Standard regulation on the body for certification of information technology objects according to information security requirements.


APPROVED
By the Chairman of the State
Technical Commission under
the President of the Russian Federation

Y. Yashin
November 25, 1994

STANDARD REGULATION
on the body for certification of information technology facilities according to information security requirements

 

1. GENERAL PROVISIONS

1.1. This Model Regulation establishes general requirements for the body for certification of information technology objects according to information security requirements (hereinafter referred to as the certification body), its functions, rights, duties and responsibilities.

1.2. The standard regulation has been developed in accordance with the laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets», «Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», «GOST R Certification System», based on the «Regulations on the certification of information protection tools according to information security requirements», «Regulations on the certification of information technology objects according to information security requirements» and is intended for use in developing Regulations on specific certification bodies.

1.3. The certification body is an integral part of the organizational structure of the unified system of certification of information security tools and certification of information technology objects according to information security requirements.

1.4. The certification body may be formed from special centers of the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia), industry and regional institutions, enterprises and organizations for information security.

1.5. The certification body is accredited by the federal body for certification of information protection tools and certification of information technology objects according to information security requirements (hereinafter referred to as the «federal body for certification and attestation»), which is the State Technical Commission of Russia.

The accreditation rules are determined by the «Regulation on the accreditation of testing laboratories and bodies for certification of information protection tools according to information security requirements» in force in the certification and attestation system.

1.6. The certification body in its activities is guided by the legislation of the Russian Federation, state standards of Russia, regulatory and methodological documentation of the State Technical Commission of Russia.

1.7. The regulation on a specific certification body is developed on the basis of this Model Regulation, taking into account the legal status and the declared scope of accreditation.

The Regulation specifies the types of information technology objects for which the certification body applies for accreditation by the State Technical Commission of Russia.

The Regulation is signed by the head of the certification body, agreed upon with the head of the body carrying out accreditation, and approved by the head of the State Technical Commission of Russia.

1.8. The costs of carrying out all types of work and services for certification of information technology objects according to information security requirements, both in the case of mandatory and voluntary certification, are paid by applicants from the funds allocated for the development (revision) and commissioning of the protected information technology object.

1.9. The activities of the certification body accredited by the State Technical Commission of Russia are carried out on the basis of a license for certain types of activities (see the «Licensing Regulations») and an Accreditation Certificate (see the «Accreditation Regulations») issued to it for the right to conduct certification of information technology objects.

2. TASKS AND FUNCTIONS OF THE CERTIFICATION BODY

2.1. The main tasks of the certification body are to organize and conduct certification of information technology objects according to information security requirements, as well as to monitor the condition and operation of information technology objects certified by this body.

2.2. The certification body performs the following functions:

forms and maintains up-to-date the fund of normative and methodological documentation used in the certification of specific types of information technology objects;

considers applications for the certification of information technology objects, plans work on the certification of information technology objects and communicates the deadlines for conducting certification to applicants;

analyzes the initial data on certified objects and determines the certification scheme, decides on the need to conduct tests of non-certified products used at the certified object in testing centers (laboratories);

organizes work on the certification of information technology objects both on the basis of concluded contracts and other relationships determined at the enterprise and fixed in the Regulation on a specific body;

develops a program and, if necessary, methods for certification tests;

forms and dispatches (when carrying out certification work on orders from third-party applicants) certification committees of competent specialists in the areas of information protection necessary for a specific information technology facility, and involves specialists from certification testing centers (laboratories) in these committees in the event of testing information protection tools directly at the information technology facility being certified;

reviews the results of certification tests of the information technology object, approves the conclusion on the results of certification and issues the applicant a «Certificate of Conformity»;

when monitoring the condition and operation of certified information technology objects, checks the compliance of the actual operating conditions of the object and the technology for processing protected information with the conditions and technology under which the «Certificate of Conformity» was issued;

cancels and suspends the «Certificates of Conformity» issued by this body;

maintains an information base of information technology objects certified by this body;

interacts with the State Technical Commission of Russia and informs it of its activities in the field of certification.

3. ACTIVITIES OF CERTIFICATION COMMISSIONS

3.1. Certification commissions are formed by the body for certification of information technology objects from among both full-time employees of the certification body and specialists in various areas of information security of other enterprises and organizations in such a way as to ensure a comprehensive check of a specific protected information technology object in order to assess its compliance with the required level of information security.

3.2. If necessary, in the event of testing individual means and systems of information protection at the certified information technology facility, the certification committee shall include specialists from testing centers (laboratories) for certification of specific types of products.

3.3. The certification commissions shall include specialists competent in the relevant area of information protection, with experience in scientific and practical activities and control and verification work, who are not directly involved in the activities of applicants.

3.4. The permanent staff (personnel) of the certification body shall carry out their activities in accordance with job descriptions and must have the necessary qualifications and competence.

4. RIGHTS, RESPONSIBILITIES AND LIABILITIES OF THE CERTIFICATION BODY

4.1. The certification body has the right to:

engage the most competent specialists to work on certification commissions in the manner determined by the Regulation on a specific body;

establish deadlines, contract prices for conducting certification, and also establish other conditions of interaction or mutual settlements determined by the Regulation on a specific body;

refuse to certify an IT facility to an applicant, stating the reasons for the refusal and specific recommendations for conducting the certification;

participate in monitoring the condition and operation of an IT facility certified by this body;

revoke and suspend the «Certificate of Conformity» in the event of a violation by its owner of the conditions for the operation of the IT facility, the technology for processing protected information, and information security requirements.

4.2. The certification body is obliged to:

fully comply with all certification rules and procedures established by the fundamental documents of the certification and attestation system for information security requirements, organizational and methodological documents of this system and other documents submitted during accreditation;

recognize certificates for those information security tools for which their compliance with specific regulatory documents on the rules of this system has been proven;

when introducing a new standard for a previously certified tool into regulatory documents on information security tools, inform the manufacturer of the information security tools within one month of the time frame and procedure for introducing it, and also assist them in the timely implementation of certification work in accordance with the new standards;

inform the State Technical Commission of Russia of all changes that may lead to the need to consider the issue of accreditation and suspension of the license;

keep records of all complaints filed against certified information security tools and inform the State Technical Commission of Russia about this;

organize and conduct certification of the information technology facility within the timeframes established by the agreement with the applicant;

ensure the completeness and objectivity of the certification of the information technology object;

ensure the safety of state and commercial secrets during and upon completion of the certification of the information technology object, and compliance with copyright;

maintain an information base of information technology objects certified by this body;

submit quarterly to federal certification and attestation bodies information on the results of the attestation, as well as copies of the «Certificates of Conformity» for their registration;

admit, in accordance with the established procedure, representatives of control bodies to supervise the certification of information technology objects.

4.3. The certification body is responsible for:

compliance of the certification tests of the information technology object carried out by it with the requirements of standards and other regulatory and methodological documents on information security, as well as the reliability and objectivity of their results;

the completeness and quality of performance of the functions and duties assigned to it;

the formation and qualification of certification commissions;

compliance with the requirements of regulatory and methodological documents applicable to the certification procedure;

compliance with the established terms and conditions for certification, specified in the agreement with the applicant;

ensuring the safety of state and commercial secrets of the applicant;

compliance with applicable law.

HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL
COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION

V. Virkovsky

24 November 1994
