Security certification and personal data

Certification of information security tools has caused, causes and will keep causing a huge number of questions among IT people. And unfortunately not only among them: the "lawmakers" and "methodologists" themselves cannot always really answer the question of certification. Two sub-questions can be distinguished here:
1. What the "controlling authorities" (FSTEC, FSB, Roskomnadzor; hereafter "KO") want;
2. What the law and the methodological documents "want".
Partially written in response to "Information Security and Certification. If there is no difference, why pay more?", where, I think, the current state of affairs is not represented quite correctly... although I am looking at it from personal experience with KOs, certification bodies and clients, and from experience in implementing protection systems.

You should not take this article as a scientific work on legislation in the field of personal data protection. Treat it rather as a short essay on the topic.

What the law and the methodological documents "want"

Before Government of the Russian Federation Resolution No. 1119 of November 1, 2012, "On the approval of requirements for the protection of personal data when processing them in personal data information systems", the situation was roughly as follows:
Certification was the only really feasible form of conformity assessment for information security tools.
Other forms existed, but they were even more entertaining: there were no technical regulations on conformity assessment for specific classes of protection tools. Requirements existed, but there was no assessment methodology. And for the state everything is simple: if there is no verification procedure (that is, nothing describes which specific processes are checked to confirm that a requirement is met), then there is no verification.
One could perhaps write a "Program and methodology of conformity assessment" independently, get it approved by the FSTEC or a certification body (which is very unlikely) and write up a "Protocol ...". But I did not pursue this question, because in most cases it was too laborious and did not pay off. It was easier to buy a certified product or to argue the threat away in the "Threat Model ...".
From a technical point of view it looked fairly simple if all that was required was an information protection tool (SZI) of protection class 5 for computing equipment (SVT), which in most cases was enough (roughly speaking, black-box testing of the product's authorization functions). But if, for example, the system was class K1, NDV control (absence of undeclared capabilities) was also required. And NDV control at level 4 essentially means the absence of redundant code, which again has to be confirmed with certified tools such as AK-VS or Aist, costing several hundred thousand rubles.
Yes, it could be done manually, but what if the product is closed-source? Or so complex that doing this work by hand would take an enormous amount of time? And again there is the question of getting the "Program and methodology ..." approved.
I will let you in on a little secret: at present there are no standard assessment methodologies or procedures for certification laboratories, and many laboratories write their own based on experience. And that experience comes down more to whether the certification body will approve the methodology than to the quality of the assessment of the protective functions.
With the release of Resolution No. 1119, the situation has slightly changed.
Paragraph 12 states:
To ensure ... the level of protection of personal data when processing them in information systems, the following requirements must be met: ...
d) the use of information security tools that have undergone a procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the event that the use of such tools is necessary to neutralize actual threats.

Here is my view: certified SZI are now required only to close actual threats, so it is in your hands to draw up a competent "Threat Model ..." that minimizes the use of such SZI. The measures listed in the Appendix to the Regulations remain. But neither the resolution nor other regulatory documents say that SZI must be used to implement the required measures.
Also, the text now modestly says "conformity assessment" rather than "certification". But I covered this point above: de jure this is not necessarily certification, de facto it is. Why it must be understood this way, see below.

What the regulatory authorities "want"

I think there are two points worth noting:
1. KOs often have their own intricate view of what is written in the law, and they are not going to comment on their approach. It is enough to recall the "discussion" of Resolution 1119, to which the KOs invited everyone but listened to no one and commented on nothing. There are two explanations: either they simply did not understand what they were told, or the "discussion" was held for the sake of a checkbox. My opinion: a bit of both.
Our organization also tried several times to obtain comments on certain points that we, as integrators, have to implement, but the only answer was: "It is not our business to comment on what we came up with" (as in the joke: "made it up myself, took offence myself").
Telling was the notice on the official FSTEC website (full text here):
At the same time, we inform you that the FSTEC of Russia is not empowered to clarify the Requirements for the protection of personal data when processing them in personal data information systems, approved by the Government of the Russian Federation on 11 November 2012, N 1119, including in terms of determining the types of personal data threats and the procedure for determining the levels of protection of personal data.

2. Following from point 1, during an inspection all the cards will be in the hands of the FSTEC (if the FSTEC is the one inspecting). This is aggravated by the fact that each federal district has its own FSTEC, Roskomnadzor and FSB offices, and for some reason their points of view on this may be completely different from those of the neighboring federal district.

So what to do

1. Try to minimize the list of actual threats; fortunately, nobody particularly restricts you here. Give reasonable arguments and record them in the "Threat Model ...". But do not be too brazen about it either.
2. Based on the model, determine the list of SZI.
Bear in mind that to close a threat you do not need to certify all the software, only the protection mechanism: if the processing software is accessed using NTLM (or Kerberos) authentication and all rights are differentiated at the domain level, certify the domain mechanisms and not the software itself (unless NDV control is required), for example with Secret Net, Dallas Lock or a Windows certification package.
In this respect it is up to the reader whether to strike a pose or to achieve the goal with minimal risk and cost.
Fortunately, most of the most widely used products have been certified, and not the entire market consists of Russian student projects. If there is interest, I can write a short overview of protection tools with minimal impact on performance.

Source: https://habr.com/ru/post/201058/