formal assessment of the means of protection cannot determine - this can only be done by the NPU of the government or the president. FSB is not authorized to do it

Unknown comments ...

In accordance with Decree 1119:

4. The choice of information protection tools for the personal data protection system is carried out by the operator in accordance with regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control Page 4 of Article 19 of the Federal Law "On Personal Data".
13.G. The use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such funds is necessary to neutralize current threats.

How to justify not the relevance of the threat when transmission of PDNs through the channel operator channels?

Those. If not SPI, then apparently
- Terminal access and subtle customers, but at the same time the SZI terminal data
access must be certified.
- protection of channels by operator of communication, responsibility on the telecom operator (provider).

Alexey Lukatsky comments ...

Irrelevance determines the operator and no one for it is needed for this