
How to prepare for a scheduled FSB check on personal data? The use of certified cryptographic information protection tools (CIPF): the FSB's point of view.

The use of cryptographic information protection tools (CIPF) is a very controversial and slippery topic. Nevertheless, a personal data (PD) operator has the right to apply CIPF to counter actual threats. But it is not always clear how to exercise this right. Now the FSB has made life easier: a document of methodological recommendations has been released that applies both to state information systems and to all other PD operators. Let's take a closer look at this document.

So it has happened: the 8th Center of the FSB has published methodological recommendations on the development of regulatory legal acts that define threats to the security of PD. At the same time, the same document is recommended for use by ISPD operators when developing private threat models.


So what does the FSB think about how and where to apply CIPF?


It is important to note that this document was published only on the FSB website, has no registration with the Ministry of Justice and bears no signature; that is, its legal significance and binding force remain those of recommendations. It's important to remember this.


Let's look inside. The preamble defines the recommendations as intended “for federal executive authorities ... other state bodies ... that ... adopt regulatory legal acts that define threats to the security of personal data that are relevant when processing personal data in personal data information systems (hereinafter referred to as ISPD) operated in the course of the relevant types of activities”. That is, explicit reference is made to state information systems.



However, at the same time, these same norms “should also be followed when developing private threat models by operators of personal data information systems who have decided to use cryptographic information protection tools (hereinafter referred to as CIPF) to ensure the security of personal data”. That is, in this case the document becomes universal for all users.



When is it necessary to use CIPF?


The use of CIPF to ensure the security of personal data is necessary in the following cases:

  1. if personal data is subject to cryptographic protection in accordance with the legislation of the Russian Federation;
  2. if there are threats in the information system that can only be neutralized with the help of CIPF.

Such threats include, in particular:

  1. transfer of personal data over communication channels that are not protected from interception by an intruder of the information transmitted through them, or from unauthorized influence on this information (for example, when transferring personal data over public information and telecommunication networks);
  2. storage of personal data on media, unauthorized access to which by an intruder cannot be excluded by non-cryptographic methods and means.

And this is where the problem starts. While the second point is quite logical, the first one is not so obvious. The fact is that, under the current version of the law "On Personal Data", a surname, first name and patronymic are already personal data. Accordingly, any correspondence or registration on a website (given how much data is currently requested during registration) formally falls under this definition.



But, as they say, there are no rules without exceptions. There are two tables at the end of the document. Here is just one row from Appendix No. 1.



Relevant threat:

1.1. carrying out an attack while within the controlled zone.

Reasons for its irrelevance (the list is slightly shortened):

  1. employees who are users of the ISPD but are not users of the CIPF are informed about the rules of work in the ISPD and about their responsibility for non-compliance with the rules for ensuring information security;
  2. CIPF users are informed about the rules of work in the ISPD, the rules for working with the CIPF and their responsibility for non-compliance with the rules for ensuring information security;
  3. the premises in which the CIPF is located are equipped with entrance doors with locks, ensuring that the doors of the premises are kept permanently locked and opened only for authorized passage;
  4. the rules for access to the premises where the CIPF is located, during working and non-working hours as well as in emergency situations, have been approved;
  5. the list of persons entitled to access the premises where the CIPF is located has been approved;
  6. differentiation and control of user access to protected resources;
  7. registration and accounting of user actions with PD;
  8. on workstations and servers on which the CIPF is installed, certified tools for protecting information from unauthorized access are used;
  9. certified anti-virus protection tools are used.

That is, if users are informed about the rules and their responsibility, and the protective measures are applied, then it turns out there is nothing to worry about.



The document also says:

  • to ensure the security of personal data during their processing in the ISPD, CIPF that have passed the conformity assessment procedure in the prescribed manner should be used.

True, a little lower it says that the list of certified CIPF can be found on the website of the TsLSZ FSB. That conformity assessment is not the same thing as certification has been said repeatedly.


And further:

  • in the absence of CIPF that have passed the conformity assessment procedure in the established manner ... at the stage of the preliminary design or draft (sketch-technical) design, the information system developer, with the participation of the operator (authorized person) and the proposed CIPF developer, prepares a justification for the expediency of developing a new type of CIPF and determines the requirements for its functional properties.

This is genuinely good news. Certification is a very long process, up to six months or more. Customers often use the latest operating systems, which the certified version does not support. According to this document, customers can use products that are still in the process of certification.



The document states that:

When using communication channels (lines) from which it is impossible to intercept the protected information transmitted through them and (or) in which it is impossible to carry out unauthorized actions on this information, the general description of the information system must indicate:

  1. a description of the methods and means of protecting these channels from unauthorized access to them;
  2. conclusions based on the results of studies of the security of these communication channels (lines) against unauthorized access to the protected information transmitted through them, performed by an organization entitled to conduct such studies, with a reference to the document containing these conclusions.


Among other items, the general description of the information system must also contain:

  • the security characteristics (confidentiality, integrity, availability, authenticity) that must be ensured for the personal data being processed;
  • the communication channels (lines) used in each subsystem or in the information system as a whole, including cable systems, and the measures to restrict unauthorized access to the protected information transmitted via these channels (lines), indicating the channels (lines) in which unauthorized access to the protected information transmitted through them is impossible and the measures implemented to ensure this property;
  • the media of protected information used in each subsystem of the information system or in the information system as a whole (with the exception of communication channels (lines)).

    Alexey, good afternoon!
    In the response of the 8th Center, nothing is said about the need to use certified CIPF. But there are the "Methodological recommendations ..." approved by the leadership of the 8th Center of the FSB of Russia, dated March 31, 2015, No. 149/7/2/6-432, in which the second part contains the following paragraph:

    To ensure the security of personal data during their processing in the ISPD, CIPF should be used that have passed the conformity assessment procedure in the prescribed manner. The list of CIPF certified by the FSB of Russia is published on the official website of the Center for Licensing, Certification and Protection of State Secrets of the FSB of Russia (www.clsz.fsb.ru). It is recommended to obtain additional information about specific information security tools directly from the developers or manufacturers of these tools and, if necessary, from the specialized organizations that have conducted studies of these tools;

    Why is this not a requirement to use certified CIPF?

    There is Order of the FSB of Russia No. 378 of July 10, 2014, in which subparagraph "d" of paragraph 5 states: "the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats."

    What is a little confusing is this "when the use of such tools is necessary to neutralize current threats." But all this necessity should be described in the intruder model.

    But in this case, again, Section 3 of the 2015 "Methodological recommendations ..." states that "When using communication channels (lines) from which it is impossible to intercept the protected information transmitted over them and (or) in which it is impossible to carry out unauthorized actions on this information, the general description of the information system must indicate:
    - a description of the methods and means of protecting these channels from unauthorized access to them;
    - conclusions based on the results of studies of the security of these communication channels (lines) against unauthorized access to the protected information transmitted through them, performed by an organization entitled to conduct such studies, with a reference to the document containing these conclusions.

    What I am getting at is this: yes, there is no need to use CIPF always and everywhere to ensure the security of personal data processing. But for this it is necessary to build an intruder model in which all this is described and proven. You wrote about two cases when they must be used. But the idea that, to secure the processing of PD over open communication channels, or when the processing of this PD goes beyond the controlled zone, you can use uncertified CIPF is not so simple. And it may turn out to be easier to use certified CIPF and comply with all the requirements for their operation and storage than to use uncertified tools and butt heads with the regulator, who, seeing such a situation, will try very hard to poke his nose in.

    unknown comments...

    A case when the use of such tools is necessary to neutralize current threats: the requirement of Order of the FSTEC of Russia No. 17 of February 11, 2013 (requirements for state and municipal ISPDs),

    clause 11. To ensure the protection of information contained in the information system, information security tools are used that have passed conformity assessment in the form of mandatory certification for compliance with information security requirements in accordance with Article 5 of Federal Law No. 184-FZ of December 27, 2002 "On Technical Regulation".

    Alexey Lukatsky comments...

    Proximo: the FSB recommendations are illegitimate. Order 378 is legitimate, but it must be considered in the context of all the legislation, which says that the specifics of conformity assessment are established by the Government or the President. Neither one nor the other has issued such an NPA t

    Alexey Lukatsky comments...

    Anton: for state bodies, the certification requirement is established by law; Order 17 simply repeats it. And here we are talking about PD

    unknown comments...

    Alexey Lukatsky: "No. The FSB recommendations are illegitimate." How are they illegitimate? I am talking about the document dated 05/19/2015 No. %40fsbResearchart.html), not about the document dated February 21, 2008 No. 149/54-144.

    Another specialist also previously sent a request to the FSB on a similar topic, and he was told that the FSB "Methodology ..." and "Recommendations ..." of 2008 should not be used, if those are the documents you are talking about. But again, these documents have not been officially cancelled. And whether these documents are legitimate or not will, I believe, be decided by the FSB inspectors on site during the inspection.

    The law says that PD must be protected. Bylaws from the Government, the FSB and the FSTEC determine exactly how they must be protected. The NPA from the FSB says: "Use certified ones. If you do not want certified ones, prove that you can do without them. And please attach a conclusion to this from a company that has a license to issue such conclusions." Something like that...

    Alexey Lukatsky comments...

    1. Any recommendation is a recommendation, not a mandatory requirement.
    2. The 2015 manual has nothing to do with PD operators; it applies to state bodies that write threat models for subordinate institutions (subject to point 1).
    3. The FSB does not have the right to conduct checks on commercial PD operators, and for state bodies the question of using uncertified CIPF does not arise: they are required to use certified solutions regardless of the presence of PD; these are the requirements of FZ-149.
    4. Bylaws say how to protect, and that's fine. But they cannot determine the form of assessment of protection tools; only an NPA of the Government or the President can do that. The FSB is not authorized to do this.

    unknown comments...

    According to Regulation 1119:

    4. The choice of information security tools for the personal data protection system is carried out by the operator in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control pursuant to Part 4 of Article 19 of the Federal Law "On Personal Data".
    13.d. The use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats.

    How does one justify the irrelevance of the threat when transmitting PD through the channels of a telecom operator?

    I.e., if not CIPF, then apparently:
    - terminal access and thin clients, but then the information security tools of the terminal access system must be certified;
    - protection of the channels by the telecom operator, with responsibility resting on the telecom operator (provider).

    Alexey Lukatsky comments...

    Irrelevance is determined by the operator, and he does not need anyone else for this.

    Registration N 33620

    In accordance with Part 4 of Article 19 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" 1, I order:

    to approve the attached Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools, necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for each of the security levels.

    Director A. Bortnikov

    1 Collection of Legislation of the Russian Federation, 2006, N 31 (part I), art. 3451; 2009, N 48, art. 5716; N 52 (part I), art. 6439; 2010, N 27, Art. 3407; N 31, art. 4173, Art. 4196; No. 49, art. 6409; N 52 (part I), art. 6974; 2011, N 23, art. 3263; N 31, art. 4701; 2013, N 14, art. 1651; N 30 (part I), art. 4038.

    Appendix

    The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for each of the security levels

    I. General provisions

    1. This document defines the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (hereinafter referred to as the information system) using cryptographic information protection tools (hereinafter referred to as CIPF), necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for each of the security levels.

    2. This document is intended for operators using CIPF to ensure the security of personal data during their processing in information systems.

    3. The application of the organizational and technical measures defined in this document is ensured by the operator, taking into account the requirements of the operational documentation for the CIPF used to ensure the security of personal data during their processing in information systems.

    4. The operation of the CIPF should be carried out in accordance with the documentation for the CIPF and the requirements established in this document, as well as in accordance with other regulatory legal acts regulating relations in the relevant field.

    II. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for security level 4

    5. In accordance with clause 13 of the Requirements for the protection of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119 1 (hereinafter referred to as the Requirements for the protection of personal data), to ensure the 4th level of security of personal data during their processing in information systems, the following requirements must be met:

    a) organization of a regime for ensuring the security of the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises of persons who do not have the right to access these premises;

    b) ensuring the safety of personal data carriers;

    c) approval by the head of the operator of a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

    d) use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats.

    6. To fulfill the requirement specified in subparagraph "a" of paragraph 5 of this document, it is necessary to provide a regime that prevents the possibility of uncontrolled entry into, or stay in, the premises where the CIPF in use is located and where the CIPF and (or) the carriers of key, authenticating and password information of the CIPF are stored (hereinafter referred to as the Premises) by persons who do not have the right to access the Premises, which is achieved by:

    a) equipping the Premises with entrance doors with locks, ensuring that the doors of the Premises are permanently locked and opened only for authorized passage, as well as sealing the Premises at the end of the working day or equipping the Premises with appropriate technical devices, signaling the unauthorized opening of the Premises;

    b) approval of the rules for access to the Premises during working and non-working hours, as well as in emergency situations;

    c) approval of the list of persons entitled to access to the Premises.

    7. To fulfill the requirement specified in subparagraph "b" of paragraph 5 of this document, it is necessary:

    a) store removable personal data media in safes (metal cabinets) equipped with internal locks with two or more duplicate keys and devices for sealing the keyholes, or with combination locks. If personal data is stored on a removable machine-readable medium only in a form encrypted using CIPF, such media may be stored outside safes (metal cabinets);

    b) carry out instance-by-instance accounting of machine media of personal data, which is achieved by maintaining a register of personal data media using registration (serial) numbers.

    8. To fulfill the requirement specified in subparagraph "c" of paragraph 5 of this document, it is necessary:

    a) develop and approve a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

    b) keep up to date the document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties.

    9. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary, for each of the levels of personal data protection, to use CIPF of the appropriate class, which make it possible to ensure the security of personal data when targeted actions are carried out using hardware and (or) software for the purpose of violating the security of personal data protected by the CIPF or creating conditions for this (hereinafter referred to as an attack), which is achieved by:

    a) obtaining initial data to form a set of assumptions about the capabilities that can be used in creating methods for, preparing and conducting attacks;

    b) forming, and having approved by the head of the operator, a set of assumptions about the capabilities that can be used in creating methods for, preparing and conducting attacks, and determining on this basis, taking into account the type of current threats, the required class of CIPF;

    c) using CIPF of class KS1 or higher to ensure the required level of security of personal data during their processing in the information system.

    10. CIPF of class KS1 are used to neutralize attacks in the creation of methods for, preparation and conduct of which the following capabilities are used:

    a) creating methods for, preparing and carrying out attacks without involving specialists in the development and analysis of CIPF;

    b) creation of methods, preparation and implementation of attacks at various stages of the life cycle of cryptographic information protection 2 ;

    c) carrying out an attack while outside the space within which control over the stay and actions of persons and (or) vehicles is carried out (hereinafter referred to as the controlled zone) 3 ;

    d) carrying out the following attacks at the stages of development (modernization), production, storage, transportation of CIPF and the stage of commissioning of CIPF (commissioning works):

    introduction of unauthorized changes to the CIPF and (or) to the hardware and software components together with which the CIPF functions normally and which together constitute the environment for the functioning of the CIPF (hereinafter referred to as the SF), which can affect the fulfillment of the requirements for the CIPF, including with the use of malicious programs;

    introduction of unauthorized changes to the documentation for CIPF and components of the SF;

    e) carrying out attacks at the stage of CIPF operation on:

    personal data;

    key, authenticating and password information of CIPF;

    software components CIPF;

    hardware components of CIPF;

    SF software components, including BIOS software;

    SF hardware components;

    data transmitted over communication channels;

    other objects that are established during the formation of the set of assumptions about the capabilities that can be used to create methods for, prepare and conduct attacks, taking into account the information technologies, hardware (hereinafter referred to as AS) and software (hereinafter referred to as software) used in the information system;

    f) obtaining from freely available sources (including information and telecommunication networks, access to which is not limited to a certain circle of persons, including the Internet information and telecommunication network) information about the information system that uses CIPF. In this case, the following information can be obtained:

    general information about the information system in which the CIPF is used (purpose, composition, operator, objects in which the resources of the information system are located);

    information about the information technologies, databases, AS and software used in the information system in conjunction with the CIPF, with the exception of information contained only in the design documentation for the information technologies, databases, AS and software used in the information system in conjunction with the CIPF;

    general information about the protected information used during the operation of the CIPF;

    information about communication channels through which personal data protected by CIPF are transmitted (hereinafter referred to as the communication channel);

    all possible data transmitted in the open through communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information about all violations of the rules for the operation of the CIPF and SF that manifest themselves in communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information about all malfunctions and failures of the hardware components of the CIPF and SF that manifest themselves in communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information obtained as a result of the analysis of any signals from the hardware components of the CIPF and SF;

    g) application:

    AS and software that are freely available or used outside the controlled zone, including hardware and software components of the CIPF and SF;

    specially designed AS and software;

    h) use, at the stage of operation, as a medium for carrying the actions performed during the preparation and (or) conduct of the attack from the subject to the object (from the object to the subject) of the attack:

    communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    distribution channels of signals accompanying the functioning of the CIPF and SF;

    i) carrying out an attack at the operational stage from information and telecommunication networks, access to which is not limited to a certain circle of persons, if information systems that use CIPF have access to these networks;

    j) use, at the stage of operation, of AS and software located outside the controlled zone from among the information system tools used at the places of operation of the CIPF (hereinafter referred to as standard tools).

    11. CIPF of class KS2 are used to neutralize attacks in the creation of methods for, preparation and conduct of which the capabilities listed in paragraph 10 of this document and at least one of the following additional capabilities are used:

    a) carrying out an attack while within the controlled zone;

    b) carrying out attacks at the stage of CIPF operation on the following objects:

    documentation for the CIPF and SF components;

    the Premises containing computing equipment, that is, a combination of software and technical elements of data processing systems capable of functioning independently or as part of other systems (hereinafter referred to as SVT), on which the CIPF and SF are implemented;

    c) obtaining, within the framework of the powers granted, as well as as a result of observations, the following information:

    information about the physical protection measures of the objects in which the resources of the information system are located;

    information on measures to ensure a controlled area of ​​objects in which information system resources are located;

    information on measures to restrict access to the Premises in which the SVT on which the CIPF and SF are implemented is located;

    d) use of standard tools, limited by measures implemented in the information system that uses the CIPF and aimed at preventing and suppressing unauthorized actions.

    12. CIPF of class KS3 are used to neutralize attacks in the creation of methods for, preparation and conduct of which the capabilities listed in paragraphs 10 and 11 of this document and at least one of the following additional capabilities are used:

    a) physical access to the SVT on which the CIPF and SF are implemented;

    b) the possibility of having at one's disposal hardware components of the CIPF and SF, limited by measures implemented in the information system that uses the CIPF and aimed at preventing and suppressing unauthorized actions.

    13. CIPF of class KB are used to neutralize attacks in the creation of methods for, preparation and conduct of which the capabilities listed in paragraphs 10 - 12 of this document and at least one of the following additional capabilities are used:

    a) creating methods for, preparing and carrying out attacks with the involvement of specialists in the analysis of signals accompanying the operation of the CIPF and SF, and in the use of undocumented (undeclared) capabilities of application software to implement attacks;

    b) carrying out laboratory studies of CIPF used outside the controlled zone, limited by measures implemented in the information system in which the CIPF is used and aimed at preventing and suppressing unauthorized actions;

    c) carrying out work on the creation of methods and means of attack in research centers specializing in the development and analysis of CIPF and SF, including using the source code of the application software included in the SF that directly makes calls to the CIPF software functions.

    14. CIPF of class KA are used to neutralize attacks in the creation of methods for, preparation and conduct of which the capabilities listed in paragraphs 10 - 13 of this document and at least one of the following additional capabilities are used:

    a) creating methods for, preparing and carrying out attacks with the involvement of specialists in the use of undocumented (undeclared) capabilities of system software to implement attacks;

    b) the possibility of having at one's disposal the information contained in the design documentation for the hardware and software components of the SF;

    c) the possibility of having at one's disposal all the hardware components of the CIPF and SF.

    15. When forming the set of assumptions about the capabilities that can be used in creating methods for, preparing and conducting attacks, additional capabilities not included in those listed in paragraphs 10 - 14 of this document do not affect the procedure for determining the required class of CIPF.

    III. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation to the protection of personal data for security level 3

    16. In accordance with paragraph 14 of the Requirements for the protection of personal data, in order to ensure the 3rd level of protection of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraph 5 of this document, it is necessary to fulfill the requirement to appoint an official (employee) responsible for ensuring the security of personal data in the information system.

    17. To fulfill the requirement specified in paragraph 16 of this document, it is necessary to appoint an official (employee) of the operator with sufficient skills as the person responsible for ensuring the security of personal data in the information system.

    18. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measure provided for by subparagraph "c" of paragraph 9 of this document, it is necessary to use to ensure the required level of protection of personal data during their processing in the information system:

    IV. Composition and content of the organizational and technical measures necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for security level 2

    19. In accordance with paragraph 15 of the Requirements for the protection of personal data, in order to ensure the 2nd level of protection of personal data during their processing in information systems, in addition to fulfilling the requirements provided for in paragraphs 5 and 16 of this document, it is necessary to fulfill the requirement that access to the content of the electronic message log is possible only for officials (employees) of the operator or an authorized person who need the information contained in that log to perform their official (labor) duties.

    20. To fulfill the requirement specified in paragraph 19 of this document, it is necessary:

    a) approval by the head of the operator of the list of persons permitted access to the content of the electronic message log, and keeping that list up to date;

    b) providing the information system with automated means that register in the electronic message log the requests of users of the information system for personal data, as well as the facts of providing personal data in response to those requests;

    c) providing the information system with automated means that prevent access to the content of the electronic message log by persons not included in the list, approved by the head of the operator, of persons permitted access to it;

    d) ensuring periodic monitoring of the performance of the automated means specified in subparagraphs "b" and "c" of this paragraph (at least once every six months).

    21. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measures provided for in subparagraph "c" of paragraph 9 and paragraph 18 of this document, it is necessary to use to ensure the required level of protection of personal data during their processing in the information system:

    CIPF class KB and higher in cases where type 2 threats are relevant for the information system;

    CIPF class KS1 and higher in cases where type 3 threats are relevant for the information system.

    V. Composition and content of the organizational and technical measures necessary to fulfill the requirements for the protection of personal data established by the Government of the Russian Federation for security level 1

    22. In accordance with paragraph 16 of the Requirements for the protection of personal data, in order to ensure the 1st level of protection of personal data during their processing in information systems, in addition to meeting the requirements provided for in paragraphs 5, 16 and 19 of this document, the following requirements must be met:

    a) automatic registration in the electronic security log of a change in the authority of the operator's employee to access personal data contained in the information system;

    b) the creation of a separate structural unit responsible for ensuring the security of personal data in the information system, or the assignment of its functions to one of the existing structural units.

    23. To fulfill the requirement specified in subparagraph "a" of paragraph 22 of this document, it is necessary:

    a) providing the information system with automated means that allow automatic registration in the electronic security log of changes in the authority of the operator's employee to access personal data contained in the information system;

    b) reflection in the electronic security log of the authority of the employees of the personal data operator to access personal data contained in the information system. The specified powers must correspond to the official duties of the operator's employees;

    c) appointment by the operator of a person responsible for periodically monitoring the maintenance of an electronic security log and the compliance of the authorities of the operator's employees reflected in it with their official duties (at least once a month).

    24. To fulfill the requirement specified in subparagraph "b" of paragraph 22 of this document, it is necessary:

    a) analyze the feasibility of creating a separate structural unit responsible for ensuring the security of personal data in the information system;

    b) create a separate structural unit responsible for ensuring the security of personal data in the information system, or assign its functions to one of the existing structural units.

    25. To fulfill the requirement specified in subparagraph "a" of paragraph 5 of this document, to ensure the 1st level of security, it is necessary:

    a) equip the windows of the Premises located on the first and (or) last floors of the buildings, as well as the windows of the Premises located near fire escapes and other places from where it is possible for unauthorized persons to enter the Premises, with metal bars or shutters, burglar alarms or other means that prevent uncontrolled entry of unauthorized persons into the premises;

    b) equip the windows and doors of the Premises where the information system servers are located with metal bars, burglar alarms or other means that prevent uncontrolled entry of unauthorized persons into the premises.

    26. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, instead of the measures provided for in subparagraph "c" of paragraph 9 and paragraphs 18 and 21 of this document, it is necessary to use, to ensure the required level of protection of personal data during their processing in the information system:

    CIPF of the KA class in cases where type 1 threats are relevant for the information system;

    CIPF of class KB and higher in cases where type 2 threats are relevant for the information system.

    1 Collection of Legislation of the Russian Federation, 2012, N 45, 6257.

    2 The stages of the CIPF life cycle include the development (modernization) of these tools, their production, storage, transportation, putting into operation (commissioning), and operation.

    3 The boundary of the controlled zone may be the perimeter of the protected territory of the enterprise (institution), the enclosing structures of the protected building, the protected part of the building, the allocated premises.

    The main tasks of protecting information during its storage, processing and transmission over communication channels and on various media, solved with the help of CIPF, are:

    1. Ensuring the secrecy (confidentiality) of information.

    2. Ensuring the integrity of information.

    3. Authentication of information (documents).

    To solve these problems, the following processes must be implemented:

    1. Implementation of the actual information security functions, including: encryption/decryption; generation/verification of EDS; generation/verification of imitation inserts (message authentication codes).

    2. Monitoring the state and managing the operation of the KZI means (in the system):

    status control: detection and registration of failures of the KZI means, attempts at unauthorized access, and cases of key compromise;

    operation management: taking measures in the event of the listed deviations from the normal functioning of the KZI means.

    3. Maintenance of the KZI facilities: key management; procedures for connecting new network subscribers and/or removing retired subscribers; elimination of identified shortcomings of the CIPF; commissioning of new versions of CIPF software; modernization and replacement of CIPF hardware with more advanced hardware, and/or replacement of means whose service life has been exhausted.

    Key management is one of the most important functions of cryptographic information protection and consists in the implementation of the following main functions:

    key generation: defines a mechanism for generating keys or key pairs with a guarantee of their cryptographic qualities;

    key distribution: defines the mechanism by which keys are reliably and securely delivered to subscribers;

    key retention: defines the mechanism by which keys are securely and reliably stored for future use;

    key recovery: defines the mechanism for recovering one of the keys (replacement with a new key);

    key destruction: defines the mechanism by which obsolete keys are securely destroyed;

    key archive: a mechanism by which keys can be securely stored for later notarized recovery in dispute situations.

    In general, in order to implement the listed functions of cryptographic information protection, it is necessary to create a cryptographic information protection system that combines the actual KZI means, service personnel, premises, office equipment, various documentation (technical, regulatory), etc.

    As already noted, in order to obtain guarantees of information protection, it is necessary to use certified KZI means.

    At present, the most widespread task is the protection of confidential information. To solve it, under the auspices of FAPSI, a functionally complete set of tools for the cryptographic protection of confidential information has been developed, which allows the listed information protection tasks to be solved for a wide variety of applications and conditions of use.

    This complex is based on the cryptographic cores "Verba" (asymmetric key system) and "Verba-O" (symmetric key system). These cryptographic cores provide data encryption procedures in accordance with the requirements of GOST 28147-89 "Information processing systems. Cryptographic protection" and digital signature in accordance with the requirements of GOST R 34.10-94 "Information technology. Cryptographic protection of information. Procedures for the development and verification of an electronic digital signature based on an asymmetric cryptographic algorithm".

    The tools included in the CIPF complex allow electronic documents and information flows to be protected using certified encryption and electronic signature mechanisms in practically all modern information technologies, including: the use of CIPF in offline mode; secure information exchange in off-line mode; secure information exchange in on-line mode; protected heterogeneous, i.e. mixed, information exchange.

    To solve systemic issues of the use of cryptographic information protection tools, the Vityaz complex cryptographic information protection technology was developed under the leadership of D. A. Starovoitov. It provides cryptographic data protection in all parts of the system at once: not only in communication channels and system nodes, but also directly at user workplaces while a document is being created, when the document itself is protected. In addition, within the framework of the common Vityaz technology, a simplified technology, easily accessible to users, is provided for embedding licensed cryptographic information protection tools into various applied systems, which makes the range of use of these CIPF very wide.

    Below is a description of the means and methods of protection for each of the listed modes.

    Use of CIPF offline.

    When working autonomously with CIPF, the following types of cryptographic information protection can be implemented: creation of a protected document; file protection; creation of a protected file system; creation of a protected logical drive. At the request of the user, the following types of cryptographic protection of documents (files) can be implemented:

    encryption of a document (file), which makes its content inaccessible both when the document (file) is stored and when it is transmitted via communication channels or by courier;

    generation of an imitation insert (MAC), which provides control over the integrity of the document (file);

    generation of an EDS, which provides control over the integrity of the document (file) and authentication of the person who signed the document (file).

    As a result, the protected document (file) turns into an encrypted file containing, if necessary, an EDS. The digital signature, depending on the organization of the information processing process, can also be represented by a file separate from the signed document. Further, this file can be output to a floppy disk or other medium, for delivery by courier, or sent via any available e-mail, for example over the Internet.

    Accordingly, upon receipt of an encrypted file by e-mail or on some medium, the cryptographic protection actions are performed in reverse order (decryption, verification of the imitation insert, verification of the digital signature).

    For offline operation, the following certified CIPF can be used:

    text editor "Lexicon-Verba", implemented on the basis of CIPF "Verba-O" and CIPF "Verba";

    software complex CIPF "Autonomous workplace", implemented on the basis of CIPF "Verba" and "Verba-O" for Windows 95/98/NT;

    cryptographic disk driver PTS "DiskGuard".

    Protected word processor "Lexicon-Verba".

    The Lexicon-Verba system is a full-featured text editor with support for document encryption and electronic digital signature. To protect documents, it uses the Verba and Verba-O cryptographic systems. What is unique about this product is that the encryption and text-signing functions are simply included among the functions of a modern text editor. Encryption and signing of a document thus turn from special processes into ordinary actions when working with a document.

    At the same time, the Lexicon-Verba system looks like a regular text editor. Text formatting options include full customization of the document's fonts and paragraphs; tables and lists; headers and footers, footnotes, sidebars; the use of styles and many other functions of a text editor that meets modern requirements. "Lexicon-Verba" allows you to create and edit documents in the Lexicon, RTF, MS Word 6/95/97 and MS Write formats.

    Autonomous workplace.

    The CIPF "Autonomous Workplace" is implemented on the basis of the CIPF "Verba" and "Verba-O" for Windows 95/98/NT and allows the user to perform the following functions in interactive mode:

    encryption/decryption of files with keys; encryption/decryption of files with a password; affixing/removal/verification of electronic digital signatures (EDS) on files; checking encrypted files; EDS affixing + encryption of files (in one action); decryption + removal of EDS from files (in one action); calculation of a file hash.

    It is advisable to use the CIPF "Autonomous Workplace" for the daily work of employees who need to ensure:

    transfer of confidential information in electronic form by hand or by courier;

    sending confidential information over a public network, including the Internet;

    protection against unauthorized access to confidential information on employees' personal computers.

    As practice shows, few organizations remember and are guided by the order of FAPSI (whose successor is the FSB of Russia) dated June 13, 2001 N 152 "On approval of the Instruction on organizing and ensuring the security of storage, processing and transmission over communication channels, using cryptographic information protection tools, of restricted-access information that does not contain information constituting a state secret".

    But the Instruction is mandatory when certified CIPF are used to ensure the security of restricted-access information (information subject to protection in accordance with the legislation of the Russian Federation). And that covers PD, all kinds of secrets, GIS, the NPS, and future CII.

    From 2008 to 2012 there was a concession for PD in the form of the "Standard requirements for the organization and operation of encryption (cryptographic) means designed to protect information that does not contain information constituting a state secret, if they are used to ensure the security of personal data during their processing in personal data information systems", approved by the leadership of the 8th Center of the FSB of Russia on February 21, 2008, No. 149/6/6-622. But after the release of RF Government Decree No. 1119 this document lost its relevance, and the FSB of Russia said that the Instruction must be followed.

    State control over compliance with the provisions of this Instruction reveals a large number of violations.

    There are many questions regarding the application of the Instruction, because it was written at a time when certified cryptographic information protection tools were used in a few organizations in single copies. Now, when certified cryptography is becoming ubiquitous, it is difficult to follow the Instruction verbatim.

    I want to draw attention straight away to the fact that the Instruction, in conjunction with 99-FZ, leads unambiguously to the need to obtain a license from the FSB of Russia or to conclude an agreement with a licensee:

    Article 12 of 99-FZ: "1. In accordance with this Federal Law, the following types of activities are subject to licensing:

    1) ... performance of work ... in the field of information encryption, maintenance of encryption (cryptographic) means and of information systems and telecommunication systems protected using encryption (cryptographic) means (except where the maintenance of encryption (cryptographic) means and of information systems and telecommunication systems protected using encryption (cryptographic) means is carried out for the own needs of a legal entity or individual entrepreneur);"

    Decree of the Government of the Russian Federation No. 313. Annex to the regulation: “LIST OF WORK TO BE PERFORMED AND SERVICES TO BE PROVIDED CONSTITUTING THE LICENSED ACTIVITY IN REGARD TO ENCRYPTION (CRYPTOGRAPHIC) MEANS

    12. Mounting, installation, adjustment of encryption (cryptographic) means, with the exception of encryption (cryptographic) means for protecting fiscal data that are designed for use as part of cash register equipment certified by the Federal Security Service of the Russian Federation.

    13. Mounting, installation, adjustment of information systems protected using encryption (cryptographic) means.

    14. Mounting, installation, adjustment of telecommunication systems protected using encryption (cryptographic) means.

    15. Mounting, installation, adjustment of means for producing key documents.

    20. Maintenance of encryption (cryptographic) means as provided for by the technical and operational documentation for these means (except where the specified work is carried out for the own needs of a legal entity or individual entrepreneur).

    28. Production and distribution of key documents and (or) initial key information for the development of key documents using hardware, software and firmware, systems and complexes for the production and distribution of key documents for encryption (cryptographic) means.”

    But the Instruction contains more stringent requirements.

    FAPSI Instruction No. 152: "4. The security of storage, processing and transmission over communication channels, using CIPF, of confidential information whose owners do not hold FAPSI licenses is organized and ensured by FAPSI licensees ... on the basis of contracts for the provision of cryptographic protection services for confidential information.

    6. To develop and implement measures to organize and ensure the security of storage, processing and transmission of confidential information using CIPF, the FAPSI licensee creates one or more cryptographic protection authorities ..."

    The key takeaway is as follows: an organization without an FSB license cannot independently organize the work needed for the correct operation of CIPF. To do this, the organization must contact a licensee and conclude a service agreement with it. The FSB licensee has within its structure an OKZI (cryptographic information protection authority), which organizes the security work in the customer organization and controls its implementation (and sometimes performs the work itself).

    PS: I also had many questions about the application of individual points of the Instruction; I put the most interesting ones to the regulator, and in the next article I will share the most interesting information ...

    It would also be interesting to hear what difficulties you, colleagues, have had, or, conversely, your positive experience of applying the Instruction.