Automated systems. Protection from unauthorized access to information.



AUTOMATED SYSTEMS
PROTECTION AGAINST UNAUTHORIZED ACCESS TO INFORMATION

CLASSIFICATION
OF AUTOMATED SYSTEMS AND REQUIREMENTS FOR INFORMATION PROTECTION

This guideline document establishes the classification of automated systems subject to protection against unauthorized access to information, and requirements for information protection in AS of various classes.

The guideline document has been developed in addition to GOST 34.003-90, GOST 34.601-90, RD 50-680-88, RD 50-34.680-90 and other documents.

The document can be used as a normative and methodological material for customers and developers of AS when formulating and implementing security requirements.

Accepted abbreviations

AS — automated systems
NSD — unauthorized access
RD — guidance document
ISS — information security system
ISS NSD — information security system against unauthorized access

1. CLASSIFICATION OF AS

1.1. The classification applies to all existing and planned AS of institutions, organizations and enterprises that process confidential information.

1.2. The division of AS into appropriate classes according to the conditions of their operation from the point of view of information protection is necessary for the purpose of developing and applying justified measures to achieve the required level of information protection.

1.3. Differentiation of the approach to the selection of methods and means of protection is determined by the importance of the information being processed, the difference in the AS by its composition, structure, methods of information processing, quantitative and qualitative composition of users and service personnel.

1.4. The main stages of the classification of AS are:

  • development and analysis of initial data;

  • identification of the main features of the AS necessary for classification;

  • comparison of the identified AS features with those classified;

  • assigning the AS the appropriate information protection class against unauthorized access.

1.5. The necessary initial data for classifying a specific AS are:

  • list of protected AS information resources and their level of confidentiality;

  • list of persons with access to the AS standard tools, indicating their level of authority;

  • matrix of access or powers of access subjects in relation to the protected information resources of the AS;

  • data processing mode in the AS.

1.6. The choice of the AS class is made by the customer and the developer with the involvement of information security specialists.

1.7. The defining features by which the AS is grouped into different classes include:

  • the presence in the AS of information of different levels of confidentiality;

  • the level of authority of the subjects of access to the AS to access confidential information;

  • the mode of data processing in the AS — collective or individual.

1.8. Nine classes of AS protection from unauthorized access to information are established.

Each class is characterized by a certain minimum set of protection requirements.

The classes are divided into three groups, differing in the features of information processing in the AS.

Within each group, a hierarchy of protection requirements is observed depending on the value (confidentiality) of the information and, consequently, a hierarchy of AS security classes.

1.9. The third group includes AS in which one user works, who is allowed to access all AS information located on media of the same confidentiality level. The group contains two classes — 3B and 3A.

The second group includes AS in which users have the same access rights (authorities) to all AS information processed and (or) stored on media of different confidentiality levels. The group contains two classes — 2B and 2A.

The first group includes multi-user AS in which information of different confidentiality levels is simultaneously processed and (or) stored. Not all users have the right to access all AS information. The group contains five classes — 1D, 1G, 1V, 1B and 1A.
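As an added illustration that is not part of the guideline document, the following Python code derives the three defining features of clause 1.7 (confidentiality levels present, individual or collective processing, and whether every subject may access all information) from the initial data of clause 1.5, namely a resource list with confidentiality levels and an access matrix, and applies the grouping rules of clause 1.9. Resource names, subject identifiers and level labels are constructed for the example; combinations the clause does not describe (for instance a single user with information of several levels) are rejected rather than guessed, since clause 1.6 leaves that decision to the customer, the developer and the security specialists.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Resource:
    """One protected information resource and its confidentiality level (clause 1.5)."""
    name: str
    level: str


# Access matrix (clause 1.5): subject identifier -> names of resources the subject may access.
AccessMatrix = Dict[str, Set[str]]


def defining_features(resources: List[Resource], matrix: AccessMatrix) -> Dict[str, object]:
    """Derive the defining features of clause 1.7 from the initial data of clause 1.5."""
    if not resources or not matrix:
        raise ValueError("initial data incomplete: resources and access matrix are required")
    names = {r.name for r in resources}
    for subject, granted in matrix.items():
        unknown = granted - names
        if unknown:
            raise ValueError(f"matrix entry for {subject!r} names unlisted resources: {sorted(unknown)}")
    return {
        "levels": {r.level for r in resources},        # confidentiality levels present in the AS
        "users": len(matrix),                           # 1 = individual, >1 = collective processing
        "all_users_access_all": all(granted == names for granted in matrix.values()),
    }


def classify_group(resources: List[Resource], matrix: AccessMatrix) -> int:
    """Return the AS group (3, 2 or 1) of clause 1.9; reject combinations it does not describe."""
    f = defining_features(resources, matrix)
    several_levels = len(f["levels"]) > 1
    if f["users"] == 1 and not several_levels and f["all_users_access_all"]:
        return 3  # one user, all information on media of one confidentiality level
    if f["users"] > 1 and several_levels and f["all_users_access_all"]:
        return 2  # equal rights to all information held at different levels
    if f["users"] > 1 and several_levels and not f["all_users_access_all"]:
        return 1  # multi-user, different levels, not everyone may access everything
    raise ValueError(
        "combination not described by clause 1.9: the class must be chosen by the customer "
        "and developer with information security specialists (clause 1.6)"
    )


# Constructed sample data (not from the document).
PAYROLL = Resource("payroll", "confidential")
MEMOS = Resource("memos", "internal")


if __name__ == "__main__":
    print("single operator:", classify_group([PAYROLL], {"operator": {"payroll"}}))
    print("equal rights:", classify_group([PAYROLL, MEMOS],
                                          {"u1": {"payroll", "memos"}, "u2": {"payroll", "memos"}}))
    print("differentiated:", classify_group([PAYROLL, MEMOS],
                                            {"u1": {"payroll", "memos"}, "u2": {"memos"}}))
```

The class within the group (for example 3B versus 3A) depends on the value of the information and is not derivable from these features alone, so the function stops at the group.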

2. REQUIREMENTS FOR PROTECTING INFORMATION IN AS FROM UNAUTHORIZED ACCESS

2.1. Protecting information from unauthorized access is an integral part of the general problem of ensuring information security. Measures to protect information from unauthorized access must be carried out in conjunction with measures for the special protection of the main and auxiliary computing equipment, communication systems and facilities against technical means of intelligence and industrial espionage.

2.2. In general, a set of software and hardware tools and organizational (procedural) solutions for protecting information from unauthorized access is implemented within the framework of the information security system against unauthorized access (ISS NSD), conventionally consisting of the following four subsystems:

  • access control;

  • registration and accounting;

  • cryptographic;

  • integrity assurance.

2.3. Depending on the AS class, the requirements in accordance with paragraphs 2.4, 2.7 and 2.10 must be implemented within these subsystems. These requirements are formulated in detail in paragraphs 2.5, 2.6, 2.8, 2.9 and 2.11-2.15.

2.4. Requirements for AS of the third group

Designations:

  « — » — no requirements for this class;

 « + » — there are requirements for this class.

Subsystems and requirements | 3B | 3A
1. Access control subsystem
1.1. Identification, authentication and access control of subjects:
  • into the system | + | +
  • to terminals, computers, computer network nodes, communication channels, external computer devices | — | —
  • to programs | — | —
  • to volumes, directories, files, records, record fields | — | —
1.2. Information flow management | — | —
2. Registration and accounting subsystem
2.1. Registration and accounting:
  • entry (exit) of access subjects into (from) the system (network node) | + | +
  • issuing printed (graphic) output documents | — | +
  • launching (terminating) programs and processes (jobs, tasks) | — | —
  • access of programs of access subjects to protected files, including their creation and deletion, transmission via communication lines and channels | — | —
  • access of programs of access subjects to terminals, computers, computer network nodes, communication channels, external computer devices, programs, volumes, directories, files, records, record fields | — | —
  • changes in the powers of access subjects | — | —
  • created protected access objects | — | —
2.2. Storage media accounting | + | +
2.3. Clearing (zeroing, depersonalizing) released areas of the computer's RAM and external storage devices | — | +
2.4. Signaling attempts to violate security | — | —
3. Cryptographic subsystem
3.1. Encryption of confidential information | — | —
3.2. Encryption of information belonging to different access subjects (groups of subjects) on different keys | — | —
3.3. Use of certified cryptographic tools | — | —
4. Integrity assurance subsystem
4.1. Ensuring the integrity of software and processed information | + | +
4.2. Physical security of computing equipment and storage media | + | +
4.3. Availability of an information protection administrator (service) in the AS | — | —
4.4. Periodic testing of the ISS NSD functions | + | +
4.5. Availability of means for restoring the ISS NSD | + | +
4.6. Use of certified means of protection | — | +

2.5. Requirements for security class 3B:

Registration and accounting subsystem:

—  registration of the entry (exit) of subjects of access to the system (from the system), or registration of loading and initialization of the operating system and its software shutdown must be carried out. Registration of exit from the system or shutdown is not carried out at the moments of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of entry (exit) of the subject of access to the system (from the system) or loading (stopping) of the system;

—  all protected information carriers must be accounted for using any marking and entering accounting data into a log (accounting card).

Integrity assurance subsystem:

—  the integrity of the software of the NSD information security system, the information being processed, and the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when the system is loaded based on the presence of the names (identifiers) of the ISS components;

  • the integrity of the software environment is ensured by the absence of software development and debugging tools in the AS;

— physical security of the computer equipment (devices and storage media) must be implemented, providing for control of access to the AS premises by unauthorized persons, and reliable barriers against unauthorized entry into the AS premises and the storage of storage media, especially outside working hours;

—  periodic testing of the functions of the NSD information security system should be carried out when the software environment and the AS personnel change using test programs that simulate NSD attempts;

—  means for restoring the NSD information security system should be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring.

2.6. Requirements for security class 3A:

Access control subsystem:

—  identification and authentication of access subjects must be performed when logging into the system using a conditionally permanent password of at least six alphanumeric characters in length.

Registration and accounting subsystem:

—  registration of the entry (exit) of access subjects into (from) the system, or registration of loading and initialization of the operating system and its software shutdown, must be carried out. Registration of exit from the system or shutdown is not carried out at the moments of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of the access subject's entry (exit) into the system (from the system) or loading (stopping) the system;

  • result of the login attempt: successful or unsuccessful (in case of unauthorized access);

—  registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The issuance must be accompanied by automatic marking of each sheet (page) of the document with a serial number and the accounting details of the AS with an indication on the last sheet of the document of the total number of sheets (pages). The registration parameters indicate:

  • date and time of issue (access to the output subsystem);

  • brief content of the document (name, type, code, cipher) and its level of confidentiality;

  • specification of the issuing device [logical name (number) of the external device];

—  all protected information carriers must be accounted for by marking them and entering the accounting data into a log (accounting card);

—  several types of accounting (duplicate) must be carried out with registration of the issuance (reception) of information carriers;

—  clearing (zeroing, depersonalization) of the released areas of the computer's RAM and external storage devices must be performed. Clearing is performed by double random writing to the released memory area previously used to store protected data (files).

Integrity assurance subsystem:

—  the integrity of the software tools of the NSD ISS, the information processed, and the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when the system is loaded by the presence of names (identifiers) of the ISS components;

  • the integrity of the software environment is ensured by the absence of software development and debugging tools in the AS;

— physical security of the computer equipment (devices and information carriers) must be implemented, providing for permanent guarding of the territory and the building where the AS is located using technical security equipment and special personnel, a strict access control regime, and special equipment of the AS premises;

—  periodic testing of the functions of the NSD information security system should be carried out when the software environment and the AS personnel change using test programs that simulate NSD attempts;

—  means for restoring the NSD information security system should be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring;

—  certified means of protection must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to certify means of protection of the NSD information security system.


2.7. Requirements for the second group of AS

Designations:

 « — » — there are no requirements for this class;

 « + » — there are requirements for this class.

Subsystems and requirements | 2B | 2A
1. Access control subsystem
1.1. Identification, authentication and access control of subjects:
  • to the system | + | +
  • to terminals, computers, computer network nodes, communication channels, external computer devices | — | +
  • to programs | — | +
  • to volumes, directories, files, records, record fields | — | +
1.2. Information flow management | — | +
2. Registration and accounting subsystem
2.1. Registration and accounting:
  • entry (exit) of access subjects into (from) the system (network node) | + | +
  • issuing printed (graphic) output documents | — | +
  • starting (terminating) programs and processes (jobs, tasks) | — | +
  • access of programs of access subjects to protected files, including their creation and deletion, transmission via communication lines and channels | — | +
  • access of programs of access subjects to terminals, computers, computer network nodes, communication channels, external computer devices, programs, volumes, directories, files, records, record fields | — | +
  • changes in the powers of access subjects | — | —
  • created protected access objects | — | +
2.2. Storage media accounting | + | +
2.3. Clearing (zeroing, depersonalizing) released areas of the computer's RAM and external storage devices | — | +
2.4. Signaling attempts to violate security | — | —
3. Cryptographic subsystem
3.1. Encryption of confidential information | — | +
3.2. Encryption of information belonging to different access subjects (groups of subjects) on different keys | — | —
3.3. Use of certified cryptographic tools | — | +
4. Integrity assurance subsystem
4.1. Ensuring the integrity of software and processed information | + | +
4.2. Physical security of computing equipment and storage media | + | +
4.3. Availability of an information protection administrator (service) in the AS | — | +
4.4. Periodic testing of the ISS NSD functions | + | +
4.5. Availability of means for restoring the ISS NSD | + | +
4.6. Use of certified means of protection | — | +

2.8. Requirements for security class 2B:

Access control subsystem:

—  identification and authentication of access subjects must be carried out when logging into the system using an identifier (code) and a conditionally permanent password of at least six alphanumeric characters in length.

Registration and accounting subsystem:

—  registration of the login (logout) of subjects of access to the system (from the system), or registration of loading and initialization of the operating system and its software shutdown must be carried out. Registration of logout from the system or shutdown is not carried out at the time of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of login (logout) of the subject of access to the system (from the system) or loading (stopping) of the system;

  • result of the login attempt: successful or unsuccessful (in case of unauthorized access);

—  accounting of all protected information carriers must be carried out by marking them and entering the accounting data in a log (accounting card).

Integrity assurance subsystem:

— the integrity of the software tools of the NSD ISS, the information being processed, and the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when loading the system based on the presence of names (identifiers) of the ISS components;

  • the integrity of the software environment is ensured by the absence of software development and debugging tools in the AS during processing and (or) storage of protected information;

— physical security of the computer equipment (devices and information carriers) must be implemented, providing for control of access to the AS premises by unauthorized persons, and reliable barriers against unauthorized entry into the AS premises and the storage of information carriers, especially outside working hours;

—  periodic testing of the functions of the NSD information security system should be carried out when the software environment and the AS personnel change using test programs that simulate NSD attempts;

—  means of restoring the NSD information security system should be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring.

2.9. Requirements for security class 2A:

Access control subsystem:

—  identification and authentication of access subjects must be performed when logging into the system using an identifier (code) and a conditionally permanent password of at least six alphanumeric characters in length;

—  identification of terminals, computers, computer network nodes, communication channels, and external computer devices must be performed using their logical addresses (numbers);

—  identification of programs, volumes, directories, files, records, and record fields must be performed using their names;

— information flows must be managed using confidentiality labels. The level of confidentiality of the storage devices must not be lower than the level of confidentiality of the information recorded on them.

Registration and accounting subsystem:

— the entry (exit) of access subjects to (from) the system must be registered, or the loading and initialization of the operating system and its software shutdown must be registered. Exit from the system or shutdown is not registered at the time of hardware shutdown of the AS.

The registration parameters specify:

  • date and time of entry (exit) of the access subject into (from) the system or loading (stopping) the system;

  • result of the entry attempt: successful or unsuccessful (in case of unauthorized access);

  • identifier (code or last name) of the subject, presented during the access attempt;

—  registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The issuance must be accompanied by automatic marking of each sheet (page) of the document with a serial number and the accounting details of the AS with an indication on the last sheet of the document of the total number of sheets (pages). The registration parameters indicate:

  • date and time of issuance (access to the output subsystem);

  • specification of the issuing device [logical name (number) of the external device], brief content (name, type, cipher, code) and level of confidentiality of the document;

  • identifier of the access subject who requested the document;

— registration of the launch (completion) of programs and processes (jobs, tasks) intended for processing protected files must be carried out. The registration parameters indicate:

  • date and time of launch;

  • name (identifier) of the program (process, task);

  • identifier of the access subject that requested the program (process, task);

  • launch result (successful, unsuccessful — unauthorized);

— attempts by software (programs, processes, jobs, tasks) to access protected files must be registered. The registration parameters specify:

  • date and time of the attempt to access the protected file, indicating its result: successful, unsuccessful — unauthorized,

  • access subject identifier;

  • protected file specification;

— attempts by software to access the following additional protected access objects must be registered: terminals, computers, computer network nodes, communication lines (channels), external computer devices, programs, volumes, directories, files, records, record fields. The registration parameters specify:

  • date and time of attempt to access the protected object, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected object specification [logical name (number)];

—  automatic accounting of created protected files should be carried out using their additional marking used in the access control subsystem. The marking should reflect the level of confidentiality of the object;

—  accounting of all protected information carriers should be carried out using their marking and entering accounting data into a log (accounting card);

—  accounting of protected media should be carried out in a log (card index) with registration of their issue (reception);

—  several types of accounting (duplicate) of protected information carriers should be carried out;

—  clearing (zeroing, depersonalization) of freed areas of the computer's RAM and external storage devices must be performed. Clearing is performed by double random writing to the freed area of memory previously used to store protected data (files).
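Added example, not part of the guideline document: an in-memory registration and accounting log whose records carry the parameters clause 2.9 lists for entry into the system, program launch, access to protected files and other protected objects, and issuance of printed documents, together with the marking of every sheet with a serial number and the AS accounting details and of the last sheet with the total sheet count. The AS accounting details, device name, subject identifiers and document content are constructed values; the injectable clock exists only so that records are reproducible.

```python
import datetime as dt
from typing import Callable, Dict, List, Optional, Sequence

# Constructed accounting details of the AS; in a real installation these identify the system.
AS_ACCOUNTING_DETAILS = "AS-EXAMPLE-01"

Record = Dict[str, object]


def mark_sheets(pages: Sequence[str], as_details: str = AS_ACCOUNTING_DETAILS) -> List[str]:
    """Stamp every sheet with its serial number and the AS details; the last sheet also states the total."""
    total = len(pages)
    if total == 0:
        raise ValueError("a document must contain at least one sheet")
    marked = []
    for number, body in enumerate(pages, start=1):
        stamp = f"[sheet {number} | {as_details}"
        if number == total:
            stamp += f" | total sheets: {total}"
        marked.append(f"{body}\n{stamp}]")
    return marked


class RegistrationLog:
    """Append-only log whose records carry the registration parameters of clause 2.9."""

    def __init__(self, clock: Optional[Callable[[], dt.datetime]] = None) -> None:
        self.records: List[Record] = []
        # Injectable clock so that records are reproducible in tests.
        self._clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))

    def _add(self, event: str, **params: object) -> Record:
        record: Record = {"event": event, "time": self._clock().isoformat(), **params}
        self.records.append(record)
        return record

    @staticmethod
    def _result(success: bool) -> str:
        return "successful" if success else "unsuccessful (unauthorized)"

    def login(self, subject_id: str, success: bool) -> Record:
        """Entry into the system: date and time, result, identifier presented."""
        return self._add("login", result=self._result(success), subject_id=subject_id)

    def program_launch(self, subject_id: str, program: str, success: bool) -> Record:
        return self._add("program_launch", program=program, subject_id=subject_id,
                         result=self._result(success))

    def file_access(self, subject_id: str, file_spec: str, success: bool) -> Record:
        return self._add("file_access", result=self._result(success),
                         subject_id=subject_id, file_spec=file_spec)

    def object_access(self, subject_id: str, object_spec: str, success: bool) -> Record:
        """Access to terminals, nodes, channels, devices, volumes, directories, records and fields."""
        return self._add("object_access", result=self._result(success),
                         subject_id=subject_id, object_spec=object_spec)

    def print_document(self, subject_id: str, device: str, name: str, doc_type: str,
                       cipher: str, level: str, pages: Sequence[str]) -> List[str]:
        """Register issuance of a hard copy and return the sheets with their marking applied."""
        marked = mark_sheets(pages)
        self._add("print", device=device,
                  content={"name": name, "type": doc_type, "cipher": cipher},
                  level=level, subject_id=subject_id, sheets=len(marked))
        return marked

    def failed_attempts(self) -> List[Record]:
        """Records of unauthorized attempts, for review by the information protection administrator."""
        return [r for r in self.records if str(r.get("result", "")).startswith("unsuccessful")]


if __name__ == "__main__":
    log = RegistrationLog()
    log.login("ivanov", success=False)
    for sheet in log.print_document("petrov", "LPT1", "Q1 report", "report", "C-17",
                                    "confidential", ["first page", "second page"]):
        print(sheet)
    print(log.failed_attempts())
```

Every record type funnels through one method so that the date and time and the result field are never omitted; the log is append-only, which is what makes later review of unauthorized attempts meaningful.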

Cryptographic subsystem:

—  encryption of all confidential information recorded on shared (partial) data carriers used by various access subjects, in communication channels, as well as on removable data carriers (floppy disks, microcassettes, etc.) of long-term external memory for storage outside the work sessions of authorized access subjects must be performed. In this case, automatic release and clearing of external memory areas containing previously unencrypted information must be performed;

—  access of subjects to encryption operations and cryptographic keys must be additionally controlled by the access control subsystem;

—  certified cryptographic protection tools must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to carry out certification of cryptographic protection tools.

Integrity assurance subsystem:

—  the integrity of the software tools of the NSD information security system, the information being processed, and the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when the system is loaded based on the presence of the names (identifiers) of the ISS components;

  • the integrity of the software environment is ensured by the absence of software development and debugging tools in the AS;

—  physical security of the information technology equipment (devices and storage media) must be implemented, providing for the constant presence of security of the territory and the building where the AS is located, using technical security equipment and special personnel, the use of a strict access control regime, special equipment of the AS premises;

—  an information protection administrator (service) must be provided, responsible for the maintenance, normal functioning and control of the operation of the NSD ISS;

—  periodic testing of the NSD ISS functions must be carried out when the software environment and the AS personnel change, using test programs simulating NSD attempts;

—  there must be means for restoring the NSD information security system, which provide for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring;

—  certified protection means must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to certify the protection means of the NSD information security system.

2.10. Requirements for the first group of AS

Designations:

 « — » — there are no requirements for this class;

 « + » — there are requirements for this class.

Subsystems and requirements | 1D | 1G | 1V | 1B | 1A
1. Access control subsystem
1.1. Identification, authentication and access control of subjects:
  • to the system | + | + | + | + | +
  • to terminals, computers, computer network nodes, communication channels, external computer devices | — | + | + | + | +
  • to programs | — | + | + | + | +
  • to volumes, directories, files, records, record fields | — | + | + | + | +
1.2. Information flow management | — | — | + | + | +
2. Registration and accounting subsystem
2.1. Registration and accounting:
  • entry (exit) of access subjects into (from) the system (network node) | + | + | + | + | +
  • issuing printed (graphic) output documents | + | + | + | + | +
  • starting (terminating) programs and processes (jobs, tasks) | — | + | + | + | +
  • access of programs of access subjects to protected files, including their creation and deletion, transmission via communication lines and channels | — | + | + | + | +
  • access of programs of access subjects to terminals, computers, computer network nodes, communication channels, external computer devices, programs, volumes, directories, files, records, record fields | — | + | + | + | +
  • changes in the powers of access subjects | — | — | + | + | +
  • created protected access objects | — | — | + | + | +
2.2. Storage media accounting | + | + | + | + | +
2.3. Clearing (zeroing, depersonalizing) freed areas of computer RAM and external storage devices | — | + | + | + | +
2.4. Signaling attempts to violate security | — | — | + | + | +
3. Cryptographic subsystem
3.1. Encryption of confidential information | — | — | — | + | +
3.2. Encryption of information belonging to different access subjects (groups of subjects) on different keys | — | — | — | — | +
3.3. Use of certified cryptographic tools | — | — | — | + | +
4. Integrity assurance subsystem
4.1. Ensuring the integrity of software and processed information | + | + | + | + | +
4.2. Physical security of computer equipment and storage media | + | + | + | + | +
4.3. Availability of an information protection administrator (service) in the AS | — | — | + | + | +
4.4. Periodic testing of the ISS NSD functions | + | + | + | + | +
4.5. Availability of means for restoring the ISS NSD | + | + | + | + | +
4.6. Use of certified means of protection | — | — | + | + | +

2.11. Requirements for security class 1D:

Registration and accounting subsystem:

— the entry (exit) of access subjects into (from) the system must be registered, or the loading and initialization of the operating system and its software shutdown must be registered. Registration of exit from the system or shutdown is not carried out at the time of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of entry (exit) of the access subject into (from) the system or loading (stopping) the system;

  • result of the entry attempt: successful or unsuccessful — unauthorized;

  • identifier (code or surname) of the subject presented during the access attempt;

— all protected information carriers must be recorded by marking them and entering the accounting data into a log (accounting card);

—  the protected media must be recorded in a journal (card index) with registration of their issue (reception).

Integrity assurance subsystem:

—  the integrity of the software of the NSD information security system, the information being processed, and the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when the system is loaded using the checksums of the ISS components;

  • the integrity of the software environment is ensured by the use of translators from high-level languages and the absence of means for modifying the object code of programs during the processing and (or) storage of protected information;

— physical security of the computer equipment (devices and storage media) must be implemented, providing for access control to the premises of the AS by unauthorized persons, the presence of reliable barriers to unauthorized entry into the premises of the AS and the storage of storage media, especially outside working hours;

—  periodic testing of the functions of the NSD information security system should be carried out when the software environment and the AS personnel change using test programs that simulate NSD attempts;

—  means of restoring the NSD information security system should be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring.
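Added example, not part of the guideline document: the contrast between the presence-of-names check that classes 3B and 2B require (clauses 2.5 and 2.8) and the checksum check at system load that class 1D and above require (clause 2.11), in Python. The ISS component names and contents are constructed stand-ins; SHA-256 is the author of this example's choice, and the document does not prescribe a checksum algorithm. The caveat a practitioner would want is in the comment: the manifest of recorded checksums has to be kept where only the ISS can change it, otherwise replacing a component together with its recorded checksum passes the check.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Manifest = Dict[str, str]     # component name -> hex SHA-256 recorded when the ISS was installed
Components = Dict[str, bytes]  # component name -> contents found at load time


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: Components) -> Manifest:
    """Record a checksum for every ISS component. The manifest must live where the ISS
    alone can change it (read-only medium, or signed), otherwise replacing a component
    together with its recorded checksum would pass verification."""
    return {name: checksum(data) for name, data in components.items()}


def verify_by_names(expected: List[str], present: Components) -> Tuple[bool, List[str]]:
    """Presence-of-names check (classes 3B, 2B): a modified component goes unnoticed."""
    problems = [f"missing: {name}" for name in expected if name not in present]
    return (not problems, problems)


def verify_by_checksums(manifest: Manifest, present: Components) -> Tuple[bool, List[str]]:
    """Checksum check at system load (class 1D and above): missing, modified and
    unexpected components are all reported so the caller can refuse to start."""
    problems: List[str] = []
    for name, expected in manifest.items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(checksum(present[name]), expected):
            problems.append(f"modified: {name}")
    for name in present:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return (not problems, problems)


# Constructed stand-ins for the ISS component files recorded at installation.
INSTALLED: Components = {
    "access_ctl.bin": b"v1 access control module",
    "audit.bin": b"v1 registration and accounting module",
}
MANIFEST = build_manifest(INSTALLED)


if __name__ == "__main__":
    tampered = dict(INSTALLED)
    tampered["audit.bin"] = b"v1 registration and accounting module + unauthorized patch"
    print("names:", verify_by_names(list(MANIFEST), tampered))
    print("checksums:", verify_by_checksums(MANIFEST, tampered))
```

The unexpected-component report is deliberate: an extra file dropped next to the ISS components would otherwise never be seen by a check that only walks the manifest.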

2.12. Requirements for security class 1G:

Access control subsystem:

—  identification and authentication of access subjects must be performed when logging into the system using an identifier (code) and a conditionally permanent password of at least six alphanumeric characters in length;

—  identification of terminals, computers, computer network nodes, communication channels, and external computer devices must be performed using logical names;

—  identification of programs, volumes, directories, files, records, and record fields must be performed using names;

— access control of subjects to protected resources must be carried out in accordance with the access matrix.

Registration and accounting subsystem:

—  registration of the login (logout) of subjects of access to the system (from the system), or registration of loading and initialization of the operating system and its software shutdown must be performed. Registration of logout from the system or shutdown is not performed at the time of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of login (logout) of the subject of access to the system (from the system) or loading (stopping) of the system;

  • result of the login attempt: successful or unsuccessful — unauthorized;

  • identifier (code or last name) of the subject, presented during the access attempt;

  • code or password presented during an unsuccessful attempt;

—  registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The registration parameters indicate:

  • date and time of issuance (access to the output subsystem);

  • specification of the issuing device [logical name (number) of the external device];

  • brief content (name, type, cipher, code) and level of confidentiality of the document;

  • identifier of the access subject who requested the document;

—  registration of the launch (completion) of programs and processes (jobs, tasks) intended for processing protected files must be performed. The registration parameters specify:

  • date and time of launch;

  • name (identifier) of the program (process, task);

  • identifier of the access subject who requested the program (process, task);

  • launch result (successful, unsuccessful — unauthorized);

— attempts by software (programs, processes, jobs, tasks) to access protected files must be registered. The registration parameters specify:

  • date and time of attempt to access the protected file with indication of its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • specification of the protected file;

— attempts by software to access the following additional protected access objects must be registered: terminals, computers, computer network nodes, communication lines (channels), external computer devices, programs, volumes, directories, files, records, record fields. The registration parameters specify:

  • date and time of attempt to access the protected object with an indication of its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected object specification [logical name (number)];

— all protected information carriers must be recorded by marking them and entering accounting data into a log (accounting card);

— protected media must be recorded in a log (card index) with registration of their issue (reception);

—  clearing (zeroing, depersonalization) of freed areas of the computer's RAM and external storage devices must be performed. Clearing is performed by a single random write to the freed area of memory previously used to store protected data (files).
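Added example, not part of the guideline document, for the clearing requirement stated in clauses 2.6 and 2.9 (double random write) and 2.12 (single random write): a small pool of fixed-size memory slots handed out to access subjects, where releasing a slot overwrites it with the configured number of random passes before it can be reassigned. `clearing_passes=0` models the classes whose table column carries no clearing requirement and shows the residue the next subject would see. Slot sizes, subject names and the payload are constructed; Python cannot prevent the interpreter from holding its own copies of a bytes object, so this models the policy rather than giving an OS-level guarantee.

```python
import os
from typing import Dict, Optional


class SlotPool:
    """Fixed-size memory slots; release clears a slot with N random overwrite passes."""

    def __init__(self, slots: int, slot_size: int, clearing_passes: int) -> None:
        if clearing_passes < 0:
            raise ValueError("clearing_passes must be 0 (no clearing) or a positive pass count")
        self.slot_size = slot_size
        self.passes = clearing_passes
        self.memory = bytearray(slots * slot_size)          # one backing buffer for all slots
        self.owner: Dict[int, Optional[str]] = {i: None for i in range(slots)}

    def _view(self, slot: int) -> memoryview:
        start = slot * self.slot_size
        return memoryview(self.memory)[start:start + self.slot_size]

    def _check_owner(self, subject: str, slot: int) -> None:
        if self.owner.get(slot) != subject:
            raise PermissionError(f"{subject} does not own slot {slot}")

    def allocate(self, subject: str) -> int:
        """Hand the first free slot to the subject; no clearing happens here, only on release."""
        for slot, owner in self.owner.items():
            if owner is None:
                self.owner[slot] = subject
                return slot
        raise MemoryError("no free slot")

    def write(self, subject: str, slot: int, data: bytes) -> None:
        self._check_owner(subject, slot)
        if len(data) > self.slot_size:
            raise ValueError("data does not fit in the slot")
        view = self._view(slot)
        view[:len(data)] = data

    def read(self, subject: str, slot: int) -> bytes:
        self._check_owner(subject, slot)
        return bytes(self._view(slot))

    def release(self, subject: str, slot: int) -> int:
        """Clear the slot with self.passes random writes, then mark it free. Returns passes done."""
        self._check_owner(subject, slot)
        view = self._view(slot)
        for _ in range(self.passes):
            view[:] = os.urandom(self.slot_size)
        self.owner[slot] = None
        return self.passes


def residue_visible_to_next_subject(passes: int) -> bool:
    """Does data written by one subject survive into the slot a later subject receives?"""
    payload = b"SECRET-PAYROLL"   # constructed protected data
    pool = SlotPool(slots=1, slot_size=32, clearing_passes=passes)
    slot = pool.allocate("alice")
    pool.write("alice", slot, payload)
    pool.release("alice", slot)
    reused = pool.allocate("bob")
    return payload in pool.read("bob", reused)


if __name__ == "__main__":
    for passes in (0, 1, 2):
        print(f"passes={passes}: residue visible = {residue_visible_to_next_subject(passes)}")
```

Clearing is tied to release rather than to allocation on purpose: the document places the requirement on freed areas, so protected data never waits in a free slot for the next owner.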

Integrity assurance subsystem:

—  the integrity of the NSD information security system software, as well as the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD ISS is checked when the system is loaded using the checksums of the ISS components;

  • the integrity of the software environment is ensured by using translators from high-level languages and the absence of means for modifying the object code of programs during the processing and (or) storage of protected information;

— physical security of the SVT (devices and storage media) must be implemented, providing for control of access to the AS premises by unauthorized persons and reliable barriers against unauthorized entry into the AS premises and the storage facilities for storage media, especially outside working hours;

— periodic testing of the functions of the SZI NSD must be carried out whenever the software environment or the personnel of the AS change, using test programs that simulate NSD attempts;

— there must be means for restoring the NSD information security system, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring.

2.13. Requirements for security class 1V:

Access control subsystem:

— identification and authentication of access subjects must be carried out when logging into the system using an identifier (code) and a conditionally permanent password of at least six alphanumeric characters in length;

— terminals, computers, computer network nodes, communication channels, and external computer devices must be identified by logical names and/or addresses;

— programs, volumes, directories, files, records, and record fields must be identified by names;

— access control of subjects to protected resources must be exercised in accordance with the access matrix;

— information flows must be managed using confidentiality labels. The confidentiality level of the storage devices must not be lower than the confidentiality level of the information recorded on them.

Registration and accounting subsystem:

— the entry (exit) of access subjects to (from) the system must be registered, or the loading and initialization of the operating system and its software shutdown must be registered. Exit from the system or shutdown is not registered at the time of hardware shutdown of the AS. The registration parameters specify:

  • date and time of entry (exit) of the access subject into (from) the system or loading (stopping) the system;

  • result of the entry attempt: successful or unsuccessful — unauthorized;

  • identifier (code or surname) of the subject presented during the access attempt;

  • code or password presented during an unsuccessful attempt;

—  registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The issuance must be accompanied by automatic marking of each sheet (page) of the document with its sequential number and the accounting details of the AS with the indication on the last sheet of the document of the total number of sheets (pages). The registration parameters indicate:

  • date and time of issuance (access to the output subsystem);

  • specification of the issuing device [logical name (number) of the external device];

  • brief content (name, type, cipher, code) and level of confidentiality of the document;

  • identifier of the access subject who requested the document;

  • volume of the document actually issued (number of pages, sheets, copies) and the result of issuance: successful (entire volume), unsuccessful;

— registration of the launch (completion) of programs and processes (jobs, tasks) intended for processing protected files must be carried out. The registration parameters specify:

  • date and time of launch;

  • name (identifier) of the program (process, task);

  • identifier of the access subject that requested the program (process, task);

  • launch result (successful, unsuccessful — unauthorized);

—  attempts to access protected files by software tools (programs, processes, tasks, assignments) must be registered. The registration parameters shall specify:

  • date and time of the attempt to access the protected file, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected file specification;

  • name of the program (process, assignment, task) accessing the file;

  • type of requested operation (read, write, delete, execute, extend, etc.);

— attempts to access software to the following additional protected access objects must be registered: terminals, computers, computer network nodes, communication lines (channels), external computer devices, programs, volumes, directories, files, records, record fields. The registration parameters shall specify:

  • date and time of attempt to access the protected object, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected object specification [logical name (number)];

  • program name (process, task, job) accessing the protected object;

  • type of requested operation (read, write, mount, capture, etc.);

—  changes in the access rights of access subjects and the status of access objects must be registered. The registration parameters shall specify:

  • date and time of the change in rights;

  • identifier of the access subject (administrator) who made the changes;

—  automatic accounting of created protected files should be carried out using their additional marking used in the access control subsystem. The marking should reflect the level of confidentiality of the object;

—  accounting of all protected information carriers should be carried out using their marking and entering accounting data into a log (accounting card);

—  accounting of protected media should be carried out in a log (card index) with registration of their issue (reception);

— several (duplicating) types of accounting of protected information carriers should be carried out;

— clearing (zeroing, depersonalization) of released areas of the computer's RAM and external storage devices must be performed. Clearing is performed by double random writing to any released area of memory used to store protected information;

—  signaling of attempts to violate protection must be performed.

Integrity assurance subsystem:

—  the integrity of the software tools of the NSD information security system, as well as the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD information security system is checked when the system is loaded using the checksums of the information security system components;

  • the integrity of the software environment is ensured by using translators from high-level languages and the absence of means for modifying the object code of programs when processing and (or) storing protected information;

—  physical security of the SVT (devices and information carriers) must be carried out, providing for the constant presence of security of the territory and the building where the AS is located, using technical security equipment and special personnel, the use of a strict access control regime, special equipment of the AS premises;

—  an administrator (service) of information protection must be provided, responsible for the maintenance, normal functioning and control of the work of the SZI NSD. The administrator must have his own terminal and the necessary means of operational control and influence on the security of the AS;

—  periodic testing of all functions of the NSD information security system must be carried out using special software at least once a year;

—  means for restoring the NSD information security system must be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring;

—  certified means of protection must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to certify means of protection of the NSD information security system.

2.14. Requirements for security class 1B:

Access control subsystem:

—  identification and authentication of access subjects must be carried out when logging into the system using an identifier (code) and a temporary password of at least eight alphanumeric characters;

— terminals, computers, computer network nodes, communication channels, and external computer devices must be identified by physical addresses (numbers);

— programs, volumes, directories, files, records, and record fields must be identified by names;

— access control of subjects to protected resources must be exercised in accordance with the access matrix;

— information flows must be managed using confidentiality labels. The level of confidentiality of the storage devices must not be lower than the level of confidentiality of the information recorded on them.

Registration and accounting subsystem:

—  registration of the login (logout) of subjects of access to the system (from the system), or registration of loading and initialization of the operating system and its software shutdown must be performed. Registration of logout from the system or shutdown is not performed at the time of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of login (logout) of the subject of access to the system (from the system) or loading (stopping) of the system;

  • result of the login attempt: successful or unsuccessful — unauthorized;

  • identifier (code or last name) of the subject, presented during the access attempt;

  • code or password presented during an unsuccessful attempt;

— registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The issuance must be accompanied by automatic marking of each sheet (page) of the document with its sequential number and the accounting details of the AS with the total number of sheets (pages) indicated on the last sheet of the document. Together with the issuance of the document, an accounting card of the document must be automatically issued indicating the date of issue of the document, the accounting details of the document, a brief content (name, type, cipher, code) and the level of confidentiality of the document, the name of the person who issued the document, the number of pages and copies of the document (in case of incomplete issuance of the document — the actually issued number of sheets in the «Defective» column). The registration parameters specify:

  • date and time of issue (access to the output subsystem);

  • specification of the issue device [logical name (number) of the external device];

  • brief content (name, type, cipher, code) and level of confidentiality of the document;

  • identifier of the access subject who requested the document;

  • volume of the document actually issued (number of pages, sheets, copies) and the result of issuance: successful (entire volume), unsuccessful;

— registration of the launch (completion) of all programs and processes (jobs, tasks) in the AS must be carried out. The registration parameters indicate:

  • date and time of launch;

  • name (identifier) of the program (process, task);

  • identifier of the access subject that requested the program (process, task);

  • startup result (successful, unsuccessful — unauthorized);

— attempts to access protected files by software tools (programs, processes, tasks) must be registered. The registration parameters specify:

  • date and time of attempt to access the protected file, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected file specification;

  • name of the program (process, task, job) accessing the file;

  • type of requested operation (read, write, delete, execute, extend, etc.);

— attempts to access software to the following additional protected access objects must be registered: terminals, computers, computer network nodes, communication lines (channels), external computer devices, programs, volumes, directories, files, records, and record fields. The registration parameters shall specify:

  • date and time of the attempt to access the protected object, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected object specification [logical name (number)];

  • program name (process, task, job) accessing the protected object;

  • type of requested operation (read, write, mount, capture, etc.);

—  changes in the access subject’s powers and the access object’s status must be registered. The registration parameters shall specify:

  • date and time of the power change;

  • identifier of the access subject (administrator) who made the changes;

  • identifier of the subject whose powers were changed and the type of change (password, code, profile, etc.);

  • specification of the object whose security status was changed and the type of change (security code, confidentiality level);

—  automatic accounting of created protected files, initiated protected volumes, directories, areas of the computer's RAM allocated for processing protected files, external computer devices, communication channels, computers, computer network nodes, network fragments must be carried out using their additional marking used in the access control subsystem. The marking must reflect the level of confidentiality of the object;

—  all protected information carriers must be recorded using their marking;

—  recording of protected information carriers must be carried out in a journal (card index) with registration of their issue (reception);

— several (duplicating) types of recording of protected information carriers must be carried out;

— clearing (zeroing, depersonalization) of freed areas of the computer's RAM and external storage devices must be performed. Clearing is performed by double random writing to any freed area of memory used to store protected information;

—  signaling of attempts to violate protection must be performed on the terminal of the administrator and the intruder.

Cryptographic subsystem:

— encryption of all confidential information recorded on data carriers shared (jointly used) by various access subjects, in communication channels, as well as on removable portable data carriers (floppy disks, microcassettes, etc.) of long-term external memory for storage outside the work sessions of authorized access subjects must be performed. In this case, forced clearing of external memory areas containing previously unencrypted information must be performed;

—  access of subjects to encryption operations and to the corresponding cryptographic keys must be additionally controlled by means of an access control subsystem;

—  certified cryptographic protection tools must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to carry out certification of cryptographic protection tools.

Integrity assurance subsystem:

—  the integrity of the software tools of the NSD SZI, as well as the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD SZI is checked against the checksums of all SZI components both during the loading process and dynamically during the operation of the AS;

  • the integrity of the software environment is ensured by the quality of acceptance of software in the AS intended for processing protected files;

—  physical security of the SVT (devices and information carriers) must be carried out, providing for the constant presence of security of the territory and the building where the AS is located, using technical security equipment and special personnel, the use of a strict access control regime, special equipment of the AS premises;

—  an administrator (service) of information protection must be provided, responsible for the maintenance, normal functioning and control of the work of the SZI NSD. The administrator must have his own terminal and the necessary means of operational control and influence on the security of the AS;

—  periodic testing of all functions of the NSD information security system must be carried out using special software at least once per quarter;

—  means for restoring the NSD information security system must be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring, as well as prompt restoration of the NSD information security system functions in the event of failures;

—  certified means of protection must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to certify means of protection of the NSD SZI.

2.15. Requirements for security class 1A:

Access control subsystem:

—  identification and authentication of access subjects must be carried out when logging into the system using biometric characteristics or special devices (tokens, cards, electronic keys) and a temporary password of at least eight alphanumeric characters.

— hardware identification and authentication of terminals, computers, computer network nodes, communication channels, external computer devices must be carried out using unique built-in devices;

— identification and authentication of programs, volumes, directories, files, records, record fields must be carried out using names and checksums (passwords, keys);

—  access control of subjects to protected resources must be carried out in accordance with the access matrix;

—  information flows must be managed using confidentiality labels. At the same time, the confidentiality level of storage devices must not be lower than the confidentiality level of the information recorded on them.
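The access control requirements stated for classes 1V, 1B and 1A (class-specific password length, access matrix, flow control by confidentiality labels, and the rule that a storage device's label must not be lower than that of the information written to it) can be modelled as follows. This is an added illustration, not part of the guideline; the label scale, the subjects, the objects and the matrix are constructed.

```python
"""Added illustration (not part of the guideline): a minimal model of the access
control subsystem required for classes 1V, 1B and 1A. It shows the class-specific
minimum password length, an access matrix (subject x object -> operations) and
flow control by confidentiality labels, including the rule that a storage device's
label must not be lower than that of the information written to it. The label
scale, the subjects, the objects and the matrix are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed linear scale of confidentiality labels, low to high.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Minimum password length per class as stated in the text (1V: 6, 1B/1A: 8).
MIN_PASSWORD_LEN = {"1V": 6, "1B": 8, "1A": 8}


def password_acceptable(as_class: str, password: str) -> bool:
    """Length floor for the class; the text asks for alphanumeric characters."""
    return len(password) >= MIN_PASSWORD_LEN[as_class] and password.isalnum()


@dataclass
class Subject:
    ident: str
    clearance: str  # highest label the subject may read


@dataclass
class AccessObject:
    name: str
    label: str  # confidentiality label of the file, volume, device, ...
    storage_device: bool = False


@dataclass
class AccessMatrix:
    # (subject identifier, object name) -> set of permitted operations
    rules: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def grant(self, subject: Subject, obj: AccessObject, *ops: str) -> None:
        self.rules.setdefault((subject.ident, obj.name), set()).update(ops)

    def permits(self, subject: Subject, obj: AccessObject, op: str) -> bool:
        return op in self.rules.get((subject.ident, obj.name), set())


def check_access(matrix: AccessMatrix, subject: Subject, obj: AccessObject,
                 op: str, info_label: Optional[str] = None) -> Tuple[bool, str]:
    """Discretionary check against the matrix, then the label rules.

    read:  the subject's clearance must dominate the object's label.
    write: the label of the information being written must not exceed the
           object's label, so nothing flows to a lower-labelled object or device.
    Returns (allowed, reason); the reason is what the registration subsystem
    would record as the result of the attempt.
    """
    if not matrix.permits(subject, obj, op):
        return False, "unauthorized: not permitted by access matrix"
    if op == "read" and LEVELS[subject.clearance] < LEVELS[obj.label]:
        return False, "unauthorized: clearance below object label"
    if op == "write":
        if info_label is None:
            return False, "unauthorized: written information carries no label"
        if LEVELS[obj.label] < LEVELS[info_label]:
            kind = "storage device" if obj.storage_device else "object"
            return False, f"unauthorized: {kind} label below information label"
    return True, "successful"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario returning the outcome of each attempt."""
    operator = Subject("operator1", clearance="confidential")
    report = AccessObject("report.txt", label="secret")
    disk = AccessObject("disk0", label="confidential", storage_device=True)
    matrix = AccessMatrix()
    matrix.grant(operator, report, "read")
    matrix.grant(operator, disk, "read", "write")
    return {
        "read_secret_report": check_access(matrix, operator, report, "read"),
        "delete_report": check_access(matrix, operator, report, "delete"),
        "write_secret_to_disk": check_access(matrix, operator, disk, "write", "secret"),
        "write_conf_to_disk": check_access(matrix, operator, disk, "write", "confidential"),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22} {'OK' if ok else 'DENIED'}: {reason}")
```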

Registration and accounting subsystem:

—  registration of the login (logout) of subjects of access to the system (from the system), or registration of loading and initialization of the operating system and its software shutdown must be performed. Registration of logout from the system or shutdown is not performed at the time of hardware shutdown of the AS. The registration parameters indicate:

  • date and time of login (logout) of the subject of access to the system (from the system) or loading (stopping) of the system;

  • result of the login attempt: successful or unsuccessful — unauthorized;

  • identifier (code or surname) of the subject, presented during the access attempt;

  • code or password presented in case of unsuccessful attempt;

— registration of the issuance of printed (graphic) documents on a «hard» copy must be carried out. The issuance must be accompanied by automatic marking of each sheet (page) of the document with its sequential number and the accounting details of the AS with the total number of sheets (pages) indicated on the last sheet of the document. Together with the issuance of the document, an accounting card of the document must be automatically issued indicating the date of issue of the document, the accounting details of the document, a brief content (name, type, cipher, code) and the level of confidentiality of the document, the name of the person who issued the document, the number of pages and copies of the document (in case of incomplete issuance of the document — the actually issued number of sheets in the «Defective» column). The registration parameters indicate:

  • date and time of issue (access to the output subsystem);

  • specification of the issuing device [logical name (number) of the external device];

  • brief content (name, type, cipher, code) and level of confidentiality of the document;

  • identifier of the access subject who requested the document;

  • volume of the document actually issued (number of pages, sheets, copies) and the result of issuance: successful (entire volume), unsuccessful;

— registration of the launch (completion) of all programs and processes (jobs, tasks) in the AS must be carried out. The registration parameters indicate:

  • date and time of launch;

  • name (identifier) of the program (process, task);

  • identifier of the access subject who requested the program (process, task);

  • launch result (successful, unsuccessful — unauthorized);

  • full specification of the corresponding file of the program (process, task) «image» — device (volume, directory), file name (extension);

— attempts to access protected files by software tools (programs, processes, tasks) must be registered. The registration parameters shall specify:

  • date and time of the attempt to access the protected file, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • specification of the protected file;

  • name of the program (process, task, job) accessing the file, type of requested operation (read, write, delete, execute, extend, etc.);

— attempts to access software to the following additional protected access objects must be registered: terminals, computers, computer network nodes, communication lines (channels), external computer devices, programs, volumes, directories, files, records, and record fields. The registration parameters shall specify:

  • date and time of the attempt to access the protected object, indicating its result: successful, unsuccessful — unauthorized;

  • access subject identifier;

  • protected object specification [logical name (number)];

  • name of the program (process, task, job) accessing the protected object;

  • type of requested operation (read, write, mount, capture, etc.);

— changes in the powers of access subjects and the status of access objects must be registered. The registration parameters shall specify:

  • date and time of change of powers and status;

  • identifier of the access subject (administrator) who made the changes;

  • identifier of the access subject whose permissions have been changed and the type of change (password, code, profile, etc.);

  • specification of the object whose security status has been changed and the type of change (security code, confidentiality level);

—  automatic accounting of created protected files, initiated protected volumes, directories, areas of computer RAM allocated for processing protected files, external computer devices, communication channels, computers, computer network nodes, network fragments must be carried out using their additional marking used in the access control subsystem. The marking must reflect the level of confidentiality of the object;

—  accounting of all protected information carriers must be carried out using their marking and entering accounting data in a log (accounting card);

—  accounting of protected media must be carried out in a log (card index) with registration of their issue (reception);

— several (duplicating) types of accounting of protected information carriers must be carried out;

— clearing (zeroing, depersonalization) of released areas of the computer's RAM and external storage devices must be carried out. Clearing is carried out by double random writing to any released area of memory that contained the protected information;

— reliable signaling of attempts to violate protection must be carried out on the administrator's and the intruder's terminal.
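The registration parameters listed for the 1B and 1A registration and accounting subsystems, together with the signalling of unauthorized attempts, can be checked mechanically on a journal. The validator below is an added illustration, not part of the guideline; its field names, the JSON-lines layout and the sample records are constructed.

```python
"""Added illustration (not part of the guideline): a validator for records of the
registration and accounting subsystem. The required parameters per event type
follow the class 1B list in the text; class 1A additionally requires the full
specification of the program "image" file for program starts. The field names,
the JSON-lines layout and the sample journal are constructed."""
import json
from datetime import datetime
from typing import Dict, List

# Registration parameters the text requires for each kind of event (class 1B).
REQUIRED: Dict[str, List[str]] = {
    "login":         ["time", "result", "subject"],
    "print":         ["time", "device", "summary", "confidentiality", "subject", "volume", "result"],
    "program_start": ["time", "program", "subject", "result"],
    "file_access":   ["time", "result", "subject", "file", "program", "operation"],
    "object_access": ["time", "result", "subject", "object", "program", "operation"],
    "rights_change": ["time", "admin"],
}
# Parameters added by the class 1A requirements.
CLASS_EXTRA = {"1A": {"program_start": ["image_spec"]}}
RESULTS = {"successful", "unsuccessful", "unauthorized"}


def required_fields(event: str, as_class: str) -> List[str]:
    return REQUIRED[event] + CLASS_EXTRA.get(as_class, {}).get(event, [])


def validate(record: dict, as_class: str = "1B") -> List[str]:
    """Return a list of problems; an empty list means the record is complete."""
    problems = []
    event = record.get("event")
    if event not in REQUIRED:
        return [f"unknown event type {event!r}"]
    for f in required_fields(event, as_class):
        if f not in record:
            problems.append(f"missing {f}")
    if "time" in record:
        try:
            datetime.fromisoformat(record["time"])
        except ValueError:
            problems.append("time is not ISO 8601")
    if "result" in record and record["result"] not in RESULTS:
        problems.append(f"bad result {record['result']!r}")
    # On a failed login the text asks for the presented code or password to be recorded.
    if event == "login" and record.get("result") != "successful" and "presented" not in record:
        problems.append("missing presented code/password for failed login")
    # A rights change must say whose powers or which object's status changed, and how.
    if event == "rights_change":
        if "change_type" not in record:
            problems.append("missing change_type")
        if "target_subject" not in record and "target_object" not in record:
            problems.append("missing target_subject or target_object")
    return problems


def signal_violations(records: List[dict]) -> List[str]:
    """Messages to be signalled to the administrator's terminal (and, per the
    1B/1A text, the intruder's terminal) for every registered unauthorized attempt."""
    return [f"{r['time']} {r['event']} by {r.get('subject', '?')}: {r['result']}"
            for r in records if r.get("result") == "unauthorized"]


# Constructed sample journal in JSON-lines form.
SAMPLE_LOG = """
{"event": "login", "time": "2024-03-01T08:00:00", "result": "successful", "subject": "u17"}
{"event": "login", "time": "2024-03-01T08:01:30", "result": "unauthorized", "subject": "u99", "presented": "c0de"}
{"event": "file_access", "time": "2024-03-01T08:05:00", "result": "unauthorized", "subject": "u17", "file": "vol1:/secret/report.doc", "program": "editor", "operation": "write"}
{"event": "program_start", "time": "2024-03-01T08:06:00", "result": "successful", "subject": "u17", "program": "editor"}
{"event": "rights_change", "time": "2024-03-01T09:00:00", "admin": "adm1", "target_subject": "u17", "change_type": "profile"}
""".strip()


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(text: str, as_class: str) -> Dict[int, List[str]]:
    """Map record index -> problems for every incomplete record in the journal."""
    records = parse_log(text)
    return {i: p for i, r in enumerate(records) if (p := validate(r, as_class))}


if __name__ == "__main__":
    print("incomplete under 1B:", audit(SAMPLE_LOG, "1B"))
    print("incomplete under 1A:", audit(SAMPLE_LOG, "1A"))
    for msg in signal_violations(parse_log(SAMPLE_LOG)):
        print("SIGNAL:", msg)
```

The same journal passes under class 1B but not under 1A, because the program start lacks the image file specification that 1A adds.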

Cryptographic subsystem:

— encryption of all confidential information recorded on data carriers shared (jointly used) by different access subjects, in communication channels, as well as on any removable data carriers (floppy disks, microcassettes, etc.) of long-term external memory for storage outside the work sessions of authorized access subjects must be performed. In this case, automatic clearing of external memory areas containing previously unencrypted information must be performed;

—  different cryptographic keys must be used to encrypt information belonging to different access subjects (groups of subjects);

—  access of subjects to encryption operations and to the corresponding cryptographic keys must be additionally controlled by means of an access control subsystem;

—  certified cryptographic protection tools must be used. Their certification is carried out by special certification centers or specialized enterprises licensed to certify cryptographic protection tools.

Integrity assurance subsystem:

—  the integrity of the software tools of the NSD SZI, as well as the immutability of the software environment must be ensured. In this case:

  • the integrity of the NSD SZI is checked using the imitation inserts (message authentication codes) of the GOST 28147-89 algorithm, or the checksums of another certified algorithm, over all SZI components both at load time and dynamically during operation of the AS;

  • the integrity of the software environment is ensured by the quality of acceptance of any software in the AS;

—  physical security of the SVT (devices and information carriers) must be carried out, providing for the constant presence of security of the territory and the building where the AS is located, using technical security equipment and special personnel, the use of a strict access control regime, special equipment of the AS premises;

—  an administrator (service) of information protection must be provided, responsible for the maintenance, normal functioning and control of the work of the SZI NSD. The administrator must have his own terminal and the necessary means of operational control and influence on the security of the AS;

—  periodic testing of all functions of the NSD information security system must be carried out using special software at least once per quarter;

—  means for restoring the NSD information security system must be available, providing for maintaining two copies of the NSD information security system software and their periodic updating and performance monitoring, as well as automatic prompt restoration of the NSD information security system functions in the event of failures;

—  certified means of protection must be used. Their certification is carried out by special certification centers or specialized enterprises that have a license to certify means of protection for the NSD information security system.
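The integrity requirement stated for classes 1B and 1A (reference checksums or imitation inserts over all SZI components, verified at load and again dynamically during operation) is illustrated below. This is an added example, not part of the guideline or any certified SZI: HMAC-SHA-256 stands in for the GOST 28147-89 imitation insert and plain SHA-256 for "another certified algorithm"; component names, contents and the key are constructed.

```python
"""Added illustration (not part of the guideline): integrity control of the SZI NSD
software components as the class 1B/1A text requires, checked at system load and
again dynamically while the AS runs. A keyed digest (HMAC-SHA-256) stands in for the
GOST 28147-89 imitation insert named for class 1A, and plain SHA-256 for the
checksums of "another certified algorithm"; neither is a certified tool. Component
names, contents and the key are constructed and written to a temporary directory."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Optional, Tuple


def component_digest(path: str, key: Optional[bytes] = None) -> str:
    """Keyed digest when a key is given (imitation insert role), plain checksum otherwise."""
    h = hmac.new(key, digestmod="sha256") if key else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, components: List[str],
                   key: Optional[bytes] = None) -> Dict[str, str]:
    """Reference values taken when the SZI is installed or its backup copy is refreshed."""
    return {name: component_digest(os.path.join(root, name), key) for name in components}


def verify(root: str, manifest: Dict[str, str],
           key: Optional[bytes] = None) -> List[Tuple[str, str]]:
    """Compare every component against the manifest; returns (name, status) with
    status one of ok / modified / missing. Called once at load, then periodically."""
    results = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            results.append((name, "missing"))
        elif hmac.compare_digest(component_digest(path, key), expected):
            results.append((name, "ok"))
        else:
            results.append((name, "modified"))
    return results


def violations(results: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """What the administrator's terminal should be signalled about."""
    return [r for r in results if r[1] != "ok"]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Build the manifest, pass the load-time check, then tamper and re-check."""
    key = b"constructed-integrity-key"  # in a real SZI this lives in protected storage
    components = ["szi_core.bin", "access_matrix.cfg", "audit.dat"]
    with tempfile.TemporaryDirectory() as root:
        for name in components:
            with open(os.path.join(root, name), "wb") as f:
                f.write(f"constructed contents of {name}\n".encode())
        manifest = build_manifest(root, components, key)
        at_load = verify(root, manifest, key)  # system load: every component ok
        # Later, during operation: one component altered, one removed.
        with open(os.path.join(root, "access_matrix.cfg"), "ab") as f:
            f.write(b"u99 * rwx\n")
        os.remove(os.path.join(root, "audit.dat"))
        dynamic = verify(root, manifest, key)  # periodic check catches both
    return at_load, dynamic


if __name__ == "__main__":
    at_load, dynamic = demo()
    print("at load:", at_load)
    print("dynamic check:", violations(dynamic))
```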

2.16. Organizational measures within the framework of the NSD information security system in ASs that process or store information that is the property of the state and classified as secret must meet state requirements for ensuring the secrecy of the work performed.

2.17. When processing or storing information in the AS that is not classified as secret, within the framework of the NSD SZI, state, collective, private and joint enterprises, as well as private individuals, are recommended to implement the following organizational measures:

  • identification of confidential information and its documentary registration in the form of a list of information subject to protection;

  • determination of the procedure for establishing the level of authority of the access subject, as well as the circle of persons to whom this right is granted;

  • establishment and formalization of access control rules, i.e. a set of rules governing the rights of access of subjects to objects;

  • familiarization of the access subject with the list of protected information and his level of authority, as well as with organizational, administrative and working documentation defining the requirements and procedure for processing confidential information;

  • receiving from the access subject a non-disclosure agreement regarding confidential information entrusted to him;

  • ensuring the security of the facility where the protected AS is located (territory, buildings, premises, storage facilities for information carriers) by establishing appropriate posts, technical security means or any other means that prevent or significantly complicate the theft of computer equipment (SVT) and information carriers, as well as unauthorized access to the SVT and communication lines;

  • selection of the AS security class in accordance with the characteristics of information processing (processing technology, specific operating conditions of the AS) and its level of confidentiality;

  • organization of the information security service (responsible persons, the AS administrator) responsible for the accounting, storage and issuance of information carriers, passwords, keys, maintenance of service information of the NSD ISP (generation of passwords, keys, support of access control rules), acceptance of new software included in the AS, as well as monitoring the progress of the technological process of processing confidential information, etc.;

  • development of the NSD ISP, including the relevant organizational, administrative and operational documentation;

  • acceptance of the NSD ISP as part of the AS.

2.18. When developing an AS intended for processing or storing information that is the property of the state and classified as secret, it is necessary to be guided by the RD «Computer Equipment. Protection against Unauthorized Access to Information. Indicators of protection against unauthorized access to information» for AS protection classes not lower than (by groups) 3A, 2A, 1A, 1B, 1V and use certified SVT:

not lower than class 4 — for AS protection class 1V;

not lower than class 3 — for AS protection class 1B;

not lower than class 2 — for AS protection class 1A.
