Information protection and certification. If there is no difference - why pay more?

Short introduction


The infamous Federal Law 152 has caused a lot of headaches for our fellow system administrators. Even on paper, Russian legislation in the field of information security raises many questions, and when it comes to solving specific problems in practice... things become very sad.
I personally see this article as a small ray of light in the huge dark realm of regulations, guidance documents (RD) and other scary words that are not entirely clear to an ordinary techie. In my opinion, it makes sense both for technical specialists, so they can pass useful information on to management, and for sensible managers who care about saving money and know the real price of all kinds of pieces of paper.
Sound familiar? Then read on.


Certification for every product!


Thanks to merced2001, who gave a sensible comment on the article.
I note right away that this article does not address the subtle aspects of encryption certification and does not apply to state and municipal information systems. It is an introductory article intended to give the reader food for thought, which may lead him to an understanding of this topic. So now, with a clear conscience, you can continue.

From the very beginning, the idea behind certificates was quite understandable: to guarantee at least somehow compliance with technical conditions or specific regulator requirements, a product had to go through a rite of passage, that is, the certification procedure. A knowledgeable person will immediately want to correct me: “Not certification, but conformity assessment!” And he will be right, but more on that later. Indeed, the law says that all means of protecting personal data must undergo a conformity assessment procedure. And somehow, almost imperceptibly, we were all convinced that this is nothing more than certification. The understanding was that all manufacturers would quickly certify their products, and happiness, peace and communism would follow. But, as you know, the devil is always in the details. He did not wait long and immediately crawled to the surface. For reference: certifying a product costs about 1,500,000 to 2,000,000 rubles and takes about a year. And all of this is automatically included in the price of the product. At the same time, manufacturers treat certification as an investment, which is quite logical. The most negative role in pricing was played by the lack of competition. But high prices are not the worst of all evils. The bottom line is that all updates had to be certified too, and faster than two weeks is simply impossible. Just imagine that you have a service with a critical vulnerability exposed, a ready-made exploit has already appeared in public, kind people have already added it to the Metasploit database, and the supplier of the certified product has only just started moving in that direction; the fix will be issued no sooner than two weeks later (and that is at best). Can you sleep well? I definitely can’t. But the law is the law, and nothing can be done. So our fellow administrators had to endure a sea of headaches, sometimes moving on to another job. And I have not yet even mentioned the quality of hastily cobbled-together “SZI” (information protection tools).
And somehow we had to live with it.

PP 1119 came out. What has changed?


In fact, the government agencies that actively push for full coverage of the infrastructure with certified products have become threat number one. And since such a threat exists, it must be neutralized or its damage minimized.
It should be noted that the rules in PP 1119 were relaxed slightly, freeing the hands of ordinary enterprises, which the FSTEC and the FSB beautifully refer to as “Personal Data Operators”.
The first way to confront these state organizations, and by the way the cleanest, most legal and least costly one, is depersonalization and lowering the protection level of that same personal data. Both mathematicians, who came up with algorithms for scrambling this data in the database, and auditors, who proposed, for example, replacing the “disability” field in 1C with “privilege”, thereby avoiding biometric data, have tried their hand here.
Indirectly, this even puts the infrastructure in additional order, which, of course, is good.
But this is only the tip; the real “meat” is the rationale for using certified products. As I already said, our legislation uses the wording “conformity assessment procedure” for Federal Law 152 and PP 1119, and the FSTEC joyfully announced that this is nothing more than certification. But in fact it is not. Legally, they are right: certification is indeed a conformity assessment procedure, but it is only a subset of it.
If we turn to Federal Law 184, it reads:
Conformity assessment: direct or indirect determination of compliance with the requirements for an object.
Conformity assessment is carried out in the forms of state control (supervision), accreditation, testing, registration, conformity confirmation, acceptance and commissioning of a facility whose construction is completed, and in other forms.

So, acceptance and commissioning, provided that you have developed procedures for information security, are quite a valid conformity assessment procedure. And since everything goes through them anyway, why not use the existing tools as efficiently as possible!
This approach gives quite tangible advantages:
Using exactly those products that suit you best, rather than choosing from the small number of certified ones.
No lock-in to a specific supplier, because you can always switch to something new simply by running the standard procedure.
This frees everyone's hands to justify the use of free software and of those products that can actually solve the task, rather than just waving a flag with a printed paper on it. Especially open source software these days, after Snowden's revelations.
By the way, food for thought: the former head of privacy at Microsoft now trusts only free software.

In the next article I will talk about how you can use open source software to provide information security at an enterprise, based on the new standards of our legislation. Perhaps even with document templates, if there is time.
