Aspects of the design and implementation of access control and management systems (ACS)
At present, access control and management systems (ACS) are an integral part of the comprehensive security system of enterprises and organizations.
The access subject (employee, visitor) must present some access identifier when accessing the facility (protected area, premises) for identification.
The ACS, based on the data and rights of the subject established by the administrator, makes a decision on his access to the facility.
In this case, the system operates with information about his last name, first name, patronymic, position, work phone number and registration address as unique data inherent to the access subject.
In some cases, the ACS records the passport data of the subject and other information.
Access control and management systems that do not process personal data (PDn) make up a small share of the many different ACS and are now hardly used in enterprises (an intercom is an example of such a system).
Thus, the information processed by the system in the vast majority of cases contains personal data.
Consequently, ACS (with rare exceptions) are personal data information systems (ISPDn).
Each ISPDn must meet a number of requirements for the protection of personal data. To meet these requirements, it is generally necessary to create a personal data protection system (SZPDn).
The access control and management system is not an information protection system and is not subject to the requirement to have built-in information protection tools (IPS).
However, from the moment it begins processing personal data, the ACS acquires the status of an ISPDn of a certain class and, in this capacity, must be supplemented by an adequate personal data protection system.
Commissioning and operating an ACS that processes personal data but is not equipped with an SZPDn is a violation of current legislation by the operator (the owner of the ACS).
Thus, the SZPDn (both for the ACS and for any information system in general) should be considered a superstructure: a set of organizational measures combined with a complex of software and hardware that performs the function of protecting information (personal data).
The SZPDn should provide the following functions:
- access control (to the ISPDn);
- registration and accounting;
- ensuring integrity;
- ensuring secure inter-network interaction;
- anti-virus protection;
- intrusion detection;
- security analysis.
The methods and means of protecting personal data are determined by the operator in accordance with those recommended by the FSTEC of Russia.
In each case, the specific set of necessary means and methods of protection depends on the class of the ISPDn, as well as on the design features of the ACS and the local network.
Depending on the nature of the information being processed, the access control and management system can be classified as the second or third class.
In most cases, such a system should be classified as a special information system.
Depending on the design, the ACS can be classified as either a distributed or a local information system.
The ACS may be a system with or without a connection to public communication networks, usually multi-user with or without differentiation of access rights.
Based on an analysis of the features of the ISPDn, a list of threats relevant specifically to this ISPDn is drawn up (a private threat model), and the security system is developed taking this model into account.
The selected methods and means of protection must ensure the neutralization of the expected security threats.
The design of the SZPDn should be carried out at the stage of designing the ACS or the security system as a whole.
The operator is limited in its capabilities to create and commission the SZPDn, since the activity on technical protection of confidential information is subject to mandatory licensing, which leads to the need to involve a specialized organization (licensee) to perform such work.
«NITs FORS» — a developer and installer of integrated security systems — is also a licensee of the FSTEC in the field of technical protection of confidential information.
Our significant practical experience in the field of information security allows us to recommend the following steps to comply with the requirements of the legislation on the protection of personal data in relation to ACS:
- for ACS developers — implement the necessary functions for protecting personal data either by introducing the appropriate security tools into the ACS software (if it is possible to develop the information security tool independently), or test certified information security tools from third-party developers for compatibility with their product;
- for ACS installers — in design solutions, as well as during implementation, take into account the need for the ACS to comply with the requirements for the security of personal data when processing them in the ISPDn. Only an organization that has the appropriate licenses from the FSTEC of Russia and the FSB of Russia can implement these requirements properly and in full;
- for organizations supplying software and hardware components of the ACS — recommend that the customer pay attention to the need to retrofit the ACS with a personal data protection system;
- for ACS customers — when preparing technical specifications for creating an ACS, it is mandatory to include a section with requirements for the personal data protection system. Among the results of the work, provide for the submission by the contractor of a certificate of compliance with information security requirements. When conducting tenders, the contractor must be required to have the appropriate licenses from the FSTEC of Russia and the FSB of Russia.
The process of partially bringing the developed access control and management systems into compliance with the law can be illustrated by the following fact: the Bastion hardware and software complex is one of the products of the FORS Research Center.
Since 2009, the Bastion APCS has included the Bastion — Personal Data software module, which implements the requirements for the ISPDn in terms of logging operations with personal data (the DBMSs used in information systems, including ACSs, usually do not log the fact that data contained in the database has been viewed, which no longer meets the requirements of regulatory documents).
The Bastion — Personal Data module implements the following tasks inherent in ACSs:
- Logging of all operations on access and modification of personal data. In the terminology of the Bastion APCS, the module logs all operations with personal data of employees who have been issued access cards to the ACS (including both modification and viewing of personal cards).
- Viewing, saving and printing reports on access and modification of personal data. In the terminology of the Bastion APCS, the module enables the creation and printing of reports on all operations performed on personal data of employees (including both modification and viewing of personal cards).
- Printing of the informed consent form for the use of personal data. In the terminology of the Bastion APCS, the module allows you to print out an employee's informed consent for the use of their personal data in the ACS.
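The logging tasks listed above (journaling both viewing and modification of personal cards, then reporting on them) can be sketched as follows. This is an added example, not code from the Bastion product: the table names, card fields and operator names are constructed, and recording field names rather than values is a design choice of this sketch.

```python
import sqlite3
from datetime import datetime, timezone

FIELDS = ("full_name", "position", "phone")  # constructed card schema

class PersonalCardStore:
    """Card store whose only read/write paths also write a journal record."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE cards (id INTEGER PRIMARY KEY, full_name TEXT, position TEXT, phone TEXT);"
            "CREATE TABLE pd_journal (seq INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT,"
            " operator TEXT, action TEXT, card_id INTEGER, fields TEXT);")

    def _journal(self, operator, action, card_id, fields):
        # Field names only: the journal must not become a second copy of the data.
        self.db.execute(
            "INSERT INTO pd_journal (ts, operator, action, card_id, fields) VALUES (?,?,?,?,?)",
            (datetime.now(timezone.utc).isoformat(), operator, action, card_id, ",".join(fields)))

    def modify(self, operator, card_id, **changes):
        bad = set(changes) - set(FIELDS)
        if not changes or bad:
            raise ValueError(f"no fields or unknown fields: {sorted(bad)}")
        with self.db:  # one transaction: the change and its journal record commit together
            self.db.execute("INSERT OR IGNORE INTO cards (id) VALUES (?)", (card_id,))
            # Column names were checked against FIELDS above, so interpolation is safe here.
            sets = ", ".join(f"{name} = ?" for name in changes)
            self.db.execute(f"UPDATE cards SET {sets} WHERE id = ?", (*changes.values(), card_id))
            self._journal(operator, "MODIFY", card_id, sorted(changes))

    def view(self, operator, card_id):
        with self.db:  # the read is journaled before any data is returned
            self._journal(operator, "VIEW", card_id, FIELDS)
        row = self.db.execute("SELECT full_name, position, phone FROM cards WHERE id = ?", (card_id,)).fetchone()
        return dict(zip(FIELDS, row)) if row else None

    def report(self, card_id):
        return self.db.execute(
            "SELECT operator, action, fields FROM pd_journal WHERE card_id = ? ORDER BY seq",
            (card_id,)).fetchall()

def demo():
    store = PersonalCardStore()
    store.modify("admin", 1, full_name="Ivanov I. I.", position="Engineer")  # constructed data
    store.view("guard_01", 1)
    store.modify("admin", 1, phone="555-0100")
    return store.report(1)
```

An attempt to view a card that does not exist is journaled as well, so failed lookups appear in the report for that card number.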
We emphasize that the presence of such a module is not a sufficient solution to the problem of protecting personal data in the ACS.
Although access control and management systems are, as a rule, not complex ISPDn of classes 1 and 2, they must be equipped with an SZPDn in order to avoid violations of citizens' rights and claims from supervisory and control authorities (primarily Roskomnadzor of the Russian Federation).
Methods for optimizing costs when equipping ACS with information security tools will be discussed in the following articles.
Legislative and regulatory framework for control and management of personal data:
- Federal Law of the Russian Federation of July 27, 2006 N 152-FZ «On Personal Data»;
- Resolution of the Government of the Russian Federation of 17.11.2007 N 781 «On approval of the Regulation on ensuring the security of personal data when processing them in personal data information systems»;
- Resolution of the Government of the Russian Federation of 15.09.2008 N 687 «On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools»;
- Order of the FSTEC of Russia, the FSB of Russia, the Ministry of Information Technologies and Communications of Russia of 13.02.2008 N 55/86/20 «On approval of the Procedure for classifying personal data information systems»;
- Order of the FSTEC of the Russian Federation dated 05.02.2010 N 58 «On approval of the Regulation on methods and means of protecting information in personal data information systems»;
- Methodological document of the FSTEC of Russia dated February 15, 2008 «Basic model of threats to the security of personal data when processing them in personal data information systems»;
- Methodological document of the FSTEC of Russia dated February 15, 2008 «Methodology for determining current threats to the security of personal data when processing them in personal data information systems»;
- Code of Administrative Offenses dated December 30, 2001 N 195-FZ;
- Criminal Code of the Russian Federation dated June 13, 1996 N 63-FZ;
- Labor Code of the Russian Federation dated December 30, 2001 N 197-FZ;
- Federal Law of the Russian Federation of 08.08.2001 N 128-FZ «On Licensing Certain Types of Activities».
Shmelev P.V. — Director of Development, «NITs FORS»
Skripka A.A. — Information Security Specialist, «NITs FORS»
Association «Electronic Systems»