Temporary regulations on the organization of development, manufacture and operation of software and technical means of protecting information from unauthorized access in automated systems and computing equipment.
GUIDELINES DOCUMENT
TEMPORARY REGULATION
ON THE ORGANIZATION OF DEVELOPMENT, MANUFACTURING AND OPERATION OF SOFTWARE AND HARDWARE MEANS OF INFORMATION PROTECTION FROM UNAUTHORIZED ACCESS IN AUTOMATED SYSTEMS AND COMPUTING EQUIPMENT
Abbreviations used:
AS — automated system
VD — temporary document
ZAS — classified communications equipment
KSZ — complex of security tools
NSD — unauthorized access
NTD — normative and technical documentation
OS — operating system
PPP — application program package
PRD — access control rules
RD — guidance document
SVT — computing equipment
ISP — information security system
ISP NSD — information protection system from unauthorized access
SZSI — system for protecting classified information
SNTP — special scientific and technical division
SRD — access control system
DBMS — database management system
TOR — technical assignment
COMPUTER — electronic computer
ECT — electronic computing equipment
1. GENERAL PROVISIONS
1.1. These Regulations establish a uniform procedure for research and development in the Russian Federation in the field of:
protection of information processed by automated systems of various levels and purposes from unauthorized access;
creation of general-purpose and special-purpose computing equipment protected from leakage, distortion, or destruction of information due to unauthorized access[1], including software and hardware for protecting information from unauthorized access;
creation of software and hardware means of protecting information from unauthorized access as part of systems for protecting classified information in the AS being created.
1.2. The Regulation defines the following main issues:
- the organizational structure and procedure for carrying out work on protecting information from unauthorized access and interaction at the state level;
- the system of state regulations, standards, guidelines and requirements on this issue;
- the procedure for the development and acceptance of secure computer equipment, including software and hardware (in particular, cryptographic) means and systems for protecting information from unauthorized access;
- the procedure for the acceptance of the specified means and systems before commissioning as part of the AS, the procedure for their operation and monitoring the operability of these means and systems during operation.
1.3. The Regulation elaborates on Instruction No. 0126-87 with regard to requirements for software and hardware tools and systems for protecting information from unauthorized access, and is based on the Concept of protecting computer systems and automated systems from unauthorized access to information.
Organizational measures to prevent leakage and protect information, which are an integral part of solving the problem of protecting information from unauthorized access, are based on the requirements of that Instruction, supplement the software and hardware tools and systems, and in this respect fall within the scope of this Temporary Regulation.
1.4. The temporary regulation is mandatory for all government bodies, state enterprises, military units, other institutions, organizations and enterprises (regardless of the form of ownership) that possess state secrets, and is intended for customers, developers and users of protected computer equipment, automated systems that operate using information of varying degrees of secrecy.
1.5. The developed and operated software and hardware tools and systems for protecting information from unauthorized access must be an integral part of protected computer equipment and automated systems that process information of varying levels of secrecy.
1.6. When developing tools and systems for protecting information in automated systems and computer equipment, it is necessary to be guided by the requirements of the following guidelines:
- Concept of protecting computer equipment and automated systems from unauthorized access to information;
- this Temporary Regulation;
- Protection from unauthorized access to information. Terms and definitions;
- Computer equipment. Protection from unauthorized access to information. Indicators of protection from unauthorized access to information;
- Automated systems. Protection from unauthorized access to information. Classification of automated systems and requirements for information protection.
2. ORGANIZATIONAL STRUCTURE, PROCEDURE FOR CARRYING OUT WORK ON PROTECTING INFORMATION FROM NSD AND INTERACTION AT THE STATE LEVEL
2.1. The customer of protected computer equipment is the customer of the corresponding AS designed on the basis of this computer equipment.
The customer of protected computer equipment finances its development or takes a share in the financing of the development of general-purpose computer equipment in terms of implementing its requirements.
2.2. The customer of software and hardware for protecting information from unauthorized access may be a government agency or a collective enterprise, regardless of its form of ownership.
2.3. The State Technical Commission of Russia shall set tasks for the comprehensive[2] protection of information processed by automated systems, as well as monitor the status and development of this area of work.
2.4. Developers of protected general-purpose and special-purpose computer equipment, including their system-wide software, are state enterprises — computer equipment manufacturers, as well as other organizations licensed to carry out activities in the field of information security.
2.5. Developers of software and hardware and systems for protecting information from unauthorized access may be enterprises licensed to carry out the specified activities.
2.6. Conducting research and development work in the field of protecting classified information from unauthorized access, creating protected general-purpose computer equipment is carried out by government order upon submission of interested departments, agreed upon with the State Technical Commission of Russia.
2.7. The organization and functioning of state and industry certification centers are determined by the Regulation on these centers. They are responsible for conducting certification tests of software and hardware for protecting information from unauthorized access. The list of certification centers is approved by the State Technical Commission of Russia.
3. SYSTEM OF STATE REGULATIONS, STANDARDS, GUIDELINES AND REQUIREMENTS FOR PROTECTING INFORMATION FROM UNAUTHORIZED ACCESS
3.1. The system of state regulations, standards, guidelines and requirements for protecting information from unauthorized access is based on laws defining issues of protecting state secrets and information computer law.
3.2. The system of the specified documents defines work in two directions:
the first — development of general and special-purpose computer equipment protected from leakage, distortion or destruction of information, software and hardware (including cryptographic) means and systems for protecting information from unauthorized access;
the second — development, implementation and operation of AS protection systems of various levels and purposes both on the basis of protected computer equipment, including software and hardware and systems for protecting information from unauthorized access that have passed certification tests, and on the basis of proprietary tools and systems.
3.3. The documentation system of the first direction includes documents (including GOSTs, RDs and requirements) that define:
- various levels of computer equipment with tools for protecting information from unauthorized access and methods for assessing these levels (security criteria);
- the procedure for developing secure computer equipment; interaction, rights and obligations of customers and developers at the stages of ordering and developing secure computer equipment;
- the procedure for accepting and certifying secure computer equipment; interaction, rights and obligations of customers and developers at the stages of accepting and certifying secure computer equipment;
- development of operational documents and certificates.
3.4. The documentation system of the second direction includes documents (including GOSTs, RDs and requirements) defining:
- the procedure for organizing and conducting the development of a system for protecting classified information, interaction, rights and obligations of the customer and developer of the AS in general and the SZSI in particular;
- the procedure for developing and borrowing software and hardware and systems for protecting information from unauthorized access during the development of the SZSI;
- the procedure for configuring protected computer equipment, including software and hardware and systems for protecting information from unauthorized access to specific operating conditions of the AS;
- the procedure for commissioning and accepting software and hardware and systems for protecting information from unauthorized access as part of the accepted AS;
- the procedure for using protected computer equipment, including software and hardware and systems for protecting information from unauthorized access that have passed certification tests, in accordance with the classes and requirements for protection in specific systems;
- the procedure for operating the specified means and systems;
- development of operational documents and certificates;
- procedure for monitoring the security of the AS;
- responsibility of officials and various categories of performers (users) for compliance with the established procedure for the development and operation of the AS in general and the SZSI in particular.
3.5. The composition of the documentation defining the work in these areas is established by the State Standard of the Russian Federation and the State Technical Commission of Russia.
3.6. The technical specifications for the development of computer equipment and automated systems must include a section on requirements for protection against unauthorized access, and the documentation accompanying the release of computer equipment and automated systems must include a document (certificate) containing the results of the analysis of their protection against unauthorized access.
4. PROCEDURE FOR DEVELOPING AND MANUFACTURING PROTECTED COMPUTER SYSTEMS, INCLUDING SOFTWARE AND HARDWARE MEANS AND SYSTEMS FOR PROTECTING INFORMATION FROM NSD
4.1. When developing and manufacturing secure computer equipment, including software and hardware protection systems, it is necessary to be guided by the existing system for developing and putting products into production, as defined by GOST 21552-84 and its VD, GOST 16325-88 and its VD, GOST 15.001-88, GOST 23773-88, GOST 34.201-89, GOST 34.602-89, RD 50-601-10-89, RD 50-601-11-89, RD 50-601-12-89 and other documents.
4.2. The development of protected general-purpose computer equipment, including their system-wide software, is carried out by computer equipment manufacturing enterprises under government orders in accordance with the terms of reference agreed upon with the State Technical Commission of Russia (in the case of built-in cryptographic means and systems, with the Main Cryptographic Authority of the country and the enterprise developing these means and systems).
4.3. Development of protected special-purpose computer equipment, including their software (general system and application), is carried out by computer equipment manufacturing enterprises under government orders in accordance with the terms of reference agreed upon with the State Technical Commission of Russia (in the case of built-in cryptographic means and systems — the Main Encryption Authority of the country and the enterprise developing these means and systems) and approved by the customer of special-purpose computer equipment.
4.4. The procedure for developing protected software based on general system software in operation.
4.4.1. Development of protected software based on general-system software (OS, DBMS, network software) in operation or supplied together with unprotected computer equipment by the manufacturers of that equipment or by the State Fund of Algorithms and Programs (GosFAP) may be carried out under an order for state needs in accordance with terms of reference agreed upon with the developer of the relevant general-system software and with the State Technical Commission of Russia within the limits of its competence, and approved by the customer of this software.
4.4.2. In this case, the enterprise developing the general-system software is obliged to provide the enterprise developing the protected software with all necessary documentation and provide consultations during development.
4.4.3. If necessary, as determined by the customer of the work, the enterprise developing the general system software may be a co-executor of the development of the protected software.
4.4.4. The development of protected software may also be carried out by enterprises of interested departments under an industry order. In this case, the technical specifications, which meet the same requirements, are agreed upon by the parent organization of this industry with the State Technical Commission of Russia within the limits of its competence and approved by the customer of the protected software.
4.5. The procedure for developing protected software based on imported system-wide software prototypes.
4.5.1. Development (adaptation) of protected software based on imported general-system software prototypes is carried out under a government or industry order by enterprises developing the corresponding types of computer equipment, specialized organizations and enterprises of interested departments in agreement with the purchasing department and in accordance with the terms of reference agreed upon with the State Technical Commission of Russia within its competence and approved by the customer of these protected tools depending on the order level.
4.5.2. The preliminary stage of developing protected software based on imported general-system software prototypes consists of removing the copy protection and uncovering the prototype's operating mechanism, as well as analyzing the prototype's protective tools for compliance with the requirements of the terms of reference, with a view to using, supplementing and modifying those tools.
The preliminary stage work may be carried out according to a separate technical specification.
4.6. The procedure for developing software tools for monitoring the security of developed protected computer equipment, software tools and protection systems.
4.6.1. All enterprises developing protected computer equipment, including software tools and protection systems, are required to develop test software tools for monitoring security during the acceptance and operation of protected computer equipment and software tools.
4.6.2. To create software control tools, specialized organizations licensed by the State Technical Commission of Russia may be involved as co-executors, whose functional focus is “breaking” the protection mechanisms of general system software tools.
4.6.3. The development of software control tools may be carried out both under a general TOR with the development of protected tools, and under a specific TOR, the procedure for coordinating and approving which is similar to that set out in paragraph 4.5.1.
4.7. The procedure for developing technical means of protecting information from unauthorized access.
4.7.1. The development of technical means of protecting information from unauthorized access for use in government agencies may be carried out under a government or industry order.
4.7.2. The development of technical means of protecting information from unauthorized access is carried out jointly with software that ensures their operability as part of protected computer equipment.
In addition, technical means can support the security of general system software for information security purposes.
4.7.3. The development of technical means of information protection from unauthorized access is carried out both by enterprises developing protected computer equipment and by competent enterprises of interested departments according to the technical specifications, the procedure for coordinating and approving which is similar to that set out in paragraph 4.5.1.
5. PROCEDURE FOR ACCEPTANCE AND CERTIFICATION OF PROTECTED GENERAL AND SPECIAL-PURPOSE COMPUTER EQUIPMENT, INCLUDING SOFTWARE AND HARDWARE TOOLS AND SYSTEMS FOR PROTECTING INFORMATION FROM NSD
5.1. Research (checks, tests) and acceptance of protected general-purpose and special-purpose computer equipment, including software and hardware and systems for protecting information from unauthorized access, are carried out under the established procedure in accordance with GOST B15.307-77, GOST B15.210-78, GOST 23773-88 and NTD on information security.
5.2. Certification tests of protected general-purpose and special-purpose computer equipment, including software and hardware and systems for protecting information from unauthorized access, are carried out by state and industry certification centers.
5.3. The right to conduct certification tests of protected computer equipment, including software and hardware and systems for protecting information from unauthorized access is granted by the State Technical Commission of Russia in agreement with the State Standard of Russia and, in the case of using cryptographic means and protection systems, with the Main Encryption Authority of the country, to enterprises developing protected computer equipment, specialized organizations of departments developing protected computer equipment, including software and hardware and systems for protecting information from unauthorized access.
5.4. In accordance with the Regulation on the certification of computing and communication equipment and systems for information security requirements[3], based on the results of certification tests, a report is drawn up, and the developer is issued a certificate certified by the State Technical Commission of Russia and granting the right to use and distribute these tools as protected.
5.5. Tools that have received a certificate are included in the nomenclature of protected computer equipment, including software and hardware tools and systems for protecting information from unauthorized access.
Processing classified information is permitted only with the use of certified security tools and systems.
5.6. The developed software, after its acceptance, is submitted for registration to the specialized fund of the State Fund of Algorithms and Programs.
6. PROCEDURE FOR DEVELOPMENT, CERTIFICATION, IMPLEMENTATION AND OPERATION OF MEANS OF CRYPTOGRAPHIC PROTECTION OF INFORMATION FROM UNAUTHORIZED ACCESS
6.1. This section defines the interaction of the parties and the procedure for carrying out work during the creation, certification and operation of cryptographic information protection tools (CIPS) against unauthorized access at state enterprises and departments.
This section applies to software, hardware and software-hardware tools within computer equipment and automated systems that are used for cryptographic protection against unauthorized access to information processed, stored, accumulated and transmitted in computing systems built on individual computers, computer complexes and local area networks located within a single controlled zone.
The provisions of this section may also be applied in the case of several controlled zones, provided that communication between them is carried out over channels protected by means of ZAS or CIPS equipment, through which, in accordance with the current regulatory documents, the transmission of classified information of the corresponding classification is permitted (see paragraph 6.15 of this section).
6.2. Organizational and methodological management of the work on the creation and operation of the cryptographic information protection tool, certification of the cryptographic information protection tool, as well as control over the status and development of this area of work are carried out by the State Technical Commission of Russia and the Main Cipher Authority of the country through a number of specialized organizations authorized by them.
6.3. With the help of the cryptographic information protection tool, protection against unauthorized access to non-classified and official information, as well as to information classified as “Secret,” “Top Secret,” and “Special Importance” can be implemented.
6.4. When developing a cryptographic information protection tool (or a computer technology product containing a cryptographic information protection tool) intended to protect classified information of any classification, as well as to protect valuable and especially valuable information[4], the technical specifications for the cryptographic information protection tool must be agreed upon with the State Technical Commission of Russia and the Main Encryption Authority of the country.
Along with the technical specifications, a configuration diagram of the protected computer equipment or automated system, a description of the structure of the information objects to be protected (indicating the maximum secrecy classification), as well as data on the characteristics of the access and the proposed administrative structures of the users must be sent.
6.5. Based on the results of reviewing the initial data, the above-mentioned bodies provide the developer of the cryptographic information protection tool with recommendations on the use of one of the certified encryption algorithms, as well as (if necessary) a description of its cryptographic scheme, cryptographic constants, test examples for checking the correctness of the algorithm implementation, recommendations on the construction of the key system of the cryptographic information protection tool, and a number of other documents.
6.6. Based on the documents received, the developer implements the cryptographic information protection tool in the form of a software or hardware product and, with the involvement of specialized organizations, prepares the necessary materials for certification of the cryptographic information protection tool in accordance with the Certification Regulation.
The acceptance of the prototypes obtained as a result of development is carried out by a commission created by the Customer of the cryptographic information protection tool. The commission must include representatives of the State Technical Commission of Russia and the Main Cipher Authority of the country.
6.7. Certification of the cryptographic information protection tool is carried out on a cost-accounting basis. Successful certification of the cryptographic information protection tool concludes with the issue of a certificate.
6.8. The use of cryptographic information protection tools that have not been certified in the established manner for protection against unauthorized access to classified information of any classification, as well as valuable and especially valuable information, is prohibited.
6.9. When implementing an AS containing a certified cryptographic information protection tool and provided that this AS is intended for processing classified information with a classification no higher than “Top Secret” or for processing valuable information, no additional permission to operate the certified cryptographic information protection tool is required (except for cases specifically stipulated in the certification certificate for the cryptographic information protection tool).
For AS intended for processing information classified as “Special Importance” or for processing particularly valuable information, written permission must be obtained from the State Technical Commission of Russia and the Main Cipher Authority of the country for the operation of the cryptographic information protection tool as part of a specific AS.
6.10. The operation of the cryptographic information protection tool used to protect classified or valuable information must be carried out in accordance with the requirements of the Instructions being developed for ensuring the safety of the operation of the cryptographic information protection tool as part of the AS and the Instructions on the procedure for using current replaceable keys.
An organization operating the AS must create an information security service (body) that is responsible for implementing the measures provided for by the above instructions.
6.11. The secrecy classification of current replaceable keys and corresponding key documents when protecting information from unauthorized access using cryptographic information protection tools must correspond to the maximum secrecy classification of information encrypted using these keys.
Media with key documentation of the cryptographic information protection tool recorded on them are accounted for, stored and destroyed as ordinary documents of the corresponding secrecy classification in accordance with the Instruction on Ensuring the Secrecy Regime No. 0126-87.
6.12. A CIPS without entered cryptographic constants and active replaceable keys has a secrecy classification corresponding to the classification of the cryptoscheme description. A CIPS with loaded cryptographic constants has a secrecy classification corresponding to the classification of the cryptographic constants. The secrecy classification of a CIPS with loaded cryptographic constants and entered keys is determined by the maximum classification of the keys and cryptographic constants contained in the CIPS.
6.13. The ciphertext obtained by encrypting plaintext secret information of any classification using a CIPS is non-secret.
External data carriers (magnetic tapes, disks, cassettes, floppy disks, etc.) with encrypted information can be sent, stored and accounted for as non-secret if they do not contain and have not previously contained plaintext secret information.
6.14. Unprotected communication channels may be used to transmit ciphertext obtained by encrypting non-classified information using a cryptographic information protection tool outside the controlled area.
If the initial information (before encryption) was classified as “For Official Use Only,” then only a certified cryptographic information protection tool may be used.
6.15. To transmit ciphertext obtained by encrypting information classified as “Secret” or higher using cryptographic information protection tools outside the controlled area, communication channels protected by communication encryption equipment must be used, for which permission to transmit classified information has been obtained in accordance with applicable regulatory documents. In this case, no special permission to operate cryptographic information protection tools is required.
The procedure for creating encryption equipment, i.e. cryptographic means of various types (hardware and software-hardware), intended to protect information transmitted outside the controlled area via unprotected communication channels, is regulated by the Regulation on the development, manufacture and operation of encryption equipment, state and departmental communication and control systems and weapons systems using encryption equipment.
6.16. Responsibility for proper compliance with the rules for the operation of cryptographic information protection tools (including during the period of acceptance testing) is assigned to the management of enterprises operating these cryptographic information protection tools.
6.17. Control over compliance with the requirements of the operating instructions for the cryptographic information protection tool is assigned to the information security services of the enterprises operating these cryptographic information protection tools.
7. PROCEDURE FOR ORGANIZING AND CONDUCTING DEVELOPMENT OF A SYSTEM FOR PROTECTING SECRET INFORMATION IN DEPARTMENTS AND AT INDIVIDUAL ENTERPRISES
7.1. In order to solve scientific, technical, methodological and fundamental practical issues on the problem of protecting information from unauthorized access in the AS, a set of scientific research and experimental design work may be carried out in the system of departments according to industry plans.
7.2. In order to organize problematic research, centralize the development of means and systems for protecting information from unauthorized access, and implement scientific and methodological guidance for the work on this problem in the system of departments, specialized industry divisions may be created at the head organizations for the AS, interacting with similar divisions of other ministries and departments.
7.3. Scientific management of work on protecting information from unauthorized access is carried out by the chief designer of the country's integrated AS.
7.4. General management of work on protecting information from unauthorized access, implementation of a unified technical policy, organizational and methodological management and coordination of work, financing of R&D for industry orders, interaction with the State Technical Commission of Russia and other departments, as well as control over the organization and implementation of work on protecting information from unauthorized access in the central offices of departments, are carried out by scientific and technical divisions and security divisions, or curators are appointed for this area of work.
7.5. At an enterprise, scientific and technical management and direct organization of work on creating an integrated AS SZSI is carried out by the chief designer of this system, and for AS types — by the chief designers of these systems, scientific supervisors of topics, heads of electronic computer facilities or other officials providing scientific and technical management of the entire development of the corresponding AS.
7.6. When developing a security system in an AS, one should be guided by the classification of automated systems subject to protection from unauthorized access to information, and the requirements for protecting information in automated systems of various classes.
The system for protecting classified information is implemented as a subsystem of the AS and includes a set of organizational, software, technical (including cryptographic) means, systems and measures for protecting information from unauthorized access. The SZSI consists of system and functional parts. The system part is general and is used in the development, implementation and operation of all or most of the AS tasks, the functional part ensures information protection when solving specific tasks.
7.7. The development of the AS SZSI is carried out by the division developing the AS at the enterprise, a group or individual specialists in the development of means and measures of protection[5] and (or) specialized research, design and engineering enterprises (including other ministries and departments) under contracts concluded by the AS customer.
In the structure of large divisions with a large volume of work on security support, security services or secret agencies are also allocated.
7.8. The division for developing information security tools and measures is responsible for developing and implementing system security support (adapting and configuring software and hardware and centralized development systems), as well as developing requirements for functional security support.
Specialists — developers of supporting and functional subsystems of the AS, security services or secret agencies — are involved in the development and implementation of system security support.
The development and implementation of the AS security support is carried out in cooperation with special scientific and technical departments — information security services and departments of the enterprise's security and secret service.
7.9. The enterprise's scientific and technical department provides methodological guidance and participates in the development of requirements for the protection of information from unauthorized access, the analytical justification of the need to create the AS security support, the coordination of the choice of computer equipment (including general system software), software and hardware and security systems, and the organization of work to identify possibilities for, and prevent, leakage of classified information during its automated processing.
In developing requirements for protecting information from NSD, the SNTP participates jointly with the customer of the relevant AS, the industry security agency, and the military representative of the Ministry of Defense in terms of issues related to its competence.
7.10. General management of work to ensure the secrecy regime during the development of the AS is carried out by the deputy head of the developer enterprise for the regime.
General management of work to ensure the secrecy regime during the operation of the AS is carried out by the deputy head of the enterprise (organization) responsible for ensuring the secrecy regime.
The organization of control over the effectiveness of information protection tools and measures is developed by the enterprise and carried out by the head responsible at the enterprise for organizing work on information protection.
7.11. When developing the SZSI, it is necessary to make maximum use of existing or developed standard general system components, borrowing centrally developed software and hardware means and systems for protecting information from unauthorized access, and using protected SVT.
7.12. Within the framework of the existing stages and phases of the creation of the AS (GOST 34.601-90), the necessary stages of work on the creation of the SZSI are carried out.
7.13. The complex of works on the creation of the AS must provide for the system part of the SZSI to be developed and implemented in advance.
7.14. At the pre-project stage, during the survey of the automation object by the survey group appointed by order of the AS customer:
- the presence or absence of classified information in the AS to be developed is established, its level of secrecy and volumes are assessed;
- the mode of processing classified information, the AS class, the set of basic technical computer equipment, and general system software tools intended for use in the AS being developed are determined;
- the possibility of using standard or centrally developed and mass-produced means of information protection is assessed;
- the degree of participation of the personnel of the computer center, functional and production services, scientific and auxiliary workers of the automation facility in information processing, the nature of interaction with each other and with the divisions of the security and secret service are determined;
- measures are determined to ensure the secrecy regime at the stage of developing secret tasks.
7.15. Based on the results of the pre-project survey, an analytical justification for the creation of the SZSI and a section of the technical specifications for its development are developed.
7.16. At the stage of developing SZSI projects, the customer controls its development.
7.17. At the stages of technical and working design, the developer of the system part of the SZSI is obliged to:
- clarify the composition of the protection tools in the applied versions of the OS and software, describe the procedure for their configuration and operation, formulate requirements for the development of functional tasks and databases of the AS;
- develop or adapt software and hardware protection tools, develop organizational measures for the system part of the SZSI;
- develop organizational, administrative and design documentation of the SZSI and working documentation for the operation of protection tools and measures;
- provide methodological assistance to developers of the functional part of the SZSI.
7.18. At the stages of technical and detailed design, the developer of the functional part of the SZSI is obliged to:
- submit to the developer of the system part of the SZSI the necessary initial data for design;
- with methodological assistance from the developers of the system part of the SZSI, provide for the use of protective means and measures when solving the functional tasks of the AS;
- develop design documentation for the security support of the AS task and working instructions for the operation of the functional tasks of the AS, determining the work procedure of the personnel of the computer center and users when processing classified information, taking into account the functioning of the SZSI;
- justify the number of persons (and their qualifications) required for the direct operation (application) of the developed means (system) for protecting classified information;
- determine the procedure and conditions for using standard regular means of protecting processed information included by the developer in the OS, PPP, etc.;
- generate a package of application programs in conjunction with the selected standard means of protection.
7.19. The development, implementation and operation of the AS IS is carried out in the industry or at a separate enterprise in accordance with the requirements of the following organizational, administrative and design documentation, taking into account the specific conditions of the functioning of AS of various levels and purposes:
— Regulations on the procedure for organizing and conducting work in the industry (at the enterprise) on the protection of classified information in the AS;
— Instructions for the protection of classified information processed in the AS of the industry (at the enterprise or in the divisions of the enterprise);
— section of the Regulation on the permit system for admitting performers to documents and information at the enterprise, defining the features of the admission system in the process of developing and operating the AS;
orders, instructions, decisions:
- on the creation of relevant developer units, on the formation of a survey group, on the creation of expert commissions;
- on the start of processing information of a certain level of secrecy at the ECT facility;
- on the appointment of persons responsible for the operation of the computing system, SZSI databases;
- on the appointment of authorized security service representatives, etc.;
— design documentation for various stages of the creation of the SZSI.
7.20. The development, implementation and operation of the SZSI in the AS is carried out in the established manner in accordance with the requirements of GOST 34.201-89, GOST 34.602-89, GOST 34.601-90, RD 50-680-88, RD 50-682-89, RD 50-34.698-90 and other documents.
7.21. The modernization of the AS should be considered as an independent development of the AS itself and the SZSI for it. The organization of work in this case should correspond to the content of this section.
8. PROCEDURE FOR ACCEPTANCE OF THE SZSI BEFORE PUTTING INTO OPERATION AS PART OF THE AS
8.1. At the stage of putting the SZSI into operation, the following is carried out:
- preliminary tests of protective equipment;
- trial operation of protective equipment and functional tasks of the AS under their operating conditions;
- acceptance tests of protective equipment;
- acceptance tests of the SZSI as part of the automated system by a commission of the appropriate rank.
8.2. Preliminary tests of security tools are carried out by the developer of these tools together with the customer and with the involvement of specialists from industry information security agencies in order to check individual tools according to GOST 21552-84, GOST 16325-88 and GOST 23773-88, compliance of technical documentation with the requirements of the technical specifications, development of recommendations for their revision and determination of the procedure and timing of trial operation.
8.3. It is permitted to conduct trial operation of protection means before operation of the functional tasks of the AS or in parallel with it. Trial operation is carried out by the customer with the participation of the developer in accordance with the program in order to check the operability of protection means on real data and to refine the technological process. At the trial operation stage, it is permitted to process information classified as «Secret» and «Top Secret».
For information classified as «Special Importance», the possibility of processing at the trial operation stage is determined jointly by the customer, the developer and the industry information security agency.
Trial operation of the functional tasks of the AS must include checking their functioning under the operating conditions of protection means.
8.4. If the results of the trial operation are positive, all software, hardware, and organizational documentation are handed over to the customer under an act.
Acceptance of technical means of protection into operation consists of checking their characteristics and functioning under specific conditions; acceptance of software means of protection consists of solving a control example (test) that is closest to the specific conditions of the AS operation, with planned attempts to bypass the protection systems. The control example is prepared by the developers together with the customer.
8.5. Acceptance tests of the SZSI are carried out as part of the automated system presented to the customer's commission.
The customer is responsible for organizing the work during the commissioning of the SZSI, for the functioning of the protection means after acceptance tests.
8.6. Reporting materials based on the results of acceptance tests of the SZSI are prepared in accordance with GOST 34.201-89 and RD 50-34.698-90 and sent to the certification body for issuance of a certificate.
The types of documents for software protection tools are defined by GOST 19.101-77, for technical means — GOST 2.102-68, and for operational documents — GOST 2.601-68.
9. PROCEDURE FOR OPERATING SOFTWARE AND TECHNICAL MEANS AND SYSTEMS FOR PROTECTING SECRET INFORMATION FROM NSD
9.1. Information processing in the AS must be carried out in accordance with the technological process for processing classified information, developed and approved in the manner established at the enterprise for the design and operation of the AS.
9.2. For the operation of the SZSI (a set of software and hardware tools and organizational measures for their support, aimed at eliminating unauthorized access to the information processed in the AS), persons are appointed by order of the head of the enterprise (structural unit) who carry out:
- support of the SZSI, including issues of organizing work and monitoring the use of the SZSI in the AS;
- operational monitoring of the functioning of the SZSI;
- monitoring the compliance of the general system software environment with the standard;
- development of instructions regulating the rights and obligations of operators (users) when working with classified information.
10. PROCEDURE FOR CONTROLLING THE EFFICIENCY OF PROTECTION OF SECRET INFORMATION IN AS
10.1. Control over the effectiveness of information protection in AS is carried out for the purpose of checking certificates for protection tools and compliance of information protection tools with the requirements of standards and regulatory documents of the State Technical Commission of Russia on information protection from unauthorized access at the following levels:
- state, carried out by the Inspectorate of the State Technical Commission of Russia for Defense Work and Work Using Information Constituting a State Secret;
- industry, carried out by departmental control bodies (main scientific, technical and security departments, lead organizations for information protection in the AS);
- at the enterprise (separate organization) level, carried out by military representatives of the Armed Forces (for defense work), special scientific and technical units and security and secret services (security agencies, services).
10.2. The initiative to conduct checks belongs to the organizations whose information is processed in the AS, the State Technical Commission of Russia and departmental (industry) control bodies.
10.3. Functioning means and systems of information protection from unauthorized access are checked, using software (software and hardware) tools, for compliance with the requirements of the TOR, taking into account the classification of the AS and the degree of secrecy of the information processed.
10.4. Based on the results of the inspection, a report is drawn up, which is communicated to the head of the enterprise, the user and other organizations and officials in accordance with the level of control.
10.5. Depending on the nature of the violations associated with the functioning of the means and systems for protecting information from unauthorized access, claims may be made against the operating AS, in accordance with the regulations on the State Technical Commission of Russia, up to and including suspension of information processing, identification and elimination of the causes of the violations.
Resumption of work is carried out after measures have been taken to eliminate violations and the effectiveness of protection has been verified by control bodies and only with the permission of the body that authorized the verification.
In the event that work is terminated based on the results of an inspection by the Inspectorate of the State Technical Commission of Russia, it may be resumed only with the permission of the State Technical Commission of Russia, and with regard to officials guilty of these violations, the issue of bringing them to justice in accordance with the requirements of Instruction No. 0126-87 and current legislation is decided.
11. PROCEDURE FOR TRAINING, RETRAINING AND ADVANCED TRAINING OF SPECIALISTS IN THE FIELD OF INFORMATION PROTECTION FROM NSD
11.1. Training of young specialists and retraining of personnel in the field of protection of information processed in AS from unauthorized access is carried out in the system of the State Committee of the Russian Federation for Science, Higher Education and the Armed Forces by the departments of computer technology and automated systems of higher educational institutions under agreements with ministries, departments and individual enterprises.
11.2. Training is carried out according to educational programs agreed with the State Technical Commission of Russia.
11.3. Advanced training of specialists working in this field is carried out by inter-industry and industry institutes for advanced training and the above-mentioned departments of universities according to programs agreed with the State Technical Commission of Russia and industry control bodies.
[1] Hereinafter referred to as «protected SVT»
[2] Comprehensive information protection means the implementation of protection requirements: from unauthorized access to information, from leakage via technical channels, from possibly introduced special electronic devices and «virus» programs.
[3] Hereinafter referred to as Certification Regulation
[4] Valuable information is information, the damage from a breach of whose protection (associated, for example, with a leak of industrial and commercial secrets) may exceed 100 thousand rubles in the public sector of the economy (but not more than 1 million rubles). Particularly valuable information is information, the damage from a breach of whose protection may exceed 1 million rubles in the public sector of the economy.
[5] Hereinafter: the division for the development of means and measures of protection.