Regulations on certification of informatization objects according to requirements.
APPROVED BY Chairman of the State Technical Commission under the President of the Russian Federation Yu. Yashin » November 25, 1994
REGULATION for certification of information technology objects according to the requirements of information security Moscow 1994 1. GENERAL PROVISIONS
1.1. These Regulations establish the basic principles, organizational structure of the system of certification of information technology objects according to information security requirements, the procedure for conducting certification, as well as control and supervision over the certification and operation of certified information technology objects.
1.2. The Regulation has been developed in accordance with the laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets», «Regulation on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», «Regulation on state licensing of activities in the field of information protection», «Regulation on the certification of information protection tools according to information security requirements», «GOST R Certification System».
1.3. The system of certification of information technology objects according to information security requirements (hereinafter referred to as the certification system) is an integral part of the unified system of certification of information protection tools and certification of information technology objects according to information security requirements and is subject to state registration in accordance with the procedure established by the State Standard of Russia. The activities of the certification system are organized by the federal body for certification of products and certification of information technology objects according to information security requirements (hereinafter referred to as the federal body for certification and certification), which is the State Technical Commission of Russia.
1.4. Certification of information technology objects is understood as a set of organizational and technical measures, as a result of which, by means of a special document — «Certificate of Conformity» — it is confirmed that the object complies with the requirements of standards or other regulatory and technical documents on information security approved by the State Technical Commission of Russia. The presence of a valid «Certificate of Conformity» at an information technology object gives the right to process information with the level of secrecy (confidentiality) and for the period of time established in the «Certificate of Conformity».
1.5. Mandatory certification is required for information technology objects intended for processing information constituting a state secret, managing ecologically hazardous objects, and conducting secret negotiations. In other cases, certification is voluntary (voluntary certification) and can be carried out at the initiative of the customer or owner of the information technology object. Certification according to information security requirements precedes the start of processing the information subject to protection and is caused by the need for official confirmation of the effectiveness of the set of measures and means of information protection used at a specific information technology object.
1.6. When certifying an information technology object, its compliance with the requirements for protecting information from unauthorized access is confirmed, including from computer viruses, from leakage due to side electromagnetic radiation and interference during special impacts on the object (high-frequency imposition and irradiation, electromagnetic and radiation impact), from leakage or impact on it due to special devices built into information technology objects.
1.7. Certification provides for a comprehensive check (certification tests) of the protected information technology object under real operating conditions in order to assess the compliance of the applied set of measures and means of protection with the required level of information security.
1.8. Certification is carried out by the certification body in the manner established by this Regulation in accordance with the scheme selected by this body at the stage of preparation for certification from the following main list of works:
analysis of initial data on the certified information technology object; preliminary familiarization with the certified information technology object; conducting an expert examination of the information technology object and analysis of the developed documentation on information protection at this object from the point of view of its compliance with the requirements of regulatory and methodological documentation; testing individual information protection tools and systems at the certified information technology object using special control equipment and test tools; testing individual information protection tools and systems in test centers (laboratories) for certification of information protection tools according to information security requirements; conducting comprehensive certification tests of the information technology object in real operating conditions; analysis of the results of expert examination and comprehensive certification tests of the information technology object and approval of the conclusion on the results of certification. 1.9. Certification bodies are accredited by the State Technical Commission of Russia. The accreditation rules are determined by the «Regulation on the accreditation of testing laboratories and bodies for certification of information protection tools according to information security requirements» in force in the system. The State Technical Commission of Russia may transfer the rights to accredit industry (departmental) certification bodies to other government bodies.
1.10. The costs of all types of work and services on mandatory and voluntary certification of information technology objects shall be paid by applicants. Payment for work on mandatory certification shall be made in accordance with the contract at the approved rates, and in their absence — at the contract price in the manner established by the State Technical Commission of Russia in agreement with the Ministry of Finance of the Russian Federation. The costs of all types of work and services on certification of information technology objects shall be paid by applicants from the funds allocated for the development (revision) and commissioning of the protected information technology object.
1.11. The bodies for certification of information technology objects shall be responsible for the performance of the functions assigned to them, ensuring the safety of state and commercial secrets, as well as for compliance with the copyrights of the developers of the certified information technology objects and their components.
2. ORGANIZATIONAL STRUCTURE OF THE SYSTEM FOR CERTIFICATION OF INFORMATIZATION OBJECTS ACCORDING TO INFORMATION SECURITY REQUIREMENTS 2.1. The organizational structure of the system for certification of information technology objects is formed by:
Federal body for certification of information protection means and certification of information technology objects according to information security requirements — State Technical Commission of Russia; Bodies for certification of information technology objects according to information security requirements; Test centers (laboratories) for certification of products according to information security requirements; Applicants (customers, owners, developers of certified information technology objects).
2.2. The Federal body for certification and certification performs the following functions:
organizes mandatory certification of information technology objects; creates systems for certification of information technology objects and establishes rules for conducting certification in these systems; establishes rules for accreditation and issuance of licenses for carrying out work on mandatory certification; organizes, finances the development and approves regulatory and methodological documents on the certification of information technology objects; accredits bodies for the certification of information technology objects and issues them licenses for carrying out certain types of work; exercises state control and supervision over compliance with the certification rules and the operation of certified information technology objects; considers appeals arising in the process of certification of information technology objects and control over the operation of certified information technology objects; organizes periodic publication of information on the functioning of the certification system of information technology objects according to information security requirements.
2.3. The bodies for certification of information technology objects are accredited by the State Technical Commission of Russia and receive a license from it for the right to conduct certification of information technology objects. Such bodies may be industry and regional institutions, enterprises and organizations for information protection, special centers of the State Technical Commission of Russia.
2.4. Certification bodies:
certify information technology objects and issue «Certificates of Conformity»; monitor the security of information circulating at certified information technology objects and their operation; cancel and suspend the «Certificates of Conformity» issued by this body; form a fund of regulatory and methodological documentation necessary for the certification of specific types of information technology objects, participate in their development; maintain an information base of information technology objects certified by this body; interact with the State Technical Commission of Russia and inform it quarterly of their activities in the field of certification.
2.5. Testing centers (laboratories) for certification of products according to information security requirements, at the request of applicants, conduct tests of uncertified products used at an information technology facility subject to mandatory certification, in accordance with the «Regulations on the certification of information security tools according to information security requirements».
2.6. Applicants:
prepare the information technology object for certification by implementing the necessary organizational and technical measures to protect information; involve certification bodies in organizing and conducting certification of the information technology object; provide certification bodies with the necessary documents and conditions for conducting certification; involve, where necessary, certification testing centers (laboratories) for testing non-certified information security tools used at the information technology object being certified; operate the information technology object in accordance with the terms and requirements established in the «Certificate of Conformity»; notify the certification body that issued the «Certificate of Conformity» of all changes in information technologies, the composition and placement of information technology tools and systems, and the conditions of their operation that may affect the effectiveness of information security measures and means (the list of characteristics that determine information security, changes to which must be notified to the certification body, is provided in the «Certificate of Conformity»); provide the necessary documents and conditions for monitoring and supervising the operation of an information technology facility that has undergone mandatory certification.
3. PROCEDURE FOR CONDUCTING CERTIFICATION AND CONTROL
3.1. The procedure for conducting certification of IT facilities according to information security requirements includes the following actions: filing and reviewing an application for certification; preliminary familiarization with the facility being certified; testing of non-certified information security tools and systems used at the facility being certified (if necessary); development of a program and methodology for certification tests; conclusion of contracts for certification; conducting certification tests of the IT facility; registration, execution and issuance of the «Certificate of Conformity»; implementation of state control and supervision, inspection control over the certification and operation of certified IT facilities; consideration of appeals.
3.2. Submission and review of an application for certification.
3.2.1. In order to receive a «Certificate of Conformity», the applicant shall send in advance to the certification body an application for certification with the initial data on the certified information technology object according to the form given in Appendix 1.
3.2.2. The certification body shall review the application within one month and, based on the analysis of the initial data, select a certification scheme, agree it with the applicant and make a decision on conducting the certification of the information technology object.
3.3. Preliminary familiarization with the certified object.
If the initial data on the certified information technology object is insufficient, the certification scheme shall include work on preliminary familiarization with the certified object, carried out before the stage of certification tests.
3.4. Testing of non-certified information security tools and systems used at the certified information technology facility.
3.4.1. When using non-certified information security tools and systems at the certified information technology facility, the certification scheme may include work on testing them in test centers (laboratories) for certification of information security tools according to information security requirements or directly at the certified information technology facility using special control equipment and test tools.
3.4.2. Testing of individual non-certified information security tools and systems at test centers (laboratories) for certification shall be conducted prior to certification testing of information technology facilities. In this case, the applicant must submit the conclusions of the bodies for certification of information security tools on information security requirements and certificates by the start of the certification tests.
3.5. Development of the program and methodology for certification tests.
3.5.1. Based on the results of reviewing the application and analyzing the initial data, as well as preliminary familiarization with the certified object, the certification body develops a certification test program, which provides for a list of works and their duration, test methods (or standard methods are used), determines the quantitative and professional composition of the certification commission appointed by the body for certification of information technology objects, the need to use control equipment and test tools at the certified information technology object or to involve testing centers (laboratories) for certification of information security tools according to information security requirements.
3.5.2. The procedure, content, conditions and methods of testing for assessing the characteristics and indicators checked during certification, their compliance with established requirements, as well as the control equipment and test tools used for these purposes are defined in the test methods for various types of information technology objects.
3.5.3. The program of certification tests is agreed upon with the applicant.
3.6. Conclusion of contracts for certification.
3.6.1. The preparation stage ends with the conclusion of an agreement between the applicant and the certification body for conducting the certification, the conclusion of agreements (contracts) of the certification body with the experts involved and the execution of an order for the admission of the certification commission to conduct the certification.
3.6.2. Payment for the work of the members of the certification committee is made by the certification body in accordance with the concluded employment agreements (contracts) at the expense of financial resources from the concluded agreements for the certification of information technology objects.
3.7. Conducting certification tests of information technology objects.
3.7.1. At the stage of certification tests of an information technology object:
an analysis is carried out of the organizational structure of the information technology facility, information flows, composition and structure of the complex of technical means and software, the information protection system at the facility, the developed documentation and its compliance with the requirements of regulatory documentation on information protection; the correctness of the categorization of electronic computer facilities and the classification of automated systems (during certification of automated systems), the selection and application of certified and non-certified means and information protection systems is determined; testing of non-certified information security tools and systems at the certified facility or analysis of their test results in certification testing centers (laboratories) is carried out; the level of personnel training and the distribution of personnel responsibilities for ensuring compliance with information security requirements are checked; comprehensive certification tests of the information technology facility are carried out in real operating conditions by checking the actual compliance with the established requirements at various stages of the technological process of processing the protected information; test reports and a conclusion on the results of certification are drawn up with specific recommendations for eliminating the violations committed, bringing the information technology facility’s protection system into compliance with the established requirements and improving this system, as well as recommendations for monitoring the functioning of the information technology facility.
3.7.2. The conclusion on the certification results with a brief assessment of the IT object's compliance with the information security requirements, a conclusion on the possibility of issuing a «Certificate of Conformity» and the necessary recommendations is signed by the members of the certification committee and communicated to the applicant. Test reports confirming the results obtained during the tests and substantiating the conclusion given in the report are attached to the conclusion. The test reports are signed by the experts — members of the certification committee who conducted the tests. The conclusion and test reports are subject to approval by the certification body.
3.8. Registration, preparation and issuance of the «Certificate of Conformity».
3.8.1. The “Certificate of Conformity” for an information technology object that meets information security requirements is issued by the certification body in the form given in Appendix 2.
3.8.2. The «Certificate of Conformity» is drawn up and issued to the applicant after approval of the conclusion based on the results of the certification.
3.8.3. Registration of «Certificates of Conformity» is carried out according to industry or territorial criteria by certification bodies for the purpose of maintaining an information base of certified information technology objects and planning control and supervision activities. Maintenance of consolidated information bases of certified information technology objects is carried out by the State Technical Commission of Russia or, at its request, by one of the bodies supervising the certification and operation of certified objects.
3.8.4. The «Certificate of Conformity» is issued to the owner of the certified information technology object by the certification body for a period during which the immutability of the operating conditions of the information technology object and the technology for processing protected information that may affect the characteristics that determine the security of information (composition and structure of technical means, placement conditions, software used, information processing modes, means and measures of protection) is ensured, but not more than for 3 years. The owner of the certified information technology object is responsible for the fulfillment of the established operating conditions of the information technology object, the technology for processing protected information and the requirements for information security.
3.8.5. In the event of a change in the conditions and technology for processing protected information, the owners of certified objects are required to notify the certification body, which makes a decision on the need to conduct an additional check of the effectiveness of the information technology object’s security system.
3.8.6. If the certified object does not comply with the information security requirements and it is impossible to promptly eliminate the deficiencies noted by the certification committee, the certification body makes a decision to refuse to issue a «Certificate of Conformity». In this case, a period for re-certification may be proposed, provided that the deficiencies are eliminated. If there are comments of a non-fundamental nature, the «Certificate of Conformity» may be issued after checking whether these comments have been eliminated.
3.9. Consideration of appeals.
If the applicant disagrees with the refusal to issue a «Certificate of Conformity», he/she has the right to appeal to a higher certification body or directly to the State Technical Commission of Russia for additional consideration of the results obtained during testing, where it is considered within one month with the involvement of interested parties. The appellant is notified of the decision taken.
3.10. State control and supervision, inspection control over compliance with the rules for certification and operation of certified information technology objects.
3.10.1. State control and supervision, inspection control over the certification of information technology facilities is carried out by the State Technical Commission of Russia both during and upon completion of certification, and over the operation of certified information technology facilities — periodically in accordance with the work plans for control and supervision. The State Technical Commission of Russia may transfer some of its functions of state control and supervision over the certification and operation of certified information technology facilities to accredited certification bodies.
3.10.2. The scope, content and procedure for state control and supervision are established in the regulatory and methodological documentation on the certification of information technology facilities.
3.10.3. State control and supervision over compliance with certification rules includes checking the correctness and completeness of the activities carried out to certify information technology objects, the preparation and review by certification bodies of reporting documents and test reports, timely introduction of changes to regulatory and methodological documentation on information security, and inspection control over the operation of certified information technology objects.
3.10.4. In the event of gross violations by the certification body of the requirements of standards or other regulatory and methodological documents on information security, identified during control and supervision, the certification body may be deprived of its license for the right to conduct certification of information technology objects.
3.10.5. If a violation of the rules for the operation of certified information technology objects, the technology for processing protected information and the requirements for information security is detected, the body conducting control and supervision may suspend or cancel the «Certificate of Conformity», with this decision being recorded in the «Certificate of Conformity» and informing the body maintaining the consolidated information base of certified information technology objects and the State Technical Commission of Russia. The decision to cancel the «Certificate of Conformity» is adopted in cases where, as a result of prompt adoption of organizational and technical security measures, the required level of information security cannot be restored.
3.10.6. In case of gross violations by the certification body of the requirements of standards or other regulatory documents on information security approved by the State Technical Commission of Russia, revealed during control and supervision and leading to re-certification, the costs of implementing control and supervision may be recovered from the certification body by decision of the State Arbitration. Re-certification may also be carried out at the expense of this certification body.
3.10.7. The costs of implementing supervision over mandatory certification and operation of facilities that have passed mandatory certification are paid by the supervisory body from state budget funds allocated to it for these purposes.
4. REQUIREMENTS TO REGULATORY AND METHODOLOGICAL DOCUMENTS ON CERTIFICATION OF INFORMATIZATION FACILITIES 4.1. Information technology objects, regardless of the domestic or foreign hardware and software used, are certified for compliance with the requirements of state standards or other regulatory documents on information security approved by the State Technical Commission of Russia.
4.2. The composition of regulatory and methodological documentation for the certification of specific information technology objects is determined by the certification body depending on the type and operating conditions of the information technology objects based on an analysis of the initial data on the certified object.
4.3. Only those indicators, characteristics, and requirements that can be objectively verified are included in the normative documentation.
4.4. The normative and methodological documentation on test methods must contain references to the conditions, content, and procedure for conducting tests, the control equipment and test tools used in testing, which minimize the errors in test results and allow these results to be reproduced.
4.5. The texts of regulatory and methodological documents used in the certification of information technology objects must be formulated clearly and distinctly, ensuring their precise and uniform interpretation. They must contain an indication of the possibility of using the document to certify certain types of information technology objects according to information security requirements or information protection areas.
4.6. The official language of the certification system is Russian, in which all documents used and issued within the framework of the certification system are drawn up.
HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION V. Virkovsky
» November 24, 1994
Appendix 1
To:_______(name of the certification body and its address)________
APPLICATION
to conduct certification of the information technology object 1._________________(name of the applicant)__________________ requests to conduct certification of ________________ (name of the information technology object)___________________ for compliance with the information security requirements:_____________________2. The necessary initial data on the information technology object to be certified are attached.
3. The applicant is ready to provide the necessary documents and conditions for conducting the certification.
4. The applicant agrees to pay, on a contractual basis, the costs of all types of work and services for the certification of the information technology object specified in this application.
5. Additional conditions or information for the agreement:
5.1. I propose to conduct a preliminary familiarization with the certified object in the period ______________________________________________________________
5.2. I propose to conduct certification tests of the information technology object in the period _____________________________________________________ ________
5.3. Testing of non-certified information technology tools and systems ______(name of tools and systems)___________________________________________ is planned to be carried out in testing centers (laboratories)______(name of testing centers)___________________
during the period__________________
(or it is proposed to carry out directly at the certified facility during the period_____________).Other conditions (proposals).
seal
Head (of applicant's body) ________________________ (signature, date) (Surname, Initials)
to the form «Application…» Initial data on the certified information object are prepared on the basis of the following list of questions
1. Full and precise name of the information technology object and its purpose. 2. The nature (scientific and technical, economic, industrial, financial, military, political) and level of secrecy (confidentiality) of the processed information is determined (in accordance with what lists (state, industry, departmental, enterprise). 3. Organizational structure of the information technology facility. 4. List of premises, composition of the complex of technical means (main and auxiliary) included in the information technology facility, in which (on which) the specified information is processed (located in the premises where it circulates). 5. Features and layout of the information technology facility indicating the boundaries of the controlled zone. 6. Structure of software (general system and application) used at the certified information technology facility and intended for processing protected information, the information exchange protocols used. 7. General functional diagram of the information technology facility, including the information flow diagram and modes of processing protected information. 8. Availability and nature of interaction with other information technology facilities. 9. Composition and structure of the information security system at the certified information technology facility. 10. List of hardware and software tools in a secure design, protection and control tools used at the certified information technology facility and having the appropriate certificate, and an instruction for operation. 11. Information about the developers of the information security system, availability of licenses for such work from third-party developers (in relation to the enterprise where the certified information technology object is located). 12. Availability of an information security service, an administrator service (automated system, network, databases) at the information technology object (at the enterprise where the information technology object is located). 13. Availability and main characteristics of physical protection of the information technology object (premises where the protected information is processed and information media are stored). 14. Availability and readiness of design and operational documentation for the information technology object and other initial data on the certified information technology object that affect information security. Appendix 2
«APPROVED« ___________(position of the head of the certification body)_____________ m.p. Full name «____» _________ 19___ CERTIFICATE OF CONFORMITY ________(indicate the full name of the information object)____________ INFORMATION SECURITY REQUIREMENTS N _________ Valid until «____» _________ 19___ 1. This CERTIFICATE certifies that: __________(the full name of the information technology object is given)_____________
_______________category
_______________class
complies with the requirements of regulatory and methodological documentation on information security. The composition of the complex of technical means of the information technology facility (indicating factory numbers, model, manufacturer, certificate numbers), the layout scheme in the premises and relative to the boundaries of the controlled area, the list of software used, as well as means of protection (indicating the manufacturer and certificate numbers) are attached. 2. The organizational structure, the level of training of specialists, regulatory, methodological support and technical equipment of the information security service ensure control over the effectiveness of measures and means of protection and maintenance of the level of protection of the information technology facility during operation in accordance with the established requirements. 3. The certification of the information technology facility has been carried out in accordance with the program and methods of certification tests approved on ______________ 19__ N______ 4. Taking into account the results of certification tests, the information technology facility is permitted to process ______________(indicate the highest level of secrecy, confidentiality)________________ __________________________________________________ information. 5. When operating the information technology facility, it is prohibited to: ______________(indicate restrictions that may affect the effectiveness of information security measures and tools)________________________________________________ 6. Control over the effectiveness of the implemented security measures and tools is assigned to the information security service. 7. Detailed results of the certification tests are given in the conclusion of the certification commission (N __________»____»___________1996) and test protocols. 8. The «Certificate of Conformity» is issued for _____ years, during which the operating conditions of the information technology object and the technology for processing protected information that may affect the characteristics specified in paragraph 9 must remain unchanged. 9. List of characteristics, changes to which must be reported to the certification body 9.1.__________________________________________________________ 9.2.__________________________________________________________
Head of the Certification Commission ___________________(job title with the name of the enterprise)__________
__________Full name___________ «____» __________19___.
Notes of the supervisory authority: ______________________
1.1 Note. The information technology objects certified according to information security requirements are understood to be automated systems of various levels and purposes, communication, display and reproduction systems together with the premises in which they are installed, intended for processing and transmitting information subject to protection, as well as the premises themselves, intended for conducting confidential negotiations.