Cloud4Y March 23, 2018 at 08:26

The Department of Information Technology, Communications and Information Protection of the City of N requires ...

Tutorial

Public IT is often the subject of jokes and criticisms. However, it cannot be denied that in recent years, work on the development of the information society, and in particular, work to increase the availability of public electronic services, has yielded results.

The following elements of the e-government system have been created in the Russian Federation:

2008 - a network of multifunctional service delivery centers (MFCs);
2009 - a single portal for the provision of state and municipal services (EPGU), regional portals and portals of municipalities (EPGU) related to the system of interagency electronic interaction (SMEV);
2011 - an open government system;
2013 - integrated government (MFC + EPGU + SMEV).

Government agencies are interested in highly qualified personnel, reducing risks and costs, joining forces with the private sector in the provision of services. Perhaps you are an IT specialist thinking about working in the Information Technology Department of your city, or an employee of an IT company with a private form of ownership that would like to provide its services to government organizations. What you need to know and what to be prepared for such a job?

For our part, we offer a cloud infrastructure for hosting state information systems in them and have experience in implementing such projects.

The most relevant issue for government customers is the issue of compliance with legal requirements.The purpose of this article is to increase the awareness of specialists in matters of work in the field of public IT. This article is devoted to one of the main regulatory legal acts in the field of information security in the State and Municipal Information Systems - the 17th order of the FSTEC.

During the adoption, during the introduction of amendments to the Order of February 11, 2013 N 17 “On the approval of requirements for the protection of information not constituting state secrets contained in state information systems”, many copies were broken.

Let me remind you that the latest version of this order is now in its edition of February 15, 2017. But we will be fair, most of the claims related to Appendix No. 2 of this order, namely, the composition of the protective measures. The initial questions about the application of measures were removed after the release of the methodological document dated February 11, 2014 “Information security measures in state information systems” , which answered “how” to implement the requirements of the Order.

We would like to consider the main postulates of the 17th order, without going over to the options for implementing and applying specific protective measures.

So, let's proceed to the theoretical creation of our information system, taking into account the requirements of order No. 17.

It should immediately be noted here that

“The document does not address information protection requirements associated with the use of cryptographic methods of information protection and encryption (cryptographic) means of information protection.”

So we will not consider cryptography.

For ease of perception, I recommend an example of a leak from the article “And so it goes ... or how the data of 14 million Russians were in my hands . ” It will be much easier to perceive the “dry” rules of the law if you think about something more specific. Let's see how Order No. 17 helps us in this situation.

Omitting the non-essential and trivial parts of the Order, we move on to its second section, namely, to item number 9. We begin to create a defense with the appointment of the “guilty”:

“To ensure the protection of information contained in the information system, the operator designates the structural unit or official (employee) responsible for the protection of information”

Someone must make decisions and be responsible for various development mistakes that lead to leaks. The order also clarifies that this responsible person should take part in all stages of the life cycle of the information system, which in general is quite logical. We quote point 12.

“The protection of information contained in an information system is an integral part of the creation and operation of an information system and is provided at all stages (stages) of its creation, during operation and decommissioning ...”

Protection measures are reduced to the following points:

formation of requirements for the protection of information contained in the information system;
development of an information system information security system;
implementation of information security system information system;
certification of the information system according to the requirements of information security (hereinafter - certification of the information system) and putting it into effect;
ensuring the protection of information during the operation of a certified information system;
ensuring the protection of information during the decommissioning of a certified information system or after a decision is made to end information processing.

Formation of requirements

This stage, however, like the other stages, is divided into several sub-stages, but we will try to present all this more succinctly.

The formation of requirements begins with the decision that our information system needs to be protected. After we have made such a decision, we need to classify this system, and for this we need to understand the purpose of creating the system, examine the information being processed in the IP, and also understand what regulatory acts our information system is subject to.

In addition to the fact that IP is state-owned and is subject to the 17th order, it can also be a public information system, which means that other NPAs also apply to it. In particular, the order of the Federal Security Service of the Russian Federation N 416 and the FSTEC of the Russian Federation N 489 dated 08/31/2010 "On the approval of the Requirements for the protection of information contained in public information systems", probably forgotten by all.

We omit the norms of this order in this article. But I would like to note that the reduction of the requirements of various documents to a single denominator, sometimes almost contradicting each other, is a separate issue when working with our legislation.

Having figured out all of the above, we need to classify our IP and move on to modeling threats. In the current edition of the Order, there are three classes of GIS out of four in its first edition, but this will not hinder us in any way. The classification is fairly well described and should not arise with this difficulty. What you should pay attention to is the following text:

“The security class is determined for the information system as a whole and, if necessary, for its individual segments”

Thus, we can divide our information system into its constituent parts and classify each of them individually. For example, to classify separately the servers of the information system and its workplaces.

In the future, respectively, each of the segments will have its own set of protective measures, which is very convenient. It is also necessary to remember that the GIS class is not constant and can vary depending on the circumstances (changing the scale of the IP, the significance of the processed information, etc.).

Threat modeling, the topic itself is quite extensive, so here we restrict ourselves to mentioning this stage. For a detailed review of it, it is advisable to refer you to our previous article “On Threat Modeling” .

The requirements for the protection system are determined directly depending on the security class of the information system and the threats to information security that we identified at the previous stages. These requirements are included in the TOR for the creation of a protection system.

As the Order tells us, they should include the following:

the purpose and objectives of ensuring the protection of information in the information system;
information system security class;
a list of regulatory legal acts, methodological documents and national standards to which the information system must comply;
list of information system protection objects;
requirements for measures and means of information protection used in the information system;
stages (work stages) of creating an information system protection system;
requirements for supplied hardware, software, information security tools;
the functions of the customer and operator to ensure the protection of information in the information system;
requirements for the protection of tools and systems that ensure the functioning of the information system (providing infrastructure);
requirements for the protection of information during information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as the use of computing resources (capacities) provided by an authorized person for information processing.

As you can see, these items list everything that we had to determine at the previous stages. So, if earlier we went through all the points in good faith, then problems with filling TK should not arise.

Development of an information security system

The protection system is developed in accordance with the ToR formed earlier. Development includes three large stages:

design directly;
development of operational documentation;
prototyping and testing.

As you can see, there are three stages that are quite lengthy in time and labor. The development phase is actually very important and avoids most of the problems that arise in subsequent stages.

Unfortunately, many do not pay due attention to this stage, and many factors push them towards this. So the work is built in a huge number of offices of the middle hand. The serious implementation of all three points is typical mainly for large organizations and projects. And therefore, leaks from systems in the development of which these stages were ignored or performed “through the sleeves” are not surprising. Let me explain a little how this happens with this approach.

When we talk about state information systems, we can most likely say that the owner of these systems is a government agency with all the consequences. Recall public procurement, budget constraints, add the likelihood that outside the window is autumn, you need to win back and hand over the project before the end of the new year and get ... We will get at least a 70 percent probability that in fact there will be enough time only for design. In the process of “prototyping and testing”, yeah, someone else would have put the finances on the prototype, the operational documentation will be updated. Testing will come down to verifying that the system will not crash when installing security features. Well, at the output - the expected result: it works and okay!

This is how it should not be. And if this happens, then the possibility of leaks should not after surprise.

Of the three points, I would like to focus on design. So, at the design stage:

types of access subjects and access objects that are objects of protection are determined;
defines access control methods, types of access and rules for differentiating access of access subjects to access objects;
information security measures to be implemented in the information security system of the information system are selected;
the types and types of information protection tools that ensure the implementation of technical measures to protect information are determined
the structure of the information security system is determined, including the composition and placement of its elements;
the selection of information protection tools certified for compliance with information security requirements is carried out, taking into account their cost , compatibility with information technologies and technical means, the security functions of these tools and the features of their implementation, as well as the security class of the information system;
requirements for software settings are defined, including software for information security tools that ensure the implementation of information security measures, as well as the elimination of possible vulnerabilities in the information system that lead to information security threats;
measures of information protection are determined during information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as when using computing resources provided by an authorized person for information processing.

All of the above is executed in the form of a technical project or a similar document. The final version of the technical project is only after the stage of prototyping and testing. The order allows, based on the test results, to make changes to the technical design.

Security system implementation

So, the protection system is developed, tested and ready for implementation. The implementation of the protection system includes:

installation and configuration of information security tools;
development of documents defining the rules and procedures implemented by the operator to ensure the protection of information;
implementation of organizational measures to protect information;
preliminary tests of the information security system;
trial operation of an information security system;
analysis of information system vulnerabilities and adoption of information protection measures to eliminate them;
acceptance tests of the information system information protection system.

Installation and configuration of protective equipment is based on previously developed documentation.

The documents developed at this stage specify the rules and procedures for various aspects of the operation of the created system (incident response, configuration management, monitoring, etc.).

The implementation of organizational measures also includes control over the possibility of their implementation and completeness of coverage. Essentially, at this stage, conflicts between implemented measures and existing business processes are tracked.

After the installation of protective equipment and the implementation of organizational protective measures, preliminary tests are carried out and the trial operation phase begins.

During the trial operation, a very important stage is carried out - vulnerability analysis. Based on the results of this analysis, both the threat model and the technical decisions made can be adjusted. In the latest edition of the Order, it was added that

“According to the results of the vulnerability analysis, it should be confirmed that the information system does not contain vulnerabilities contained in the data security threats database of the FSTEC of Russia, as well as in other sources, or their use (exploitation) by the violator is impossible.”

As the name implies, it is at this stage that the state of the so-called “real security” is checked and the result directly depends on the qualifications of the testers.

After conducting checks and adjusting (if necessary) the applied solutions, we proceed to acceptance tests.

Certification of the information system

After successful acceptance tests, you can proceed to Certification.

Certification is certification, it’s difficult to clarify something here, so I’ll just list the methods of verification (testing) during certification tests:

expert-documentary method, which provides verification of the compliance of the information system information security system with the established requirements for information security, based on the assessment of operational documentation, organizational and administrative documents for information protection, as well as the operating conditions of the information system;
analysis of information system vulnerabilities, including those caused by improper setup (configuration) of software and information protection tools;
testing the information protection system by attempting unauthorized access (impact) to the information system bypassing its information protection system.

Raising the issue of certification, I would like to draw attention to the following text of the Order:

“Certification of the information system is allowed on the basis of the results of the certification tests of the selected set of segments of the information system that implement the complete information processing technology.

In this case, the certificate of conformity is distributed to other segments of the information system subject to their compliance with the segments of the information system that have passed certification tests. ”

Thus, if there are, say, hundreds of typical jobs, the Order allows certification of not all hundreds, but for example 3-5 jobs. Provided that the applied means and protection measures are fully consistent, the certificate may apply to workplaces that have not undergone the full certification process. For such jobs, it is advisable to limit it to inspection control, confirming the conformity of the configuration of such workplaces to reference samples that have passed certification.

Having successfully passed the certification tests, you can begin to commission the system. An important note here is the following:

“If an information system is created on the basis of an authorized person’s data center, such a data center should be certified for a security class not lower than the security class set for the information system being created.”

That is, if you plan to place your system, for example, on the site of a cloud provider , you need to make sure that its infrastructure is certified in the class corresponding to your IS.

Information security during operation

In the course of operation of a put-in IS, tasks arise that are related both to maintaining operability and keeping the protection system up to date.

General operation includes four stages:

management (administration) of the information system information protection system;
incident detection and response;
configuration management of a certified information system and its information protection system;
control (monitoring) over ensuring the level of security of information contained in the information system.

At this stage, it is quite problematic to single out some particular points, because the general steps are highlighted, and the details vary greatly from the configuration of a particular IC. It would seem that this can be finished, but, in fact, it is still early. One of the important stages in the life cycle of any IP is decommissioning.

Information security during decommissioning

The decommissioning of the information system, according to the Order, includes two stages:

archiving information contained in the information system;
destruction (erasing) of data and residual information from computer storage media and (or) destruction of computer storage media.

It is worth noting here that if you erase, rather than physically destroy the media, then you should do this with certified tools that guarantee the destruction of information. Of course, at the same time, all the necessary acts should be drawn up, according to previously developed operational documentation.