
How and where SKZI should be used: the FSB's point of view

The 8th FSB Center has posted a rather unexpected document. It describes recommendations for drafting regulatory acts in the field of personal data (PD) protection, but the same document is also recommended for use by ISPDn operators when they develop their private threat models.

What does the FSB think about how and where SKZI should be used?

The document has the full title: “Methodological recommendations on the development of regulatory legal acts defining threats to the security of personal data that are relevant to the processing of personal data in personal data information systems that are used in the implementation of relevant activities”. The document was approved by the leadership of the 8th Center of the FSB of Russia on March 31, 2015.

It is quite important that this document is published only on the FSB website, is not registered with the Ministry of Justice and bears no signature; that is, its legal significance and the obligation to use it are questionable.
The preamble states that the recommendations are intended “for federal executive bodies ... other state bodies ... which ... adopt regulatory legal acts that define personal data security threats that are relevant to the processing of personal data in personal data information systems (hereinafter referred to as ISPDn) operated in the course of the relevant activities.”

The same recommendations “should also be followed in the development of private threat models by operators of personal data information systems who have decided to use cryptographic information protection tools (hereinafter referred to as SKZI) to ensure the security of personal data.”

When is it necessary to use SKZI?

The use of SKZI to ensure the security of personal data is necessary in the following cases:
  • if personal data are subject to cryptographic protection in accordance with the legislation of the Russian Federation;
  • if the information system faces threats that can be neutralized only with the help of SKZI.

This is logical. But when can threats be neutralized “only with the help of SKZI”?

  • transfer of personal data over communication channels that are not protected against interception of the transmitted information by an adversary or against unauthorized impact on that information (for example, when transmitting personal data over public information and telecommunication networks);
  • storage of personal data on storage media to which unauthorized access by an adversary cannot be ruled out by non-cryptographic methods and techniques.

While the second point is quite logical, the first is less clear. The fact is that under the current edition of the Law on Personal Data, a surname, first name and patronymic are already personal data. Accordingly, any correspondence or registration on a website (considering how much data is now requested at registration) formally falls under this definition.

But as they say, there are no rules without exceptions. There are two tables at the end of the document. Here is just one row of Appendix No. 1.

Current threat:

1.1. conducting an attack while staying within the controlled area.

Justification for the threat being absent (the list is slightly abbreviated):

  • employees who are users of the ISPDn but not users of SKZI are informed about the rules of work in the ISPDn and about their responsibility for non-compliance with the information security rules;
  • SKZI users are informed about the rules of work in the ISPDn, the rules of work with SKZI and their responsibility for non-compliance with the information security rules;
  • the premises in which SKZI are located are equipped with entrance doors with locks, ensuring that the doors are kept permanently locked and opened only for authorized entry;
  • rules of access to the premises where SKZI are located have been approved, covering working and non-working hours as well as emergency situations;
  • a list of persons entitled to access the premises where SKZI are located has been approved;
  • user access to protected resources is differentiated and controlled;
  • users' actions with PD are registered and logged;
  • on workstations and servers on which SKZI are installed:
    • certified information security measures against unauthorized access are used;
    • certified antivirus protection is used.

That is, if users are informed about the rules and responsibilities, and the doors are locked, then there is nothing to worry about. Blessed is he who believes. The need to monitor compliance with the rules is not even discussed in the document.

What else is interesting in the document?

  • in order to ensure the security of personal data when processing them in an ISPDn, SKZI that have passed the conformity assessment procedure in the prescribed manner should be used.

True, slightly further down it says that the list of certified SKZI can be found on the website of the FSB's Center for Licensing, Certification and Protection of State Secrets (TsLSZ). That conformity assessment is not the same thing as certification has been said many times.

  • in the absence of SKZI that have passed the conformity assessment procedure in the prescribed manner ... at the stage of the preliminary design or the draft (draft technical) design, the developer of the information system, with the participation of the operator (authorized person) and the proposed SKZI developer, prepares a justification for the feasibility of developing a new type of SKZI and defines the requirements for its functional properties.

A very nice item. The fact is that the certification process is very long, up to six months and more (for example, in the case of our company, the previous certification took us 8 months). Customers often use the latest OS versions, which the certified version of a product does not yet support. According to this document, customers can use products that are still in the process of certification.

The document states that:

When using communication channels (lines) from which interception of the protected information transmitted over them is impossible and (or) in which unauthorized actions on this information are impossible, the general description of the information system must specify:

  • a description of the methods and means used to protect these channels from unauthorized access;
  • the conclusions of a study of the security of these communication channels (lines) against unauthorized access to the protected information transmitted over them, performed by an organization entitled to conduct such studies, with a reference to the document containing these conclusions.

Accordingly, it is necessary to have a document analyzing channel security. It does not indicate which organizations have the right to issue such conclusions.

The document contains a list of information that must be specified when describing information systems. For example:

  • security characteristics (confidentiality, integrity, availability, authenticity) that must be ensured for the personal data being processed;
  • the communication channels (lines), including cable systems, used in each subsystem or in the information system as a whole, and the measures restricting unauthorized access to the protected information transmitted over them, indicating which channels (lines) are considered immune to unauthorized access to that information and which measures ensure this property;
  • protected information carriers used in each subsystem of the information system or in the information system as a whole (except for communication channels (lines)).

And finally, the document states that:

Coordination with the FSB of Russia of private threat models of operators prepared in accordance with these guidelines is not required.

Source: https://habr.com/ru/post/260833/
