Orders No. 17 and No. 21 of the FSTEC of Russia have probably already been discussed by every expert in the community: picked apart, with every innovation of our regulator laid out in detail. So when planning a webinar on this topic, we counted on the traditional 150-200 participants.
Reality significantly exceeded our expectations. More than 600 registered participants is an objective indicator that there is still not enough information on this topic, and that our partners and customers need additional clarification of the new provisions.
The presentation itself contained no great revelations: the same systematic sorting of the material into its proper places, plus our position on some of the controversial provisions. But the question and answer session was a real test for me, and it lasted longer than the presentation itself. We received more than 50 questions on the most diverse subjects: from a simple interpretation of particular protection measures to attempts to untangle the intricacies of licensing information protection activities.
For those who could not take part in the webinar, the presentation and recording of the webinar are available on the site.
Here I want to give explanations on the three most frequently raised questions that I did not have time to answer in detail during the webinar.
The information message of the FSTEC of Russia dated May 30, 2012 No. 240/22/2222 “Concerning the need to obtain a license from the FSTEC of Russia for technical protection of confidential information” allows for the possibility of working without a TZKI license if the organization’s activities are not aimed at making a profit from works or services for the technical protection of confidential information.
The details and other conditions under which this possibility applies are listed in the message itself, albeit in very ambiguous wording.
In accordance with this position, the FSTEC of Russia does not require a TZKI license from a personal data operator if its personal data protection activity is ancillary and carried out for its own needs.
Unfortunately, after the launch of the new FSTEC of Russia website in January 2013, this document can no longer be found there, so look for it in the legal information systems (for example, http://www.garant.ru/products/ipo/prime/doc/70104166/).
In accordance with the general rules, a regulation applies to relations that arose after its entry into force and before it ceased to be in force. Therefore, Order No. 21 will apply to newly created protection systems in personal data information systems.
The situation in which a previously created ISPD protection system is being modernized deserves separate comment. In this case, in order to legalize the new version of the protection system, one should follow the norms of the new order. But the depth of modernization is not regulated by anything, so each operator will most likely interpret this situation in its own favor, postponing the transition to the new requirements.
Still, it may be useful to classify an existing ISPD according to the new criteria without waiting for modernization, because in many cases the former class K1 can turn into UZ2, UZ3 or even UZ4.
Of course, every software development company has its own vision of what is meant by “secure programming methods” intended to increase the security of products and reduce the number of vulnerabilities in them.
One of the best-known models in the industry is the Microsoft Security Development Lifecycle, based on several key principles: security in design, security by default, security in deployment, and security in communication. Security Code carries out all of its development in accordance with this model.
Another interesting document on this topic is NIST Special Publication 800-64, Security Considerations in the System Development Life Cycle, which covers not only programming but a much wider area. NIST offers a five-step model for ensuring that security requirements are met in information systems built from existing products as well as products developed to order.
There is no list of products created according to secure programming methods. You can rely on the declarations of developers, although following these methods does not mean the complete absence of errors or vulnerabilities in their products. But such developers are guaranteed to have significantly fewer of them than developers who do not use such methods.
Stepanenko Andrei, director of marketing for Security Code
Source: https://habr.com/ru/post/185196/