Security Certification and Personal Information

Certification of information protection tools has caused, causes and will go on causing a huge number of questions for IT people. And unfortunately not only for them: the "lawmakers" and "methodologists" themselves cannot always give a proper answer to questions about certification. Here, perhaps, two sub-questions can be distinguished:
1. What the regulatory bodies "want" (FSTEC, FSB, Roskomnadzor), hereinafter "the regulators";
2. What the law and the methodologies "want".
This is partly written in response to "Information Security and Certification. If there is no difference, why pay more?", where, I think, the current state of affairs is presented not quite correctly ... although I set out my view of it from personal experience in communicating with regulators, certification bodies and clients, and from experience in implementing protection systems.

Do not take this article as a scientific work on legislation in the field of personal data protection. Rather, it is a short essay on the topic.

What the law and methods “want”

Before RF Government Decree No. 1119 of 01.11.2012 "On approval of the requirements for the protection of personal data during their processing in personal data information systems", the situation was approximately the following:
Certification was the only feasible form of assessing the conformity of information protection tools (SZI).
There were other methods, but they were "more fun": there were no technical regulations for conformity assessment of specific types of protection tools. There were requirements, but no assessment guidelines. And for the state everything is simple: if there is no verification procedure (that is, it is not described which specific processes constitute verification that the requirement is fulfilled), then there is no verification.
Perhaps one could write a "Program and Methodology for Conformity Assessment" on one's own, coordinate it with FSTEC or a certification body (very unlikely), and write up a "Protocol ...". But this issue was not explored, because in most cases it was too laborious and did not pay off. It was easier to buy a certified product or to drop the threat from the "Threat Model ...".
From a technical point of view this would have looked quite simple if a class 5 SZI (under the SVT protection classes) was required, which in most cases was enough (at a quick glance, this amounts to black-box testing of the product's authorization functions), but if, for example, the product was used in a class K1 system, NDV control (absence of undeclared capabilities) still had to be ensured. And NDV control at level 4 is essentially the absence of redundant code, which again has to be confirmed with certified tools like AK-VS or AIST, costing several hundred thousand rubles.
Yes, you could do it manually, but what if the product is closed-source? Or so complex that doing this work manually would take an enormous amount of time? And again, the question of coordinating the "Program and Methodology ...".
And I'll tell you a little secret: at present there are no assessment methods and procedures for certification laboratories, and many laboratories devise them from their own experience. And that experience comes down more to whether the methodology will be approved by the certification body than to the quality of the evaluation of the protective functions.
With the release of Decree No. 1119, the situation has changed a bit.
Paragraph 12 states:
To ensure ... the level of security of personal data during their processing in information systems, the following requirements must be met: ...
d) the use of information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of ensuring information security, in the case when the use of such tools is necessary to neutralize actual threats.

I'll voice my view: certified SZI are now required only to neutralize actual threats; accordingly, it is in your hands to compose the "Threat Model ..." correctly, minimizing the need for such SZI. The measures listed in the Appendix to the Regulation remain. But neither the decree nor any other regulatory document indicates that SZI must be used to implement the required measures.
Also, the decree now modestly says "conformity assessment" rather than "certification". But I covered this point above: de jure this is not necessarily certification, de facto it is. Why it should be perceived that way, see below.

What the regulatory authorities “want”

I think there are two points worth noting here:
1. First of all, the regulators often have their own intricate view of what is written in the law. However, they are not inclined to comment much on their approach. It is enough to recall the "discussion" of Decree 1119, to which the regulators invited everyone, but listened to no one and commented on nothing. There are two assumptions: either they simply did not understand what they were told, or the "discussion" was started for show. My opinion: a bit of both.
Our organization also tried several times to get comments on some points that we, as integrators, have to fulfil, but the only answer was: "It is not our business to comment on what we came up with" (jokingly: "thought it up themselves, took offence themselves").
The notice on the official FSTEC site (full text on the site) was indicative:
At the same time, we inform you that FSTEC of Russia is not empowered to clarify the requirements for the protection of personal data during their processing in personal data information systems approved by Decree of the Government of the Russian Federation No. 1119 of November 1, 2012, including in terms of determining the types of threats to personal data and the procedure for determining the levels of security of personal data.

2. In connection with point 1, during an inspection all the cards are in the hands of the inspector (FSTEC, in the case of a FSTEC inspection). This is further compounded by the fact that each federal district has its own FSTEC, Roskomnadzor and FSB office, and for some reason each has its own point of view, which can differ radically from that of the neighbouring federal district.

So what to do

1. Try to minimize the list of actual threats, since nothing really restricts you. Give reasonable arguments and write them down in the "Threat Model ...". But do not overdo it.
2. Based on the Model, determine the list of SZI.
Keep in mind that to close a threat it is not necessary to certify all the software; you need to certify the protection mechanism: if the processing software authenticates users via NTLM (Kerberos) and all rights are separated at the domain level, certify the domain mechanisms rather than the software itself (if NDV control is not required): something like Secret Net, Dallas Lock, or the Windows certification pack.
In this regard, it is up to the reader to decide whether to dig in on principle or to achieve the goal with minimal risk and cost.
Fortunately, most of the most widely used products have been certified, and not all of the market consists of Russian student handicrafts. If there is interest, I can write a small review of protection tools with minimal impact on performance.
