Regulations on the certification of information technology objects according to information security requirements.
«APPROVED»
By the Chairman of the State Technical Commission under the President of the Russian Federation
Yu. Yashin
«25» November 1994
REGULATION
on certification of information technology objects according to information security requirements
Moscow
1994
Contents:
- General Provisions
- Organizational Structure of the Certification System of Information Technology Objects According to the Requirements of Information Security
- Procedure for conducting certification and control
- Requirements for regulatory and methodological documents on certification of information technology objects
- Appendix 1
- Appendix 2
1. GENERAL PROVISIONS
1.1. These Regulations establish the basic principles, organizational structure of the system of certification of information technology objects according to information security requirements, the procedure for conducting certification, as well as control and supervision over the certification and operation of certified information technology objects.
1.2. This Regulation has been developed in accordance with the laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets», and with the «Regulation on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», the «Regulation on state licensing of activities in the field of information protection», the «Regulation on the certification of information protection tools according to information security requirements» and the «GOST R Certification System».
1.3. The system of certification of information technology objects according to information security requirements (hereinafter referred to as the certification system) is an integral part of the unified system of certification of information protection tools and certification of information technology objects according to information security requirements and is subject to state registration in accordance with the procedure established by the State Standard of Russia. The activities of the certification system are organized by the federal body for certification of products and certification of information technology objects according to information security requirements (hereinafter referred to as the federal body for certification and certification), which is the State Technical Commission of Russia.
1.4. Certification of information technology objects is understood as a set of organizational and technical measures, as a result of which, by means of a special document — «Certificate of Conformity» — it is confirmed that the object complies with the requirements of standards or other regulatory and technical documents on information security approved by the State Technical Commission of Russia.
The presence of a valid «Certificate of Conformity» at an information technology object gives the right to process information with the level of secrecy (confidentiality) and for the period of time established in the «Certificate of Conformity».
1.5. Mandatory certification is required for information technology objects intended for processing information constituting a state secret, managing environmentally hazardous objects, and conducting secret negotiations.
In other cases, certification is voluntary (voluntary certification) and can be carried out at the initiative of the customer or owner of the information technology object.
Certification according to information security requirements precedes the start of processing the information subject to protection and arises from the need for official confirmation of the effectiveness of the set of measures and means of information protection used at a specific information technology facility.
1.6. When certifying an information technology facility, its compliance with the requirements for protecting information from unauthorized access is confirmed, including from computer viruses, from leakage due to side electromagnetic radiation and interference during special impacts on the facility (high-frequency imposition and irradiation, electromagnetic and radiation impact), from leakage or impact on it due to special devices built into information technology facilities.
1.7. Certification provides for a comprehensive check (certification tests) of the protected information technology object in real operating conditions in order to assess the compliance of the applied set of measures and means of protection with the required level of information security.
1.8. Certification is carried out by the certification body in the manner established by this Regulation in accordance with the scheme selected by this body at the stage of preparation for certification from the following main list of works:
- analysis of initial data on the certified information technology object;
- preliminary familiarization with the certified information technology object;
- conducting an expert examination of the information technology object and analysis of the developed documentation on information security at this object from the point of view of its compliance with the requirements of regulatory and methodological documentation;
- testing of individual information security tools and systems at the certified information technology facility using special control equipment and test tools;
- testing of individual information security tools and systems at test centers (laboratories) for certification of information security tools according to information security requirements;
- conducting comprehensive certification tests of the information technology facility under real operating conditions;
- analysis of the results of expert examination and comprehensive certification tests of the information technology object and approval of the conclusion on the results of certification.
1.9. Certification bodies are accredited by the State Technical Commission of Russia. The accreditation rules are determined by the «Regulation on the accreditation of testing laboratories and bodies for certification of information protection tools according to information security requirements» in force in the system.
The State Technical Commission of Russia may transfer the rights to accredit industry (departmental) certification bodies to other government bodies.
1.10. The costs of carrying out all types of work and services for mandatory and voluntary certification of information technology objects are paid by applicants.
Payment for work on mandatory certification is made in accordance with the contract at the approved rates, and in their absence — at the contract price in the manner established by the State Technical Commission of Russia in agreement with the Ministry of Finance of the Russian Federation.
The costs of carrying out all types of work and services for certification of information technology objects are paid by applicants from the financial resources allocated for the development (revision) and commissioning of the protected information technology object.
1.11. The bodies for certification of information technology objects are responsible for the performance of the functions assigned to them, ensuring the safety of state and commercial secrets, as well as for compliance with the copyrights of the developers of the information technology objects being certified and their components.
2. ORGANIZATIONAL STRUCTURE OF THE SYSTEM FOR CERTIFICATION OF INFORMATION TECHNOLOGY OBJECTS ACCORDING TO INFORMATION SECURITY REQUIREMENTS
2.1. The organizational structure of the system for certification of information technology objects shall consist of:
- federal body for certification of information protection means and certification of information technology objects according to information security requirements — State Technical Commission of Russia;
- bodies for certification of information technology objects according to information security requirements;
- test centers (laboratories) for certification of products according to information security requirements;
- applicants (customers, owners, developers of certified information technology objects).
2.2. The federal body for certification and certification performs the following functions:
- organizes mandatory certification of information technology objects;
- creates systems for certification of information technology objects and establishes rules for conducting certification in these systems;
- establishes the rules for accreditation and issuance of licenses for carrying out work on mandatory certification;
- organizes, finances the development and approves regulatory and methodological documents on the certification of information technology objects;
- accredits bodies for the certification of information technology objects and issues them licenses for carrying out certain types of work;
- implements state control and supervision over compliance with the certification rules and the operation of certified information technology objects;
- considers appeals arising in the process of certification of information technology objects and control over the operation of certified information technology objects;
- organizes periodic publication of information on the functioning of the system of certification of information technology objects according to information security requirements.
2.3. Bodies for certification of information technology objects are accredited by the State Technical Commission of Russia and receive a license from it for the right to conduct certification of information technology objects.
Such bodies may be industry and regional institutions, enterprises and organizations for information security, special centers of the State Technical Commission of Russia.
2.4. Certification bodies:
- certify information technology objects and issue «Certificates of Conformity»;
- monitor the security of information circulating at certified information technology objects and their operation;
- cancel and suspend the «Certificates of Conformity» issued by this body;
- form a fund of normative and methodological documentation necessary for certification of specific types of information technology objects, participate in their development;
- maintain an information base of information technology objects certified by this body;
- interact with the State Technical Commission of Russia and inform it quarterly about their activities in the field of certification.
2.5. Testing centers (laboratories) for certification of products according to information security requirements, at the request of applicants, conduct tests of uncertified products used at an information technology facility subject to mandatory certification, in accordance with the «Regulations on the Certification of Information Protection Tools According to Information Security Requirements».
2.6. Applicants:
- prepare the information technology facility for certification by implementing the necessary organizational and technical measures to protect information;
- involve certification bodies in organizing and conducting certification of the information technology facility;
- provide certification bodies with the necessary documents and conditions for conducting certification;
- involve, where necessary, certification testing centers (laboratories) for testing non-certified information security tools used at the information technology facility being certified;
- operate the information technology facility in accordance with the conditions and requirements established in the «Certificate of Conformity»;
- notify the certification body that issued the «Certificate of Conformity» of all changes in information technologies, the composition and placement of information technology tools and systems, and the conditions of their operation that may affect the effectiveness of information security measures and means (the list of characteristics that determine information security, changes to which must be reported to the certification body, is provided in the «Certificate of Conformity»);
- provide the necessary documents and conditions for the implementation of control and supervision over the operation of an information technology facility that has undergone mandatory certification.
3. PROCEDURE FOR CONDUCTING CERTIFICATION AND CONTROL
3.1. The procedure for conducting certification of information technology facilities according to information security requirements includes the following actions:
- submission and review of an application for certification;
- preliminary familiarization with the certified object;
- testing of non-certified information security tools and systems used at the certified object (if necessary);
- development of a program and methodology for certification tests;
- conclusion of contracts for certification;
- conducting certification tests of the information technology object;
- preparation, registration and issuance of the «Certificate of Conformity»;
- implementation of state control and supervision, inspection control over the certification and operation of certified information technology objects;
- consideration of appeals.
3.2. Submission and consideration of an application for certification.
3.2.1. In order to receive a «Certificate of Conformity», the applicant shall submit in advance to the certification body an application for certification with the initial data on the certified information technology object according to the form given in Appendix 1.
3.2.2. The certification body shall review the application within one month and, based on the analysis of the initial data, select a certification scheme, agree it with the applicant and make a decision on conducting the certification of the information technology object.
3.3. Preliminary familiarization with the object being certified.
If the initial data on the information technology object being certified is insufficient, the certification scheme shall include work on preliminary familiarization with the object being certified, carried out before the stage of certification tests.
3.4. Testing of non-certified information security tools and systems used at the certified information technology facility.
3.4.1. When using non-certified information security tools and systems at the certified information technology facility, the certification scheme may include work on testing them in test centers (laboratories) for certification of information security tools according to information security requirements or directly at the certified information technology facility using special control equipment and test tools.
3.4.2. Testing of individual non-certified information security tools and systems in certification testing centers (laboratories) is carried out before certification testing of information technology objects.
In this case, the applicant must submit the conclusions of the information security tools certification bodies on information security requirements and certificates by the start of certification testing.
3.5. Development of a program and methodology for certification testing.
3.5.1. Based on the results of reviewing the application and analyzing the initial data, as well as preliminary familiarization with the certified object, the certification body develops a certification test program, which provides for a list of works and their duration, test methods (or standard methods are used), determines the quantitative and professional composition of the certification commission appointed by the body for certification of information technology objects, the need to use control equipment and test tools at the certified information technology object or the involvement of testing centers (laboratories) for certification of information security tools according to information security requirements.
3.5.2. The procedure, content, conditions and methods of testing for assessing the characteristics and indicators checked during certification, their compliance with the established requirements, as well as the control equipment and test tools used for these purposes are defined in the test methods for various types of information technology objects.
3.5.3. The program of certification tests is agreed upon with the applicant.
3.6. Conclusion of contracts for certification.
3.6.1. The preparation stage ends with the conclusion of an agreement between the applicant and the certification body for conducting the certification, the conclusion of agreements (contracts) of the certification body with the experts involved and the execution of an order for the admission of the certification commission to conduct the certification.
3.6.2. Payment for the work of the members of the certification committee is made by the certification body in accordance with the concluded employment agreements (contracts) at the expense of financial resources from the concluded agreements for the certification of information technology objects.
3.7. Conducting certification tests of information technology objects.
3.7.1. At the stage of certification tests of the information technology object:
- an analysis of the organizational structure of the information technology facility, information flows, composition and structure of the complex of technical means and software, the information protection system at the facility, the developed documentation and its compliance with the requirements of regulatory documentation on information protection is carried out;
- the correctness of the categorization of electronic computer facilities and the classification of automated systems (during certification of automated systems), the selection and use of certified and non-certified means and information protection systems is determined;
- testing of non-certified information security tools and systems at the certified facility or analysis of the results of their testing in certification testing centers (laboratories) is carried out;
- the level of personnel training and the distribution of personnel responsibilities for ensuring compliance with information security requirements are checked;
- comprehensive certification tests of the information technology object are carried out in real operating conditions by checking the actual fulfillment of the established requirements at various stages of the technological process of processing the protected information;
- test protocols and a conclusion on the results of certification are drawn up with specific recommendations for eliminating the violations committed, bringing the protection system of the information technology object into compliance with the established requirements and improving this system, as well as recommendations for monitoring the functioning of the information technology object.
3.7.2. The conclusion on the results of certification with a brief assessment of the conformity of the information technology object with the requirements for information security, a conclusion on the possibility of issuing a «Certificate of Conformity» and the necessary recommendations is signed by the members of the certification committee and communicated to the applicant.
The conclusion is accompanied by test reports confirming the results obtained during the tests and substantiating the findings set out in the conclusion.
The test reports are signed by the experts — members of the certification committee who conducted the tests.
The conclusion and test protocols are subject to approval by the certification body.
3.8. Preparation, registration and issuance of the «Certificate of Conformity».
3.8.1. The «Certificate of Conformity» for an information technology object that meets information security requirements is issued by the certification body in the form given in Appendix 2.
3.8.2. The «Certificate of Conformity» is prepared and issued to the applicant after approval of the conclusion based on the certification results.
3.8.3. Registration of «Certificates of Conformity» is carried out according to industry or territorial criteria by certification bodies for the purpose of maintaining an information base of certified information technology objects and planning control and supervision activities.
Maintenance of consolidated information bases of certified information technology objects is carried out by the State Technical Commission of Russia or, at its request, by one of the bodies supervising the certification and operation of certified objects.
3.8.4. The «Certificate of Conformity» is issued to the owner of the certified information technology object by the certification body for a period during which the immutability of the operating conditions of the information technology object and the technology for processing the protected information that may affect the characteristics that determine the security of information (composition and structure of technical means, placement conditions, software used, information processing modes, means and measures of protection) is ensured, but not more than for 3 years.
The owner of a certified information technology facility is responsible for fulfilling the established conditions for the operation of the information technology facility, the technology for processing protected information, and the requirements for information security.
3.8.5. In the event of a change in the conditions and technology for processing protected information, the owners of certified objects are obliged to notify the certification body, which makes a decision on the need to conduct an additional check of the effectiveness of the information technology object's security system.
3.8.6. If the certified object does not comply with the information security requirements and it is impossible to promptly eliminate the deficiencies noted by the certification committee, the certification body makes a decision to refuse to issue a «Certificate of Conformity».
In this case, a period for re-certification may be proposed, provided that the deficiencies are eliminated.
If there are any comments of a non-fundamental nature, the «Certificate of Conformity» may be issued after checking whether these comments have been eliminated.
3.9. Consideration of appeals.
If the applicant disagrees with the refusal to issue the «Certificate of Conformity», he/she has the right to appeal to a higher certification body or directly to the State Technical Commission of Russia for additional consideration of the results obtained during testing, where it is considered within one month with the involvement of interested parties. The appellant is notified of the decision taken.
3.10. State control and supervision, inspection control over compliance with the rules for certification and operation of certified information technology objects.
3.10.1. State control and supervision, inspection control over the certification of information technology objects is carried out by the State Technical Commission of Russia both during and upon completion of certification, and for the operation of certified information technology objects — periodically in accordance with the work plans for control and supervision.
The State Technical Commission of Russia may transfer some of its functions of state control and supervision over certification and operation of certified information technology facilities to accredited certification bodies.
3.10.2. The scope, content and procedure for state control and supervision are established in the regulatory and methodological documentation on certification of information technology facilities.
3.10.3. State control and supervision over compliance with certification rules includes checking the correctness and completeness of the activities carried out to certify information technology objects, the preparation and review by certification bodies of reporting documents and test reports, timely introduction of changes to regulatory and methodological documentation on information security, and inspection control over the operation of certified information technology objects.
3.10.4. In the event of gross violations by the certification body of the requirements of standards or other regulatory and methodological documents on information security, identified during control and supervision, the certification body may be deprived of its license for the right to conduct certification of information technology objects.
3.10.5. If a violation of the rules for the operation of certified information technology objects, the technology for processing protected information and the requirements for information security is detected, the body conducting control and supervision may suspend or cancel the «Certificate of Conformity», with this decision being recorded in the «Certificate of Conformity» and informing the body maintaining the consolidated information base of certified information technology objects and the State Technical Commission of Russia.
A decision to cancel the «Certificate of Conformity» is adopted in cases where the required level of information security cannot be restored by the prompt adoption of organizational and technical protection measures.
3.10.6. In case of gross violations by the certification body of the requirements of standards or other regulatory documents on information security approved by the State Technical Commission of Russia, revealed during control and supervision and leading to re-certification, the costs of implementing control and supervision may be recovered from the certification body by decision of the State Arbitration. Re-certification may also be carried out at the expense of this certification body.
3.10.7. The costs of implementing supervision over mandatory certification and operation of facilities that have passed mandatory certification shall be paid by the supervisory body from state budget funds allocated to it for these purposes.
4. REQUIREMENTS FOR REGULATORY AND METHODOLOGICAL DOCUMENTS ON CERTIFICATION OF INFORMATION TECHNOLOGY OBJECTS
4.1. Information technology objects, regardless of the domestic or foreign hardware and software used, are certified for compliance with the requirements of state standards or other regulatory documents on information security approved by the State Technical Commission of Russia.
4.2. The composition of the normative and methodological documentation for the certification of specific information technology objects is determined by the certification body depending on the type and conditions of operation of the information technology objects based on the analysis of the initial data on the certified object.
4.3. The normative documentation includes only those indicators, characteristics, and requirements that can be objectively verified.
4.4. The regulatory and methodological documentation on test methods must contain references to the conditions, content and procedure for conducting tests, the control equipment and test tools used during testing, which minimize the errors in test results and allow these results to be reproduced.
4.5. The texts of regulatory and methodological documents used in the certification of information technology objects must be formulated clearly and distinctly, ensuring their precise and uniform interpretation. They must contain an indication of the possibility of using the document to certify certain types of information technology objects according to information security requirements or information protection areas.
4.6. The official language of the certification system is Russian, in which all documents used and issued within the framework of the certification system are drawn up.
HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
V. Virkovsky
«24» November 1994
Appendix 1
To:________________________________________________
(name of certification body and its address)
APPLICATION
for certification of an information technology object
1.______________________________________________________________
________________________________________________________________
(name of applicant)
requests certification of ________________________________________
________________________________________________________________
________________________________________________________________
(name of the information technology object)
for compliance with information security requirements:_______________
_________________________________________________________________
_________________________________________________________________
2. The necessary initial data on the certified information technology object are attached.
3. The applicant is ready to provide the necessary documents and conditions for conducting the certification.
4. The applicant agrees to pay, on a contractual basis, the costs of all types of work and services for the certification of the information technology object specified in this application.
5. Additional conditions or information for the contract:
5.1. I propose to conduct a preliminary familiarization with the certified object during the period ________________________________________________________________
5.2. I propose to conduct certification tests of the information technology object during the period ________________________________________________________________
5.3. Testing of non-certified information technology tools and systems _________________________________________________________________
_________________________________________________________________
(name of tools and systems)
is planned to be carried out in testing centers (laboratories) ________________________________________________________________
________________________________________________________________
(name of testing centers)
during the period __________________
(or is proposed to be carried out directly at the certified object during the period _____________).
Other conditions (proposals).
Head (of the applicant's body) ____________ ____________ (signature, date) (Surname, Initials)
Appendix
to the «Application…» form
Initial data on the certified information object are prepared on the basis of the following list of questions:
1. Full and exact name of the information object and its purpose.
2. The nature (scientific and technical, economic, industrial, financial, military, political) and level of secrecy (confidentiality) of the processed information, and the lists (state, industry, departmental, enterprise) in accordance with which they are determined.
3. Organizational structure of the informatization object.
4. List of premises, composition of the complex of technical means (main and auxiliary) included in the information technology facility, in which (on which) the specified information is processed (located in the premises where it circulates).
5. Features and layout of the information technology facility indicating the boundaries of the controlled area.
6. Structure of software (general system and application) used at the certified information technology facility and intended for processing the protected information, the information exchange protocols used.
7. General functional diagram of the information technology facility, including the diagram of information flows and modes of processing the protected information.
8. Availability and nature of interaction with other information technology objects.
9. Composition and structure of the information security system at the information technology object being certified.
10. List of hardware and software in a secure design, means of protection and control used at the information technology object being certified and having the appropriate certificate, and an instruction for operation.
11. Information about the developers of the information security system, whether third-party developers (in relation to the enterprise where the certified information technology facility is located) have licenses to carry out such work.
12. Availability of an information security service, an administrator service (automated system, network, databases) at the information technology facility (at the enterprise where the information technology facility is located).
13. Availability and main characteristics of physical protection of the information technology facility (premises where the protected information is processed and information media are stored).
14. Availability and readiness of design and operational documentation for the information technology object and other initial data on the certified information technology object that affect information security.
Appendix 2
«APPROVED»
_____________________________________________
(position of the head of the certification body)
__________________ ____________________
(seal) Full name
«____» _________ 19___
CERTIFICATE OF CONFORMITY
_____________________________________________________________
(the full name of the information object is indicated)
INFORMATION SECURITY REQUIREMENTS
N_____
Valid until «____» _________ 19___
1. This CERTIFICATE certifies that:
________________________________________________________________
________________________________________________________________
(the full name of the information technology object is given)
______________________________ category _______________ class
complies with the requirements of regulatory and methodological documentation on information security.
The composition of the complex of technical means of the information technology facility (indicating factory numbers, model, manufacturer, certificate numbers), the layout of the premises and relative to the boundaries of the controlled area, the list of software used, as well as security means (indicating the manufacturer and certificate numbers) are attached.
2. The organizational structure, the level of training of specialists, regulatory, methodological support and technical equipment of the information security service ensure control over the effectiveness of measures and means of protection and maintenance of the level of security of the information technology facility during operation in accordance with the established requirements.
3. Certification of the information technology facility is carried out in accordance with the program and methods of certification tests approved by «____»__________ 19__. N______
4. Taking into account the results of certification tests at the information technology facility, processing of ________________________________________________________________
______________________________________________________________ information is permitted.
(indicates the highest level of secrecy, confidentiality)
5. When operating an information technology facility, it is prohibited:
________________________________________________________________
(indicates restrictions that may affect the effectiveness of measures and means of protecting information)
6. Control over the effectiveness of implemented measures and means of protection is assigned to the information security service.
7. Detailed results of the certification tests are given in the conclusion of the certification commission (No. _____ «___»________19) and test protocols.
8. The «Certificate of Conformity» is issued for _____ years, during which the operating conditions of the information technology object and the technology for processing protected information that may affect the characteristics specified in clause 9 must remain unchanged.
9. List of characteristics, changes to which must be reported to the certification body:
9.1__________________________________________________________
9.2__________________________________________________________
Head of the certification commission
___________________________________________________
(job title with the name of the enterprise)
_____________________
Full name
«____» __________19___
Notes of the supervisory authority: ______________________