State Customs Committee under the President of the Russian Federation. Regulations On the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels.
Approved by Resolution of the Council of Ministers —
Government of the Russian Federation dated
September 15, 1993
No. 912-51
State Technical Commission under the President of the Russian Federation
REGULATION
«On the state system of information protection in the Russian Federation from foreign technical intelligence services and from its leakage through technical channels»
(Extracts)
I. GENERAL PROVISIONS
1. This regulation is a document that is mandatory for execution when carrying out work on the protection of information containing data constituting a state or official secret, in the bodies (apparatuses, administrations) of the representative, executive and judicial authorities of the Russian Federation, republics within the Russian Federation, autonomous region, autonomous okrugs, territories, regions, the cities of Moscow and St. Petersburg and in local government bodies (hereinafter referred to as «state authorities»), at enterprises and their associations, institutions and organizations regardless of their organizational and legal form and form of ownership (hereinafter referred to as «enterprises»).
2. The Regulation defines the structure of the state information protection system in the Russian Federation, its tasks and functions, the principles of organizing the protection of information classified in the established manner as a state or official secret, from foreign technical intelligence services and from leakage through technical channels (hereinafter referred to as «information protection»).
3. Work on information protection in government bodies and enterprises is carried out on the basis of the legislative acts of the Russian Federation.
4. Information protection is carried out by implementing a set of measures to prevent information leakage through technical channels, unauthorized access to it, preventing deliberate software and hardware impacts with the purpose of destroying (destroying) or distorting information during processing, transmission and storage, counteracting foreign technical intelligence, as well as by carrying out special work, the procedure for organizing and implementing which is determined by the Council of Ministers — the Government of the Russian Federation.
5. Information protection measures are an integral part of management, scientific and production activities and are carried out in conjunction with other measures to ensure the established secrecy regime for the work being carried out.
6. The main areas of work on information protection are:
ensuring effective management of the information security system;
defining information protected from technical intelligence and unmasking features that reveal this information;
analysis and assessment of the real danger of interception of information by technical means of reconnaissance, unauthorized access, destruction (destruction) or distortion of information by deliberate software and hardware impacts during its processing, transmission and storage in technical means, identification of possible technical channels of information leakage subject to protection;
development of organizational and technical measures for information protection and their implementation;
organization and implementation of control over the state of information protection.
7. The main organizational and technical measures for information protection are:
licensing of the activities of enterprises in the field of information protection;
certification of facilities for compliance with requirements for ensuring information security when working with information of the appropriate level of secrecy;
certification of information security tools and control over its effectiveness, information technology and communication systems and tools in terms of information security from leakage through technical channels;
categorization of weapons and military equipment, enterprises (facilities) according to the degree of importance of information security in defense, economic, political, scientific and technical and other areas of state activity;
ensuring conditions for the protection of information in the preparation and implementation of international treaties and agreements;
notification of flights of space and air vehicles, ships and vessels conducting reconnaissance of objects (interception of information subject to protection) located on the territory of the Russian Federation;
introduction of territorial, frequency, energy, spatial and temporal restrictions in the modes of use of technical means subject to protection;
creation and application of information and automated control systems in a secure design;
development and implementation of technical solutions and elements of information protection in the creation and operation of weapons and military equipment, in the design, construction (reconstruction) and operation of facilities, systems and means of information and communication;
development of means of information protection and control over its effectiveness (special and general application) and their use;
application of special methods, technical measures and means of protection that exclude the interception of information transmitted via communication channels.
8. Specific methods, techniques and measures for protecting information are developed depending on the degree of possible damage in the event of its leakage, destruction (annihilation).
9. Carrying out any activities and work using information classified as a state or official secret without taking the necessary measures to protect the information is not permitted.
II. STATE INFORMATION PROTECTION SYSTEM
10. The main tasks of the state information protection system:
implementing a unified technical policy, organizing and coordinating work on information protection in defense, economic, political, scientific, technical and other areas of activity;
exclusion or significant obstruction of obtaining information by technical means of intelligence, as well as prevention of its leakage through technical channels, unauthorized access to it, prevention of deliberate software and technical influences with the purpose of destruction (annihilation) or distortion of information in the process of its processing, transmission and storage;
adoption, within the limits of competence, of legal acts regulating relations in the field of information protection;
analysis of the state and forecasting of the capabilities of technical intelligence equipment and methods of their use, formation of a system of information exchange on the awareness of foreign intelligence services;
organization of forces, creation of means of information protection and control over its effectiveness;
control of the state of information protection in government bodies and at enterprises.
18. The organization of work on information protection at enterprises is carried out by their managers.
Depending on the scope of work on information protection, the head of the enterprise creates a structural division for information protection or appoints full-time specialists on these issues.
Information security departments (staff specialists) at enterprises implement information security measures during the execution of work using information classified as a state or official secret, determine the main areas of comprehensive information security together with the customer of the work, participate in the coordination of technical (tactical and technical) assignments for the performance of work, and provide an opinion on the possibility of performing work with information containing information classified as a state or official secret.
The specified departments (staff specialists) report directly to the head of the enterprise or his deputy. The employees of these departments (staff specialists) are equal in terms of wages to the corresponding categories of employees of the main structural divisions.
Specialized enterprises that have licenses for the right to carry out work in the field of information protection may be engaged on a contractual basis to carry out work on information protection.
19. Enterprises that intend to engage in activities in the field of information protection must obtain an appropriate license for a specific type of this activity. Licenses are issued by the State Technical Commission of Russia and the Federal Agency for Government Communications and Information in accordance with their competence upon the submission of a government agency.
20. Higher educational institutions and institutes for advanced training in the training and retraining of personnel in the field of information security carry out:
primary training of specialists in comprehensive information security;
retraining (advanced training) of specialists in information security of government bodies and enterprises;
improving the knowledge of heads of government bodies and enterprises in the field of information security.
Training of personnel for the state information security system is carried out under the methodological guidance of the State Technical Commission of Russia.
III. ORGANIZATION OF INFORMATION SECURITY IN SYSTEMS AND MEANS OF INFORMATIZATION AND COMMUNICATION
21. The protection of information in information technology and communication systems and means is an integral part of the work on their creation and operation and is carried out in all government bodies and enterprises that have information containing data classified as a state or official secret.
22. Requirements for information protection in information technology and communication systems and means are determined by customers together with developers at the stage of preparation and approval of decisions of the Council of Ministers-Government of the Russian Federation, orders and directives, work plans and programs, technical and tactical-technical assignments for conducting research, development (modernization), testing, production and operation (use) based on standards, normative-technical and methodological documents approved by the Committee of the Russian Federation for Standardization, Metrology and Certification, the State Technical Commission under the President of the Russian Federation and other government bodies in accordance with their competence. The specified requirements are agreed with the information protection departments.
23. The organization of information security in information technology and communication systems and means is assigned to the heads of government bodies and enterprises, customers and developers of information technology and communication systems and means, heads of departments operating these systems and means, and responsibility for ensuring information security lies directly with the user (consumer) of the information.
24. In the interests of ensuring information security in information technology and communication systems and means, THE FOLLOWING SHOULD BE PROTECTED:
information resources containing information classified as a state or official secret, presented in the form of magnetic and optical media, information physical fields, information arrays and databases;
information technology tools and systems (computer technology tools, information and computing complexes, networks and systems), software (operating systems, database management systems, other general system and application software), automated control systems, communication and data transmission systems, technical means of receiving, transmitting and processing information (sound recording, sound amplification, sound reproduction, intercom and television devices, means of producing, replicating documents and other technical means of processing graphic, semantic and alphanumeric information) used to process information containing data classified as a state or official secret;
technical means and systems that do not process information, but are located in premises where information is processed (circulated) containing data classified as a state or official secret, as well as the premises themselves, intended for conducting secret negotiations.
25. The objectives of information protection are:
prevention of information leakage through technical channels;
prevention of unauthorized destruction, distortion, copying, blocking of information in information systems;
compliance with the legal regime for the use of arrays, information processing programs, ensuring the completeness, integrity, and reliability of information in its processing systems;
preserving the ability to manage the process of processing and using information.
26. Information protection is carried out by:
preventing the interception by technical means of information transmitted via communication channels;
preventing leakage of processed information due to side electromagnetic radiation and interference created by operating technical means, as well as electroacoustic transformations;
preventing unauthorized access to information processed or stored in technical means;
preventing special software and hardware impacts that cause destruction, annihilation, distortion of information or failures in the operation of information technology;
detecting electronic devices for intercepting information (e.g. bugs) that may have been introduced into facilities and technical means;
preventing the interception of speech information from premises and objects by technical means.
Preventing the interception of information transmitted via communication channels by technical means is achieved by using cryptographic and other methods and means of protection, as well as by carrying out organizational, technical and security measures.
Prevention of leakage of processed information due to side electromagnetic radiation and interference created by operating technical means, as well as electroacoustic transformations, is achieved by using protected technical means, hardware protection, active countermeasures, shielding of buildings or individual premises, establishing a controlled zone around information technology equipment and other organizational and technical measures.
Preventing unauthorized access to information processed or stored in technical means is achieved by using special software and hardware protection tools, using cryptographic protection methods, as well as organizational and security measures.
Preventing special software and hardware impacts that cause destruction, annihilation, distortion of information or failures in the operation of information technology tools is achieved by using special software and hardware protection tools (anti-virus processors, anti-virus programs), organizing a software security control system.
The detection of electronic devices for intercepting information (bugs) possibly introduced into facilities and technical means is achieved by conducting special checks to detect these devices.
Prevention of interception of speech information from premises and facilities by technical means is achieved by using special means of protection, design solutions that ensure soundproofing of premises, detection of special eavesdropping devices and other organizational and security measures.
27. Information containing data classified as a state or official secret must be processed using secure systems and means of information technology and communication or using technical and software protection tools certified in accordance with the established procedure.
The compliance of the hardware and its software with the security requirements is confirmed by a certificate issued by an enterprise licensed for this type of activity, based on the results of certification tests, or by an order for operation, issued based on the results of special studies and special checks of the hardware and software.
To assess the readiness of information and communication systems and means for processing (transmitting) information containing information classified as a state or official secret,
certification of the specified systems and means in real operating conditions is carried out for compliance of the adopted methods, measures and means of protection with the required level of information security.
VI. MONITORING THE STATE OF INFORMATION PROTECTION
47. Monitoring the state of information protection is carried out for the purpose of timely detection and prevention of information leakage through technical channels, unauthorized access to it, deliberate software and hardware impacts on information and assessment of its protection from foreign technical intelligence.
Control consists of checking the implementation of the Russian Federation legislation on information protection issues, decisions of the State Technical Commission under the President of the Russian Federation, as well as assessing the validity and effectiveness of the adopted security measures to ensure compliance with the approved requirements and standards for information protection.
48. Control is organized by the State Technical Commission of Russia, the Ministry of Security of the Russian Federation, the Ministry of Internal Affairs of the Russian Federation, the Ministry of Defense of the Russian Federation, the Foreign Intelligence Service of the Russian Federation, the Federal Agency for Government Communications and Information under the President of the Russian Federation, structural and inter-industry divisions of government bodies that are part of the state information security system, and enterprises in accordance with their competence.
Reports on inspections of enterprises are sent to the body that conducted the inspection and to the government body where the enterprise is subordinate.
49. The State Technical Commission of Russia organizes control by the central office and special centers subordinate to it in a special respect. It may involve for these purposes the information protection units of state authorities.
The central office of the State Technical Commission of Russia carries out, within the limits of its competence, control in state authorities and at enterprises, provides methodological guidance for control work (with the exception of facilities and technical means, the protection of which is within the competence of the Ministry of Defense of the Russian Federation, the Ministry of Internal Affairs of the Russian Federation, the Federal Security Service of the Russian Federation, the Foreign Intelligence Service of the Russian Federation, the Federal Agency for Government Communications and Information, and the Main Directorate for Security of the Russian Federation).
Special centers, subordinate in a special relationship to the State Technical Commission under the President of the Russian Federation, within the limits of their competence, carry out control in government bodies and at enterprises located in the areas of responsibility of these centers.
Control in government bodies by the central office of the State Technical Commission under the President of the Russian Federation and special centers subordinate in a special respect to the State Technical Commission under the President of the Russian Federation is carried out in agreement with the relevant government bodies.
50. Government bodies organize and carry out control at enterprises subordinate to them through their information protection departments. Daily control over the state of information protection at enterprises is carried out by their information protection departments.
51. Control at non-governmental enterprises during the performance of work using information classified as a state or official secret is carried out by government agencies, the State Technical Commission of Russia, the Federal Grid Company of the Russian Federation, the Federal Agency for Government Communications and Information (FAPSI) and the customer of the work in accordance with their competence.
52. Information protection is considered effective if the measures taken comply with the established requirements or standards.
Non-compliance of measures with the established requirements or standards for information protection is a violation.
VIOLATIONS are divided into THREE CATEGORIES according to their degree of importance:
FIRST — failure to comply with requirements or standards for the protection of information, as a result of which there was or is a real possibility of its leakage through technical channels;
SECOND — failure to comply with requirements for the protection of information, as a result of which the preconditions for its leakage through technical channels are created;
THIRD — failure to comply with other requirements for the protection of information.
53. Upon detection of violations of the first category, heads of government bodies and enterprises are obliged to:
immediately stop work at the site (workplace) where violations were discovered and take measures to eliminate them;
organize, in accordance with the established procedure, an investigation into the causes and conditions of the occurrence of violations in order to prevent them in the future and bring the guilty parties to justice;
report to the State Technical Commission under the President of the Russian Federation, the management of the state authority, the federal state security agency and the customer about the violations discovered and the measures taken.
Resumption of work is permitted after the violations have been eliminated and the adequacy and effectiveness of the measures taken has been verified by the State Technical Commission under the President of the Russian Federation or, at its request, by the information security departments of government agencies.
If violations of the second and third categories are detected, the heads of the inspected state authorities and enterprises must take measures to eliminate them within the timeframes agreed upon with the body that conducted the inspection or the customer (representative of the customer). Control over the elimination of these violations is carried out by the information security departments of these state authorities and enterprises.
54….
Admission of representatives of the central office of the State Technical Commission under the President of the Russian Federation, special centers subordinate to it in a special respect, to facilities for monitoring the state of information protection, their access to works and documents necessary for monitoring, is carried out in the established manner upon presentation of a special certificate of a representative of the State Technical Commission under the President of the Russian Federation and an order for the right to conduct an inspection of this facility. Admission to military facilities is carried out with the permission of the Chief of the General Staff of the Armed Forces of the Russian Federation.
Orders for the right to check the state of information protection are issued:
for objects of state authorities — the chairman of the State Technical Commission under the President of the Russian Federation (deputy chairman);
for enterprises throughout the territory of the Russian Federation — the head of the inspection of the State Technical Commission under the President of the Russian Federation;
for enterprises within the established areas of responsibility — the heads of special centers subordinate in a special respect to the State Technical Commission under the President of the Russian Federation;
for subordinate enterprises — by heads of government bodies.
VII. FINANCING OF INFORMATION PROTECTION MEASURES
55. Financing of measures to protect information containing data classified as a state or official secret, as well as information protection units in government bodies and at budgetary enterprises, is provided for in the cost estimates for their maintenance.
56. The creation of technical means of information protection that do not require capital investments is carried out within the limits of funds allocated by customers for research and development work related to product development. The costs of developing technical means of protection include the cost of developing a product sample.
The creation of technical means of information protection, requiring capital investments, is carried out within the limits of funds allocated to customers for the construction of a structure or facilities.