Automating the construction of an information security system in accordance with FSTEC Order No. 21

Hello, dear users of Habr!

I would like to share with you a project for the automated construction of an information security system (ISS) in accordance with FSTEC Order No. 21.

As we all remember, almost two years ago FSTEC Orders No. 17 and No. 21 came into force, describing security measures for state information systems (GIS) and personal data information systems (ISPDn), respectively. Since then, we have been analysing these documents as part of our term papers with the aim of developing an algorithm for constructing an ISS and then automating it in a graduation project.



The problem

Consider the chain of cause and effect:



  • After the publication of the aforementioned orders, few developer companies published a mapping between the measures listed in them and the functions of their information protection tools (SZI) that "close" those measures;
  • As a result, integrators often had to get creative in achieving compliance while neutralizing the current security threats;
  • When constructing an ISS, specialists with little experience in deploying SZI find it quite difficult to evaluate the effectiveness of the deployed tools against the requirements of FSTEC Order No. 21 for a specific ISPDn.


It is these problems that prompted us to develop a project for the automated construction of an ISS for an ISPDn. Its purpose is to create an informational and advisory information security resource that helps students and novice specialists approach the task of forming an ISS, or assessing its effectiveness, competently.

Automating the algorithm

What is the essence of our automated algorithm? Given the following initial data about the information system as input:

  • the ISPDn security level (defines the basic set of measures for protecting personal data);
  • its structural and functional characteristics (used to adapt the basic set of measures);
  • the SZI already deployed in the ISPDn;
  • whether technical support is required,

the output is a list of SZI whose functionality fully covers the requirements for the ISPDn.

Moreover, the set of tools in the list may vary depending on:
  • pricing policy (the lowest total cost of all SZI among all possible combinations);
  • limiting the "zoo" of tools (the list with the fewest SZI);
  • random sampling.




To automate the algorithm, a database of certified SZI and their correspondence to the measures of the Order is necessary. We took the State Register of Certified Information Protection Tools (easily found on the website of FSTEC of Russia) as the basis. First the most common SZI were selected from it, and then tools whose FSTEC certificate had expired were eliminated.

Next came the problem of expert assessment of which specific measures each remaining SZI's functionality closes. We requested the relevant information from the developers and enlisted the help of specialists with integrator experience. Even so, in our opinion the resulting expert assessment still contains errors.

It is worth noting that the algorithm accounts for the neutralization of unauthorized access (NSD) threats by both the selected certified operating system and the tools already on hand.

While the list of SZI is being formed, the total cost of deploying them is calculated at the same time: the sum of each tool's license cost for the given number of hosts plus technical support.

The deployment cost is calculated individually for each SZI from the user-entered data and the database tables.


The screenshot shows the price table for an SZI.

  • As can be seen from the example, the purchase price of one license unit is 1,800 c.u. (conventional units);
  • according to the table, buying a license for 15 hosts costs 1,600 c.u., and so on;
  • technical support for the product for 1 year costs 25,000 c.u.


When the algorithm finishes, we get three variants of the SZI set. For example:


First module: lowest price


Second module: the fewest SZI in the system


Third module: random
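To make the procedure above concrete (adapt the basic measure set, subtract what deployed tools already close, price each tool by host-count tier plus support, then pick the cheapest, the smallest and a random covering combination), here is an added Python example. It is not code from the authors' project or database: every tool name, measure label (M01..M06 stand in for the Order's real measure codes), price tier and support fee is constructed for illustration, and the tier (15, 1600) simply mirrors the price table described in the screenshot.

```python
"""Added example, not the authors' project code: a toy version of the SZI
selection procedure described in the post. Every tool name, measure label,
price tier and support fee below is constructed for illustration."""
import itertools
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Szi:
    """One certified information protection tool (SZI) in the catalogue."""
    name: str
    measures: frozenset        # measures of the Order this tool "closes"
    price_tiers: tuple         # ((min_hosts, price_per_host), ...), ascending
    support_per_year: int      # annual technical support fee, c.u.

    def license_cost(self, hosts: int) -> int:
        """Per-host price of the highest tier whose threshold is <= hosts."""
        per_host = self.price_tiers[0][1]
        for min_hosts, price in self.price_tiers:
            if hosts >= min_hosts:
                per_host = price
        return per_host * hosts

    def total_cost(self, hosts: int, support_years: int) -> int:
        return self.license_cost(hosts) + self.support_per_year * support_years


# Constructed catalogue (hypothetical tools). ToolA's tiers echo the post's
# screenshot: 1800 c.u. per unit, 1600 c.u. from 15 hosts, 25,000 c.u. support.
CATALOGUE = (
    Szi("ToolA", frozenset({"M01", "M02"}), ((1, 1800), (15, 1600)), 25_000),
    Szi("ToolB", frozenset({"M03", "M04"}), ((1, 900),), 10_000),
    Szi("ToolC", frozenset({"M02", "M03", "M04", "M05"}), ((1, 3000), (10, 2700)), 40_000),
    Szi("ToolD", frozenset({"M05", "M06"}), ((1, 1200),), 15_000),
    Szi("ToolE", frozenset({"M01", "M06"}), ((1, 2000),), 0),
)


def required_measures(base_set, not_applicable, already_closed):
    """Basic set for the security level, adapted to the system's structural
    characteristics, minus measures already closed by deployed tools."""
    return frozenset(base_set) - frozenset(not_applicable) - frozenset(already_closed)


def covering_sets(required, catalogue):
    """All irredundant tool combinations whose measures cover `required`
    (brute force; fine for a small catalogue, exponential in general)."""
    if not required:
        return [()]  # nothing left to close: the empty combination suffices
    result = []
    for k in range(1, len(catalogue) + 1):
        for combo in itertools.combinations(catalogue, k):
            covered = frozenset().union(*(t.measures for t in combo))
            if not required <= covered:
                continue
            # drop combinations in which some tool contributes nothing needed
            irredundant = all(
                not required <= frozenset().union(*(u.measures for u in combo if u is not t))
                for t in combo)
            if irredundant:
                result.append(combo)
    return result


def select_variants(required, catalogue, hosts, support_years, seed=0):
    """Return the three output lists the post describes: cheapest total cost,
    fewest tools (the smallest "zoo"), and a random admissible combination."""
    covers = covering_sets(required, catalogue)
    if not covers:
        raise ValueError("no combination of catalogue tools closes all required measures")

    def cost(combo):
        return sum(t.total_cost(hosts, support_years) for t in combo)

    def names(combo):
        return tuple(sorted(t.name for t in combo))

    cheapest = min(covers, key=lambda c: (cost(c), len(c), names(c)))
    fewest = min(covers, key=lambda c: (len(c), cost(c), names(c)))
    rnd = random.Random(seed).choice(covers)
    return {
        "cheapest": (names(cheapest), cost(cheapest)),
        "fewest": (names(fewest), cost(fewest)),
        "random": (names(rnd), cost(rnd)),
    }


if __name__ == "__main__":
    # Constructed input: six basic measures, none excluded by structural
    # characteristics, M06 already closed by a tool on hand, 20 hosts, 1 year.
    need = required_measures({"M01", "M02", "M03", "M04", "M05", "M06"}, set(), {"M06"})
    for variant, (tools, total) in select_variants(need, CATALOGUE, 20, 1).items():
        print(f"{variant:8s} {tools} -> {total} c.u.")
```

With this constructed catalogue the cheapest variant (ToolA, ToolB, ToolD at 124,000 c.u.) differs from the smallest one (ToolC, ToolE at 134,000 c.u.), which is exactly why the post outputs the two lists separately: the fewest tools are not necessarily the cheapest. The irredundancy filter keeps the random variant meaningful by excluding combinations that carry a tool closing nothing still required.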

Ideally, we hope to improve the project after receiving feedback from developer companies on whether the mapping of their products in our database is accurate.

Conclusion

That's probably all. We have tried to cover the key points of the project for the automated construction of an ISS in accordance with FSTEC Order No. 21. We hope it did not turn out too long.

Since the project is still quite "raw", your comments, suggestions and, of course, constructive criticism are welcome.

Thank you for your attention!
