Regulation on State Licensing of Activities in the Field of Information Security. Part 1

Regulations on State Licensing of Activities in the Field of Information Security.

Approved by the Decision of the State Technical Commission under the President of the Russian Federation and the Federal Agency for Government Communications and Information under the President of the Russian Federation dated April 27, 1994 N 10

1.2. These Regulations use the following basic concepts:

• licensing in the field of information protection

• and

• activity consisting of the transfer or receipt of rights to carry out work in the field of information protection;
• license in the field of information security — a permit issued in the appropriate manner for the right to carry out certain work in the field of information security;
• licensee in the field of information security — a party that has received the right to carry out work in the field of information security;
• information security — a set of measures taken to prevent leakage, theft, loss, unauthorized destruction, distortion, modification (forgery), unauthorized copying, blocking of information, etc.
• information security effectiveness — the degree to which the achieved results of information security actions correspond to the stated goal of security;
• information security effectiveness control — verification of compliance of the effectiveness of information security measures with the established requirements or standards for security effectiveness;
• information security — the state of information, information resources and information systems in which the protection of information (data) from leakage, theft, loss, unauthorized destruction, distortion, modification (forgery), copying, blocking, etc. is ensured with the required probability;

encryption tools: — hardware, software, hardware-software, systems, and complexes implementing cryptographic algorithms for converting information, designed to protect information (including those included in systems and complexes for protecting information from unauthorized access) circulating in technical equipment, during its processing, storage, and transmission via communication channels, including encryption equipment; — hardware, software, and hardware-software, systems, and complexes for protection against the imposition of false information, including means of imitation protection and «electronic signature»; — hardware, software, and hardware-software, systems, and complexes intended for the production and distribution of key documents used in encryption tools, regardless of the type of key information carrier; — protected information — information constituting state and other secrets protected by law; — certification of an object in protected execution — official confirmation of the presence at the protected object of the necessary and sufficient conditions ensuring the fulfillment of the established requirements of the governing documents and standards for the effectiveness of information protection; — the technical means of processing (TSOI information) in the field of information protection is an integral part of the State Information Protection System. The activities of the licensing system are organized by the State licensing bodies, which are the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia) and the Federal Agency for Government Communications and Information under the President of the Russian Federation (FAPSI).

1.4. State licensing authorities, within the limits of their competence established by the legislation of the Russian Federation, carry out licensing of activities in the field of information protection in accordance with the lists of types of activities provided in Appendix 1.

1.5. A license for the right to carry out activities in the field of information protection (hereinafter referred to as the license) is issued to an enterprise by a state licensing body upon the submission of a state body of the Russian Federation for specific types of activities for three years, after which it is re-registered in the manner established for issuing a license.

1.6. A license shall be issued to an applicant enterprise that has submitted an application for it, which has a production and testing base, regulatory and methodological documentation, scientific, engineering and technical personnel, provided that they meet the requirements of the state licensing authority based on the results of the examination of the enterprise's activities in the declared area of ​​work. The applicant has the right to familiarize himself with these requirements at the state licensing authority.

1.7. To obtain a license, the following shall be submitted:

• application;
• representation of the state authority of the Russian Federation;
• examination materials confirming the availability of the necessary conditions for carrying out work in the declared types of activity, as well as the professional suitability of the head of the applicant enterprise, or persons authorized by him to manage the licensed activity;
• copies of documents on state registration of business activities and the company charter.

1.8. A license may be refused in cases where:

• the necessary conditions for carrying out work on the declared type of activity are lacking;
• the professional training of the head of the applicant company, or persons authorized by him to manage the licensed activity, does not meet the established requirements;
• the documents submitted to obtain a license contain false information;
• the applicant has been found guilty of unfair competition in the licensed activity in accordance with the procedure established by law.

1.9. A license is issued for a fee, the amount of which is established by state licensing authorities in agreement with the Ministry of Finance of the Russian Federation.

1.10. Enterprises carrying out information protection activities, the types of which are specified in Appendix 1 of these Regulations, without a license, bear liability provided for by the legislation of the Russian Federation.

state licensing authorities; licensing centers; applicant enterprises.

2.2. State licensing authorities, within the limits of their competence, perform the following functions;

organize mandatory state licensing of enterprise activities; issue state licenses to applicant enterprises; provide scientific and methodological guidance for licensing activities; approve lists of licensing centers; agree on the composition of expert commissions submitted by licensing centers; monitor and supervise the completeness and quality of work carried out by licensees in the field of information security; ensure the publication of the necessary information on licensing activities; consider controversial issues arising during the examination of the applicant enterprise.

2.3. Licensing centers perform the following functions:

• form expert commissions and submit their composition for approval by the heads of the relevant state licensing bodies and industries;
• plan and carry out work on the examination of applicants;
• control the completeness and quality of work performed by licensees;
• systematize licensees' reports and annually submit a consolidated report to the relevant state licensing authorities;
• participate in the work of the relevant state licensing authorities when considering controversial issues arising during the examination of the applicant enterprise and facts of poor quality work by licensees.

2.3.1. Licensing centers may be created under state licensing bodies, in regions and industries (departments) of the Russian Federation.

• Licensing centers under state licensing authorities are created by orders of the heads of these authorities. Industry licensing centers are created by joint decisions of the heads of committees (ministries) and the relevant state licensing authorities. Regional licensing centers are created by joint decisions of regional government bodies and the relevant state licensing authorities. The organization of interaction between industry and regional licensing centers and the relevant government bodies is reflected in these decisions.
• Licensing centers can be formed from special centers of the State Technical Commission of Russia, government communications centers of the Federal Agency for Government Communications and Information (FAPSI), industry and regional institutions, enterprises and organizations for information protection.

2.3.2. For a comprehensive examination of applicant enterprises in order to assess their capabilities to carry out work on information protection in the selected area, expert commissions are created at licensing centers. They are formed from among specialists competent in the relevant area of ​​information protection from industries, the Armed Forces, government agencies, other organizations and institutions. Expert commissions are created in one or several areas of information protection.

2.4. Licensees are obliged to: o

• carry out their activities in strict accordance with the requirements of regulatory documents on information protection;
• ensure the secrecy of correspondence, telephone conversations, documents and other messages of individuals and legal entities using their services;
• annually submit directly to the state licensing authority or to the licensing center information on the amount of work performed for specific types of activities specified in the license.

2.4.1. Licensees have the right to use the regulatory and methodological documents of the relevant state licensing authorities, to contact them for the necessary consultations and assistance, and also to refer to the received license in official documents and advertising materials.

2.4.2. Licensees bear legal and financial responsibility for the completeness and quality of the work performed and for ensuring the safety of state and commercial secrets entrusted to them in the course of practical activities.

2.5. Consumer enterprises have the right to contact:

• the state licensing authority or the licensing center with complaints about poor-quality work performed by licensees to protect information;
• the judicial authorities in accordance with the established procedure.

• conducting an examination of the applicant;
• submitting, reviewing an application for licensing, registration and issuance of licenses;
• extending the validity period of licenses;
• registering licensees and informing in the field of licensing.

3.1.1. The examination of the applicant enterprise is carried out by the expert commission of the relevant licensing center on the basis of the enterprise's application containing the licensed types of activities and lists of the production and testing equipment, regulatory and methodological documentation available at the enterprise required to support them. The result of the commission's work is an expert opinion, which assesses the applicant's ability to carry out work in the selected type of information protection activity. The opinion is approved by the head of the relevant licensing center and is valid for three months from the date of its issue. The examination is carried out on the basis of a business agreement between the licensing center and the applicant enterprise. Payment for the work of the members of the expert commission is carried out by the licensing center.

3.1.2. An application for a license (Appendix 2) is submitted to the state licensing authority and is accepted for consideration only if all the documents listed in paragraph 1.7 are available. The license issuing authority has the right to verify the accuracy of the information provided.

3.1.3. The registration of a license (Appendix 3) and its issuance (notice of refusal to issue) is carried out within thirty days from the date of filing the application with all necessary documents.

3.1.4. To consider controversial issues arising during the examination of the applicant enterprise, an additional independent examination may be conducted. The composition of the expert commission is formed by the state licensing authority in agreement with the applicant enterprise. The conclusion of the expert commission is decisive for making the appropriate decision in connection with the application for a license.

• The time spent on the examination is not included in the period established for issuing a license.
• The costs of conducting an additional independent examination shall be borne by the party found guilty of the conflict.

3.1.5. The actions of the licensing authorities may be appealed in the courts in accordance with the established procedure.

3.1.6. The bodies that issued the license shall suspend or terminate the license early in the following cases:

• upon application of the license holder;
• liquidation of a legal entity or termination of a document on individual labor activity;
• failure by the license holder to comply with the conditions for maintaining the regulatory framework and technical equipment at the level of requirements for ensuring information security;
• failure to notify the body that issued the license within the established timeframes of the information stipulated by this Regulation.
• The license holder shall be informed in writing of the suspension or termination of the license by the body that issued the license no later than five days from the date of the decision. Within ten days of receiving the notification, the license holder shall be obliged to return the license to the body that issued the license.

3.1.7. The registration of licensees shall be maintained by state licensing bodies on the basis of information received from licensing centers.

3.2. Control and supervision over the completeness and quality of work carried out by licensees in the field of information security is carried out by:

• The State Technical Commission of Russia, FAPSI and industry control bodies within their competence during scheduled inspections of the state of information security at consumer enterprises that have used the services of licensees;
• when state licensing authorities and licensing centers control the quality of work performed by licensees on complaints from consumer enterprises.

Appendix 1