FSTEC vs NIST: leakage protection in Russian and American style

A lot has been written about the differences between the Russian and Western mentalities: many books have been published and many films shot. The differences show up in literally everything, from everyday details to rule-making, including the rules that govern the use of information leakage protection (DLP) systems. So we decided to prepare for our readers a series of articles comparing the Russian and the American approaches to protection against leaks.


In this first article, we compare the similarities and differences in the recommendations of the Russian and the American regulators for protecting information, to the extent that leak protection systems can be applied to them. In the second, we will look at how the individual modules of the main DLP systems map to the GIS protection measures recommended by the FSTEC of Russia. In the third, we will take the same list of leak protection systems and correlate it with the recommendations of the American NIST standard.

So, what do the FSTEC of Russia and NIST recommend with respect to the information security tasks for which DLP systems can be used? The answer is under the cut.

Ours

In the Russian Federation, the body that implements state policy, as well as special and control functions, in the field of state information security is the FSTEC (Federal Service for Technical and Export Control). The main regulatory document for GIS (state information systems) and ISPDN (personal data information systems), under FSTEC orders No. 17, 21 and 31, is the FSTEC methodological document "Measures to protect information in state information systems". It describes the methodology for implementing organizational and technical measures to protect information in state and related information systems (IS).

The document states that the information security requirements depend on the security class of the system. There are only three classes, K1, K2 and K3, and they are aimed at ensuring the confidentiality, integrity and availability of the information processed in the system. The first class (K1) is the highest, the third (K3) the lowest. The class of a system depends on two parameters: the level of significance of the information being processed and the scale of the information system.

The FSTEC document lists information protection measures for information systems, from identification and authentication through to the protection of the information systems themselves and of the means and systems of communication and data transmission. According to the document, the process of ensuring information security is structured as follows:

1. Definition of a basic set of protection measures according to the class of the IS.
2. Adaptation of the basic set of measures.
3. Refinement of the measures according to the threat model.
4. Supplementation of the measures to take into account other regulatory requirements on information protection.

Theirs

In the United States, the corresponding body is NIST, the National Institute of Standards and Technology.

Since the early 1990s, NIST has published Federal Information Processing Standards (FIPS) and more detailed explanations and recommendations (Special Publications) in the field of information security. One publication in this category that applies to data leak prevention systems is SP 800-53 rev. 5, Security and Privacy Controls for Information Systems and Organizations. This document has not yet been approved, but is already closed for public comment. The preliminary text of the document is to be published in the spring of 2019, and the final text in the summer of 2019.

Although the two documents are structured differently, the approach to ensuring information security described in them is similar in many ways. At the same time, the American standard has a noticeably more advisory style: each control consists of

1. the basic control section;
2. supplemental guidance;
3. control enhancements, which strengthen the basic control;
4. related controls;
5. a section of references to other regulatory documents that apply to the control or allow it to be improved.

Categorization of information systems into classes is regulated by a separate document, FIPS 199. As in the FSTEC recommendations, the classification approach is based on the classic triad "Confidentiality, Integrity, Availability". The overall criticality of the IS is determined by the highest potential impact on any one element of the triad.

So, let us single out the measures and instructions that can be attributed to the means of preventing data leaks (see the table below).

Comparative table of FSTEC and NIST recommendations


As can be seen from the table, the basic NIST recommendations are higher level. It is worth noting, however, that the American standards contain direct references to the use of data leakage prevention systems, including a separate chapter devoted to the "legalization" of such systems, which prescribes all the necessary measures: from legal procedures and the development of information security policies, to the appointment of responsible persons and the control of information exchange with third parties.

The American standard allows personal mobile devices to be used for authentication in information systems, provided a temporary lockout mechanism and/or strong encryption is used. Yet for all this progressiveness, the document does not say how the use of such devices for identification should be regulated in data leakage prevention systems.

In the future, with DLP systems becoming widespread and the number of detected incidents growing, the number of court proceedings will increase. In such a situation, simply "legalizing" the system is not enough: an evidence base is needed, and it cannot exist without "non-repudiation". NIST devotes a separate control in the audit family to this, AU-10, which defines the concept. The control enhancements describe the procedure for ensuring "non-repudiation" when information is created, sent and received:

1. Collection of the necessary information about the user and identification in the information system.
2. Validation: proof of identity.
3. Life cycle maintenance: a continuous process of gathering information and verifying that the user remains entitled to the actions performed.
4. Checking that information was not modified before transmission and processing, for example by using a checksum.
5. Application of an electronic signature.

The FSTEC recommendations do not describe the procedure for ensuring "non-repudiation" in detail, although the requirements for measure IAF.7 (identification and authentication of file system objects) indicate the need to "use evidence of authenticity". Perhaps in the future the regulator will consider in more detail the measures that should be applied to ensure "non-repudiation".
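To make the difference between steps 4 and 5 of the AU-10 procedure concrete, here is an added example (our own illustration, not code from NIST, FSTEC or any DLP product) of a DLP audit record carrying both a checksum and an electronic signature; it assumes the user's Ed25519 public key was registered at step 1 and uses a constructed sample message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is what a DLP audit log keeps for one message: the body plus the
// evidence from steps 4 (checksum) and 5 (electronic signature) above.
type Record struct {
	Body     []byte
	Checksum [32]byte // step 4: detects modification, but anyone can recompute it
	Sig      []byte   // step 5: binds the body to the sender's private key
}

// Seal attaches checksum and signature to an outgoing message body.
func Seal(priv ed25519.PrivateKey, body []byte) Record {
	return Record{Body: body, Checksum: sha256.Sum256(body), Sig: ed25519.Sign(priv, body)}
}

// ChecksumOK answers only "was the stored body altered since the checksum was taken?".
func ChecksumOK(r Record) bool {
	return sha256.Sum256(r.Body) == r.Checksum
}

// SignatureOK answers "did the holder of this key send exactly this body?";
// the public key is the one registered for the user at step 1 (assumed here).
func SignatureOK(r Record, sender ed25519.PublicKey) bool {
	return ed25519.Verify(sender, r.Body, r.Sig)
}

// Tamper models a later rewrite of a stored record with the checksum recomputed;
// the signature cannot be refreshed without the original private key.
func Tamper(r Record, newBody []byte) Record {
	r.Body, r.Checksum = newBody, sha256.Sum256(newBody)
	return r
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	orig := Seal(priv, []byte("send report.docx to partner@example.com")) // constructed sample
	forged := Tamper(orig, []byte("send report.docx to printer"))
	fmt.Println(ChecksumOK(orig), SignatureOK(orig, pub))     // true true
	fmt.Println(ChecksumOK(forged), SignatureOK(forged, pub)) // true false
}
```

The checksum alone still passes after the record has been rewritten, which is why it cannot serve as evidence of who sent what; only the signature check fails on the altered record.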

What can be borrowed

In our opinion, the useful recommendations of the American standard are:

1. The expediency of using identification and authentication tools, and of further protecting accounts and transmitted information, as part of the "non-repudiation" procedure. Such recommendations could be included in the Russian standard in an explicit and simplified form, without requiring a qualified electronic signature under Federal Law No. 63.
2. Regulation of the DLP "legalization" mechanism, from documentary support through to the provision of information to third parties.

Perhaps in the future these recommendations will be reflected in domestic standards.
