The sphere of state IT is often a subject of jokes and criticism. However, it cannot be denied that in recent years work on developing the information society, and in particular on increasing the availability of government e-services, has yielded results.
In the Russian Federation, the following elements of the electronic government system have been created:
2008 - a network of multifunctional service centers (MFC);
2009 - the unified portal of state and municipal services (EPGU), together with regional and municipal portals, connected to the system of inter-agency electronic interaction (SMEV);
2011 - the open government system;
2013 - integrated government (MFC + EPGU + SMEV).
Government agencies are interested in highly qualified personnel, in reducing risks and costs, and in joining forces with the private sector to provide services. Perhaps you are an IT specialist thinking about working in the information technology department of your city, or an employee of a privately owned IT company that would like to provide its services to government organizations. What do you need to know, and what should you be ready for in such work?
For our part, we offer cloud infrastructure to host government information systems and have experience in implementing such projects.
The most relevant for government customers is the issue of compliance with legal requirements.
The purpose of this article is to raise the awareness of professionals about working in the field of public IT. It is devoted to one of the main regulatory legal acts on information security in state and municipal information systems: FSTEC Order No. 17.
Both the adoption and the later amendment of Order No. 17 of February 11, 2013, "On Approving Requirements to Protect Information Not Containing State Secrets Contained in State Information Systems", provoked heated debate.
Let me remind you that the current version of this order is the wording of February 15, 2017. But let's be fair: most of the complaints concerned Annex 2 of the order, namely the composition of the protective measures. The initial questions about applying the measures fell away after the release of the methodological document of February 11, 2014, "Measures to protect information in state information systems", which answered "how" to implement the requirements of the Order.
Here we consider the basic tenets of Order No. 17 without going into the options for implementing and applying specific protective measures.
So, let's proceed to the theoretical creation of our information system, taking into account the requirements of the order No. 17.
It should immediately be noted that
"The document does not consider information security requirements associated with the use of cryptographic methods for protecting information and encrypting (cryptographic) information protection tools."
So we will not consider cryptography.
For ease of perception, I recommend keeping in mind the example of a leak from the article "And so it will come down ... or how the data of 14 million Russians were in my hands". The "dry" norms of legislation are much easier to digest if you have something concrete in mind. Let's see how Order No. 17 could have helped in that situation.
Omitting the non-essential and banal parts of the Order, we proceed to its second section, namely to item 9. We begin building protection by assigning the "guilty party":
“To ensure the protection of information contained in the information system, an operator is assigned a structural unit or official (employee) responsible for protecting information”
Someone has to make decisions and be responsible for the various blunders of development that lead to leaks. The order also clarifies that the person in charge must take part in all phases of the information system life cycle, which is quite logical in general. We cite paragraph 12.
“The protection of information contained in an information system is an integral part of work on the creation and operation of an information system and is ensured at all stages (stages) of its creation, during operation and decommissioning ...”
Protection activities are reduced to the following points:
- formation of requirements for the protection of information contained in the information system;
- development of the information protection system of the information system;
- implementation of the information protection system of the information system;
- certification of the information system for compliance with information protection requirements (hereinafter - certification of the information system) and putting it into operation;
- ensuring the protection of information during the operation of a certified information system;
- ensuring the protection of information during the decommissioning of a certified information system or after the decision to end information processing.
Formation of requirements
This stage, like the others, is divided into several sub-steps, but we will try to explain all of this more succinctly.
Forming requirements begins with deciding that our information system needs to be protected. After we have made such a decision, we must classify this system, and to do this, understand the purpose of creating the system, examine the information being processed in the information system, and also understand which legal acts our information system falls under.
Besides the fact that the information system (IS) is state-owned and therefore subject to Order No. 17, it may also be a public information system, which means that other regulatory acts apply to it as well. In particular, there is the now almost forgotten joint Order of the FSB of Russia No. 416 and FSTEC of Russia No. 489 of August 31, 2010, "On approval of the Requirements for the protection of information contained in public information systems".
We will omit the rules of that order in this article. But I would like to note that bringing the requirements of various documents, sometimes almost contradictory, to a common denominator is a separate topic when working with our legislation.
Having clarified all of the above, we need to classify our IS and proceed to threat modeling. The current edition of the Order has three GIS security classes instead of the four in its first edition, but this does not trouble us. The classification is described quite well and should cause no difficulties. What you should pay attention to is the following text:
"The security class is determined for the information system as a whole and, if necessary, for its individual segments"
Thus, we can break our information system into its component parts and classify each of them separately, for example the server part of the information system and its workstations.
Subsequently, a separate set of protection measures will be applied to each segment, which is very convenient. It is also necessary to remember that the GIS class is not constant and may change depending on the circumstances (a change in the scale of the IS, in the significance of the processed information, etc.).
Threat modeling is in itself a rather extensive topic, so here we limit ourselves to mentioning this stage. For a detailed review, I refer you to our previous article "On the modeling of threats".
The requirements for the protection system themselves are determined by the security class of the information system and by the information security threats that we identified in the previous stages. These requirements are included in the terms of reference (TOR) for the creation of the protection system.
As the Order tells us, they should include the following:
- the purpose and objectives of ensuring the protection of information in the information system;
- information system security class;
- the list of normative legal acts, methodological documents and national standards to which the information system must comply;
- list of objects of protection of the information system;
- requirements for measures and means of protecting information used in the information system;
- stages (stages of work) of creating an information system protection system;
- requirements for supplied hardware, software, information security tools;
- the functions of the customer and the operator to ensure the protection of information in the information system;
- requirements for the protection of tools and systems that ensure the functioning of the information system (supporting infrastructure);
- information security requirements for information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as the use of computing resources (power) provided by an authorized person for information processing.
As you can see, these clauses list everything we had to determine in the previous stages. So, if we passed all the earlier points in good faith, there should be no problems with filling in the TOR.
Development of the information protection system
The protection system is developed in accordance with the TOR formed earlier.
The development includes three major stages:
- the design itself;
- development of operational documentation;
- prototyping and testing.
As you can see, the three stages are quite long in terms of time and labor. The design phase is actually very important and allows you to avoid most of the problems that arise during the subsequent stages.
Unfortunately, many people do not pay enough attention to this stage, and many factors push them towards this. That is how work is organized in a huge number of medium-sized offices. Serious execution of all three points is typical mainly of large organizations and projects. That is why there are no surprises in leaks from systems whose development ignored these stages or performed them "slipshod". I will explain a little how this happens with that approach.
When we talk about state information systems, we can assert with high probability that the owner of these systems is a state institution, with everything that follows from this. Recall public procurement and a limited budget, add the likelihood that it is already autumn outside the window, that the tender still has to be run and the project delivered before the end of the year, and ... We get at least a 70% probability that in fact there will only be enough time for the design. As for "prototyping and testing": who would have budgeted for a prototype anyway? The operational documentation will be finished up along the way. Testing will be reduced to verifying that the system does not crash when the protection is installed. And at the output, the expected result: it works, everything is fine!
This is how it should not be. And if it does happen this way, the possibility of leaks should not be surprising afterwards.
Of the three points, I would like to focus on the design. So, at the design stage:
- types of subjects of access and objects of access which are objects of protection are defined;
- methods of access control, types of access and rules of access control of subjects of access to objects of access are determined;
- information protection measures to be implemented in the information protection system of the information system are selected;
- the types of information security tools that ensure the implementation of technical information protection measures are identified;
- the structure of the information protection system is determined, including the composition and location of its elements;
- information security tools certified for compliance with information security requirements are selected, taking into account their cost, compatibility with the information technologies and hardware, the security functions of these tools and their implementation features, as well as the security class of the information system;
- requirements for software configuration parameters, including the software of information security tools, are defined that ensure the implementation of information protection measures and also address possible information system vulnerabilities leading to information security threats;
- measures of information protection are determined in case of information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as in the use of computing resources provided by an authorized person for information processing.
All of the above is drawn up in the form of a technical design or a similar document. The final version of the technical design appears only after the prototyping and testing stage: the Order allows the test results to be used to make changes to the technical design.
Implementation of the protection system
So, the protection system is developed, tested and ready for implementation. The implementation of the protection system includes:
- installation and configuration of information security tools;
- development of documents defining the rules and procedures implemented by the operator to ensure the protection of information;
- implementation of organizational measures to protect information;
- preliminary tests of the information security system;
- trial operation of the information security system;
- analysis of information system vulnerabilities and taking measures to protect information to eliminate them;
- acceptance tests of the information system information protection system.
Installation and configuration of the protection tools is carried out on the basis of the previously developed documentation.
The documents developed at this stage clarify the rules and procedures on various aspects of the operation of the system being created (incident response, configuration management, monitoring, etc.).
The introduction of organizational measures also includes the control of the possibility of their implementation and completeness of coverage. In fact, at this stage conflicts between the measures being implemented and existing business processes are tracked.
After the protection tools have been installed and the organizational protection measures introduced, preliminary tests are carried out and the trial operation phase begins.
During trial operation a very important step is carried out: vulnerability analysis. Based on the results of this analysis, both the threat model and the adopted technical decisions can be adjusted. The latest edition of the Order added that
"Based on the results of the vulnerability analysis, it must be confirmed that the information system contains no vulnerabilities listed in the FSTEC of Russia information security threats database or in other sources, or that their use (exploitation) by the violator is impossible."
As is clear from the name, it is at this stage that the state of so-called "real security" is checked, and the result depends directly on the qualifications of the inspectors.
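To make the Order's pass criterion concrete, the following is an added example (not code from the article, FSTEC or the BDU) that cross-checks a software inventory against vulnerability records and reports what is still open. The BDU identifiers, product names and versions are constructed placeholders in the BDU:YYYY-NNNNN style, not real database entries.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    bdu_id: str        # constructed identifier, BDU:YYYY-NNNNN style
    product: str
    affected: tuple    # affected versions (constructed)


@dataclass
class Component:
    product: str
    version: str
    # bdu_id -> documented measure that makes exploitation impossible
    compensating: dict = field(default_factory=dict)


# Constructed sample records standing in for a BDU export
BDU_RECORDS = [
    Vuln("BDU:2017-00001", "dbms-x", ("9.1", "9.2")),
    Vuln("BDU:2017-00002", "webapp-y", ("2.0",)),
    Vuln("BDU:2017-00003", "dbms-x", ("9.3",)),
]

# Constructed sample inventory of the system under trial operation
INVENTORY = [
    Component("dbms-x", "9.2",
              compensating={"BDU:2017-00001": "bound to isolated management VLAN"}),
    Component("webapp-y", "2.0"),
    Component("os-z", "7"),
]


def find_open_vulns(inventory, records):
    """Return (product, version, bdu_id) for every match that is neither
    fixed nor covered by a documented compensating measure."""
    open_items = []
    for comp in inventory:
        for v in records:
            if v.product != comp.product or comp.version not in v.affected:
                continue
            if v.bdu_id in comp.compensating:
                continue  # exploitation declared impossible; rationale is on record
            open_items.append((comp.product, comp.version, v.bdu_id))
    return open_items


def analysis_passes(inventory, records):
    """The Order's condition: no listed vulnerability, or each one non-exploitable."""
    return not find_open_vulns(inventory, records)


if __name__ == "__main__":
    for product, version, bdu in find_open_vulns(INVENTORY, BDU_RECORDS):
        print(f"OPEN  {product} {version}: {bdu}")
    print("passes" if analysis_passes(INVENTORY, BDU_RECORDS) else "FAILS")
```

In the constructed data the DBMS finding is covered by a recorded measure, while the web application remains open, so the analysis fails until it is patched or a compensating measure is documented.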
After conducting checks and adjustments (if necessary) of the applied solutions, we proceed to acceptance testing.
Certification of the information system
After successful acceptance testing, you can proceed to certification.
Certification is certification; it is hard to clarify much here, so I will simply list the inspection (test) methods used during certification tests:
- expert documentary method providing for verification of compliance of the information protection system of the information system with the established information protection requirements, based on the evaluation of operational documentation, organizational and administrative documents on information protection, as well as the operating conditions of the information system;
- analysis of information system vulnerabilities, including those caused by improperly configured (configured) software and information security tools;
- testing information protection systems by attempting unauthorized access (impact) to an information system bypassing its information protection system.
On the subject of certification, I would like to draw attention to the following text of the Order:
"It is allowed to certify an information system based on the results of certification tests of a dedicated set of information system segments that implement the full information processing technology.
In this case, the extension of the certificate of conformity to other segments of the information system is subject to their compliance with the segments of the information system that have passed certification tests."
Thus, given, say, hundreds of identical workstations, the Order allows certifying not all of them but, for example, 3-5. Provided the applied protection tools and measures fully match, the certificate may also cover workstations that have not passed the full certification process.