Hello, dear users of Habr!
I would like to share with you a project for the automated construction of an information protection system (SZI) in accordance with FSTEC Order No. 21.
As everyone remembers, FSTEC Orders No. 17 and No. 21, which describe protection measures in state information systems (GIS) and personal data information systems (ISPDn) respectively, came into force almost two years ago. Since then we have been analysing these documents as part of our term papers, in order to develop an algorithm for constructing an SZI and then automate it in the graduation project.
Problem statement
Consider the following chain:
- After the aforementioned orders were published, few development companies mapped the measures the orders impose to the functions of the information protection tools (SrZI) they develop or produce, i.e. which measures a given tool "closes";
- As a result, integrators often took a creative approach to achieving compliance while neutralizing the actual threats to PDn security;
- When building an SZI, it is difficult for specialists with little experience in deploying SrZI to assess the effectiveness of the tools being deployed against the requirements of FSTEC Order No. 21 for a specific ISPDn.
It is these problems that prompted us to develop a project for the automated construction of an SZI for an ISPDn. Its purpose is to create an informational and advisory resource that will help students and beginners approach the development of an SZI competently, or evaluate the effectiveness of an existing one.
Algorithm automation
What is the essence of our automated algorithm? Taking as input the initial data on the information system:
- the ISPDn security level (determines the basic set of measures for ensuring PDn security);
- its structural and functional characteristics (used to adapt the basic set of measures);
- the SrZI already deployed in the ISPDn;
- whether technical support is required;
we obtain as output a list of SrZI whose functionality fully covers the requirements imposed on the ISPDn.
Moreover, the set of tools in the list may vary depending on:
- pricing policy (the lowest total cost of all SrZI among all possible combinations);
- the limit on the "zoo" of tools (the list with the smallest number of SrZI);
- random sampling.

To automate the algorithm, a database of certified SrZI and their mapping to the measures of the Order is necessary. The State Register of certified SrZI (easily found on the website of FSTEC of Russia) was taken as the basis. First the most common SrZI were selected from it, and then the tools with an expired FSTEC certificate were eliminated.
Then came the problem of expert evaluation of which specific measures the functionality of each remaining SrZI covers. We requested the relevant information from the developers and turned to specialists with integrator experience for help. Even so, in our opinion, the expert assessment still contains errors.
It is worth noting that the algorithm provides for unauthorized-access threats to be neutralized both by the selected certified OS and by add-on SrZI.
At the stage of forming the SrZI list, the total cost of implementing the SZI is calculated in parallel; it is the sum of the licence cost of each tool for a given number of hosts plus technical support.
The implementation cost is calculated individually for each SrZI on the basis of the data entered by the user and the database tables.
The screenshot shows a table of price tags for an SrZI. As can be seen from the example:
- the cost of buying one licence unit is 1800 c.u.;
- buying a licence for 15 hosts, according to the table, costs 1600 USD, and so on;
- technical support for the product for 1 year costs $25,000.
So, on completion of the algorithm, we get 3 variants of the SrZI set. For example:
First module: lowest price
Second module: smallest number of SrZI in the system
Third module: random
Ideally, we expect to improve our project after receiving feedback from development companies on whether the information about their products in the database is accurate.
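To make the selection step concrete, here is an added example that is not the project's own code or database: a constructed catalogue of four tools with made-up names, measure codes and prices, the tiered licence-plus-support cost from the pricing table above (assuming the tier with the largest host threshold not exceeding the host count gives the per-host price), and the three output variants (lowest price, fewest tools, random) found by exhaustive search over all combinations that cover the measures not already closed by the deployed SrZI.

```python
from itertools import combinations
import random

# Constructed catalogue, NOT the authors' database: each SrZI lists the Order No. 21
# measure codes it "closes", per-host licence price tiers as (min_hosts, price_per_host)
# and a yearly technical-support price. Tool names, measure codes and prices are made up.
CATALOG = {
    "AV-1":  {"measures": {"AVZ.1", "AVZ.2"}, "tiers": [(1, 1800), (15, 1600)], "support": 25000},
    "FW-1":  {"measures": {"ZIS.3", "UPD.3"}, "tiers": [(1, 2500)], "support": 30000},
    "LOG-1": {"measures": {"RSB.1"}, "tiers": [(1, 900)], "support": 10000},
    "SUITE": {"measures": {"AVZ.1", "AVZ.2", "ZIS.3", "UPD.3", "RSB.1"},
              "tiers": [(1, 5000), (15, 4200)], "support": 90000},
}

def license_cost(tool, hosts):
    """Assumption: the tier with the largest threshold <= hosts gives the per-host price."""
    per_host = max((n, p) for n, p in CATALOG[tool]["tiers"] if hosts >= n)[1]
    return hosts * per_host

def total_cost(tool, hosts, support_years):
    """Licence plus technical support (support_years=0 when support is not needed)."""
    return license_cost(tool, hosts) + CATALOG[tool]["support"] * support_years

def covering_sets(required, implemented=()):
    """All tool combinations covering the measures not closed by already-deployed SrZI."""
    closed = set().union(*(CATALOG[t]["measures"] for t in implemented))
    remaining = set(required) - closed
    if not remaining:
        return [()]  # everything is already closed; nothing to buy
    pool = [t for t in CATALOG if t not in implemented and CATALOG[t]["measures"] & remaining]
    found = []
    for k in range(1, len(pool) + 1):
        for combo in combinations(pool, k):
            if remaining <= set().union(*(CATALOG[t]["measures"] for t in combo)):
                found.append(combo)
    return found

def select(required, hosts, support_years, mode, implemented=(), rng=random):
    """The three output variants from the text: cheapest, fewest tools, random."""
    options = covering_sets(required, implemented)
    if not options:
        return None  # no combination in the catalogue closes every required measure
    cost = lambda combo: sum(total_cost(t, hosts, support_years) for t in combo)
    if mode == "cheapest":
        return min(options, key=cost)
    if mode == "fewest":
        return min(options, key=lambda combo: (len(combo), cost(combo)))
    if mode == "random":
        return rng.choice(options)
    raise ValueError(f"unknown mode: {mode}")
```

Note that the cheapest and the fewest-tools answers can differ (a single suite versus three point tools), and that the cheapest answer itself changes with host count and support years, which is why the text treats them as separate variants.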
Conclusion
That is perhaps all. We have tried to cover the key points of the project for automated construction of an SZI in accordance with FSTEC Order No. 21. Hopefully it did not turn out too long.
Since the project is rather "raw", any comments, suggestions and, of course, constructive criticism are welcome.
Thank you for your attention!