Most likely, you know that CIPF accounting is regulated by the “Instruction on the organization and security of storage, processing and transmission via communication channels using cryptographic protection of information with limited access that does not contain information constituting a state secret.” This document, still in force with undiminished authority, was approved by order of the Federal Agency for Government Communications and Information under the President of the Russian Federation (FAPSI) dated 13.06.2001 No. 152.
Back then, 20 years ago, certified cryptographic information protection tools were used extremely rarely, and most organizations did not have such a diverse and geographically distributed IT infrastructure across the country. As a result, the instruction, for example, still does not provide for the possibility of transmitting encryption keys remotely, and the accounting journal must be kept in a separate room. It is possible to keep records in electronic form, but only with the use of a qualified electronic signature (accounting of cryptographic information protection tools in electronic form is a topic for a separate article, and we will talk about it next time), or by accompanying each action with the appropriate acts.
By the way, FAPSI itself was disbanded in 2003. Its functions were distributed between the FSO, FSB, SVR and the Special Communications and Information Service under the FSO. But the document written by the agency has not lost its force.
Who keeps records and how
If an organization is the owner of confidential information, then it most likely needs to ensure the safe transfer, processing and storage of this information using cryptographic information protection tools (CIPF). By the way, the instruction understands the latter to mean not only the software or hardware and software themselves, but also the information necessary for their operation: keys and technical documentation.
The cryptographic protection body (OKZ) organizes and controls all work with the cryptographic protection system. This can be either a structural unit (or a specific employee) within the organization (the owner of confidential information) or an external contractor (for example, a service provider).
In the first case, the organization must issue an order on the creation of an OKZ, determine its structure and the responsibilities of employees. For example:
· the head of the department organizes and improves the system for managing the work of his employees;
· the security administrator ensures the security of information processed, transmitted and stored using computer technology.
All employees who are engaged in the installation and configuration of the cryptographic information protection system and, in principle, have access to them, must be included in the order and familiarized with it. For each position, you need to develop a job description and familiarize users with the procedure for using the CIPF.
As a result, the list of required documents consists of:
· the order on the creation of the OKZ;
· approved forms of accounting journals;
· templates of statements and acts;
· instructions for users on working with cryptographic information protection tools.
We remember that all CIPF must be accounted for instance by instance, and their movement (creation, issuance, installation, transfer, destruction) must be documented. For this, both the owner of confidential information and the cryptographic protection body must keep journals (each its own) of instance accounting for CIPF, the operational and technical documentation for them, and key documents.
But if the body for cryptographic protection of information is a structural unit of the organization, it falls on its shoulders to keep both journals. The fact is that in this case the organization is not only the owner of confidential information, but also performs part of the functions of the OKZ. For example, large holdings, as a rule, single out an IT company, which is also responsible for information security using cryptographic information protection tools. It maintains all the journals and related documentation and is a service provider for its holding.
If the services are provided by a service provider, then it fills in the journal for the cryptographic protection body, and the organization fills in the journal for the owner of confidential information.
Are you still here? We hope you are not confused!
Accounting journals are kept for 5 years. The CIPF themselves and their documentation must be kept under lock and key in a special room, and only OKZ employees may have access there.
Operations with CIPF: registration
Let us consider the accounting procedure using a specific example (the data in the tables below are fictitious; any coincidences are accidental). Organization N, the owner of confidential information, wants to use CIPF from the CryptoPro company. At the same time, organization N is not ready to create an OKZ and turns to a service provider that will provide it with the appropriate services. So, to begin with, the vendor must provide organization N with the initial data for accounting. It looks like this:
· s/n of the CIPF license
· t/n No. 44313 dated 22.02.2020
· CIPF form: “CryptoPro CSP” version 4.2
· ZHTY.00002-02 30 10
· CD-ROM with the CIPF distribution kit
· Inv. No. 5421
Columns 1-6 of the instance accounting journal should contain information about:
· the disk with the distribution kit;
· the serial number of the CIPF license.
After all these data have been entered, the cryptographic information protection tools are issued to users, that is, to those employees of the organization for whom they were purchased. This can be either an accounting officer who uses an electronic signature to sign and send documents, or another responsible specialist who has undertaken obligations for the safekeeping of the CIPF.
At this stage, columns 7 and 8 of the journal are filled in (to whom and when the CIPF was issued, with the mandatory signature of the user). If it is not possible to sign in the journal, then a transfer act can be drawn up, which states in free form who (the security administrator) transfers the cryptographic information protection tool and to whom (the user). In this case, both parties sign, and the number of the act is entered in column 8 (“Date and number of the covering letter”).
In column 9, the name of the employee who installed the CIPF is written. This is most often done by a technical support specialist who is also the security administrator. But it can also be the user, if he has the appropriate skills and network access rights. Column 11 indicates the serial number of the motherboard or the number of the seal on the system unit.
If the employee who carried out the installation has quit, then the cryptographic information protection tool must be withdrawn and an act must be drawn up indicating the object and method of withdrawal (for example, removal of key information from the medium). All this is recorded in columns 12, 13 and 14.
When the CIPF is destroyed, an appropriate act is also drawn up. It must indicate the object and method of destruction. For software CIPF, the key information is erased from the key medium (the registry is cleaned) and the software is uninstalled. For hardware CIPF, the key information can be deleted or the device can be physically destroyed.
Below is an example of a journal filled out by an organization that owns confidential information. LLC “Company” is a service provider that performs the functions of the cryptographic protection body for the organization.
The CIPF accounting journal for the cryptographic protection body overlaps in many points with the similar document for the organization and is filled in according to the same principle, so we will not dwell on it in detail. In the example below, LLC “Organization” is the owner of confidential information that used the services of a service provider.
What’s the bottom line?
It is hard to disagree that all these requirements have long been outdated and the Instruction needs real amendments, but for now we are forced to comply with the requirements of its current edition. Please note that in order to maintain the instance accounting journal for cryptographic information protection tools in electronic form, it is required either to sign documents only with a qualified electronic signature or to accompany each action with the appropriate acts. If we are talking about a paper document, then all the data and signatures must be entered into it personally by each responsible person.
Of course, accounting for cryptographic information protection systems is only one of the many mandatory processes described in the document. In the future, we will try to describe in detail the process of sealing the CIPF, the technology for their destruction and much more.
We hope you found this checklist helpful.
Author: Nikita Nikitochkin, CIPF Registry Administrator, Solar JSOC, Rostelecom-Solar