Model regulations on the certification body for information security tools according to information security requirements.
APPROVED
By the Chairman of the State
Technical Commission under the
President of the Russian Federation
Yu. Yashin
«25» November 1994
STANDARD REGULATION
on the body for certification of information security tools
according to information security requirements
1. GENERAL PROVISIONS
1.1. This Model Regulation establishes the general requirements for a body for certification of information security tools according to information security requirements, its functions, rights, duties and liabilities, and the rules for payment for work performed by the certification body.
1.2. This Model Regulation has been developed in accordance with the laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets» and the «Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», and is based on the «GOST R Certification System» and the «Rules for conducting certification in the Russian Federation».
1.3. Certification bodies are an integral part of the organizational structure of the certification system for information security tools, whose activities are organized by the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia).
1.4. The certification body is accredited by the State Technical Commission of Russia in accordance with the «Regulation on the accreditation of testing laboratories and bodies for certification of information security tools according to information security requirements».
The certification body must be a legal entity, have trained specialists, guidelines and regulatory documents to carry out the entire range of work on certification of information security tools in its area of accreditation and meet the established requirements.
Accreditation is carried out only if there is a license from the State Technical Commission of Russia for the relevant types of activity.
Accreditation as a certification body of enterprises subordinate to federal executive authorities is carried out upon nomination by these authorities.
1.5. The certification body in its activities is guided by the legislation of the Russian Federation, state standards, regulatory and methodological documentation on issues of certification of information security tools approved by the State Technical Commission of Russia.
1.6. The Regulation on a specific certification body is developed on the basis of this Model Regulation, taking into account the specific area of accreditation and its administrative structure.
The Regulation specifies the specific types of information security tools for the certification of which the body is accredited by the State Technical Commission of Russia, and provides a brief description of the legal status of the certification body.
The Regulation is signed by the head of the certification body and approved by the head of the State Technical Commission of Russia.
2. TASKS AND FUNCTIONS OF THE CERTIFICATION BODY
2.1. The main tasks of the certification body are to certify information security tools according to information security requirements within the declared area of accreditation, and to exercise control and supervision over the information security tools it has certified and over the activities of the testing centers (laboratories) that perform certification tests.
2.2. The certification body performs the following functions:
- determines the certification scheme for specific information security tools, taking into account the applicant's proposals;
- specifies the requirements against which certification tests are conducted;
- recommends a testing center (laboratory) to the applicant;
- approves the programs and methods for conducting certification tests;
- examines the technical and operational documentation for information security tools and the materials of their certification tests;
- prepares an expert opinion on the certification of information security tools, drafts certificates and licenses for the use of the conformity mark, and submits them to the State Technical Commission of Russia;
- organizes, where necessary, a preliminary inspection (certification) of the production of the information security tools being certified;
- participates in the accreditation of testing centers (laboratories);
- participates in inspection control over the stability of the characteristics of certified information security tools and over the activities of testing centers (laboratories);
- stores the original documentation confirming the certification of information security tools;
- petitions the State Technical Commission of Russia to cancel issued certificates;
- forms and updates the collection of regulatory and methodological documents required for certification, and participates in their development;
- provides the applicant with the necessary information on certification;
- interacts with the manufacturers of specific types of information security tools in its area of accreditation to ensure timely certification when standard requirements change;
- participates in the development of corrective measures to improve the stability of those characteristics of certified information security tools that determine information security;
- maintains a list of certified information security tools in its area of accreditation and prepares information on certification results for publication;
- maintains a list of certified testing tools.
3. ADMINISTRATIVE STRUCTURE OF THE CERTIFICATION BODY
3.1. The administrative structure of the certification body consists of an external management board and a permanent staff.
3.2. The management board is formed from specialists of various industries and departments who are competent in a specific area of information security, in order to define a unified technical policy for the certification of specific types of information security tools within the declared area of accreditation and to prevent discrimination against applicants during certification.
The management board:
- prepares proposals for improving the certification system for specific types of information security tools;
- supervises the quality of the examination of test results for information security tools and, where necessary, of the testing itself;
- decides other fundamental issues of certification of information security tools and of certification of production.
3.3. The permanent staff (personnel) of the certification body organizes and carries out work on certification of information security tools in accordance with the functions and duties assigned to the body, as defined in job descriptions; the staff must have the necessary qualifications and competence and undergo special training.
3.4. The Regulation on a specific certification body sets out its organizational structure, reflecting the lines of subordination and the distribution of responsibilities among the personnel.
4. RIGHTS, DUTIES AND LIABILITIES OF THE CERTIFICATION BODY
4.1. The certification body has the right to:
- engage, on a contractual basis, the most competent specialists in the field of information security to serve on the management board, to certify the production of certified information security tools, and to examine test results;
- set contractual prices for the certification of information security tools;
- participate in the testing of specific types of information security tools within the declared area of accreditation at testing centers (laboratories) for certification;
- establish testing methods, test report forms and other documents for the testing center;
- supervise the activities of testing centers (laboratories) for certification of specific types of information security tools within its area of accreditation;
- refuse certification of information security tools to the applicant, stating the reasons for refusal and possible alternative certification options;
- request the cancellation of previously issued certificates and licenses for the use of the conformity mark if the manufacturer violates the requirements of standards and other regulatory documents on information security;
- request and receive, in the established manner, from applicants and testing centers (laboratories) the documentation, information and materials necessary for certification work;
- submit issues related to certification to the State Technical Commission of Russia for consideration.
4.2. The certification body is obliged to:
- fully comply with all the certification rules and procedures established by the fundamental documents of the certification system for information security tools according to information security requirements;
- issue draft certificates for those information security tools whose compliance with specific regulatory documents has been proven under the rules of this system;
- when a new standard applicable to a previously certified tool is introduced into the regulatory documents on information security tools, inform the manufacturer within one month of the time frame and procedure for its introduction, and assist the manufacturer in certifying its information security tools against the new standard in a timely manner;
- keep records of all complaints concerning certified information security tools and inform the State Technical Commission of Russia of them;
- conduct certification of information security tools within the time frame established by the agreement with the applicant;
- ensure the objectivity of the examination of test results for information security tools and of the certification of production;
- register certified information security tools in a timely manner;
- keep the system for recording certification procedures in working order;
- organize the certification of testing tools;
- protect state and commercial secrets during and after completion of certification of information security tools, and respect copyright;
- submit information about its activities to the State Technical Commission of Russia, the central body of the certification system;
- admit, in accordance with the established procedure, representatives of supervisory authorities to oversee the certification of information security tools;
- provide applicants with information on the services it offers.
4.3. The certification body is liable for:
- the completeness and quality of performance of the functions and duties assigned to it;
- compliance with the requirements of state standards and of the regulatory and methodological documents applicable to the certification procedure;
- compliance with the established deadlines for certification;
- safeguarding state secrets and the commercial secrets of the applicant;
- respecting the applicant's property rights in the certified information security tools, as well as the applicant's copyright;
- compliance with current legislation.
5. PAYMENT FOR WORK PERFORMED BY THE CERTIFICATION BODY
5.1. Work on certification of information security tools according to information security requirements, and the performance of the related functions and duties, is a self-financing activity of the certification body, carried out on the basis of:
- contracts with applicants for certification of information security tools and certification of production;
- employment contracts (agreements) with members of the management board and with experts engaged in certification work and in certification of the production of certified information security tools.
5.2. The costs of carrying out all types of work and services on certification of information security tools and certification of production are paid by applicants.
Payment is made according to the approved rates, and in their absence — at the contract price.
5.3. Payment for the work of the members of the management board and of experts is made by the certification body in accordance with the concluded employment agreements (contracts), out of the funds received under the concluded agreements for the certification of information security tools.
5.4. Participation of the certification body in state supervision and in the development of methodological documentation on mandatory certification of information security tools within the declared area of accreditation is funded from state budget funds allocated by the federal body for certification and attestation.
HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
V. Virkovsky
«24» November 1994