Why is conformity assessment of information protection tools equated with certification?

    My previous post, Certification of protection tools and personal data, lacked specificity on the question of certification as such.
    This time I will set out not my own view of the issue, but excerpts from the laws that lead to the thesis that certification is the only form of assessing the conformity of protection tools with information protection requirements.
    The article turned out to be a bit messy, but, hopefully, understandable.


    Where does this come from?


    We will consider the requirements for protection tools according to the latest regulatory documents: FSTEC Order No. 21 and Government Decree No. 1119. Both establish the requirement for conformity assessment.
    Paragraph 4 of Order No. 21
    4. Measures to ensure the security of personal data are implemented, inter alia, through the use of information protection tools in the information system that have passed the conformity assessment procedure in the prescribed manner, in cases where the use of such tools is necessary to neutralize current threats to the security of personal data.

    Paragraph 13 of Decree No. 1119
    To ensure ... the level of security of personal data during their processing in information systems, the following requirements must be met: ...
    d) the use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such tools is necessary to neutralize current threats.

    Thus, where threats are neutralized with the help of protection tools, those tools must have passed conformity assessment.
    This is where the question arises for many, since the information protection documents themselves do not give a clear definition of conformity assessment.

    What is a “conformity assessment”?


    To understand what this is, one should refer to the latest version of the Federal Law of December 27, 2002 N 184-ФЗ "On Technical Regulation", as amended on September 1, 2013 (hereinafter Federal Law No. 184).
    First, let us define the concepts:
    declaring conformity - a form of confirmation of conformity of products with the requirements of technical regulations;
    declaration of conformity - a document certifying the conformity of products put into circulation with the requirements of technical regulations;
    conformity assessment - direct or indirect determination of compliance with the requirements for the facility;
    confirmation of conformity - documentary evidence of conformity of products or other objects, processes of production, operation, storage, transportation, sale and disposal, performance of work or the provision of services to the requirements of technical regulations, provisions of standards or contract terms;
    technical regulation - a document that is adopted by an international treaty of the Russian Federation ratified in the manner established by the legislation of the Russian Federation, or by federal law, or by a decree of the President of the Russian Federation, or by a resolution of the Government of the Russian Federation, and establishes requirements for objects of technical regulation (products, including buildings, structures and installations, and processes of production, operation, storage, transportation, sale and disposal);
    conformity confirmation form - a certain procedure for documenting the conformity of products or other objects, processes of production, operation, storage, transportation, sale and disposal, performance of work or the provision of services to the requirements of technical regulations, the provisions of standards or the terms of contracts.

    From Article 20 of Federal Law No. 184:
    Forms of confirmation of conformity
    1. Confirmation of conformity in the territory of the Russian Federation may be voluntary or mandatory.
    2. Voluntary confirmation of conformity is carried out in the form of voluntary certification.
    3. Mandatory confirmation of conformity is carried out in the following forms:
    - adoption of a declaration of conformity (hereinafter - declaring conformity);
    - mandatory certification.
    we find that there is voluntary certification and mandatory confirmation of conformity.
    In turn, the mandatory form can take place in two ways: declaring conformity and mandatory certification.
    In effect, we get three ways to confirm conformity:
    - voluntary certification
    - mandatory certification
    - declaring conformity
    We will not consider mandatory certification: it is of no interest for this topic. Let us consider the rest.

    Voluntary certification


    I will not dwell on this form, since at the moment there are practically no such certification bodies (I could be wrong). The only one that comes to mind is Gazpromsert, and that is more for the use of products within the company.
    From Article 21:
    Article 21. Voluntary confirmation of conformity
    1. Voluntary confirmation of conformity is carried out on the initiative of the applicant on the terms of an agreement between the applicant and the certification body. Voluntary confirmation of compliance can be carried out to establish compliance with national standards, preliminary national standards, standards of organizations, codes of practice, voluntary certification systems, contract terms ...
    2. A voluntary certification system can be created by a legal entity and (or) individual entrepreneur or several legal entities and (or) individual entrepreneurs.
    it can be seen that this form is used mainly to meet corporate standards.
    At one time there was a movement to create a voluntary certification system for personal data protection, but it seems it did not get anywhere.
    And the saving in time and resources compared with mandatory certification turns out to be insignificant (if there is any at all).

    Declaration of Conformity


    The following paragraph of the law may seem most attractive:
    Article 24. Declaring conformity
    1. Declaring conformity is carried out according to one of the following schemes:
    - adoption of a declaration of conformity on the basis of the applicant's own evidence;
    - adoption of a declaration of conformity on the basis of the applicant's own evidence and evidence obtained with the participation of a certification body and (or) an accredited testing laboratory (center) (hereinafter - the third party).

    and especially the heart-warming lines of the same article:
    2. When declaring conformity on the basis of its own evidence, the applicant independently forms the evidence for the purpose of confirming the conformity of products with the requirements of technical regulations. Technical documentation, the results of the applicant's own research (tests) and measurements and (or) other documents that served as a reasoned basis for confirming the conformity of products with the requirements of technical regulations are used as evidence. The composition of evidence is determined by the relevant technical regulation.

    Especially taking into account paragraph 3 of Article 23:
    3. The declaration of conformity and the certificate of conformity have equal legal force irrespective of the schemes of mandatory confirmation of conformity and are valid throughout the Russian Federation.

    But let us pay attention to the last sentence of paragraph 2 of Article 24, which is repeated in paragraph 5 of the same article:
    The composition of evidence is determined by the relevant technical regulation.

    Also (and first of all) it is worth considering paragraph 1 of Article 23:
    1. Mandatory confirmation of compliance is carried out only in cases established by the relevant technical regulation, and exclusively for compliance with the requirements of the technical regulation .

    Summing up all of the above: the law in no way restricts our right to declare that information protection tools comply with information protection requirements (under paragraph 1 of Article 28, "the applicant has the right to ... choose the form and scheme of confirmation of conformity provided for certain types of products by the relevant technical regulation"), but this procedure must be carried out in accordance with a technical regulation (under paragraph 2 of Article 28, "the applicant must ... ensure the conformity of products with the requirements of technical regulations").
    But what is a technical regulation? According to the definition given above, it is a regulatory document adopted at the level of a Government resolution or higher that defines requirements for products.

    So why "certification" = "conformity assessment"?


    I note that this statement is only partly true ... it is better to add a qualifier: at present.
    We found out above that declaring conformity must be carried out in accordance with a technical regulation, which, in our case, would have to be developed by FSTEC staff. But ... "nothing has moved."
    In the entire time the personal data law has existed, not a single such technical regulation has been issued. The only thing that exists at the moment is protection profiles, but they are intended for developers of protection tools (and, by the way, they seem to have been lifted from NIST). You can familiarize yourself with them here: Draft package of protection profiles.

    Federal Law No. 184 "On Technical Regulation" can be found on the official website of the FSTEC of Russia:
    Federal Law of December 27, 2002 N 184-ФЗ
    If you are interested in the protection profiles, the regulatory documents can be viewed here.
