Why is everything so difficult?
This question is asked by everyone who goes through the quest called "certification" in practice for the first time. There are plenty of difficulties, and one of them is that a large number of norms and requirements for the protection of various information resources are now in force in the Russian Federation. Information law can be considered to have finally become a separate branch of law, and understanding all the intricacies and peculiarities of these laws takes a narrowly specialized lawyer who works in precisely this area. Not every company can afford to keep such a specialist on staff.
Another difficulty arises when responsibility for information security is assigned to IT department staff who handle it part-time and who accordingly have neither specialized education, nor proper training, nor enough working time to perform information security work systematically. All of this has a negative effect on the quality of certification of information systems. Without proper qualifications, the inspection of systems is often superficial, information security requirements are set incorrectly, and the result of such work is often errors in the design and implementation of the information security system.
Since June 1, 2021, another difficulty has appeared. Under the new requirements of the FSTEC of Russia, the owner of the informatization object is now obliged to send to the organization performing the certification of automated systems electronic copies of the technical passport, the classification act, the technical specifications for the creation of the information security system, and the other design and operational documentation defined by state standards. Organizational and administrative documents on the technical protection of information must also be provided: those that regulate the rules for operating the facility, including management of the information security system, configuration management of the facility, and so on. The FSTEC of Russia licensee is then obliged to forward these documents to the territorial body of the state regulator. At present this applies to systems in which state secrets are processed, but there is reason to expect that such requirements will become mandatory for owners of information systems that process restricted data not constituting a state secret. Consequently, the likelihood of a detailed review and assessment of the work by the regulator increases significantly, which means that high-quality preparation for this process carries more weight, and it becomes harder to do it on your own.
Where are they most often mistaken?
In the course of certification work on the customers' side, we have identified a large number of both minor flaws and gross violations in the preparation of information systems for certification. The most common are the following:
– errors in the organizational and administrative documents on the protection of the objects (the information stated in the documents does not match the actual operating conditions of the systems), and sometimes a complete absence of such documents;
– errors in determining the security class (level) of the information systems;
– use of FSTEC of Russia documents that are no longer in force;
– errors in identifying the actual technical channels of information leakage;
– incorrectly chosen measures to protect information from unauthorized access;
– settings of the information security tools that do not match the information security requirements or the operational documentation.
If such errors are found during certification, they will have to be eliminated and repeat tests organized, which naturally translates into additional costs and lost time.
Therefore, if the organization has no qualified personnel of its own dealing with information security, we recommend turning for help to an organization that holds an FSTEC of Russia license for the technical protection of confidential information with clauses "a", "b" and "d" in that license (a complete list of organizations authorized to provide such services is published on the regulator's official website). This provides an integrated approach to protecting the information system and a guaranteed positive result of the certification tests.
But if you have nevertheless decided to do everything yourself, here are some important recommendations.
How to prepare an object of informatization for certification
Here is an approximate sequence of actions when preparing for certification tests.
– First, carry out a primary analysis of the objects of informatization: assess the initial data (a survey of the object), analyze and formulate the security requirements, and analyze the risks.
– Next, determine whether the employees have the necessary competencies and assign responsibilities for the work, including preparing the organizational and administrative documents, configuring the information protection software and hardware, operating the information security system, managing the work and organizing control over its execution.
– Then determine the security mechanisms and the composition and structure of the set of information security tools, depending on the established security class (level) of the object.
– Estimate the time and resources required to prepare the objects for certification.
– At the end of the preparation, choose an organization that, having carried out the set of required measures, will confirm that the information protection system of the informatization object complies with the security requirements.
We have described two approaches to certification, engaging an FSTEC of Russia licensee or preparing on your own, and we hope that our recommendations will help you prepare your objects of informatization for it.
The material was prepared by Stanislav Babkin, head of the attestation testing department of LLC Gazinformservice.