How to catch what is not. Part Five: The Myth of the Need for Certified Software

Beyond the previous article, in which we considered the myths in the field of personal data protection ( habrahabr.ru/post/255595 ), there remains the most interesting question about the need to use certified products. Traditionally, if a company wants to implement the requirements of regulators, then it buys (but not the fact that it uses :-)) certified products. This is the current practice.

At the same time, the majority perfectly understands all the problems associated with the use of such products - but dutifully goes to the general mass. And what if you look into the laws and orders and determine the requirements yourself?

Traditionally it is believed that the use of certified products is required according to many regulatory documents. It is impossible to consider all such documents in one article. Therefore, we illustrate the depth of delusion by the example of documents of regulators related to Federal Law No. 152-, namely, in order to comply with this law, in most cases certified versions are purchased.
')
We start with the quotations of the Federal Law No. 152- (as amended by the Federal Law of 25.07.2011 No. 261-), because it is primary.

Article 18.1. Measures aimed at ensuring that the operator performs the duties stipulated by this Federal Law
1. The operator is obliged to take measures that are necessary and sufficient to ensure the fulfillment of the obligations provided for by this Federal Law and the regulatory legal acts adopted in accordance with it. The operator shall independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by this Federal Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by this Federal Law or other federal laws. Such measures may include, in particular:
3) the application of legal, organizational and technical measures to ensure the security of personal data in accordance with article 19 of this Federal Law;
Article 19. Measures to ensure the security of personal data during their processing
2. Ensuring the security of personal data is achieved, in particular :
2) the use of organizational and technical measures to ensure the security of personal data when processing them in personal data information systems necessary to meet the requirements for the protection of personal data, the execution of which ensures the levels of personal data protection established by the Government of the Russian Federation;
3) the use of the information security measures passed in the prescribed manner;

Based on the written:

1. The operator chooses protection measures independently - within the limits imposed by this or other federal laws, as well as acts of regulators (FSTEC of Russia, FSB of Russia, Roskomnadzor).
2. The words “in particular” mean that the list of measures included in the law is a list of what can be, but not necessarily, applied. And (looking ahead) the lack of obligation to use the means of certification is also visible in the by-laws!
   

And immediately the problem. Federal Law No. 152-FZ does not contain a glossary, does not refer to a glossary, and is not included in any package of laws that include a glossary. Accordingly, what is in the law “the established procedure for assessing compliance,” and by whom it is established — is not said anywhere. Therefore, next we enter the unsteady road:

• Leading bloggers and experts can argue (and argue) that a certain document / law / standard says that the conformity assessment procedure is ... But neither experts, nor regulators can interpret laws in our country only the State Duma and the court. Preferably the Supreme Court of the Russian Federation. But such comments of the Supreme Court of the Russian Federation can be counted on the fingers. So as long as the law does not prescribe that there is a conformity assessment, or the Supreme Court of the Russian Federation will not clarify this issue - no one can define a concept with its weighty word.
• The regulators defined in the Law cannot narrow down any concept - they have no right to adjust the law in the direction of narrowing or expanding any concepts. This follows from the general concepts of the rule of law, and from the Federal Law No. 152- itself:
  
  

  Article 4. Legislation of the Russian Federation in the field of personal data
  2. On the basis of and pursuant to federal laws, state bodies , the Bank of Russia, local governments within their powers can adopt regulatory legal acts, regulatory acts, legal acts (hereinafter referred to as regulatory legal acts) on specific issues relating to the processing of personal data. Such acts may not contain provisions restricting the rights of subjects of personal data, establishing restrictions on the activities of operators not provided for by federal laws, or imposing obligations on operators not provided for by federal laws.
  

In fact - yes, regulators release their interpretations, but in very streamlined formulations. However, consider another example. For example, the Constitution of the Russian Federation spelled freedom of speech and assembly. Formally, we have the right to meet, where we want and when we want, but in fact for a mass event you need to get permission.

Now let's see who can clarify the requirements for protection measures.

Article 13. Features of the processing of personal data in state or municipal personal data information systems
2. Federal laws may establish the specifics of personal data registration in state and municipal information systems of personal data, including the use of various ways of identifying the identity of personal data contained in the corresponding state or municipal information system of personal data to a specific subject of personal data.
Article 19. Measures to ensure the security of personal data during their processing
3. The Government of the Russian Federation , taking into account the possible harm to the subject of personal data, the volume and content of the personal data being processed, the type of activity in which personal data are processed, the relevance of threats to the security of personal data establishes :
2) requirements for the protection of personal data when they are processed in personal data information systems, the execution of which ensures the established levels of personal data security;
4. The composition and content of the requirements for the protection of personal data for each level of security, organizational and technical measures to ensure the security of personal data required for the implementation of personal data protection systems for personal data, are set by the federal authority in accordance with part 3 of this article. executive authorities authorized in the field of security, and the federal executive body authorized in countering technical intelligence and technical protection of information within their authority.
5. Federal executive authorities that carry out functions for the development of state policy and legal regulation in the established field of activity, public authorities of the constituent entities of the Russian Federation, the Bank of Russia, state extra-budgetary funds, other state bodies, within their authority, adopt regulatory legal acts, in which they determine threats to the security of personal data that are relevant in the processing of personal data in personnel information systems data used in the implementation of relevant activities, taking into account the content of personal data, the nature and methods of their processing.

Based on this, the Government of the Russian Federation and regulators can and must issue protection requirements. Other bodies can only determine the list of threats, as well as the procedure for the registration of personal data. And everything would be fine if not:

Article 18.1. Measures aimed at ensuring that the operator performs the duties stipulated by this Federal Law
3. The Government of the Russian Federation establishes a list of measures aimed at ensuring the fulfillment of duties provided for by this Federal Law and the regulatory legal acts adopted in accordance with it, by operators that are state or municipal bodies .

That is, the government is obliged to issue a list of measures only for state bodies! Many copies of the battles on the issue of whether or not the government could establish protection requirements for commercial organizations were also broken around this point.

We will not try to understand the logic and proceed to PP 1119, issued by the government pursuant to the provisions of Federal Law No. 152-:

13. To ensure the 4th level of security of personal data when processing them in information systems, the following requirements must be met:
d) the use of information security tools that have undergone a procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security in the event that the use of such tools is necessary to neutralize actual threats.

For higher levels of protection, the requirements for conformity assessment do not change, so we will not list them here.
It would seem the same conformity assessment. But the attentive eye sees the difference with the requirements of the Law:

• “Compliance with the requirements of the legislation of the Russian Federation”. The law did not require this, and it turns out that the product you choose may meet international - not Russian - safety criteria - you cannot extend the requirements of the law!
• requirements should be in the field of information security. This is also a limitation, albeit a logical one. Perhaps it arose due to the fact that one of the vendors prescribed in the certificate “compliance with GOST”, not to mention which GOST the product corresponds to.
• “Such funds should be used only to neutralize actual threats.” Very fun requirement. You can understand it in two ways. Say, for detection / restriction of penetration, etc., it turns out that you can use products that have not passed the conformity assessment. This, by the way, is important: in the order of the FSTEC of Russia, the antivirus only needs detection, but not neutralization.
  

So PP 1119 allows us to use non-certified means to detect threats and prevent the introduction of malicious files. And what's more, it is not written that these tools should be an antivirus. Fun.

Well, the Order of the FSTEC of Russia No. 21:

4. Measures to ensure the security of personal data are implemented, including through the use of information security tools in the information system, which pass the conformity assessment procedure in the prescribed manner in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data.

There is a significant difference between the order and PP 1119. There is no indication of compliance with the requirements of the legislation of the Russian Federation and an indication that the requirements should be in the field of information security.

No less interesting is the difference with Federal Law No. 152-. On the one hand, the non-obligatory use of the words “in particular” is confirmed, on the other hand, it is written that “Security measures <...> are implemented <...> in cases where the use of such tools is necessary to neutralize actual threats to the security of personal data ". Oil oily. And what else do you need to implement protection? To protect against irrelevant threats?

And the most interesting thing: measures should be taken only to neutralize - that is, to remove, but not, for example, control.

Thus, it follows from the above that we can use certified means to neutralize the threats that we have recognized as relevant , and other means in all other cases that correspond to anyone of our choice in other cases.

But what kind of document without mutually exclusive requirements? Do not deprive experts of the ability to move their brains!

8.6. Anti-virus protection measures should ensure detection of computer programs or other computer information in the information system intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of information protection tools, as well as response to the detection of these programs and information.

Wait a minute! Simple notification may also be a response, but it is not necessarily neutralization. But certified information security tools should be used only for neutralization. It turns out that antiviruses should not be certified?

Let's continue reading the Order of the FSTEC of Russia No. 21:

12. When using information security certified information security systems:
a) to ensure 1 and 2 levels of security of personal data are used:
computer equipment not lower than grade 5;
intrusion detection systems and anti-virus protection tools of at least class 4;
firewalls of at least class 3 in the case of the relevance of threats of type 1 or 2 or interaction of an information system with information and telecommunication networks of international information exchange and firewalls of at least class 4 in the case of relevance of threats of type 3 and the lack of interaction of information systems with information and telecommunication networks of international information exchange;

Since antiviruses are not certified below the 4th grade, we do not cite quotes for lower levels.

What is interesting in this quote:

• The first time the word "certified" occurs. But certification is not equal to conformity assessment. Conformity assessment may be in the form of tests, registration ... In turn, certification may be voluntary, mandatory or in the form of declaration of compliance. Based on this item, anti-virus protection tools and firewalls should be subject to mandatory certification, but no other means necessary to neutralize the threats - no? But the system software that is not related to the Order of anti-virus tools - also can be a lot.
• The key phrase: “when using”! That is, if we do not use certified funds, then there are no questions.
  

Well, to make it worse, another quote from Federal Law No. 152-FZ:

1. This Federal Law regulates relations connected with the processing of personal data carried out by <...> and individuals using automation equipment, including in information and telecommunication networks, or without the use of such means ...

The pleasure of private owners to use certified funds, as well as licensing of encryption tools, is left for those who like to be encrypted by the state.

Let's draw the line:

1. Federal Law No. 152-FZ does not define requirements for the products used to protect personal data or for the procedure for their conformity assessment / certification.
2. Since regulators do not have the right to expand the requirements of the law, then (theoretically!) All such extensions can be ignored.
3. Certification is not equal to conformity assessment.
4. Certified protections are optional.
5. Anti-virus tools should be used to detect and respond to threats. Conformity assessment tools should be used to neutralize threats.
   

The pleasure of combining these requirements is provided to readers.

Due to the fact that the use of certified products raises a lot of questions, the following article plans (including) to answer such questions:

• "Does your product meet the requirements of 152-?"
• "Where can I download the distribution?"
• “When can I get a certified version?”
• “Is your firewall certified for compliance with protection profiles?” - and many others. If you have questions that are not included in the list - ask!