
FSTEC gives the go-ahead

Recently, the RUVDS data processing center in Korolev was certified as compliant with the requirements of the FSTEC of Russia. The Rucloud data center is designed to the TIER III reliability category of the TIA-942 standard (N+1 redundancy with a fault-tolerance level of 99.98%). Obtaining an FSTEC certificate was a logical step in line with RUVDS policy: protecting customer data remains one of the most important areas of our development. What is FSTEC, and why is certification needed? What does it mean for us and for our clients? That is what this post is about.


In the current turbulent times, information security receives special attention. IS issues are an important part of the tasks that government agencies, organizations and commercial companies solve when developing and operating information systems and personal data stores. They therefore have to take into account the requirements that international and Russian legislation imposes on information systems designed to work with such information.

Every year the requirements of domestic regulators are tightened: the Federal Service for Technical and Export Control (FSTEC), the Federal Security Service (FSB), the Ministry of Defense, the Foreign Intelligence Service, the Federal Guard Service, the Ministry of Communications and Mass Communications, and the Bank of Russia. Each of them operates within its own field of competence as defined by law.
For example, the FSB is “responsible” for cryptography, while the FSTEC is “responsible for everything else” (firewalls, antivirus software, intrusion prevention systems, and so on).

FSTEC certification


Why FSTEC certification? It is the FSTEC of Russia that, among its other activities, exercises the following powers: “organizes, in accordance with the legislation of the Russian Federation, the work on conformity assessment (including certification work) of means of countering technical intelligence, technical information protection, ensuring the security of information technologies used to form state information resources, as well as information objects and key information infrastructure systems.”


Certification is a form of confirmation, by a certification body, that an object complies with the requirements of technical regulations, standards, sets of rules or contract terms. In this case we are talking about ROSS RU.0001.01IBOU, “The system of certification of information security tools for information security requirements.”

FSTEC has various requirements for the protection of different types of confidential information. Based on the results of the procedure confirming that a software or hardware product complies with the security requirements, a certificate is issued. Or not issued, depending on the result.

Conformity assessment is used in many areas, and information security is no exception. In international practice there is the ISO/IEC 15408:2009 standard, designed specifically to describe the criteria for evaluating IT products from an information security point of view. Russia has its own certification system for protection tools.

Data Center Security


There are special requirements for the software used to build the key systems of the information infrastructure, and for those systems themselves. In addition, a data center hosts valuable information assets of companies and organizations, whose protection must be ensured at the proper level, taking into account the threats to information security and the requirements of Russian legislation and regulators.



The data center is subject to the requirements of Federal Law 152-FZ “On Personal Data”, FSTEC of Russia Orders No. 17, 21 and 31, the requirements of the Federal Security Service of Russia for cryptographic protection of information, the requirements of the Bank of Russia, and Federal Law 256-FZ “On the Security of Fuel and Energy Complex Facilities”. And these are just the basic requirements.

For example, according to 152-FZ “On Personal Data”, systems that process and store the personal data of Russian citizens must not only be located on the territory of the Russian Federation but also comply with the security requirements imposed by law. This is especially relevant for operators of commercial data centers, for whom the safety and security of customer information is one of the key criteria by which quality is assessed.

Since 152-FZ entered into force, the processing of personal data held in information systems has been carried out in accordance with this law, which requires operators to meet all of the requirements for the software they use.

According to Federal Law 149-FZ, all software in state, law enforcement, financial and other structures that process official information is subject to FSTEC certification. The law allows such organizations to use only certified software.

If personal data is stored in a commercial, corporate or state data center, the requirements of the legislation also imply, among other things, the necessary measures for its physical protection. The specific set of measures depends on the confidentiality level established for the data being processed. Based on that level, the data center protection class is selected according to the standards of the Federal Law and the FSTEC, and the required protection, including physical protection, is put in place. The most balanced way to ensure the physical security of a data center is multi-level protection with several security perimeters. As with defense in depth, breaching a single level does not mean breaching the security system as a whole.

Along with organizational measures and documentation, the set of measures for protecting personal data involves deploying technical means of protection. In established practice this means specially trained armed guards present around the clock in the data center and on its grounds, as well as video surveillance equipment covering the external perimeter of the data center and its internal premises.
Organizations that hold the personal data of citizens are also responsible for the safety of that data. The necessary physical protection measures also follow, directly or indirectly, from other international and national standards and regulations such as TIA-942, Sarbanes-Oxley, SSAE 16 / SAS 70, and others.



With regard to physical security, the following requirements are distinguished: a security regime for the premises, control of physical access to the infrastructure, including premises and facilities, and control over the introduction and removal of equipment, including machine-readable media. Particular attention is paid to preventing unauthorized access to information. Properly constructed and documented access control procedures ensure that the necessary physical security requirements are met.

Which systems and tools are certified in our data center?

What is certified?


In the RUVDS data center, the certified items are the employees' automated workstations (anti-virus protection, protection against intrusion into the information system), output devices (printer), access control to the premises, and protection against eavesdropping. In particular, the certificate for the access control system (ACS) attests to the reliability of the physical security of the data center servers.

All actions are continuously logged, activity at the workstation is checked for suspicious behavior and, if necessary, can be blocked with notifications sent to the responsible persons. Certified software is used throughout, from the FSTEC-certified Windows OS and specialized software for access control and traffic filtering, up to the anti-virus protection and the hypervisor.

This protects the workspace that deals directly with customer data. It is done by OS tools on the workstations, databases, specialized protective and anti-virus products, firewalls, access control (ACS), backup and recovery, data destruction, and control over information deletion.

If a client asks to move their infrastructure to a dedicated machine, it can be fully protected, for example by installing ViPNet, Secret Net or special anti-virus software there. At the same time the services we provide will be certified, and our report on the work done to protect the client's infrastructure will be sufficient for them to report to the regulatory authorities.

The stage of attesting the customer's own IT infrastructure is eliminated, which cuts the labor and time required by 50%, significantly reduces the investment needed, and greatly simplifies the attestation of information systems.

As for personal data, our servers are physically located in the Russian Federation, and RUVDS also holds licenses from the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications No. 137295 dated 30.10.2015 (“Telematic Communication Services”) and No. 137296 dated 30.10.2015 (“Communication services for data transmission, with the exception of communication services for data transmission for voice transmission purposes”), so you can be confident about compliance with this federal law.

Why data centers are certified


Obtaining supporting documents demonstrates the reliability of the provider and of the services it offers. Certification confirms, first of all, the company's responsibility to all of its clients, not only those who work with confidential information. The licensing process under FSTEC regulations is itself long and rather costly. Small market participants, or participants interested only in short-term benefits from a project, simply cannot afford it.



Obtaining an FSTEC license is an investment in the strategic development of the company. The FSTEC license not only confirms the company's competence to work with personal data but also makes it possible to offer services to companies, including those in the public sector, that are obliged to comply with the requirements for protecting confidential information: for example, they hold an FSTEC license themselves and hand data that must be protected to FSTEC standards over to us as a service provider.
In addition to serious protection and redundancy at the data center level and FSTEC certification, RUVDS has concluded an agreement insuring the personal data and corporate information of third parties. Beyond this general insurance, RUVDS together with AIG plans to offer its customers unique terms for individually insuring their activities and data on the company's virtual servers.

And, of course, in our data center your resources will be protected from DDoS attacks: network traffic is analyzed 24/7, and the protection reliably withstands attacks of up to 1500 Gbit/s. The analytical system filters the traffic destined for your address, removes the malicious part and passes only legitimate, clean traffic on to you.

Source: https://habr.com/ru/post/330964/