
Information security and certification. If there is no difference - why pay more?

Brief introduction



The infamous Federal Law 152-FZ (On Personal Data) has caused a lot of headaches for us sysadmins. Even on paper, Russian legislation in the field of information security raises many questions, and when it comes to solving particular problems in practice... things become rather sad.

I personally see this article as a small ray of light in the huge dark realm of regulations, guidance documents (RD) and other scary words that are not entirely clear to a plain techie. In my opinion it is worth reading both for technical people, so that they can pass useful information on to management, and for sensible managers who care about saving money and know the real price of all kinds of paperwork.

Sound familiar? Then read on.





Give us certification for each product!



Thanks to merced2001 for a sensible comment on the article.

I note straight away that this article does not cover the subtleties of certifying cryptographic tools and does not apply to state and municipal information systems. The article is introductory and is meant to give the reader food for thought, which may lead to an understanding of the subject. With that said, we can continue with a clear conscience.



From the very beginning, the idea behind certificates was understandable enough: to somehow guarantee compliance with technical conditions or with a regulator's specific requirements, a product had to go through the initiation rite of certification. A knowledgeable reader will immediately want to correct me: "Not certification, conformity assessment!" And they will be right, but more on that later. Indeed, the law says that all means of protecting personal data must pass a conformity assessment procedure. And somehow, almost imperceptibly, we were all convinced that this means nothing other than certification. The idea was that all manufacturers would quickly certify their products, and then happiness, peace and communism would arrive. But, as you know, the devil is in the details, and he did not wait long to crawl out.

For reference: certifying a product costs about 1,500,000 to 2,000,000 of our rubles and takes about a year. All of this is automatically built into the price of the product. Manufacturers, quite logically, treat certification as an investment. The lack of competition played the most negative role in pricing. But high prices are not the worst of it. The real problem is that every update also had to be certified, and doing that in less than two weeks is simply impossible. Just imagine: you have a service with a critical vulnerability, a working exploit is already public, kind people have already added it to Metasploit, and the vendor of the certified product has only just started scratching its head in that direction and will ship a fix in no less than two weeks (and that is the best case). Can you sleep well? I certainly cannot. But the law is the law, and nothing can be done about it. So we sysadmins had to endure an ocean of headaches, which sometimes migrated to another part of the body. And that is before mentioning the quality of the hastily cobbled-together "SZI" (information protection tools). Somehow we had to live with that.


PP 1119 has come out. What has changed?



In effect, the government agencies that actively push for covering the entire infrastructure with certified products have become threat number one. And since there is such a threat, it must be neutralised or its damage minimised.

Here it should be noted that the norms of PP 1119 are somewhat softer and have untied the hands of ordinary enterprises, which FSTEC and the FSB elegantly call "personal data operators".

The first way to resist these state bodies, and by the way the cleanest, most legitimate and least costly one, is depersonalisation and lowering the required level of protection of the personal data itself. Both the mathematicians who devised the algorithms for shuffling this data in the database and the auditors who suggested, for example, replacing the "disability" field with a "privilege" field in 1C have worked on getting away from the special, more strictly protected categories of personal data (health data and the like).

As a side effect, this even tidies up the infrastructure, which is of course welcome.

But that is only the tip; the real meat is the justification for the products you use, certified or not. As I said, our legislation (152-FZ and PP 1119) uses the wording "conformity assessment procedure", and FSTEC cheerfully announced that this means nothing other than certification. In reality it does not. Formally they are right: certification is indeed a conformity assessment procedure, but it is only one subset of conformity assessment.

If we turn to Federal Law 184-FZ, it reads:

Conformity assessment: direct or indirect determination of compliance with the requirements imposed on an object;

Conformity assessment is carried out in the forms of state control (supervision), accreditation, testing, registration, confirmation of conformity, acceptance and commissioning of a facility whose construction has been completed, and in other forms.

So acceptance and commissioning, provided you have an established information security methodology for them, is a perfectly valid conformity assessment procedure. And since every system goes through it anyway, why not use the tools you already have as effectively as possible?

This approach gives quite tangible advantages:

You use exactly the products that suit you best, instead of choosing from a small set of certified ones.

No lock-in to a particular vendor: you can always move to something new by simply running the standard procedure again.

This gives everyone a free hand to justify using free software and the products that actually solve the problem effectively, rather than ones that merely wave a piece of paper like a flag. The latter point has become especially relevant lately, after Snowden's revelations.

By the way, as food for thought: the former head of privacy protection at Microsoft now trusts only free software.



In the next article I will describe how free and open-source software (SPO) can be used to provide information security in an enterprise under the new norms of our legislation, possibly even with document templates, if time permits.

Source: https://habr.com/ru/post/200894/


