
Why conformity assessment of information security tools means certification

My previous post, Certification of Security Means and Personal Data, lacked specificity on the issue of certification as such.
This time I will present not my own view of the issue, but excerpts from the laws that lead to the thesis that certification is currently the only form of assessing the conformity of protection tools with information protection requirements.
The article turned out a bit messy, but I hope it is understandable.


Where does this come from?


We will consider the requirements for protection tools according to the latest regulatory documents, FSTEC Order No. 21 and Government Decree No. 1119, which establish the requirement for conformity assessment.
Paragraph 4 of Order No. 21:
4. Measures to ensure the security of personal data are implemented, including through the use of information security tools in the information system, which pass the conformity assessment procedure in the prescribed manner in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data.

Paragraph 13 of Decree No. 1119:
To ensure ... the level of protection of personal data when processing them in information systems, the following requirements must be met: ...
d) the use of information security tools that have undergone a procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the event that the use of such tools is necessary to neutralize actual threats.

Thus, when threats are neutralized with the help of protection tools, the information security tools used must have passed a conformity assessment.
This is where questions arise for many, because the data protection documents themselves give no clear definition of what a conformity assessment is.

What is a "conformity assessment"?


To understand what it is, one should refer to the latest version of Federal Law No. 184-FZ of December 27, 2002 "On Technical Regulation", as amended on September 1, 2013 (hereinafter Federal Law No. 184).
First, let us define the concepts:
declaring of conformity - a form of confirmation of product conformity with the requirements of technical regulations;
declaration of conformity - a document certifying that a product being released into circulation conforms to the requirements of technical regulations;
conformity assessment - direct or indirect determination of compliance with the requirements imposed on an object;
confirmation of conformity - documentary certification of the conformity of products or other objects, processes of production, operation, storage, transportation, sale and disposal, performance of works or provision of services with the requirements of technical regulations, provisions of standards or contract terms;
technical regulation - a document adopted by an international treaty of the Russian Federation ratified in the manner established by the legislation of the Russian Federation, or by federal law, or by a decree of the President of the Russian Federation, or by a resolution of the Government of the Russian Federation, which establishes mandatory requirements for the objects of technical regulation (products, including buildings and structures, and processes of production, operation, storage, transportation, sale and disposal);
form of confirmation of conformity - a specific procedure for documentary certification of the conformity of products or other objects, processes of production, operation, storage, transportation, sale and disposal, performance of works or provision of services with the requirements of technical regulations, provisions of standards or contract terms.

Under Article 20 of Federal Law No. 184:
Article 20. Forms of confirmation of conformity
1. Confirmation of conformity on the territory of the Russian Federation may be voluntary or mandatory.
2. Voluntary confirmation of compliance is carried out in the form of voluntary certification.
3. Mandatory confirmation of compliance is carried out in the forms:
- adoption of a declaration of conformity (hereinafter - the declaration of conformity);
- mandatory certification.
From this we learn that there is voluntary certification and there is mandatory confirmation of conformity.
In turn, mandatory confirmation can take one of two forms: declaration of conformity and mandatory certification.
So we get three ways to confirm conformity:
- voluntary certification
- mandatory certification
- declaration of conformity
We will not consider mandatory certification: it is of no interest for this topic. Let us consider the remaining two.

Voluntary certification


I will not dwell on this form, since there are no such certification bodies at the moment (I may be mistaken). The only one that comes to mind is Gazpromsert, and that one exists mostly for products used within the company itself.
According to Article 21:
Article 21. Voluntary confirmation of conformity
1. Voluntary confirmation of conformity is carried out on the initiative of the applicant under the terms of a contract between the applicant and the certification body. Voluntary confirmation of conformity may be carried out to establish conformity with national standards, preliminary national standards, standards of organizations, sets of rules, voluntary certification systems and contract terms...
2. A voluntary certification system may be created by a legal entity and (or) an individual entrepreneur, or by several legal entities and (or) individual entrepreneurs.
From this it is clear that voluntary certification is used mostly to confirm compliance with corporate standards.
At one time there was a movement to create a voluntary certification system for personal data protection, but it seems not to have gone well.
And the savings in time and resources compared with mandatory certification are insignificant, if there are any at all.

Declaration of Conformity


The following article of the law may seem the most attractive:
Article 24. Declaration of conformity
1. Declaration of conformity is carried out under one of the following schemes:
- adoption of a declaration of conformity on the basis of the applicant's own evidence;
- adoption of a declaration of conformity on the basis of the applicant's own evidence together with evidence obtained with the participation of a certification body and (or) an accredited testing laboratory (center) (hereinafter - a third party).

and especially the heart-warming lines of the same article:
2. When declaring conformity on the basis of its own evidence, the applicant independently compiles the evidentiary materials in order to confirm the conformity of the products with the requirements of technical regulations. Technical documentation, the results of the applicant's own research (tests) and measurements, and (or) other documents that served as a reasoned basis for confirming the conformity of the products with technical regulations are used as evidentiary materials. The composition of the evidentiary materials is determined by the relevant technical regulation.

Especially in light of paragraph 3 of Article 23:
3. The declaration of conformity and the certificate of conformity have equal legal force regardless of the mandatory conformity confirmation scheme and are valid throughout the entire territory of the Russian Federation.

But let us pay attention to the last sentence of paragraph 2 of Article 24, "The composition of the evidentiary materials is determined by the relevant technical regulation", as well as to paragraph 5 of Article 24:
The composition of the evidentiary materials is determined by the relevant technical regulation.

Also (and first of all) it is worth considering paragraph 1 of Article 23:
1. Mandatory confirmation of conformity is carried out only in the cases established by the relevant technical regulation, and exclusively for conformity with the requirements of the technical regulation.

Summing up all of the above, we get the following: the law in no way limits our right to declare the conformity of information security tools with information protection requirements (under paragraph 1 of Article 28, "The applicant ... has the right ... to choose the form and scheme of confirmation of conformity provided for certain types of products"), but this procedure must be carried out in accordance with a technical regulation (under paragraph 2 of Article 28, "The applicant shall ... ensure the conformity of the products with the requirements of technical regulations").
But what is a technical regulation? According to the definition given above, it is a regulatory document issued at the level of the Government (or higher) that defines the requirements for a product.

So why is “certification” = “conformity assessment”?


I note that this statement is only partly true; it would be better to add the qualification "at the present time".
Above we found out that a declaration of conformity must be carried out in accordance with a technical regulation, which in our case would have to be developed by FSTEC. But, as the saying goes, nothing has moved.
During the entire existence of the law on personal data, not a single such technical regulation has been issued. The only things that exist at the moment are the protection profiles, but they are intended for developers of security tools (and, by the way, appear to be copied from NIST). You can get acquainted with them here: Package of draft protection profiles.

Federal Law No. 184 "On Technical Regulation" can be found on the official website of FSTEC of Russia:
Federal Law of December 27, 2002 N 184-FZ
If you are interested in the protection profiles, the regulatory documents can be found here.

Source: https://habr.com/ru/post/201124/
