Standard Regulations on the Testing Laboratory.
APPROVED
by the Chairman of the State Technical Commission under the President of the Russian Federation
Y. Yashin
November 25, 1994
STANDARD REGULATION
on the testing laboratory
1. GENERAL PROVISIONS
1.1. These Standard Regulations establish the main functions, rights, obligations, responsibilities and other aspects of the testing laboratory's activities when conducting certification tests of information security tools.
1.2. The standard regulation has been developed in accordance with the laws of the Russian Federation «On Certification of Products and Services» and «On State Secrets», «Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels», based on the «GOST R Certification System» and the «Rules for conducting certification in the Russian Federation».
1.3. Testing laboratories are an integral part of the organizational structure of the information security certification system, the activities of which are organized by the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia).
1.4. Testing laboratories are accredited by the State Technical Commission of Russia in accordance with the «Regulations on the accreditation of testing laboratories and bodies for certification of information security tools according to information security requirements».
The testing laboratory must be a legal entity or its separate structural division, have trained specialists, the necessary testing base, guidelines and regulatory documents to carry out the entire range of work on certification of information security tools in its area of accreditation and meet the established requirements.
Accreditation is carried out only if there is a license from the State Technical Commission of Russia for the relevant types of activity.
Accreditation as a testing laboratory of enterprises subordinate to federal executive authorities is carried out upon the submission of these authorities.
1.5. The testing laboratory in its activities is guided by the legislation of the Russian Federation, state standards, regulatory and methodological documentation on issues of certification of information security tools, approved by the State Technical Commission of Russia.
1.6. The testing laboratory carries out its activities in accordance with the Regulation developed on the basis of this Model Regulation, taking into account the legal status and specific area of accreditation.
1.7. The management of the testing laboratory is carried out by the head (manager) of the testing laboratory (engineer, higher education), who is appointed in agreement with the certification body.
1.8. The testing laboratory must be staffed with specialists in testing, automation of testing and measurement processes, metrological support of testing, repair of testing equipment and measuring instruments, as well as in the technology of manufacturing information security tools and making changes to design documentation.
1.9. The testing laboratory must have a material and technical and metrological base sufficient for conducting certification tests within the established scope of accreditation.
1.10. The composition and qualifications of the testing laboratory personnel, the material and technical base, regulatory documentation and other information confirming the compliance of the testing laboratory with the requirements of this Model Regulation must be reflected in the Testing Laboratory Passport.
1.11. The form of the list of tests conducted by the testing laboratory and the nomenclature of information security tools assigned to the testing laboratory are given in the Appendix to this Model Regulation.
1.12. The costs of the testing laboratory for conducting certification tests are paid by applicants.
Payment for work on certification of specific information security tools is made in the manner established by the State Technical Commission of Russia in agreement with the Ministry of Finance of the Russian Federation, on the basis of concluded contracts.
2. TASKS AND FUNCTIONS OF THE TEST LABORATORY
2.1. The main tasks of the testing laboratory are:
conducting certification tests of information security tools for compliance with the requirements of regulatory documents approved by the State Technical Commission of Russia and State Standards;
conducting individual tests of information security tools on behalf of the State Technical Commission of Russia and certification bodies;
developing and submitting the necessary test methods for approval to the certification body;
conducting an examination of regulatory documentation in terms of controlled indicators, methods and testing tools.
2.2. The testing laboratory performs the following functions:
conducts tests of specific information security tools, prepares conclusions and protocols of certification tests;
selects samples of information security tools for certification tests;
participates in the preliminary inspection (certification) of the production of certified information security tools;
analyzes the reasons for non-compliance of information security tools submitted for testing with information security requirements;
develops and improves testing methods and programs, testing methods and tools, regulatory and technological documents for testing;
participates in conducting checks to control the stability of the manufacturing quality of tested information security tools (on behalf of the State Technical Commission of Russia and certification bodies);
participates in the preliminary inspection of the manufacturing conditions of types of certified information security tools assigned to the testing laboratory;
participates in the consideration of appeals on issues of certification of information security tools;
provides methodological and consulting assistance to testing departments of enterprises that produce information security tools assigned to the testing laboratory;
collects, stores, systematizes and submits to the certification body information on information security tools (products) tested in the testing laboratory. The information received must be used strictly confidentially (without violating the applicant's property rights to the product, including its copyright and the right to protect commercial secrets);
analyzes foreign experience in conducting the types of tests assigned to the testing laboratory, on the requirements for protective equipment and on testing methods.
Based on the results of the tests conducted, the testing laboratory prepares and submits to the certification body (copies — to the applicant):
test reports with a conclusion on the compliance (or non-compliance) of the tested information security tools with the established test safety requirements. Test reports with a conclusion are the main mandatory document when deciding on the compliance of the product with the information security requirements;
regulatory documentation examination report.
3. RIGHTS, RESPONSIBILITIES AND LIABILITIES OF THE TEST LABORATORY
3.1. The testing laboratory, within the established scope of accreditation, has the right to:
conclude contracts for the performance of work;
develop the form of test reports, the procedure for their execution and signing, ensuring an objective assessment and reflection of the results of the tests performed;
in case of negative test results, at the initiative of the applicant, conduct a survey of manufacturers of information security equipment in order to issue recommendations for changing the technology of their manufacture, making changes to the technical and design documentation for information security equipment;
subcontract some of the certification tests to other testing laboratories in agreement with the applicant and the certification body;
promote the work of the testing laboratory;
in agreement with the applicant, retain samples of the information security tools being certified.
3.2. The testing laboratory is obliged to:
perform the functions stipulated by this Model Regulation;
ensure the completeness and objectivity of the tests, the reliability and accuracy of their results;
comply with the procedure and timeframes for conducting tests agreed with the applicant, as well as the conditions that ensure the confidentiality of their conduct;
ensure conditions that prevent the distribution of the certified product in violation of the procedure established by law;
ensure the safety of state secrets in accordance with the requirements of current regulatory documents;
provide, where necessary, access for representatives of the applicant and regulatory authorities to the premises or test sites (areas) to observe the tests being carried out;
submit an annual report on the results of their activities to the certification body;
ensure that the technical condition of the control and measuring equipment and test equipment complies with the requirements of the operational documentation, ensure their timely verification and certification;
ensure that production facilities for testing are maintained in accordance with sanitary and hygienic standards and regulations, safety and environmental protection requirements, and test method requirements;
promptly notify the certification body of any changes in the status and technical equipment of the testing laboratory.
For each category of specialists in the testing laboratory, there must be job descriptions establishing their functions, duties, rights and responsibilities, requirements for the quality of work, education, technical knowledge and work experience.
Employees of the testing laboratory directly involved in testing must be certified for the right to conduct them within the framework of the current certification procedure.
Systematic advanced training of testing laboratory specialists must be ensured through internships in relevant institutes for advanced training, laboratories and centers.
The testing laboratory must have documentation that includes:
state and international regulatory documents governing technical requirements and testing methods for protection equipment for compliance with information security requirements;
programs and methods for certification testing of security equipment for compliance with information security requirements;
schedules for verification and certification of control and measuring equipment and test equipment;
methods for certification of test equipment and verification of non-standardized measuring instruments;
documentation on the operation of test equipment;
work logs, test reports and copies of issued reports on test results.
The testing laboratory must have equipped premises for receiving, storing and sending samples submitted for testing, in accordance with the requirements of the regulatory documentation for them.
3.3. The testing laboratory is responsible for:
correctness and completeness of the functions and duties assigned to the testing laboratory;
correctness and completeness of the tests, objectivity, accuracy and reliability of their results and conclusions;
compliance with the requirements of regulatory documents (national and international) imposed on the procedure and rules of testing;
the safety and operability of information security tools submitted for certification testing;
meeting the established deadlines for testing, processing and registration of their results;
timely renewal of accreditation for the right to conduct certification tests;
preservation of information constituting a state or commercial secret of the applicant;
observance of the applicant's property rights to the tested information protection tools, including its copyright.
Responsibility is regulated by current legislation, decrees of the Government of the Russian Federation, and regulatory acts of the State Technical Commission of Russia.
HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
V. Virkovsky
November 24, 1994