Information protection and certification. If there is no difference - why pay more?
Short introduction
The infamous Federal Law 152 has caused a lot of headaches for us system administrators. Even on paper, Russian information security legislation raises many questions, and when it comes to solving some of its problems in practice... things become very sad indeed.
I personally see this article as a small ray of light in the huge dark realm of regulations, guidance documents and other scary words that are not entirely clear to an ordinary techie. In my opinion, it is worth reading both for technical specialists, so they can pass useful information on to management, and for decent managers who care about saving money and know the real price of all kinds of pieces of paper.
Sounds familiar? Then welcome under the cut.
Certification for every product!
Thanks to merced2001 for a sensible comment on the article.
I note right away that this article does not address the finer points of encryption certification and does not apply to state and municipal information systems. It is an introductory article, intended to give the reader food for thought that may, perhaps, lead to an understanding of this topic. So now, with a clear conscience, we can continue.
From the very beginning, the idea behind certificates was understandable enough: to guarantee at least some compliance with the technical conditions or the specific requirements of the regulators, it was necessary to undergo a
PP 1119 came out. What has changed?
In effect, the government agencies that actively promote full coverage of the infrastructure with certified products have become threat number one. And since there is such a threat, it needs to be neutralized or its damage minimized.
It should be noted that the rules of PP 1119 were slightly relaxed, freeing the hands of ordinary enterprises, which the FSTEC and the FSB nicely refer to as "Personal Data Operators".
The first way to confront these state organizations, and by the way the cleanest, most legal and least costly one, is depersonalization (anonymization) and lowering the required security level of that same personal data. Here both the mathematicians who came up with algorithms for shuffling this data in the database and the auditors who proposed, for example, replacing the "disability" field in 1C with "privilege", thereby avoiding biometric data, have done their bit.
Indirectly, this even puts the infrastructure in better order as a side effect, which, of course, is good.
But that is only the tip; the real "meat" is the rationale for using certified products. As I already said, our legislation contains the wording "conformity assessment procedure" for Federal Law 152 and PP 1119, and the FSTEC joyfully declared that this is nothing more than certification. In fact, that is not so. Legally they are right: certification is indeed a conformity assessment procedure, but it is only a subset of it.
If we turn to Federal Law 184, it reads:
Conformity assessment: direct or indirect determination of compliance with the requirements imposed on an object;
Conformity assessment is carried out in the forms of state control (supervision), accreditation, testing, registration, conformity confirmation, acceptance and commissioning of a facility whose construction is completed, and in other forms.
So acceptance and commissioning, provided that information security procedures have been developed for them, are very much a conformity assessment procedure. And since they take place anyway, why not use the existing tools as efficiently as possible!
This approach gives quite tangible advantages:
Using exactly those products that suit you best, rather than choosing from the small number of certified ones.
No lock-in to a specific supplier, because you can always switch to something new simply by running the standard procedure.
This frees everyone's hands to justify the use of free software and of those products that actually solve the task effectively, rather than just waving a flag with a printed paper on it. Especially open source software lately, after Snowden's revelations.
By the way, as food for thought, the former head of privacy at Microsoft now trusts only free software.
In the next article I will talk about how open source software can be used to provide information security at an enterprise, based on the new standards of our legislation. Perhaps even with document templates, if there is time.