New in information security certification
About a year ago, on April 3, 2018, the FSTEC of Russia issued order No. 55 . He approved the Regulation on the certification system of information security tools.
This determined who is a member of the certification system. It also specified the organization and procedure for certification of products that are used to protect confidential information representing state secrets, the means of protection of which also need to be certified through this system.
So, what exactly does the Regulation relate to products that need to be certified?
- Means to combat foreign technical intelligence and means of monitoring the effectiveness of technical protection of information.
- IT security tools, including secure information processing tools.
The membership of the certification system included:
- FSTEC accredited bodies.
- Testing laboratories that are accredited by FSTEC.
- Manufacturers of information security tools.
To get certified, you must take the following steps:
- Apply for certification.
- Wait for a decision on certification.
- Pass certification tests.
- To issue an expert opinion and a draft certificate of conformity based on the results.
Further, a certificate may be issued or refused.
In addition, in this or that case it is made:
- Providing a duplicate certificate.
- Labeling of protective equipment.
- Modification of already certified remedies.
- Certificate renewal.
- Suspend a certificate.
- The termination of its action.
The 13th clause of the Regulation should be cited:
“13. Certification tests of information security tools are carried out on the material and technical base of the testing laboratory, as well as on the material and technical bases of the applicant and (or) the manufacturer located in the Russian Federation.
Not so long ago, on March 29, 2019, the FSTEC published another improvement, which was entitled " Information message of the FSTEC of Russia dated March 29, 2019 N 240/24/1525 ."
The document has modernized the certification system for information security tools. Thus, the Information Security Requirements are approved. They establish levels of confidence in the means of technical protection of information and the means of ensuring the security of information technologies. They, in turn, determine the conditions for the development and production of information security tools, testing of information security tools, as well as to ensure the security of information security tools during their use. There are six levels of trust in total. The lowest level is the sixth. The highest is the first.
First of all, confidence levels are intended for developers and manufacturers of protective equipment, applicants for certification, as well as for testing laboratories and certification bodies. Compliance with the Level of Trust Requirements is mandatory for certification of information security tools.
All this will take effect on June 1, 2019. In connection with the approval of the requirements for the level of trust, the FSTEC will no longer accept applications for certification of protective equipment for compliance with the requirements of the guiding document “Protection against unauthorized access. Part 1. Software for information security. Classification by the level of control of the absence of undeclared opportunities. ”
Information protection tools corresponding to the first, second and third levels of trust are used in information systems that process information containing information constituting a state secret.
The use of means of protection from the fourth to the sixth level of confidence for GIS and ISPDn respective classes / protection levels are given in the table:
should pay particular attention to the fact that:
"The action of the conformity assessment of information protection means, in respect of which compliance with this estimate will not be carried out before 1 ”on January 20, based on paragraph 83 of the Regulation on the certification of information protection means, approved by order of the FSTEC of Russia dated April 3, 2018 No. 55, may be suspended.”
While lawmakers continue to work on improving certification requirements, we provide a cloud infrastructure that meets all the requirements of adopted laws. The solution provides for already prepared infrastructure, a ready-made solution for compliance with federal law 152.