CERTIFICATION OF INFORMATIZATION OBJECTS AND ALLOCATED PREMISES
KHOREV Anatoly Anatolyevich,
Doctor of Technical Sciences, Professor
By certification of information technology objects we mean a set of organizational and technical measures as a result of which a special document, the «Certificate of Conformity», confirms that the object complies with the requirements of standards and other regulatory and technical documents on information security approved by the federal body for certification and attestation [2].
Information technology objects, regardless of whether domestic or foreign hardware and software is used, are certified for compliance with the requirements of Russian state standards or the regulatory and methodological documents on information security approved by the federal body for certification and attestation within its competence.
Mandatory certification applies to information technology objects intended for processing information constituting a state secret, for managing ecologically hazardous objects, and for conducting secret negotiations. In all other cases certification is voluntary and is carried out at the request of the customer or owner of the information technology object [2].
Certification according to information security requirements precedes the start of processing the information subject to protection and provides for a comprehensive check (certification tests) of the protected information technology object under real operating conditions in order to assess the compliance of the used set of measures and means of information protection with the required level of information security [2].
The presence of a valid «Certificate of Conformity» at the information technology object gives the right to process information with the level of secrecy (confidentiality) and for the period of time established in the «Certificate of Conformity» [2].
When certifying an information technology object, its compliance with the requirements for protecting information from unauthorized access to information processed by automated means (including from computer viruses) and from information leakage through technical channels is confirmed.
If necessary, by decision of the head of the enterprise (institution, firm), organizations holding the appropriate licenses from the FSB of Russia may conduct special checks for the presence of special electronic devices for intercepting information («eavesdropping devices») that may have been introduced into allocated premises or technical means.
The basic principles, organizational structure of the system for certifying information technology objects according to information security requirements, the procedure for conducting certification, as well as control and supervision over the certification and operation of certified information technology objects are established by the «Regulations on the Certification of Information Objects According to Information Security Requirements»(hereinafter referred to as the Regulation), approved by the Chairman of the State Technical Commission of Russia on November 25, 1994 [2].
The system of certification of information objects according to information security requirements (hereinafter referred to as the certification system) is an integral part of the unified mandatory system of certification of information protection tools and certification of information technology objects according to information security requirements and is subject to state registration in accordance with the procedure established by the State Standard of Russia [2].
The activities of the certification system are organized by the federal body for certification of products and attestation of information technology objects according to information security requirements (hereinafter referred to as the federal body for certification and attestation), which is the Federal Service for Technical and Export Control of the Russian Federation (FSTEC RF), within the limits of its competence as determined by legislative acts of the Russian Federation.
The organizational structure of the certification system of information technology objects is formed by [2]:
- the federal body for certification of information protection tools and attestation of information technology objects according to information security requirements;
- bodies for certification of information technology objects according to information security requirements;
- test centers (laboratories) for certification of products according to information security requirements;
- applicants (customers, owners, developers of certified information technology objects).
The federal body for certification and attestation performs the following functions [2]:
- organizes mandatory certification of information technology objects;
- creates systems for certification of information technology objects and establishes rules for conducting certification in these systems;
- establishes rules for accreditation and issuance of licenses for carrying out work on mandatory certification;
- organizes, finances the development and approves regulatory and methodological documents for the certification of information technology objects;
- accredits bodies for certification of information technology objects and issues them licenses to carry out certain types of work;
- implements state control and supervision over compliance with certification rules and the operation of certified information technology objects;
- considers appeals arising in the process of certification of information technology objects and control over the operation of certified information technology objects;
- organizes periodic publication of information on the functioning of the system of certification of objects according to information security requirements.
Bodies for certification of objects are accredited by the federal body for certification and attestation and receive from it a license to conduct certification of information technology objects.
Such bodies may be industry and regional organizations, enterprises and organizations working in information security, and special centers of the FSTEC of the Russian Federation.
The accreditation rules for certification bodies are determined by the current «Regulations on the accreditation of testing laboratories and bodies for certification of information protection tools according to information security requirements».
Certification bodies [2]:
- certify information technology objects and issue «Certificates of Conformity»;
- monitor the operation of certified information technology objects and the security of information circulating on them;
- cancel and suspend the «Certificates of Conformity» issued by this body;
- form a fund of normative and methodological documentation necessary for certification of specific types of information technology objects, participate in their development;
- maintain an information base of information technology objects certified by this body;
- interact with the federal body for certification and attestation and inform it quarterly about their activities in the field of certification.
The bodies for certification of information technology objects are responsible for the performance of the functions assigned to them, ensuring the safety of state and commercial secrets, as well as for observing the copyrights of the developers of the information technology objects being certified and their components.
Testing centers (laboratories) for certification of products according to information security requirements, on the applicants' orders, conduct testing of non-certified products used at an information technology facility subject to mandatory certification, in accordance with the «Regulations on the certification of information protection tools according to information security requirements» [2].
Applicants [2]:
- prepare the information technology facility for certification by means of the necessary organizational and technical measures for information protection;
- engage certification bodies on a contractual basis to organize and conduct certification of the information technology facility;
- provide certification bodies with the necessary documents and conditions for conducting certification;
- if necessary, involve certification testing centers to conduct testing of non-certified information security tools used at the certified information technology facility;
- operate the information technology facility in accordance with the conditions and requirements established in the “Certificate of Conformity”;
- notify the certification body that issued the «Certificate of Conformity» of all changes in information technologies, the composition and placement of information technology tools and systems, and the conditions of their operation that may affect the effectiveness of information security measures and means (the list of characteristics that determine information security, changes to which must be notified to the certification body, is provided in the «Certificate of Conformity»);
- provide the necessary documents and conditions for monitoring and supervising the operation of an information technology facility that has undergone mandatory certification.
The costs of all work and services for mandatory and voluntary certification of information technology objects are paid by applicants.
Payment for work on mandatory certification is made in accordance with the contract at the approved rates, in the manner established by the federal body for certification and attestation within its competence in agreement with the Ministry of Finance of the Russian Federation, and in the absence of approved rates, at the contract price.
The costs of carrying out all types of work and services for certification of information technology objects are paid by applicants from funds allocated for the development (revision) and commissioning of the protected information technology object.
The procedure for certifying information technology objects for compliance with information security requirements includes the following actions [2]:
- submitting an application for review and certification;
- analysis of initial data on the information technology object being certified;
- conducting a preliminary special examination of the information technology object being certified;
- development of a program and methodology for certification tests;
- conclusion of contracts for certification;
- testing of non-certified means and systems of information protection used at the certified facility (if necessary);
- conducting special checks for the presence of possibly introduced electronic devices for intercepting information;
- conducting certification tests of the information technology facility;
- registration and issuance of the «Certificate of Conformity»;
- implementation of state control and supervision, inspection control over the certification and operation of certified information technology objects;
- consideration of appeals.
Let us consider the procedure for certification of information technology objects for compliance with information security requirements against leakage through technical channels.
To obtain a «Certificate of Conformity», the applicant shall send in advance to the certification body an application for certification with the initial data on the IT facility being certified, which shall include:
- a list of IT facilities subject to certification and allocated premises, indicating the purpose, category and location for each facility;
- a list of installed technical means for processing restricted access information (TMPI) indicating the availability of a certificate of conformity (operating instructions), a conclusion based on the results of a special check for the presence of possibly introduced electronic devices for intercepting information, categories and places (premises) of their installation;
- a list of installed auxiliary technical means and systems (ATMS) indicating the availability of a certificate of conformity, a conclusion based on the results of a special check for the presence of possibly introduced electronic devices for intercepting information and places of their installation;
- a list of installed technical means of information protection indicating the availability of a certificate of conformity and places of their installation.
The certification body shall review the application within one month and, based on the initial data, select a certification scheme, agree it with the applicant and make a decision on conducting certification of the information technology object.
If the initial data on the information technology object being certified is insufficient, the certification scheme shall include work on a preliminary special survey of the certified object, carried out before the stage of certification tests.
When using non-certified information security tools and systems at the certified information technology facility, the certification scheme may include work on testing them in test centers for certification of information security tools according to information security requirements or directly at the certified information technology facility using special control equipment and test tools.
Based on the results of the application review and analysis of the initial data, as well as a preliminary special examination of the certified object, the certification body develops a certification test program, which provides for a list of works and their duration, test methods (if standard methods are not used), determines the composition (quantitative and professional) of the certification commission appointed by the body for certification of information technology objects, the need to use control equipment and test tools at the certified information technology object or to involve test centers for certification of information security tools according to information security requirements [2].
The test program is developed based on the analysis of the initial data on the information technology object and must include the necessary types of tests, certain methodological recommendations for the corresponding types of information technology objects (allocated premises, automated systems, communication systems, etc.), and also determine the terms, conditions and methods of testing.
The program of certification tests is agreed upon with the applicant and can be specified and adjusted during the testing process in agreement with the applicant and the head of the certification committee.
The procedure, content, conditions and methods of testing for assessing the characteristics and indicators checked during certification, their compliance with established requirements, as well as the control equipment and test tools used for these purposes are determined in the testing methods for various information technology objects.
The composition of the regulatory and methodological documentation for the certification of specific information technology objects is determined by the certification body depending on the operating conditions of the information technology objects based on the analysis of the initial data on the certified object. Only those indicators, characteristics and requirements that can be objectively verified are included in the regulatory and methodological documentation.
The regulatory and methodological documentation on test methods must contain references to the conditions, content and procedure for conducting tests, the control equipment and test tools used during testing, which minimize errors in test results and allow these results to be reproduced.
The texts of regulatory and methodological documents used in the certification of information technology objects must be formulated clearly and distinctly, ensuring their precise and uniform interpretation; they must contain an indication of the possibility of using the document to certify certain types of information technology objects according to information security requirements or information protection areas.
The preparation stage is completed by concluding an agreement between the applicant and the certification body for conducting the certification, concluding agreements (contracts) between the certification body and the experts involved, and issuing an order to admit the certification committee to conduct the certification [2].
Payment for the work of the members of the certification commission is made by the certification body in accordance with the concluded employment contracts at the expense of financial resources from the concluded contracts for the certification of information technology objects.
Certification tests provide for a comprehensive check of the protected object under real operating conditions in order to assess the compliance of the used set of measures and means of protection with the required level of information security and are carried out in the following order [1, 2]:
- analysis and evaluation of initial data and documentation on information security at the information technology facility, evaluation of the correctness of categorization of allocated premises and information technology facilities;
- evaluation of the level of personnel training and distribution of responsibility for compliance with information security requirements;
- special survey of the information technology facility;
- conducting tests of individual information security tools and systems in testing centers for product certification according to information security requirements (if necessary);
- special checks of technical equipment for the presence of possibly introduced special electronic devices for intercepting information;
- special checks of premises for the presence of possibly introduced special electronic devices for intercepting information;
- conducting tests of individual means and systems for protecting information at the certified facility using special control and measuring equipment;
- analysis of the results of a special survey and certification tests, development of recommendations for improving the measures taken to protect information from leakage through technical channels, closing the identified information leakage channels;
- preparation of reporting documentation — test protocols and conclusions based on the results of certification tests with the commission's findings on the compliance (or non-compliance) of the information technology object with the established requirements, which is submitted to the certification body for a decision on issuing a «Certificate of Conformity».
To conduct the tests, the applicant shall submit the following initial data and documentation to the certification body:
- acceptance documentation for the information technology facility;
- certificates of categorization of allocated premises and information technology facilities;
- operating instructions for information security tools;
- technical passport for the facility being certified;
- documents on operation (certificates of compliance with information security requirements) of the TMPI;
- certificates of compliance with information security requirements for technical means of information protection;
- reports on hidden work performed;
- measurement protocols for sound insulation of allocated rooms and shielding efficiency of structures and cabins (if performed);
- measurement protocols for grounding resistance;
- measurement protocols for actual attenuation of information signals to locations of possible placement of reconnaissance assets;
- data on the level of training of personnel ensuring information protection;
- data on technical provision of means of monitoring the effectiveness of information protection and their metrological verification;
- regulatory and methodological documentation on information protection and monitoring the effectiveness of protection.
The listed set of initial data and documentation may be adjusted by the applicant, in agreement with the certification committee, depending on the specific features of the information technology object being certified.