Information security standards: GOST R, the national standards of the Russian Federation in the field of information security

Security standards are mandatory documents that define approaches to assessing the existing level of security. In addition, they establish rules for the security of systems as a whole.

Information security standards perform several functions, in particular:

  • developing the terminology and concepts used in the field of data security;
  • forming a scale for measuring the level of security;
  • conducting agreed, consistent product assessments;
  • significantly increasing the compatibility of products used for security;
  • accumulating information about best practices that establish a stable state;
  • providing information about best practices to interested groups, for example security vendors, subject-matter experts, directors, administrators and any other users of information systems;
  • establishing requirements whose implementation is mandatory, giving the standards legal force.

International security standards

International security standards are a set of practices and recommendations aimed at implementing systems that ensure data protection.

One of the international standards, BS 7799, formulates the goal of information protection. According to it, the purpose of security is to ensure the uninterrupted operation of the company and to prevent, or reduce to the minimum possible, the damage resulting from violation of the established security requirements.

Another major international standard, ISO 27002, contains an exhaustive list of practical recommendations on information security. These recommendations are intended for employees who, in the course of their work, are responsible for the creation, implementation and subsequent maintenance of information security systems.

International information security standards: ISO 27001

The set of international standards is a body of practices and recommendations aimed at implementing systems and equipment for technological protection.

Under the rules established by the international standard ISO 27001:2013, the security of the technologies in question must exhibit certain characteristics.

This ISO standard divides a unified system into four sections. ISO 27001 builds on the standard that defines the basic requirements for quality management. Under Russian standardization rules, these requirements must be met by every organization that wishes to demonstrate its ability to provide products that meet customer needs.


International security standards: ISO 17799

ISO 17799 was created by the International Organization for Standardization in 2000. In accordance with its requirements, when creating a security framework that is to be considered effective, special attention must be paid to an integrated approach to security management. For this reason, measures aimed at ensuring the following requirements for information are treated as control elements:

  • its confidentiality;
  • reliability of the information;
  • its availability;
  • integrity of the information provided.

National System of Information Security Standards

The national standardization system consists of a set of national standards and all-Russian classifiers. This structure includes not only the standards themselves but also the rules for their development and subsequent application.

In the Russian Federation, a national standard can be applied on a voluntary basis, regardless of the country or place of origin.

At the same time, there is a rule under which such a national standard is applied only if a conformity mark is present.

The Russian GOST R ISO 17799 defines all measures aimed at ensuring information security as standards for maintaining confidentiality. Consequently, only those employees who can ensure the integrity, availability and security of information may be allowed to work with such technologies.

GOST R ISO 27001 is the main standard; it contains an exhaustive list of the features that any method of ensuring the security of each individual information technology must have.

The domestic GOST ISO IEC 15408, compiled on the basis of the international ISO standard in this field, is aimed at ensuring the comparability of the results obtained from independent assessments.

The requirements of this GOST are satisfied by establishing a unified list of requirements that may be imposed on technologies in this area, as well as on the assurance measures used when such technologies are assessed for security.

In the Russian Federation, technology products can be sold in several forms:

  • hardware;
  • software;
  • software and hardware.

The results of conformity assessment against this Russian standard make it possible to determine whether the technologies under inspection satisfy the state security requirements established for them.

As a rule, the Russian GOST ISO standards are used:

  • as a guide to technology product development;
  • as a guide to the state of technological safety of products;
  • as an assessment of technology products when purchasing them.

Security Management Systems - Specification with guidance for use". On its basis, the standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements" was developed, against which certification can be carried out.

In Russia, the standards currently in force are GOST R ISO/IEC 17799-2005 "Information technology. Practical rules for information security management" (an authentic translation of ISO/IEC 17799:2000) and GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements" (a translation of ISO/IEC 27001:2005). Despite some internal discrepancies caused by the different versions and translation features, the presence of these standards makes it possible to bring an information security management system into line with their requirements and, if necessary, to certify it.

GOST R ISO/IEC 17799:2005 "Information technology. Practical rules for information security management"

Let us now consider the contents of the standard. The introduction states that "information, the processes that support it, information systems and network infrastructure are essential assets of an organization. Confidentiality, integrity and availability of information can significantly contribute to the competitiveness, liquidity, profitability, legal compliance and business reputation of the organization." Thus, the standard considers information security issues including from the standpoint of economic effect.

Three groups of factors must be taken into account when developing information security requirements:

  • the organization's risk assessment: through risk assessment, threats to the organization's assets are identified, the vulnerability of the relevant assets and the likelihood of threats occurring are assessed, and the possible consequences are estimated;
  • legal, statutory, regulatory and contractual requirements that must be met by the organization, its trading partners, contractors and service providers;
  • the specific set of principles, objectives and requirements that the organization has developed for the processing of information.

Once the requirements have been determined, the stage of selecting and implementing measures that reduce risk to an acceptable level begins. The selection of information security management measures should be based on the ratio between the cost of their implementation, the risk reduction they achieve, and the possible losses in the event of a security breach. Factors that cannot be expressed in monetary terms, such as loss of reputation, should also be taken into account. The standard gives a possible list of measures, but notes that it can be supplemented or formed independently based on the organization's needs.
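The cost/benefit rule for selecting measures described above can be made concrete with a small calculation. The following is an added example, not code from the standard or from the page; the threats, likelihoods, impacts and control costs are constructed figures, and "annual loss" is used as the risk measure (expected occurrences per year multiplied by loss per occurrence). Controls required by law or contract (the second group of factors above) are adopted regardless of cost; the rest are chosen only when the loss they avoid exceeds their cost, and whatever risk remains above the acceptable level is reported for other treatment.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float   # expected occurrences per year (constructed estimate)
    impact: float       # loss per occurrence, in currency units (constructed)

    def annual_loss(self) -> float:
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    threat: str          # name of the threat the control addresses
    annual_cost: float   # yearly cost of implementing and running the control
    reduction: float     # fraction of the threat's annual loss it removes (0..1)
    mandatory: bool = False  # required by law/contract: adopted regardless of cost


def select_controls(threats, controls, acceptable_loss):
    """Select controls by the cost/benefit rule and report residual annual loss."""
    residual = {t.name: t.annual_loss() for t in threats}
    selected = []

    def apply(control):
        selected.append(control.name)
        residual[control.threat] *= (1.0 - control.reduction)

    # 1. Legal/contractual controls first: cost is not the deciding factor.
    for c in controls:
        if c.mandatory:
            apply(c)

    # 2. Remaining controls: take the best benefit/cost ratio while the
    #    loss a control avoids still exceeds what it costs.
    candidates = [c for c in controls if not c.mandatory]
    while True:
        worthwhile = [
            (residual[c.threat] * c.reduction / c.annual_cost, c)
            for c in candidates
            if residual[c.threat] * c.reduction >= c.annual_cost
        ]
        if not worthwhile:
            break
        _, best = max(worthwhile, key=lambda pair: pair[0])
        apply(best)
        candidates.remove(best)

    # 3. Risks still above the acceptable level need other treatment
    #    (acceptance, transfer, or non-monetary justification).
    above = sorted(name for name, loss in residual.items() if loss > acceptable_loss)
    return {"selected": selected, "residual": residual, "above_acceptable": above}


# Constructed sample data for the demonstration.
THREATS = [
    Threat("ransomware", likelihood=0.5, impact=200_000),
    Threat("laptop theft", likelihood=2.0, impact=5_000),
    Threat("insider data leak", likelihood=0.2, impact=150_000),
]
CONTROLS = [
    Control("offline backups", "ransomware", annual_cost=8_000, reduction=0.7),
    Control("endpoint detection", "ransomware", annual_cost=25_000, reduction=0.5),
    Control("full-disk encryption", "laptop theft", annual_cost=3_000, reduction=0.9),
    Control("data loss prevention", "insider data leak", annual_cost=40_000, reduction=0.6),
    Control("confidentiality agreements", "insider data leak", annual_cost=500,
            reduction=0.1, mandatory=True),
]


def demo():
    return select_controls(THREATS, CONTROLS, acceptable_loss=20_000)


if __name__ == "__main__":
    result = demo()
    print("selected:", result["selected"])
    for name, loss in result["residual"].items():
        print(f"  {name}: residual annual loss {loss:,.0f}")
    print("still above acceptable level:", result["above_acceptable"])
```

Note that "endpoint detection" is cost-effective on the initial risk but not once "offline backups" has already cut the ransomware loss, which is why controls are re-evaluated after each selection rather than ranked once up front.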

Let us briefly list the sections of the standard and the information protection measures proposed in them. The first group concerns the security policy. It must be developed, approved by the organization's management, published and brought to the attention of all employees. It should define the procedure for working with the organization's information resources and the duties and responsibilities of employees. The policy is reviewed periodically to reflect the current state of the system and the identified risks.

The next section addresses organizational issues related to information security. The standard recommends creating management committees (with the participation of the company's senior management) to approve the security policy, appoint responsible persons, distribute responsibilities and coordinate the implementation of information security management activities in the organization. The process for obtaining permission to use information processing tools (including new software and hardware) in the organization should also be described so that their introduction does not lead to security problems. It is also necessary to define the procedure for interaction with other organizations on information security issues, consultation with external specialists, and independent verification (audit) of information security.

When specialists from third-party organizations are given access to information systems, special attention must be paid to security. The risks associated with the different types of access (physical, or logical, i.e. remote) of such specialists to the organization's resources must be assessed. The need to provide access must be justified, and contracts with third parties must include requirements regarding compliance with the security policy. The same is proposed when third-party organizations are involved in information processing (outsourcing).

The next section of the standard is devoted to asset classification and management. To ensure the organization's information security, all key information assets must be accounted for and assigned to responsible owners. The standard suggests starting with an inventory. The following classification is given as an example:

  • information assets (databases and data files, system documentation, etc.);
  • software assets (application software, system software, development tools and utilities);
  • physical assets (computer equipment, communications equipment, storage media, other technical equipment, furniture, premises);
  • services (computing and communication services, basic public utilities).

Next, it is proposed to classify information in order to determine its priority, necessity and required degree of protection. The information can be assessed according to how critical it is for the organization, for example from the standpoint of ensuring its integrity and availability. After this, a labeling procedure for the processing of information should be developed and implemented. Labeling procedures should be defined for each classification level, taking into account the following types of information processing:

  • copying;
  • storage;
  • transmission by mail, fax and e-mail;
  • voice transmission, including mobile phone, voicemail, answering machines;
  • destruction.

The next section addresses personnel security. The standard specifies that responsibilities for compliance with security requirements are assigned at the stage of personnel selection, included in employment contracts and monitored throughout the employee's period of employment. In particular, when hiring a permanent employee, it is recommended to check the authenticity of the documents submitted by the applicant, the completeness and accuracy of the resume, and the references provided. Employees should sign a confidentiality agreement that states which information is confidential or sensitive. Disciplinary responsibility for employees who violate the organization's security policies and procedures must be defined. Where necessary, this responsibility should continue for a specified period after employment ends.

Users need to be trained in security procedures and in the correct use of information processing tools to minimize possible risks. In addition, a procedure for reporting information security violations must be defined and communicated to staff. A similar procedure should be followed for software failures. Such incidents need to be recorded and analyzed to identify recurring problems.

The next section of the standard addresses physical and environmental protection. It states that "facilities for processing critical or important business information must be located in security zones designated by a defined security perimeter with appropriate protective barriers and entry controls. These areas must be physically protected from unauthorized access, damage and interference." In addition to organizing access control to protected areas, the procedure for carrying out work in them and, if necessary, procedures for visitor access must be defined. It is also necessary to ensure the security of equipment (including equipment used outside the organization) to reduce the risk of unauthorized access to data and to protect it from loss or damage. This group of requirements also includes protection against power failures and protection of the cable network. Procedures must also be defined for equipment maintenance, taking security requirements into account, and for the secure disposal or reuse of equipment. For example, decommissioned storage media containing important information should be physically destroyed or securely overwritten rather than erased with standard deletion functions.

To minimize the risk of unauthorized access to, or damage to, paper documents, storage media and information processing facilities, it is recommended to adopt a "clean desk" policy for paper documents and removable media and a "clean screen" policy for information processing equipment. Equipment, information or software may be removed from the organization's premises only with appropriate authorization.

The next section of the standard is titled "Management of data transfer and operational activities." It requires that the responsibilities and procedures for the operation of all information processing facilities be established. For example, configuration changes to information processing facilities and systems must be controlled. The principle of segregation of duties must be applied to management functions, the performance of certain tasks, and areas of responsibility.

It is recommended to separate the development, testing and production environments. The rules for transferring software from development status to accepted-for-operation status must be defined and documented.

Additional risks arise when third-party contractors manage information processing facilities. Such risks must be identified in advance, and appropriate information security management measures agreed with the contractor and included in the contract.

To provide the necessary processing and storage capacity, current performance requirements must be analyzed and future ones forecast. These forecasts must take into account new functional and system requirements as well as current and future plans for the development of information technology in the organization. Requirements and criteria for accepting new systems must be clearly defined, agreed, documented and tested.

Measures must be taken to prevent and detect the introduction of malicious software such as computer viruses, network worms, Trojan horses and logic bombs. The standard notes that protection against malware should be based on an understanding of security requirements, appropriate system access controls and proper change management.

The procedures for auxiliary operations must be defined: backup of software and data (as an example, laboratory work No. 10 examines the organization of backups in Windows Server 2008), logging of events and errors and, where necessary, monitoring of hardware status. Backup arrangements for each individual system should be tested regularly to ensure that they meet the requirements of the business continuity plans.

To ensure the security of information on networks and protect the supporting infrastructure, security controls must be introduced and connected services protected from unauthorized access.

Particular attention is paid to the security of media of various types: documents, computer storage media (tapes, disks, cassettes), input/output data and system documentation, which must be protected from damage. A procedure for using removable computer media (content control, storage, destruction, etc.) should be established. As noted above, storage media should be disposed of securely after use.

To protect information from unauthorized disclosure or misuse, procedures for processing and storing information must be established. These procedures should take the categorization of information into account and apply to documents, computing systems, networks, laptop computers, mobile communications, mail, voice mail, voice communications in general, multimedia devices, fax use and any other important objects such as forms, cheques and invoices. System documentation may contain important information and therefore must also be protected.

The exchange of information and software between organizations must be controlled and comply with current legislation. In particular, the security of information carriers during transmission must be ensured, and a usage policy for e-mail and electronic office systems defined. Care should be taken to protect the integrity of electronically published information, such as information on a web site. A formalized authorization process is also required before such information is made publicly available.

The next section of the standard is devoted to access control issues.

It is required that the access control rules and rights of each user or group of users are clearly defined by the security policy. Users and service providers must be made aware of the need to comply with these requirements.

When password authentication is used, user passwords must be controlled. In particular, users must sign a document committing them to keep their passwords confidential. The process of issuing a password to a user must be secure, and, where this is used, users must be able to manage their own passwords (forced password change after the first login, etc.).

Access to both internal and external network services must be controlled. Users should be provided with direct access only to those services for which they have been authorized. Particular attention must be paid to authenticating remote users. Based on the risk assessment, it is important to determine the required level of protection in order to select the appropriate authentication method. The security of using network services must also be monitored.

Many network and computing devices have built-in remote diagnostics and management capabilities. Security measures must also apply to these facilities.

When networks are shared by multiple organizations, the access control policy requirements must be defined with this in mind. Additional information security management measures may also be needed to limit users' ability to connect.

At the operating system level, information security measures should be used to restrict access to computer resources (an example of organizing access control to files and folders in Windows Server 2008 is discussed in laboratory work No. 9). This refers to the identification and authentication of terminals and users. All users should have unique identifiers, which should not contain any indication of the user's privilege level. Password management systems must provide effective interactive capabilities to support the required password quality (an example of password quality management in the Windows family of operating systems is discussed in laboratory work No. 3). The use of system utilities must be limited and carefully controlled.

It is advisable to provide an alarm for cases where the user may become the target of coercion (if such an event is assessed as probable). An example would be "duress" login passwords: if the user enters such a password, the system shows the user's normal login sequence and then simulates a failure so that the attacker does not gain access to the data. Responsibilities and procedures for responding to such an alarm must be defined.

Terminals serving high-risk systems, when located in easily accessible locations, should be switched off after a certain period of inactivity to prevent access by unauthorized persons. A restriction on the period of time during which terminals are allowed to connect to computer services may also be introduced.

Information security measures also need to be applied at the application level. In particular, this may be a restriction of access for certain categories of users. Systems that process important information must be provided with a dedicated (isolated) computing environment.

Monitoring of the system is necessary to detect deviations from the access control policy requirements and to provide evidence in the event of an information security incident. Monitoring results should be reviewed regularly. The audit log can be used to investigate incidents, so the correct setting (synchronization) of computer clocks is important.

When using portable devices, such as laptops, it is necessary to take special measures to counteract the compromise of proprietary information. Formalized policies should be adopted that address the risks associated with working with portable devices, particularly in unsecured environments.

The next section of the standard is titled "Development and maintenance of systems." Security requirements must be taken into account already at the development stage of information systems. During operation of the system, loss, modification or misuse of user data must be prevented. For this purpose, application systems should validate input and output data, control data processing within the system, authenticate messages and log user actions.

Cryptographic security measures may be used to ensure the confidentiality, integrity and authenticity of data.

Ensuring software integrity plays an important role in information security. To minimize damage to information systems, the implementation of changes should be strictly controlled. From time to time, changes to operating systems are necessary; in these cases, the application systems must be analyzed and tested to ensure that there is no adverse impact on their functionality and security. As far as possible, ready-made software packages should be used without modification.

A related issue is countering Trojan horses and covert leakage channels. One countermeasure is to use software obtained from trusted vendors and to monitor system integrity.

In cases where a third-party organization is involved in software development, it is necessary to provide measures to control the quality and correctness of the work performed.

The next section of the standard is devoted to business continuity management. At the initial stage, it is supposed to identify events that may cause interruption of business processes (equipment failure, fire, etc.). In this case, it is necessary to assess the consequences, and then develop recovery plans. The adequacy of the plans must be confirmed by testing, and they themselves must be periodically revised to take into account changes occurring in the system.

The final section of the standard addresses compliance. First of all, this concerns the compliance of the system and the procedure for its operation with legal requirements. This includes compliance with copyright (including for software), protection of personal information (of employees and clients), and prevention of misuse of information processing tools. When cryptographic means of information protection are used, they must comply with current legislation. The procedure for collecting evidence in case of litigation related to information system security incidents should also be thoroughly worked out.

The information systems themselves must comply with the organization's security policy and the standards in use. The security of information systems must be regularly analyzed and assessed. At the same time, security measures must be observed when conducting a security audit so that the audit itself does not lead to undesirable consequences (for example, the failure of a critical server because of the audit).

To summarize, it can be noted that the standard addresses a wide range of issues related to ensuring the security of information systems. Practical recommendations are given in a number of areas.

Requirements for knowledge and skills

The student must have an idea:

  • on the role of the State Technical Commission in ensuring information security in the Russian Federation;

  • on documents on assessing the security of automated systems in the Russian Federation.

The student must know:

  • the main content of standards for assessing the security of automated systems in the Russian Federation.

The student must be able to:

  • determine classes of protected systems based on a set of protection measures.

Key term

Key term: Information security standards in the Russian Federation.

Information security standards in the Russian Federation are developed within the framework of the State Technical Commission of the Russian Federation.

Minor terms

  • The State Technical Commission and its role in ensuring information security in the Russian Federation.

  • Documents on assessing the security of automated systems in the Russian Federation.

Structural diagram of terms

1.7.1 State Technical Commission and its role in ensuring information security in the Russian Federation

In the Russian Federation, information security is ensured by compliance with Presidential decrees, federal laws, decrees of the Government of the Russian Federation, governing documents of the State Technical Commission of Russia and other regulatory documents.

The most common documents were reviewed earlier when studying the legal foundations of information security. In the Russian Federation, from the point of view of standardization of provisions in the field of information security, the guiding documents (RD) of the State Technical Commission of Russia are of paramount importance, one of the tasks of which is “carrying out a unified state policy in the field of technical information security.”

The State Technical Commission of Russia is very active in rule-making activities, issuing guidance documents that play the role of national assessment standards in the field of information security. As a strategic direction, the State Technical Commission of Russia chose to focus on the “General Criteria”.

Over the 10 years of its existence, the State Technical Commission has developed and brought dozens of documents to the level of national standards, including:

  • Guiding document “Regulations on the certification of informatization objects according to information security requirements” (Approved by the Chairman of the State Technical Commission of Russia on November 25, 1994);

  • Guiding document “Automated systems (AS). Protection against unauthorized access (NSD) to information. Classification of AS and requirements for information protection" (State Technical Commission of Russia, 1997);

  • Guiding document “Computer facilities. Protection from unauthorized access to information. Indicators of security from unauthorized access to information" (State Technical Commission of Russia, 1992);

  • Guiding document “Concept for the protection of computer equipment from unauthorized access to information” (State Technical Commission of Russia, 1992);

  • Guiding document “Protection from unauthorized access to information. Terms and definitions" (State Technical Commission of Russia, 1992);

  • Guiding document “Computer technology (CT). Firewalls. Protection from unauthorized access to information. Indicators of security from unauthorized access to information" (State Technical Commission of Russia, 1997);

  • Guiding document “Protection against unauthorized access to information. Part 1. Information security software. Classification according to the level of control over the absence of undeclared capabilities” (State Technical Commission of Russia, 1999);

  • Guiding document “Special requirements and recommendations for the technical protection of confidential information” (State Technical Commission of Russia, 2001).

1.7.2 Documents on assessing the security of automated systems in the Russian Federation

Let's consider the most significant of these documents that define the criteria for assessing the security of automated systems.

The guiding document "Computer facilities. Protection from unauthorized access to information. Indicators of security from unauthorized access to information" establishes a classification of computer facilities (SVT) according to their level of security against unauthorized access to information, based on a list of security indicators and a set of requirements describing them. The basis for the development of this document was the Orange Book. This evaluation standard establishes seven classes of security of SVT against unauthorized access to information.

The lowest class is the seventh, the highest is the first. The classes are divided into four groups, which differ in their level of protection:

  • the first group contains only the seventh class, which includes all SVT that do not meet the requirements of the higher classes;

  • the second group is characterized by discretionary protection and contains the sixth and fifth classes;

  • the third group is characterized by mandatory protection and contains the fourth, third and second classes;

  • the fourth group is characterized by verified protection and includes only the first class.

The guiding document "Automated systems (AS). Protection against unauthorized access to information. Classification of AS and requirements for information protection" establishes a classification of automated systems subject to protection from unauthorized access to information, and requirements for the protection of information in automated systems of the various classes.

The defining characteristics by which AS are grouped into the various classes include:

The document defines nine classes of AS security against unauthorized access to information. Each class is characterized by a certain minimum set of protection requirements. The classes are divided into three groups, which differ in the characteristics of information processing in the AS.

Within each group, a hierarchy of protection requirements is observed depending on the value and confidentiality of the information and, consequently, a hierarchy of AS security classes.

Table 2 shows the security classes of the AS and the requirements for ensuring them.

Table 1. Security requirements for automated systems ("+" means the measure is required for the class; classes are listed from the lowest, 3B, to the highest, 1A; 1V and 1B stand for the Russian classes 1В and 1Б)

Subsystems and requirements                                          3B  3A  2B  2A  1D  1G  1V  1B  1A
----------------------------------------------------------------------------------------------------------
1. Access control subsystem
1.1. Identification, authentication and access control of subjects:
     into the system                                                 +   +   +   +   +   +   +   +   +
     to terminals, computers, computer network nodes,
       communication channels, external computer devices             -   -   -   +   -   +   +   +   +
     to programs                                                     -   -   -   +   -   +   +   +   +
     to volumes, directories, files, records, record fields          -   -   -   +   -   +   +   +   +
1.2. Information flow management                                     -   -   -   +   -   -   +   +   +
2. Registration and accounting subsystem
2.1. Registration and accounting of:
     entry/exit of access subjects to/from the system (network node) +   +   +   +   +   +   +   +   +
     issuing printed (graphic) output documents                      -   +   -   +   -   +   +   +   +
     starting/ending programs and processes (tasks, jobs)            -   -   -   +   -   +   +   +   +
     access of subjects' programs to terminals, computers, computer
       network nodes, communication channels, external computer
       devices, programs, volumes, directories, files, records,
       record fields                                                 -   -   -   +   -   +   +   +   +
     changes in the access rights of access subjects                 -   -   -   -   -   -   +   +   +
     created protected access objects                                -   -   -   +   -   -   +   +   +
2.2. Accounting for storage media                                    +   +   +   +   +   +   +   +   +
2.3. Clearing (zeroing, depersonalizing) freed areas of computer
     RAM and external storage devices                                -   +   -   +   -   +   +   +   +
2.4. Signaling attempts to violate security                          -   -   -   -   -   -   +   +   +
3. Cryptographic subsystem
3.1. Encryption of confidential information                          -   -   -   +   -   -   -   +   +
3.2. Encryption of information belonging to different access
     subjects (groups of subjects) using different keys              -   -   -   -   -   -   -   -   +
3.3. Use of certified cryptographic tools                            -   -   -   +   -   -   -   +   +
4. Integrity subsystem
4.1. Integrity of software and processed information                 +   +   +   +   +   +   +   +   +
4.2. Physical security of computer equipment and storage media       +   +   +   +   +   +   +   +   +
4.3. Presence of an information security administrator
     (protection service) in the AS                                  -   -   -   +   -   -   +   +   +
4.4. Periodic testing of the NSD information protection system       +   +   +   +   +   +   +   +   +
4.5. Availability of means for restoring the NSD information
     protection system                                               (marks cut off in the source)

+

+

+

+

+

+

+

+

+

4.6. Use of certified protective equipment.

+

+

+

+

+

“-” there are no requirements for this class;

“+” are the requirements for this class;

Table 2 thus codifies the minimum requirements that must be met to ensure the confidentiality of information.

Integrity requirements are represented by a separate subsystem (number 4).

The guiding document “SVT. Firewalls. Protection from unauthorized access to information. Indicators of security from unauthorized access to information” is the main document for analyzing the protection system of a corporate network's external perimeter. It defines the security indicators of firewalls (FW). Each security indicator is a set of security requirements that characterize a specific area of FW operation.

There are five security indicators in total:

  • access control;

  • identification and authentication;

  • event registration and notification;

  • integrity control;

  • restoration of performance.

Based on the security indicators, the following five FW security classes are defined:

  • the simplest filtering routers: 5th class;

  • network-layer packet filters: 4th class;

  • the simplest application-level firewalls: 3rd class;

  • basic-level firewalls: 2nd class;

  • advanced firewalls: 1st class.

Firewalls of the first security class can be used in class 1A AS that process information “of special importance”. The second FW security class corresponds to AS security class 1B, intended for processing “top secret” information, and so on.

According to the guiding document on AS, nine classes of AS security from unauthorized access to information are established.

Each class is characterized by a certain minimum set of protection requirements. The classes are divided into three groups, differing in the characteristics of information processing in the AS. Within each group, a hierarchy of protection requirements is observed depending on the value (confidentiality) of the information and, consequently, a hierarchy of AS security classes.

The third group covers AS in which a single user works and has access to all information in the system, held on media of the same confidentiality level. The group contains two classes: 3B and 3A.

The second group covers AS in which users have the same access rights (authority) to all AS information processed and (or) stored on media of varying confidentiality levels. The group contains two classes: 2B and 2A.

The first group covers multi-user AS in which information of different confidentiality levels is processed and (or) stored simultaneously and not all users have the right to access all AS information. The group contains five classes: 1D, 1G, 1V, 1B and 1A.
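The grouping rules above and the requirement marks of Table 2 are easiest to apply as a small gap analysis: decide the group from the three defining characteristics, then list what a chosen class demands that the assessed system does not yet implement. The following is an added example written for this page, not code from the guiding document; the requirement labels are shortened, and the masks encode the “+”/“-” marks of Table 2 in its column order (3B 3A 2B 2A 1D 1G 1V 1B 1A). The `group_for` helper deliberately covers only the three group descriptions given in the text and rejects any other combination.

```python
"""Gap analysis against the nine AS security classes (added example for this page)."""
from __future__ import annotations

CLASSES = ["3B", "3A", "2B", "2A", "1D", "1G", "1V", "1B", "1A"]
GROUPS = {"third": CLASSES[0:2], "second": CLASSES[2:4], "first": CLASSES[4:9]}


def _classes(mask: str) -> frozenset[str]:
    """Turn a 9-character '+'/'-' mask (table column order) into the set of classes."""
    if len(mask) != len(CLASSES):
        raise ValueError("mask must have one character per class")
    return frozenset(c for c, m in zip(CLASSES, mask) if m == "+")


# Shortened requirement labels; masks transcribe Table 2 row by row.
REQUIREMENTS: dict[str, frozenset[str]] = {
    "1.1a I&A of subjects into the system":                _classes("+++++++++"),
    "1.1b I&A to terminals, nodes, channels, devices":     _classes("---+-++++"),
    "1.1c I&A to programs":                                _classes("---+-++++"),
    "1.1d I&A to volumes, directories, files, records":    _classes("---+-++++"),
    "1.2 Information flow management":                     _classes("---+--+++"),
    "2.1a Log entry/exit of subjects":                     _classes("+++++++++"),
    "2.1b Log printed output documents":                   _classes("-+-+-++++"),
    "2.1c Log program/process start and end":              _classes("---+-++++"),
    "2.1d Log program access to devices and objects":      _classes("---+-++++"),
    "2.1e Log changes of subject authority":               _classes("------+++"),
    "2.1f Log creation of protected objects":              _classes("---+--+++"),
    "2.2 Accounting for storage media":                    _classes("+++++++++"),
    "2.3 Clearing freed RAM and storage areas":            _classes("-+-+-++++"),
    "2.4 Signalling of attempted violations":              _classes("------+++"),
    "3.1 Encryption of confidential information":          _classes("---+---++"),
    "3.2 Separate keys per subject or group":              _classes("--------+"),
    "3.3 Certified cryptographic tools":                   _classes("---+---++"),
    "4.1 Integrity of software and processed information": _classes("+++++++++"),
    "4.2 Physical security of equipment and media":        _classes("+++++++++"),
    "4.3 Information security administrator or service":   _classes("---+--+++"),
    "4.4 Periodic testing of the protection system":       _classes("+++++++++"),
    "4.5 Means of restoring the protection system":        _classes("+++++++++"),
    "4.6 Certified protection tools":                      _classes("-+-+--+++"),
}


def group_for(multi_user: bool, mixed_levels: bool, equal_rights: bool) -> str:
    """Map the defining characteristics to the group described in the text.

    third:  one user, all information at a single confidentiality level;
    second: users have equal rights to all information, media of varying levels;
    first:  multi-user, varying levels, and not every user may access everything.
    """
    if not multi_user and not mixed_levels:
        return "third"
    if mixed_levels and equal_rights:
        return "second"
    if multi_user and mixed_levels and not equal_rights:
        return "first"
    raise ValueError("combination not covered by the three group descriptions")


def required_for(as_class: str) -> list[str]:
    """All requirements marked '+' for the class, in table order."""
    if as_class not in CLASSES:
        raise ValueError(f"unknown class {as_class!r}")
    return [req for req, classes in REQUIREMENTS.items() if as_class in classes]


def missing_requirements(as_class: str, implemented: set[str]) -> list[str]:
    """Requirements the class demands that the assessed system has not implemented."""
    return [req for req in required_for(as_class) if req not in implemented]


def hierarchy_holds() -> bool:
    """Verify the stated property: within a group, each higher class requires
    everything the class below it requires."""
    for classes in GROUPS.values():
        for lower, higher in zip(classes, classes[1:]):
            if not set(required_for(lower)) <= set(required_for(higher)):
                return False
    return True


if __name__ == "__main__":
    # Multi-user, mixed levels, differentiated access: first group. The exact
    # class (1D..1A) depends on the value of the information, so the assessor picks it.
    print("group:", group_for(multi_user=True, mixed_levels=True, equal_rights=False))
    implemented = set(required_for("1G"))           # a system built to class 1G...
    for req in missing_requirements("1V", implemented):
        print("1V additionally requires:", req)     # ...and what moving to 1V adds
    print("hierarchy holds:", hierarchy_holds())
```

Running the script shows the six controls that separate class 1G from 1V (flow control, logging of authority changes and of object creation, violation signalling, a protection service, certified tools), which is the practical meaning of the “hierarchy of requirements” within the first group.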

Conclusions on the topic

  1. In the Russian Federation, information security is ensured by compliance with Presidential Decrees, federal laws, decrees of the Government of the Russian Federation, governing documents of the State Technical Commission of Russia and other regulatory documents.

  2. The standards in the field of information security in the Russian Federation are the governing documents of the State Technical Commission of Russia, one of the tasks of which is “carrying out a unified state policy in the field of technical information security.”

  3. When developing national standards, the State Technical Commission of Russia is guided by the “General Criteria”.

  4. The guiding document “SVT. Protection from unauthorized access to information. Indicators of security from unauthorized access to information” establishes a classification of computer equipment (SVT) according to its level of protection against unauthorized access to information, based on a list of security indicators and the set of requirements describing them. This evaluation standard establishes seven classes of SVT security from unauthorized access to information. The lowest class is the seventh, the highest is the first. The classes are divided into four groups that differ in their level of protection.

    The guiding document “AS. Protection from unauthorized access to information. AS classification and information protection requirements” establishes a classification of automated systems subject to protection from unauthorized access to information and requirements for the protection of information in automated systems of the various classes. The defining characteristics by which AS are grouped into classes are:

  • the presence in the AS of information of varying levels of confidentiality;

  • level of authority of AS access subjects to access confidential information;

  • mode of data processing in the AS - collective or individual.

    The guiding document “SVT. Firewalls. Protection from unauthorized access to information. Indicators of security from unauthorized access to information” is the main document for analyzing the protection system of a corporate network's external perimeter. It defines the security indicators of firewalls. Each security indicator is a set of security requirements that characterize a specific area of firewall operation. There are five security indicators in total:

  • access control;

  • identification and authentication;

  • event registration and notification;

  • integrity control;

  • restoration of performance.

Control questions:

  1. How many classes of SVT security from unauthorized access to information are established by the guiding document “SVT. Protection from unauthorized access to information. Indicators of security from unauthorized access to information”?

    GOST R 53113.1-2008 Information technology (IT). Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions

    Document type: GOST R
    Document number: 53113.1-2008
    Adopting authority: Rosstandart
    Status: Active
    Date of adoption: December 18, 2008
    Effective from: October 1, 2009
    Revision date: October 1, 2018

    GOST R 53113.1-2008

    Group T00

    NATIONAL STANDARD OF THE RUSSIAN FEDERATION

    Information technology

    PROTECTION OF INFORMATION TECHNOLOGIES AND AUTOMATED SYSTEMS FROM INFORMATION SECURITY THREATS USING COVERT CHANNELS

    Part 1

    General provisions

    Information technology. Protection of information technologies and automated systems against security threats posed by use of covert channels. Part 1. General principles

    OKS 35.040

    Date of introduction 2009-10-01

    Preface

    1 DEVELOPED by Limited Liability Company "Cryptocom"

    2 INTRODUCED by the Federal Agency for technical regulation and metrology

    3 APPROVED AND ENTERED INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology dated December 18, 2008 N 531-st

    4 INTRODUCED FOR THE FIRST TIME

    5 REPUBLICATION. October 2018


    The rules for the application of this standard are established in Article 26 of the Federal Law of June 29, 2015 N 162-FZ "On Standardization in the Russian Federation". Information about changes to this standard is published in the annual (as of January 1 of the current year) information index "National Standards", and the official text of changes and amendments is published in the monthly information index "National Standards". In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the next issue of the monthly information index "National Standards". Relevant information, notices and texts are also posted in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet (www.gost.ru)

    Introduction

    The development, implementation and use of distributed information systems and technologies, and the use of imported software and hardware platforms without design documentation, have led to the emergence of a class of information security (IS) threats associated with the use of so-called covert information channels, “invisible” to traditional information security tools.

    Traditional information security tools, such as access control tools, firewalls, and intrusion detection systems, control only information flows that pass through channels intended for their transmission. The possibility of exchanging information outside this framework through covert channels (CC) is not taken into account.

    In systems that require an increased level of trust, security threats arising from the possibility of unauthorized action via CCs must be taken into account.

    The danger of CCs to information technologies (IT), automated systems (AS) and other assets of the organization stems from the fact that protection tools do not control such information flows, which can lead to information leakage, violate the integrity of information resources and software in computer systems, or create other obstacles to the operation of IT.

    To ensure the protection of information processed in the automated system, it is necessary to identify and neutralize all possible information channels of unauthorized action - both traditional and hidden.

    This standard is part of a series of interrelated standards, united by the common name "Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels", including:

    - general provisions;

    - recommendations for organizing the protection of information, IT and AS from attacks using CCs.

    The general provisions define the tasks to be solved when analyzing CCs, describe the classification of CCs and give a classification of assets according to the degree of danger of attacks using CCs.

    An essential aspect of the security of IT and AS systems is trust in the security systems. Ensuring trust is carried out through in-depth analysis or examination of software and hardware products from the point of view of their security. In many cases, this analysis is difficult due to the lack of source data for its implementation, that is, source codes, design and test documentation, which results in threats to information resources that can be implemented using unknown software and hardware systems and through interfaces of interacting software and hardware products.

    The requirements for assurance of information security are established in GOST R ISO/IEC 15408-3, according to which mandatory analysis of CCs is required for systems with an evaluation assurance level (EAL) of EAL5 and above. When hardware and software products from foreign manufacturers are used in the absence of design documentation, test documentation and source code, it is impossible to guarantee the absence of potentially malicious components, whether included on purpose or arising accidentally (for example, a software vulnerability). Thus, in the Russian Federation the requirement to analyze CCs is a necessary condition for the safe operation of systems that process valuable information or use imported hardware and software, including systems with an EAL below EAL5.

    The recommendations for organizing the protection of information, IT and AS from attacks using CCs define the procedure for searching for CCs and countering them.

    This standard was developed as a development of GOST R ISO/IEC 15408-3, GOST R ISO/IEC 27002 (regarding measures to counter information security threats implemented using covert channels) and.

    1 Scope

    This standard establishes the classification of CCs and defines the tasks to be solved during CC analysis, which is a necessary component for determining the further procedure for organizing the protection of information from attacks using CCs; it also establishes the procedure for conducting CC analysis of IT and AS products and systems, the results of which are used when assessing assurance in information systems and IT protection measures.

    This standard is intended for customers, developers and users of IT when formulating requirements for the development, acquisition and use of IT products and systems intended to process, store or transmit information that is subject to protection in accordance with regulatory documents or requirements established by the owner of the information. It is also intended for certification bodies and testing laboratories when conducting security assessments and certification of IT and AS, as well as for analytical units and security services when comparing threats to valuable information assets with the potential for damage via CCs.

    2 Normative references

    This standard uses normative references to the following standards:

    GOST R ISO/IEC 15408-3 Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance components

    GOST R ISO/IEC 27002 Information technology. Methods and means of ensuring security. Set of norms and rules for information security management

    Note - When using this standard, it is advisable to check the validity of the reference standards in the public information system (on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet) or using the annual information index "National Standards" published as of January 1 of the current year and the issues of the monthly information index "National Standards" for the current year. If a reference standard to which an undated reference is given is replaced, it is recommended that the current version of that standard be used, taking into account all changes made to it. If a reference standard to which a dated reference is given is replaced, it is recommended to use the version of that standard with the year of approval (adoption) indicated above. If, after the approval of this standard, a change affecting the referenced provision is made to a reference standard to which a dated reference is given, it is recommended that that provision be applied without regard to the change. If the reference standard is cancelled without replacement, the provision in which the reference is given is recommended to be applied in the part that does not affect this reference.

    3 Terms and definitions

    The following terms with corresponding definitions are used in this standard:

    3.1 automated system: A system consisting of personnel and a set of tools that automate their activities, which implements information technology to perform established functions.

    3.2 violator's agent: A person, software, firmware or hardware acting in the interests of the violator.

    3.3 assets: Anything that has value to an organization and is in its possession.

    Note: An organization's assets may include:

    - computing, telecommunications and other resources;

    - information assets, incl. various types of information in the following phases of their life cycle: generation (creation), processing, storage, transmission, destruction;

    - products and services provided to third parties.

    3.4 blocking access (to information): Termination or obstruction of legitimate users' access to information.

    3.5 malware: A program designed to provide unauthorized access and (or) influence on information or resources of an information system.

    3.6 covert channel analysis depth: The degree of variation in complexity of the means used to identify the covert channel and its characteristics.

    3.7 confidence assurance: The basis for confidence that an object meets security objectives.

    3.8 covert channel identification: Identifying the possibility of the existence of a hidden channel and determining its place in the classification.

    3.9 restricted information: A type of information to which access is limited and the disclosure of which may harm the interests of other persons, society and the state.

    3.10 information security: All aspects related to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or the means of processing it.

    3.11 Information system: An organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer technology and communications that implement information processes.

    Note - Information systems are designed to store, process, search, distribute, transmit and provide information.

    3.12 information technology: Techniques, methods and means of using computer technology to perform the functions of collecting, storing, processing, transmitting and using data.

    3.13 information object: A program element containing pieces of information circulating in the program.

    Note - Depending on the programming language, variables, arrays, records, tables, files, fragments of random access memory and so on can act as information objects.

    3.14 information flow: The process of interaction between the source of information and its recipient.

    Note - An information flow can be permitted or unauthorized. An information flow between objects X and Y exists if the average mutual information I(X, Y) is greater than 0. A mathematical model of an information flow can be defined as a finite state machine in which the source of the message feeds an input word to the machine and the recipient of the message sees the machine's output sequence.

    3.15 exhaustive covert channel analysis: An analysis that requires the presentation of additional evidence showing that the covert channel identification plan is sufficient to establish that all possible covert channel investigations have been tried.

    3.16 key: A specific secret state of some parameters of a cryptographic data transformation algorithm, ensuring the selection of one transformation from a set of all possible transformations for a given algorithm.

    3.17 communication channel: A set of information carriers that deliver a message from a source to a receiver.

    3.18 critical objects: Objects, the disruption or cessation of operation of which leads to loss of control, destruction of infrastructure, irreversible negative change or destruction of the economy of a country, subject or administrative-territorial unit, or to a significant deterioration in the safety of life of the population living in these territories for a long period of time.

    3.19 information transfer mechanism: An implemented method of transmitting information from the sender to the recipient.

    3.20 information modification: Purposeful change in the form of presentation and content of information.

    3.21 information security violator (adversary): An individual (subject) who accidentally or intentionally commits actions that result in a violation of the security of information processed by technical means in information systems.

    3.22 unauthorized access to information: Access to information, or actions with information, that violate the access control rules using the standard means provided by computer equipment or automated systems.

    Note - Access to an object also includes access to the information contained in it.

    3.23 object: A passive component of a system that stores, receives or transmits information.

    3.24 hazard assessment: Determining the degree of possible destructive impact.

    3.25 evaluation assurance level (EAL): A package of assurance components representing a point on the predefined assurance scale.

    Note - The package of trust components is determined in accordance with the requirements of GOST R ISO/IEC 15408-3.

    3.26 access password (password): An identifier of the access subject that is the subject's secret.

    3.27 Personal Information: Any information relating to an individual identified or determined on the basis of such information (subject of personal data).

    Note - Last name, first name, patronymic, year, month, date and place of birth of the subject of personal data, as well as address, family, social, property status, education, profession, income and other information can be used as personal data.

    3.28 information security policy: A set of documented rules, procedures, practices or guidelines in the field of information security that guide an organization's activities.

    3.29 product: A set of software, firmware and/or information technology hardware that provides specific functionality and is intended for direct use or for inclusion in various systems.

    3.30 covert channel capacity: The amount of information that can be transmitted over a covert channel per unit of time or relative to some other scale of measurement.

    3.31 system: A specific embodiment of information technology with a specific purpose and operating conditions.

    3.32 systematic covert channel analysis: Analysis in which the designer of information technology and automated systems must identify covert channels in a structured and repeatable manner, as opposed to identifying covert channels in an ad hoc way applicable only to a particular situation.

    NOTE Covert channels are usually identified in accordance with the security plan.

    3.33 covert channel: A communication channel not intended by the developer of the information technology and automated system that can be used to violate the security policy.

    3.34 transmission medium: Physical implementation of the information transfer process.

    3.35 subject: An active component of a system, usually represented by a user, process or device, that can cause information to flow from object to object or change the state of the system.

    3.36 security threat(threat): A set of conditions and factors that create a potential or actual danger associated with information leakage and/or unauthorized and/or unintentional impacts on it.

    3.37 authorized user(authorized user): A user who is authorized by security policy to perform an operation.

    3.38 damage: Negative consequences arising from damage to assets.

    3.39 vulnerability: A property of a system that can be used to violate the information security of an information technology system and automated systems.

    4 General provisions

    4.1 This standard defines the following procedure for determining the degree of danger of CCs to an organization's assets and for identifying and countering CCs:

    - classification of assets depending on the degree of danger of attacks using CCs, taking into account possible security threats to the assets;

    - determining the required depth of CC analysis depending on the type of assets;

    - conducting CC analysis, which includes the following tasks:

    identification (detection) of CCs,

    assessment of CC capacity and assessment of the danger posed by their covert operation;

    - measures to protect against threats implemented using CCs, including the following tasks:

    making decisions on the implementation of protective measures to counter the identified security threats,

    countering the operation of CCs, up to and including their elimination.

    4.2 The classification of protected assets depending on the degree of danger of attacks using CCs is given in Section 7.

    4.3 The depth of CC analysis is determined by the value of the assets, that is, by the damage that can be caused by security threats implemented using CCs, i.e. by the risks arising from the presence of these threats. The classification of such threats is given in Section 6.

    4.4 Identification of a CC determines the subjects (source and recipient) between whom the CC can potentially exist, the parameters whose manipulation transmits the information, the parameters whose variation allows the information to be read, the information transmission medium, and the logical conditions under which the information is transmitted. CCs can be identified both during system development, by examining potential leakage or exposure channels, and during system operation, by observing signs that indicate the presence of CCs. In the latter case, CCs are identified by monitoring system parameters. The information security documentation should state which classes of CCs can be identified using the monitoring tools employed.

    4.5 The capacity of identified CCs is assessed using formal, technical or modeling methods.

    4.6 When making decisions on the implementation of protective measures to counter security threats implemented using CCs, the possible risk of damage to the organization's assets must be taken into account; this risk is also related to the capacity of the CC.

    4.7 Dangerous CCs can be countered using the following means and methods:

    - building an IT or AS architecture that blocks CCs or makes their capacity so low that the channels become harmless. This method is applied at the IT or AS design stage;

    - using technical means that block CCs or reduce their capacity below a given level;

    - using software and hardware tools that detect the operation of dangerous CCs during system operation. Detecting signs of CC operation may make it possible to block their impact on information resources;

    - applying organizational and technical measures to eliminate CCs or reduce their capacity to a safe value.

    5 Classification of covert channels

    5.1 According to the information transmission mechanism, CCs are divided into:

    - memory-based CCs;

    - time-based CCs;

    - covert statistical channels.

    5.2 Memory-based CCs rely on the presence of memory into which the transmitting subject writes information and from which the receiving subject reads it.

    The concealment of memory-based channels is due to the fact that an outside observer does not know the place in memory where the hidden information is written.

    Memory-based CCs use memory resources, but the way the memory is used was not anticipated by the developers of the protection system and therefore cannot be detected by the protection tools in use.

    5.3 Time-based CCs assume that the subject transmitting information uses it to modulate some time-varying process, and the subject receiving the information is able to demodulate the transmitted signal by observing the information-carrying process over time. For example, in a multitasking operating system (OS) the CPU is an information and computing resource shared by application programs. By modulating CPU time, applications can transfer illegal data to each other.

    5.4 A covert statistical channel transmits information by changing the parameters of the probability distributions of any system characteristics that can be considered random and described by probabilistic-statistical models.

    The secrecy of such channels is based on the fact that the recipient of the information has less uncertainty in determining the distribution parameters of the observed system characteristics than an observer who has no knowledge of the structure of the CC.

    For example, the appearance of a real but unlikely combination in a sent packet within a given period of time may signal a failure in the computer system.

    5.5 Memory-based CCs, in turn, are divided into:

    - CCs based on hiding information in structured data;

    - CCs based on hiding information in unstructured data.

    5.6 CCs based on hiding information in structured data embed data into information objects with a formally described structure and formal processing rules. For example, the internal file format used by modern word processors contains a number of fields that are not displayed when the file is edited, so they can be used to insert hidden information.

    5.7 CCs based on hiding information in unstructured data embed data in information objects without regard to a formally described structure (for example, writing hidden information into the least significant bits of an image, which does not lead to visible image distortion).

    5.8 According to capacity, CCs are divided into:

    - low-capacity channels;

    - high-capacity channels.

    5.9 A CC is a low-capacity channel if its capacity is sufficient to transmit valuable information objects of minimal volume (for example, cryptographic keys or passwords) or commands over the period of time during which the transfer is relevant.

    5.10 A CC is a high-capacity channel if its capacity allows the transmission of medium-sized and large information objects (for example, text files, images, databases) over the period of time during which these information objects are valuable.

    To solve complex problems, a combination of CCs based on different transmission mechanisms can be used.
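The definitions above can be exercised end to end: 3.14 says a flow between X and Y exists if the mutual information I(X, Y) exceeds 0, 4.4 and 4.5 call for identifying a CC by monitoring system parameters and then assessing its capacity, and 5.9 and 5.10 judge that capacity against the size of the object and the time during which its transfer is still relevant. The block below is an added example written for this page, not code from GOST R 53113.1-2008. It estimates I(X, Y) from constructed observations of the CPU timing channel of 5.3 (sender bit versus the latency bucket a monitoring probe measures), compares it with a constructed benign baseline, and turns the estimate into an achievable rate. The symbol rate, the detection threshold and all sample data are assumptions made for the example.

```python
"""Covert channel identification and capacity estimate via mutual information.

Added example for this page (not part of GOST R 53113.1-2008). All observations
are constructed; the symbol rate and threshold are assumptions.
"""
from __future__ import annotations

import random
from collections import Counter
from math import log2


def mutual_information(pairs: list[tuple]) -> float:
    """Empirical I(X;Y) in bits from (x, y) observation pairs."""
    n = len(pairs)
    if n == 0:
        raise ValueError("no observations")
    px = Counter(x for x, _ in pairs)
    py = Counter(y for _, y in pairs)
    pxy = Counter(pairs)
    return sum(
        (c / n) * log2((c / n) / ((px[x] / n) * (py[y] / n)))
        for (x, y), c in pxy.items()
    )


def timing_channel_samples(n: int, error_rate: float, seed: int = 1) -> list[tuple[int, str]]:
    """Constructed observations of a timing channel (5.3): the sending process keeps
    the shared CPU busy to signal a 1, so the monitoring probe usually measures
    'slow'; unrelated load flips the measurement with probability error_rate."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        bit = rng.randint(0, 1)
        seen = "slow" if bit == 1 else "fast"
        if rng.random() < error_rate:
            seen = "fast" if seen == "slow" else "slow"
        out.append((bit, seen))
    return out


def benign_samples(n: int, seed: int = 2) -> list[tuple[int, str]]:
    """Constructed baseline: probe latency independent of the suspect process."""
    rng = random.Random(seed)
    return [(rng.randint(0, 1), rng.choice(["fast", "slow"])) for _ in range(n)]


def flow_exists(pairs: list[tuple], threshold: float = 0.05) -> bool:
    """3.14: a flow exists if I(X;Y) > 0. The empirical estimate is biased upward
    for finite samples, so a small analyst-chosen threshold (assumption) replaces 0."""
    return mutual_information(pairs) > threshold


def capacity_bits_per_second(pairs: list[tuple], symbols_per_second: float) -> float:
    """Achievable rate (a lower bound on capacity): bits per symbol times symbol rate."""
    return mutual_information(pairs) * symbols_per_second


def sufficient_for_object(bps: float, object_bits: int, relevance_seconds: float) -> bool:
    """5.9/5.10 test: can an object of object_bits be moved while the transfer is relevant?"""
    return bps * relevance_seconds >= object_bits


if __name__ == "__main__":
    covert = timing_channel_samples(2000, error_rate=0.1)
    benign = benign_samples(2000)
    print("covert flow detected:", flow_exists(covert))
    print("benign flow detected:", flow_exists(benign))
    bps = capacity_bits_per_second(covert, symbols_per_second=10)  # assumed 10 symbols/s
    print(f"estimated achievable rate: {bps:.2f} bit/s")
    # A 256-bit key that is only useful for the next minute: a low-capacity channel suffices.
    print("256-bit key within 60 s:", sufficient_for_object(bps, 256, 60))
    # A 1 MiB document needed within the same minute: this channel is far too slow.
    print("1 MiB file within 60 s:", sufficient_for_object(bps, 8 * 1024 * 1024, 60))
```

With a 10% observation error the estimate lands near 0.53 bit per symbol, so at ten symbols per second the channel carries about 5 bit/s: enough to move a key or a short command within a minute, which is exactly why 5.9 treats even a low-capacity channel as dangerous, while a document-sized object would need a high-capacity channel. The same estimator applied to system parameters that should be independent of a suspect process is the monitoring check 4.4 describes.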

    6 Classification of security threats implemented using covert channels

    6.1 Security threats that can be implemented using CCs include:

    - injection of malware and data;

    - the attacker issuing commands to an agent for execution;

    - leakage of cryptographic keys or passwords;

    - leakage of individual information objects.

    6.2 The implementation of these threats may lead to:

    - violation of the confidentiality of information assets;

    - disruption of IT and AS functionality;

    - blocking access to resources;

    - violation of the integrity of data and software.

    6.3 The systems most susceptible to attacks using CS are:

    - multi-user distributed systems;

    - systems with access to global networks;

    - systems using cryptographic security measures;

    - systems that use a multi-level (mandatory) access control policy;

    - systems in which software and hardware agents cannot be detected (due to the use of software and hardware with inaccessible source code and due to the lack of design documentation).

    6.4 The relationship between threats implemented using CS and types of CS depending on their throughput is shown in Table 1.


    Table 1 - Relationship between threats implemented through covert channels and types of covert channels depending on their capacity

    Threat implemented through covert channels           | Covert channels with low bandwidth | Covert channels with high bandwidth
    Injection of malware and data                        | -                                  | +
    An attacker sending commands to an agent to execute  | +                                  | +
    Leakage of cryptographic keys or passwords           | +                                  | +
    Leakage of individual information objects            | -                                  | +

    Note - The "+" sign means that there is a connection between the threat and the corresponding type of covert channel; the "-" sign means that there is no such connection.

    7 Classification of assets according to the degree of danger of attacks using covert channels

    7.1 Depending on the degree of danger of attacks using CS, the protected assets of the organization are divided into the following classes:

    1st class - assets containing information whose degree of susceptibility to attacks implemented using covert channels is determined by the owner.

    2nd class - assets containing restricted-access information or personal data that are processed in systems with technical interfaces to open networks or public-access computer systems, or in computer systems that do not provide protection against leakage through technical channels.

    3rd class - assets containing information constituting a state secret.

    7.2 In addition, there is a special class of assets that are vulnerable to threats carried out using low-bandwidth CS. This group includes:

    Class A - assets related to the operation of critical facilities. For example, a command capable of triggering a destructive effect on such a facility can be transmitted via a low-bandwidth CS.

    Class B - assets containing key/password information, including keys of cryptographic information protection systems and passwords for access to other assets. For example, a leak of key/password information via a CS can jeopardize the functioning of the entire information system.

    Bibliography

    Guiding document.
    State Technical Commission of Russia

    Keywords: covert channels, analysis of covert channels, classification of covert channels, attacks using covert channels, security threats implemented using covert channels, classification of assets according to the degree of danger of attacks using covert channels



    Electronic document text prepared by Kodeks JSC and verified against the official publication: M.: Standartinform, 2018

    GOST R 53113.1-2008 Information technology (IT). Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions

    Document number: 53113.1-2008
    Document type: GOST R
    Receiving authority: Rosstandart
    Status: Active
    Published: Official publication. M.: Standartinform, 2018
    Acceptance date: December 18, 2008
    Start date: October 01, 2009
    Revision date: October 01, 2018

    GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions

    Status: Valid

    FEDERAL AGENCY FOR TECHNICAL REGULATION AND METROLOGY

    NATIONAL STANDARD OF THE RUSSIAN FEDERATION

    GOST R 53114-2008

    Data protection

    ENSURING INFORMATION SECURITY IN THE ORGANIZATION

    Basic terms and definitions

    Official publication

    Standartinform

    Preface

    The goals and principles of standardization in the Russian Federation are established by Federal Law No. 184-FZ of December 27, 2002 “On Technical Regulation”, and the rules for applying national standards of the Russian Federation by GOST R 1.0-2004 “Standardization in the Russian Federation. Basic provisions”.

    Standard information

    1 DEVELOPED by the Federal State Institution “State Research Testing Institute for Problems of Technical Information Security of the Federal Service for Technical and Export Control” (FGU “GNIIII PTZI FSTEC of Russia”) and the Limited Liability Company “Research and Production Company “Kristall”” (OOO NPF “Kristall”)

    2 INTRODUCED by the Department of Technical Regulation and Standardization of the Federal Agency for Technical Regulation and Metrology

    3 APPROVED AND ENTERED INTO EFFECT by order of the Federal Agency for Technical Regulation and Metrology dated December 18, 2008 No. 532-st

    4 INTRODUCED FOR THE FIRST TIME

    Information about changes to this standard is published in the annually published information index “National Standards” and the text of changes and amendments is published in the monthly published information index “National Standards”. In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the monthly published information index “National Standards”. Relevant information, notifications and texts are also posted in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet

    © Standartinform, 2009

    This standard cannot be fully or partially reproduced, replicated or distributed as an official publication without permission from the Federal Agency for Technical Regulation and Metrology

    Contents

    1 Scope

    2 Normative references

    3 Terms and definitions

    3.1 General concepts

    3.2 Terms related to the object of information protection

    3.3 Terms related to information security threats

    3.4 Terms related to organizational information security management

    3.5 Terms related to the control and assessment of an organization's information security

    3.6 Terms related to the information security controls of an organization

    Alphabetical index of terms

    Appendix A (for reference) Terms and definitions of general technical concepts

    Appendix B (for reference) Interrelation of basic concepts in the field of information security in an organization

    Bibliography


    Introduction

    The terms established by this standard are arranged in a systematic order, reflecting the system of concepts in this field of knowledge.

    There is one standardized term for each concept.

    The presence of square brackets in a terminology article means that it includes two terms that have common term elements. These terms are listed separately in the alphabetical index.

    The part of a term enclosed in parentheses may be omitted when using the term in standardization documents, while the part of the term not included in parentheses forms its short form. Following the standardized terms are their short forms, separated by semicolons, represented by abbreviations.

    The given definitions can be changed if necessary by introducing derived characteristics into them, revealing the meanings of the terms used in them or indicating the objects included in the scope of the defined concept.

    Changes must not affect the scope and content of the concepts defined in this standard.

    Standardized terms are set in bold; their short forms, including abbreviations, are set in light type in the text and in the alphabetical index; synonyms are set in italics.

    Terms and definitions of general technical concepts necessary for understanding the text of the main part of this standard are given in Appendix A.

    NATIONAL STANDARD OF THE RUSSIAN FEDERATION

    Data protection

    ENSURING INFORMATION SECURITY IN THE ORGANIZATION

    Basic terms and definitions

    Protection of information. Information security provision in organization. Basic terms and definitions

    Date of introduction - 2009-10-01

    1 Scope

    This standard establishes the basic terms used when carrying out standardization work in the field of information security in an organization.

    The terms established by this standard are recommended for use in regulatory documents, legal, technical and organizational and administrative documentation, scientific, educational and reference literature.

    This standard is applied in conjunction with GOST 34.003, GOST 19781, GOST R 22.0.02, GOST R 51897, GOST R 50922, GOST R 51898, GOST R 52069.0, GOST R 51275, GOST R ISO 9000, GOST R ISO 9001, GOST R ISO 14001, GOST R ISO/IEC 27001, GOST R ISO/IEC 13335-1, [2].

    The terms given in this standard comply with the provisions of the Federal Law of the Russian Federation of December 27, 2002 No. 184-FZ “On Technical Regulation” [3], the Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”, the Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ “On Personal Data”, and the Information Security Doctrine of the Russian Federation, approved by the President of the Russian Federation on September 9, 2000, Pr-1895.

    2 Normative references

    GOST R 22.0.02-94 Safety in emergency situations. Terms and definitions of basic concepts

    GOST R ISO 9000-2001 Quality management systems. Fundamentals and Vocabulary

    GOST R ISO 9001-2008 Quality management systems. Requirements

    GOST R ISO 14001-2007 Environmental management systems. Requirements and instructions for use

    GOST R ISO/IEC 13335-1-2006 Information technology. Methods and means of ensuring security. Part 1. Concept and models of security management of information and telecommunication technologies

    GOST R ISO/IEC 27001-2006 Information technology. Methods and means of ensuring security. Information security management systems. Requirements

    GOST R 50922-2006 Information protection. Basic terms and definitions

    GOST R 51275-2006 Information protection. Information object. Factors influencing information. General provisions

    GOST R 51897-2002 Risk management. Terms and Definitions


    GOST R 51898-2003 Safety aspects. Rules for inclusion in standards

    GOST R 52069.0-2003 Information protection. System of standards. Basic provisions

    GOST 34.003-90 Information technology. Set of standards for automated systems. Automated systems. Terms and definitions

    GOST 19781-90 Software for information processing systems. Terms and Definitions

    Note - When using this standard, it is advisable to check the validity of the reference standards in the public information system (on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet) or according to the annually published information index “National Standards”, published as of January 1 of the current year, and the corresponding monthly information indexes published in the current year. If a reference standard is replaced (changed), then when using this standard you should be guided by the replacing (changed) standard. If a reference standard is cancelled without replacement, then the provision in which a reference to it is given applies to the part not affected by that reference.

    3 Terms and definitions

    3.1 General concepts

    3.1.1 security of information [data]: The state of security of information [data], in which its [their] confidentiality, availability and integrity are ensured.

    [GOST R 50922-2006, clause 2.4.5]

    3.1.2 information technology security: The state of security of information technology which ensures the security of the information processed with its use and the information security of the information system in which it is implemented.

    [R 50.1.056-2006, clause 2.4.5]

    3.1.3 information sphere: The totality of information, information infrastructure, subjects carrying out the collection, formation, dissemination and use of information, as well as the system for regulating the social relations that arise in this process.

    3.1.4 information infrastructure: A set of informatization objects that provides consumers with access to information resources.

    3.1.5 informatization object: A set of information resources, tools and information processing systems used in accordance with a given information technology, as well as support facilities, premises or facilities (buildings, structures, technical means) in which these tools and systems are installed, or premises and facilities intended for conducting confidential negotiations.

    [GOST R 51275-2006, clause 3.1]

    3.1.6 assets of the organization: Everything that is of value to the organization in the interests of achieving its goals and is at its disposal.

    Note - An organization's assets may include:

    - information assets, including various types of information circulating in the information system (service, management, analytical, business, etc.) at all stages of the life cycle (generation, storage, processing, transmission, destruction);

    - resources (financial, human, computing, information, telecommunications and others);

    - processes (technological, information, etc.);

    - manufactured products or services provided.


    3.1.7 information processing system resource: An information processing system facility that can be allocated to the data processing process for a certain time interval.

    Note - The main resources are processors, main memory areas, data sets, peripheral devices and programs.

    [GOST 19781-90, clause 93]

    3.1.8 information process: The process of creation, collection, processing, accumulation, storage, search, dissemination and use of information.

    3.1.9 information technology; IT: Processes and methods of searching, collecting, storing, processing, providing and disseminating information, and the ways of carrying out such processes and methods.

    [Federal Law of the Russian Federation of December 27, 2002 No. 184-FZ, Article 2, paragraph 2]

    3.1.10 technical support of the automated system; AS technical support: The totality of all technical means used in the operation of the AS.

    [GOST R 34.003-90, clause 2.5]

    3.1.11 automated system software; AS software: A set of programs on storage media and program documents intended for debugging, operating and testing the functionality of the AS.

    [GOST R 34.003-90, clause 2.7]

    3.1.12 information support of the automated system; AS information support: A set of document forms, classifiers, regulatory framework and implemented solutions on the volume, placement and forms of existence of information used in the AS during its operation.

    [GOST R 34.003-90, clause 2.8]

    3.1.13 service; service: The result of the performer's activities to satisfy the consumer's needs.

    Note - In an organization, an individual or a process can act as the performer (consumer) of a service.

    3.1.14 information technology services; IT services: The set of functional capabilities of information and, possibly, non-information technology provided to end users as a service.

    Note - Examples of IT services include messaging, business applications, file and print services, network services, etc.

    3.1.15 critical information infrastructure system; key information infrastructure system; FIAC: An information management or information telecommunication system that manages or provides information to a critical object or process, or is used to officially inform society and citizens, the disruption or interruption of whose functioning (as a result of destructive information influences, failures or faults) can lead to an emergency with significant negative consequences.

    3.1.16 critical object: An object or process, disruption of the continuity of whose operation could cause significant damage.


    Note - Damage may be caused to the property of individuals or legal entities, state or municipal property or the environment, as well as to the life or health of citizens.

    3.1.17 personal data information system: An information system that is a set of personal data contained in a database, together with the information technologies and technical means that allow the processing of such personal data with or without the use of automation tools.

    3.1.18 personal data: Any information relating to an individual identified or identifiable on the basis of such information (the personal data subject), including last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information.

    3.1.19 automated system in a protected design; AS in a protected design: An automated system that implements information technology to perform established functions in accordance with the requirements of standards and/or regulatory documents on information protection.

    3.2 Terms related to the object of information protection

    3.2.1 information security of the organization; IS of the organization: The state of protection of the organization's interests in the face of threats in the information sphere.

    Note - Security is achieved by ensuring a set of information security properties - confidentiality, integrity, availability of information assets and the organization's infrastructure. The priority of information security properties is determined by the significance of information assets for the interests (goals) of the organization.

    3.2.2 object of information protection: Information, an information carrier or an information process which must be protected in accordance with the purpose of protecting information.

    [GOST R 50922-2006, clause 2.5.1]

    3.2.3 protected process (information technology): A process used by information technology to process protected information with the required level of its security.

    3.2.4 violation of the organization's information security; violation of the organization's IS: Accidental or intentional unlawful action of an individual (subject, object) in relation to the organization's assets, the consequence of which is a violation of the security of information when it is processed by technical means in information systems, causing negative consequences (damage/harm) for the organization.

    3.2.5 emergency situation; emergency: A situation in a certain territory or water area that has developed as a result of an accident, a dangerous natural phenomenon, a catastrophe, a natural or other disaster, which may result in loss of life or human casualties, damage to human health or the environment, significant material losses and disruption of people's living conditions.

    Note - Emergency situations are distinguished by the nature of the source (natural, man-made, biological-social and military) and by scale (local, municipal, territorial, regional, federal and transboundary).

    [GOST R 22.0.02-94, clause 2.1.1]


    3.2.6 hazardous situation: Circumstances in which people, property or the environment are at risk.

    [GOST R 51898-2003, clause 3.6]

    3.2.7 information security incident: Any unexpected or unwanted event that may disrupt operations or information security.

    Note - Information security incidents include:

    - loss of services, equipment or devices;

    - system failures or overloads;

    - user errors;

    - violation of physical protection measures;

    - uncontrolled changes to systems;

    - software failures and hardware failures;

    - violation of access rules.

    [GOST R ISO/IEC 27001-2006, clause 3.6]

    3.2.8 event: The occurrence or presence of a certain set of circumstances.

    Notes

    1 The nature, likelihood and consequences of the event may not be fully known.

    2 An event can occur one or more times.

    3 The probability associated with an event can be estimated.

    4 An event may consist of the non-occurrence of one or more circumstances.

    5 An unpredictable event is sometimes called an "incident".

    6 An event in which no losses occur is sometimes called a prerequisite for an incident (incident), a dangerous condition, a dangerous combination of circumstances, etc.

    3.2.9 risk: The impact of uncertainties on the process of achieving goals.

    Notes

    1 Goals may have various aspects (financial, health, safety and environmental) and may be set at different levels: at the strategic level, across the organization, and at the project, product and process levels.

    3 Risk is often expressed in terms of a combination of the consequences of an event or change in circumstances and their likelihood.

    3.2.10 risk assessment: A process that combines risk identification, risk analysis and risk quantification.

    [GOST R ISO/IEC 13335-1-2006, clause 2.21]

    3.2.11 information security risk assessment (of the organization); information security risk assessment (organization): The overall process of identifying, analyzing and determining the acceptability of an organization's information security risk level.

    3.2.12 risk identification: The process of detecting, recognizing and describing risks.

    Notes

    1 Risk identification includes the identification of risk sources, events and their causes, as well as their possible consequences.

    2 Risk identification may draw on statistical data, theoretical analysis, informed views and expert opinions, and stakeholder needs.


    3.2.13 risk analysis: The systematic use of information to identify sources of risk and to quantify risk.

    [GOST R ISO/IEC 27001-2006, clause 3.11]

    3.2.14 risk acceptability determination: The process of comparing the results of a risk analysis with risk criteria to determine the acceptability or tolerability of the risk level.

    Note - Determining the acceptability of the level of risk helps in making risk treatment decisions.

    3.2.15 handling the organization’s information security risk; Organizational Information Security Risk Treatment: The process of developing and/or selecting and implementing measures to manage an organization's information security risks.

    Notes

    1 Risk treatment may include:

    - avoiding risk by deciding not to initiate or continue activities that create the conditions for risk;

    - seeking an opportunity by deciding to initiate or continue activities that may create or increase risk;

    - eliminating the source of risk;

    - changing the nature and magnitude of risk;

    - changing the consequences;

    - sharing risk with another party or parties;

    - retaining risk, either as a result of a conscious decision or “by default”.

    2 Risk treatments aimed at negative consequences are sometimes called risk mitigation, elimination, prevention, reduction, suppression and correction.

    3.2.16 risk management: Coordinated actions to direct and control the organization's activities in relation to risks.

    3.2.17 source of risk for the organization's information security; source of organizational information security risk: An object or action that can cause (create) a risk.

    Notes

    1 There is no risk if there is no interaction between an object, person or organization with the source of risk.

    2 The source of risk can be tangible or intangible.

    3.2.18 information security policy (of the organization); information security policy (organization): A formal statement of the information security rules, procedures, practices, or guidelines that guide an organization's activities.

    Note - A policy must contain:

    - the subject, main goals and objectives of the security policy;

    - the conditions for applying the security policy and possible restrictions;

    - a description of the position of the organization's management regarding the implementation of the security policy and the organization of the organization's information security regime as a whole;

    - the rights and duties of employees, as well as the degree of their responsibility, for compliance with the organization's security policy;

    - emergency procedures in case of a security policy violation.

    3.2.19 information security goal (of the organization); IS (organization) goal: A predetermined result of ensuring the information security of an organization in accordance with the established requirements in the IS (organization) policy.

    Note - The result of ensuring information security may be the prevention of damage to the information owner due to possible information leakage and (or) unauthorized and unintentional impact on information.

    3.2.20 system of documents on information security in the organization; system of information security documents in an organization: An ordered set of documents united by a common target orientation, interconnected on the basis of origin, purpose, type and scope of activity, subject to uniform requirements for their design, and regulating the organization's activities to ensure information security.


    3.3 Terms related to information security threats

    3.3.1 threat to the organization’s information security; information security threat to an organization: A set of factors and conditions that create a danger of a violation of an organization’s information security, causing or capable of causing negative consequences (damage/harm) for the organization.

    Notes

    1 The form of implementation (manifestation) of an information security threat is the occurrence of one or more interrelated information security events and information security incidents leading to violations of the information security properties of the organization's protected object(s).

    2 A threat is characterized by the presence of an object of threat, a source of threat and a manifestation of the threat.

    3.3.2 threat (information security): A set of conditions and factors that create a potential or actual danger of a violation of information security.

    [GOST R 50922-2006, clause 2.6.1]

    3.3.3 threat (information security) model: Physical, mathematical, descriptive representation of the properties or characteristics of information security threats.

    Note - A special regulatory document can be one form of descriptive representation of the properties or characteristics of information security threats.

    3.3.4 vulnerability (of information system); breach: A property of an information system that makes it possible to implement threats to the security of the information processed in it.

    Notes

    1 The condition for the implementation of a threat to the security of information processed in the information system may be a deficiency or weakness in the information system.

    2 If a vulnerability matches a threat, then there is a risk.

    [GOST R 50922-2006, clause 2.6.4]

    3.3.5 violator of the organization’s information security; organization's information security violator: An individual or logical entity that accidentally or intentionally committed an action, the consequence of which is a violation of the organization's information security.

    3.3.6 unauthorized access: Access to information or to resources of an automated information system carried out in violation of established access rights and (or) rules.

    Notes

    1 Unauthorized access may be intentional or unintentional.

    2 Rights and rules for access to information and information system resources are established for information processing, maintenance of the automated information system, changes to software, technical and information resources, and obtaining information about them.

    3.3.7 network attack: Actions using software and (or) hardware and using a network protocol, aimed at implementing threats of unauthorized access to information, influencing it or the resources of an automated information system.

    Note - A network protocol is a set of semantic and syntactic rules that determine the interaction of network management programs located on one computer with programs of the same name located on another computer.

    3.3.8 blocking access (to information): Termination or obstruction of access to information for persons entitled to it (legitimate users).

    3.3.9 denial of service attack: Network attack resulting in blocking information processes in an automated system.

    3.3.10 information leakage: Uncontrolled dissemination of protected information as a result of its disclosure, unauthorized access to information and receipt of protected information by foreign intelligence services.

    3.3.11 disclosure of information: Unauthorized communication of protected information to persons not authorized to access this information.


    3.3.12 interception (of information): Illegal receipt of information using a technical means that detects, receives and processes informative signals.

    [R 50.1.053-2005, clause 3.2.5]

    3.3.13 informative signal: A signal whose parameters can be used to determine the protected information.

    [R 50.1.053-2005, clause 3.2.6]

    3.3.14 undeclared capabilities: Functionality of computer hardware and software that is not described in the documentation, or does not correspond to what is described there, and which may lead to a reduction or violation of the security properties of information.

    3.3.15 spurious electromagnetic radiation and interference: Electromagnetic radiation of technical means of information processing, arising as a side effect and caused by electrical signals acting in their electrical and magnetic circuits, as well as electromagnetic interference from these signals on conductive lines, structures and power circuits.

    3.4 Terms related to organizational information security management

    3.4.1 information security management of the organization; management of the organization's information security: Coordinated actions for the leadership and management of the organization in terms of ensuring its information security in accordance with the changing conditions of the organization's internal and external environment.

    3.4.2 information security risk management of the organization; organization's information security risk management: Coordinated actions to guide and manage an organization in relation to information security risk in order to minimize it.

    NOTE The core processes of risk management are setting the context, assessing the risk, treating and accepting the risk, monitoring and reviewing the risk.

    3.4.3 information security management system; ISMS: Part of the overall management system, based on the use of business risk assessment methods, for the development, implementation, operation, monitoring, analysis, maintenance and improvement of information security.

    NOTE A management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

    [GOST R ISO/IEC 27001-2006, clause 3.7]

    3.4.4 the role of information security in the organization; role of information security in an organization: A set of specific functions and tasks for ensuring the information security of an organization that establish acceptable interaction between a subject and an object in an organization.

    Notes

    1 Subjects include persons from among the managers of the organization, its personnel, or processes initiated on their behalf to perform actions on objects.

    2 Objects can be hardware, software, software and hardware, or an information resource on which actions are performed.

    3.4.5 information security service of an organization: The organizational and technical structure of the information security management system of an organization that implements the solution of a specific task aimed at countering threats to the organization’s information security.

    3.5 Terms related to monitoring and assessing an organization's information security

    3.5.1 control over ensuring the information security of the organization; control of the organization's information security provision: Checking the compliance of information security provision in the organization.

    GOST R 53114-2008

    3.5.2 monitoring the organization’s information security; organization's information security monitoring: Constant monitoring of the information security process in the organization in order to establish its compliance with information security requirements.

    3.5.3 audit of the organization’s information security; audit of an information security organization: A systematic, independent and documented process of obtaining evidence of the organization’s activities to ensure information security and establishing the degree to which information security criteria are fulfilled in the organization, which also allows a professional audit judgment to be formed about the state of the organization’s information security.

    3.5.4 evidence (proof) of an organization’s information security audit; organization's information security audit data: Records, statements of fact, or other information that are relevant to the organization's information security audit criteria and can be verified.

    NOTE Information security evidence can be qualitative or quantitative.

    3.5.5 assessment of compliance of the organization’s information security with established requirements; assessment of compliance of an organization's information security with established requirements: Activities involved in directly or indirectly determining compliance or non-compliance with established information security requirements in an organization.

    3.5.6 criterion for auditing an organization’s information security; audit criterion of an information security organization: A set of principles, provisions, requirements and indicators of current regulatory documents related to the organization’s activities in the field of information security.

    NOTE Information security audit criteria are the reference against which information security audit evidence is compared.

    3.5.7 certification of an automated system in a secure design: The process of comprehensively verifying that an automated system for processing protected information performs its specified functions in compliance with the requirements of standards and/or regulatory documents in the field of information protection, and of preparing the documents confirming its compliance for performing the function of processing protected information at a specific informatization facility.

    3.5.8 criterion for ensuring the information security of the organization; organization's information security criterion: An indicator on the basis of which the degree of achievement of the organization's information security goal(s) is assessed.

    3.5.9 effectiveness of information security; effectiveness of information security: The relationship between the achieved result and the resources used to ensure a given level of information security.

    3.6 Terms related to an organization's information security controls

    3.6.1 ensuring the information security of the organization; providing an organization's information security: Activities aimed at eliminating (neutralizing, countering) internal and external threats to an organization's information security or minimizing damage from the possible implementation of such threats.

    3.6.2 security measure; security control: An established practice, procedure, or mechanism for handling risk.

    3.6.3 measures to ensure information security; information security measures: A set of actions aimed at the development and/or practical application of methods and means of ensuring information security.

    3.6.4 organizational measures to ensure information security; organizational measures to ensure information security: Measures to ensure information security, providing for the establishment of temporary, territorial, spatial, legal, methodological and other restrictions on the conditions of use and operating modes of an informatization object.

    3.6.5 technical means of ensuring information security; information security technical means: Equipment used to ensure the information security of an organization using non-cryptographic methods.

    Note - Such equipment can be represented by hardware and software built into the protected object and/or operating autonomously (independent of the protected object).


    3.6.6 intrusion detection tool; attack detection tool: A software or software-hardware tool that automates the process of monitoring events occurring in a computer system or network, and also independently analyzes these events in search of signs of an information security incident.

    3.6.7 means of protection against unauthorized access: Software, hardware or software and hardware designed to prevent or significantly hinder unauthorized access.


    Alphabetical index of terms

    organization assets 3.1.6
    risk analysis 3.2.13
    AS in a secure design 3.1.19
    denial of service attack 3.3.9
    network attack 3.3.7
    certification of an automated system in a secure design 3.5.7
    organization information security audit 3.5.3
    security (of data) 3.1.1
    information security 3.1.1
    information technology security 3.1.2
    organization information security 3.2.1
    blocking access (to information) 3.3.8
    breach 3.3.4
    undeclared capabilities 3.3.14
    personal data 3.1.18
    unauthorized access 3.3.6
    organizational information security 3.2.1
    risk identification 3.2.12
    information infrastructure 3.1.4
    information security incident 3.2.7
    source of organizational information security risk 3.2.17
    source of risk for the organization's information security 3.2.17
    control of the organization's information security 3.5.1
    control over the information security of the organization 3.5.1
    criteria for ensuring the organization's information security 3.5.8
    organizational IS audit criterion 3.5.6
    organization information security audit criterion 3.5.6
    criterion for ensuring information security of the organization 3.5.8
    organization information security management 3.4.1
    organization information security risk management 3.4.2
    security measure 3.6.2
    information security measures 3.6.3
    organizational information security measures 3.6.4
    organizational information security measures 3.4.6
    threat model (information security) 3.3.3
    organization information security monitoring 3.5.2
    monitoring of organization information security 3.5.2
    violation of the organization's information security 3.2.4
    organization information security violator 3.3.5
    violator of an organization's information security 3.3.5
    automated system information support 3.1.12
    automated system software 3.1.11
    technical support of the automated system 3.1.10
    AS information support 3.1.12
    AS software 3.1.11
    AS technical support 3.1.10
    ensuring the organization's information security 3.6.1
    ensuring the information security of the organization 3.6.1
    organization's information security risk treatment 3.2.15
    managing the organization's information security risk 3.2.15
    information protection object 3.2.2
    informatization object 3.1.5
    critical object 3.1.16
    determination of acceptable level of risk 3.2.14
    risk assessment 3.2.10
    IS risk assessment (organization) 3.2.11
    information security risk assessment (organization) 3.2.11
    assessing the organization's IS compliance with established requirements 3.5.5
    assessment of compliance of the organization's information security with established requirements 3.5.5
    interception (of information) 3.3.12
    IS policy (organization) 3.2.18
    information security policy (organization) 3.2.18
    protected process (information technology) 3.2.3
    information process 3.1.8
    disclosure of information 3.3.11
    information processing system resource 3.1.7
    role of information security in the organization 3.4.4
    evidence (proof) of an organization's IS audit 3.5.4
    evidence (proof) of an organization's information security audit 3.5.4
    service 3.1.13
    informative signal 3.3.13
    secure automated system 3.1.19
    information security document system in the organization 3.2.20
    system of documents on information security in the organization 3.2.20
    key information infrastructure system 3.1.15
    critical information infrastructure system 3.1.15
    information security management system 3.4.3
    personal data information system 3.1.17
    unforeseen situation 3.2.5
    dangerous situation 3.2.6
    emergency situation 3.2.5
    organization information security service 3.4.6
    event 3.2.8
    protection against unauthorized access 3.6.7
    technical information security tool 3.6.5
    attack detection tool 3.6.6
    intrusion detection tool 3.6.6
    information sphere 3.1.3
    information technology 3.1.9
    threat (information security) 3.3.2
    threat to the organization's information security 3.3.1
    risk management 3.2.16
    information technology services 3.1.14
    IT services 3.1.14
    information leak 3.3.10
    vulnerability (information system) 3.3.4
    IS goal (organization) 3.2.19
    information security goal (organization) 3.2.19
    spurious electromagnetic radiation and interference 3.3.15
    IS efficiency 3.5.9
    effectiveness of information security 3.5.9

    GOST R 53114-2008

    Appendix A (reference)

    Terms and definitions of general technical concepts

    A.1 organization: A group of workers and necessary resources with a distribution of responsibilities, powers and relationships.

    [GOST R ISO 9000-2001, clause 3.3.1]

    Notes

    1 Organizations include: company, corporation, firm, enterprise, institution, charitable organization, retail trade enterprise, association, as well as their subdivisions or a combination of them.

    2 The distribution is usually ordered.

    3 An organization can be public or private.

    A.2 business: Economic activity that produces profit; any type of activity that generates income and is a source of enrichment.

    A.3 business process: Processes used in the economic activities of an organization.

    A.4 information: Information (messages, data) regardless of the form of its presentation.

    A.5 assets: Everything that is of value to the organization.

    [GOST R ISO/IEC 13335-1-2006, clause 2.2]

    A.6 resources: Assets (of an organization) that are used or consumed during the execution of a process.

    Notes

    1 Resources can include such diverse items as personnel, equipment, fixed assets, tools, and utilities such as energy, water, fuel and communications network infrastructure.

    2 Resources can be reusable, renewable or consumable.

    A.7 danger: A property of an object that characterizes its ability to cause damage or harm to other objects.

    A.8 emergency event: An event leading to an emergency situation.

    A.9 damage: Physical damage or harm to human health or damage to property or the environment.

    A.10 threat: A set of conditions and factors that can cause a violation of integrity, availability or confidentiality.

    A.11 vulnerability: Internal properties of an object that create susceptibility to the effects of a risk source that can lead to some consequence.

    A.12 attack: An attempt to overcome the security system of an information system.

    NOTE The degree of “success” of an attack depends on the vulnerability and the effectiveness of the defense system.

    A.13 management: Coordinated activities for the direction and management of the organization.

    A.14 business (continuity) management: Coordinated management and control activities for the business processes of the organization.

    A.15 role: A predetermined set of rules and procedures for the activities of an organization that establish acceptable interaction between the subject and object of the activity.

    A.16 owner of information: A person who independently created information or received, on the basis of law or agreement, the right to permit or restrict access to information determined by any criteria.

    A.17 infrastructure: The totality of buildings, equipment and support services necessary for the functioning of an organization.

    [GOST R ISO 9000-2001, clause 3.3.3]

    A.18 audit: A systematic, independent and documented process of obtaining audit evidence and evaluating it objectively to determine the extent to which agreed audit criteria have been met.

    Notes

    1 Internal audits, called first-party audits, are carried out for internal purposes by the organization itself or on its behalf by another organization. The results of an internal audit may serve as the basis for a declaration of conformity. In many cases, especially in small organizations, the audit must be carried out by specialists (persons who are not responsible for the activity being audited).

    2 External audits include audits called second-party audits and third-party audits. Second-party audits are carried out by parties interested in the activities of the enterprise, for example, consumers, or by others on their behalf. Third-party audits are carried out by external independent organizations. These organizations carry out certification or registration for compliance with requirements, for example, the requirements of GOST R ISO 9001 and GOST R ISO 14001.

    3 An audit of quality and environmental management systems carried out simultaneously is called a “comprehensive audit”.

    4 If the audit of the audited organization is carried out simultaneously by several organizations, then such an audit is called a “joint audit”.

    A.19 monitoring: Systematic or continuous monitoring of an object, ensuring control and/or measurement of its parameters, as well as conducting analysis to predict the variability of parameters and make decisions on the need and composition of corrective and preventive actions.

    A.20 declaration of conformity: A form of confirmation of product compliance with the requirements of technical regulations.

    A.21 technology: A system of interrelated methods, techniques and procedures of practical activity.

    A.22 document: Information recorded on a tangible medium with details that allow it to be identified.

    [GOST R 52069.0-2003, clause 3.18]

    A.23 information processing: A set of operations of collection, accumulation, input, output, reception, transmission, recording, storage, registration, destruction, transformation, display, carried out on information.


    Appendix B (reference)

    The relationship of basic concepts in the field of information security in an organization

    The relationship between the basic concepts is shown in Figure B.1.

    Figure B.1 - Relationship between basic concepts


    Bibliography

    [1] R 50.1.053-2005 Information technology. Basic terms and definitions in the field of technical information protection

    [2] R 50.1.056-2005 Technical protection of information. Basic terms and definitions

    [3] On technical regulation

    [4] On information, information technologies and information protection

    [5] On personal data

    [6] Information Security Doctrine of the Russian Federation

    UDC 351.864.1:004:006.354 OKS 35.020 LLP

    Key words: information, information security, information security in an organization, threats to information security, information security criteria

    Editor V.N. Cops soya. Technical editor V.N. Prusakova. Corrector V.E. Nestorovo. Computer layout I.A. NapeikinoO

    Sent for typesetting 11/06/2009. Signed for printing 12/01/2009. Format 60×84. Offset paper. Arial typeface. Offset printing. Conventional printed sheets 2.32. Publisher's sheets 1.90. Circulation 373 copies. Order 626

    FSUE "STANDARTINFORM", 123995 Moscow, Granatny per., 4. info@gostinfo.ru

    Typeset at FSUE "STANDARTINFORM" on a PC.

    Printed at the branch of FSUE "STANDARTINFORM" - "Moscow Printer" printing house, 105062 Moscow, Lyalin per., 6.

    • GOST 22731-77 Data transmission systems, data link control procedures in the main mode for half-duplex information exchange
    • GOST 26525-85 Data processing systems. Usage metrics
    • GOST 27771-88 Procedural characteristics at the interface between data terminal equipment and data channel termination equipment. General requirements and standards
    • GOST 28082-89 Information processing systems. Methods for detecting errors in serial data transmission
    • GOST 28270-89 Information processing systems. Data Description File Specification for Information Exchange
    • GOST R 43.2.11-2014 Information support for equipment and operator activities. Operator language. Structured presentation of text information in message formats
    • GOST R 43.2.8-2014 Information support for equipment and operator activities. Operator language. Message Formats for Technical Activities
    • GOST R 43.4.1-2011 Information support for equipment and operator activities. “Man-information” system
    • GOST R 53633.10-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Organizational risk management
    • GOST R 53633.11-2015 Information technologies. Telecommunications control network. Extended communication organization activity diagram (eTOM). Decomposition and process descriptions. eTOM Level 2 Processes. Organization management. Organizational Performance Management
    • GOST R 53633.4-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Service management and operation
    • GOST R 53633.7-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Development and resource management
    • GOST R 53633.9-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Planning strategy and development of the organization
    • GOST R 55767-2013 Information technology. European ICT Competence Framework 2.0. Part 1. Common European Competence Framework for ICT Professionals for all Industry Sectors
    • GOST R 55768-2013 Information technology. Model of an open Grid system. Basic provisions
    • GOST R 56093-2014 Information protection. Automated systems in a secure design. Means for detecting intentional force electromagnetic influences. General requirements
    • GOST R 56115-2014 Information protection. Automated systems in a secure design. Means of protection against intentional force electromagnetic influences. General requirements
    • GOST R 56545-2015 Information protection. Vulnerabilities of information systems. Rules for describing vulnerabilities
    • GOST R 56546-2015 Information protection. Vulnerabilities of information systems. Classification of information system vulnerabilities
    • GOST IEC 60950-21-2013 Information technology equipment. Safety requirements. Part 21. Remote power supply
    • GOST IEC 60950-22-2013 Information technology equipment. Safety requirements. Part 22. Equipment intended for installation outdoors
    • GOST R 51583-2014 Information protection. The procedure for creating automated systems in a secure design. General provisions
    • GOST R 55766-2013 Information technology. European ICT Competence Framework 2.0. Part 3. Creation of e-CF - combining methodological foundations and expert experience
    • GOST R 55248-2012 Electrical safety. Classification of interfaces for equipment connected to information and communication technology networks
    • GOST R 43.0.11-2014 Information support for equipment and operator activities. Databases in technical activities
    • GOST R 56174-2014 Information technologies. Architecture of services of an open Grid environment. Terms and Definitions
    • GOST IEC 61606-4-2014 Audio and audiovisual equipment. Components of digital audio equipment. Basic methods for measuring sound characteristics. Part 4. Personal computer
    • GOST R 43.2.5-2011 Information support for equipment and operator activities. Operator language. Grammar
    • GOST R 53633.5-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Marketing and product offering management
    • GOST R 53633.6-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Service development and management
    • GOST R 53633.8-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Supply chain development and management
    • GOST R 43.0.7-2011 Information support for equipment and operator activities. Hybrid-intellectualized human-information interaction. General provisions
    • GOST R 43.2.6-2011 Information support for equipment and operator activities. Operator language. Morphology
    • GOST R 53633.14-2016 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Stakeholder and external relations management
    • GOST R 56938-2016 Information protection. Information protection when using virtualization technologies. General provisions
    • GOST R 56939-2016 Information protection. Secure software development. General requirements
    • GOST R ISO/IEC 17963-2016 Specification of web services for management (WS-management)
    • GOST R 43.0.6-2011 Information support for equipment and operator activities. Naturally intellectualized human-information interaction. General provisions
    • GOST R 54817-2011 Ignition of audio, video, information technology and communications equipment accidentally caused by a candle flame
    • GOST R IEC 60950-23-2011 Information technology equipment. Safety requirements. Part 23. Equipment for storing large volumes of data
    • GOST R IEC 62018-2011 Energy consumption of information technology equipment. Measurement methods
    • GOST R 53538-2009 Multi-pair cables with copper conductors for broadband access circuits. General technical requirements
    • GOST R 53633.0-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). General structure of business processes
    • GOST R 53633.1-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Managing relationships with suppliers and partners
    • GOST R 53633.2-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Resource Management and Operation
    • GOST R 53633.3-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Customer Relationship Management
    • GOST R ISO/IEC 20000-2-2010 Information technology. Service management. Part 2: Code of Practice
    • GOST R 43.0.3-2009 Information support for equipment and operator activities. Noon technology in technical activities. General provisions
    • GOST R 43.0.4-2009 Information support for equipment and operator activities. Information in technical activities. General provisions
    • GOST R 43.0.5-2009 Information support for equipment and operator activities. Information exchange processes in technical activities. General provisions
    • GOST R 43.2.1-2007 Information support for equipment and operator activities. Operator language. General provisions
    • GOST R 43.2.2-2009 Information support for equipment and operator activities. Operator language. General provisions for use
    • GOST R 43.2.3-2009 Information support for equipment and operator activities. Operator language. Types and properties of iconic components
    • GOST R 43.2.4-2009 Information support for equipment and operator activities. Operator language. Syntactics of sign components
    • GOST R 52919-2008 Information technology. Methods and means of physical protection. Classification and test methods for fire resistance. Data rooms and containers
    • GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions
    • GOST R 53245-2008 Information technologies. Structured cable systems. Installation of the main components of the system. Test methods
    • GOST R 53246-2008 Information technologies. Structured cable systems. Design of the main components of the system. General requirements
    • GOST R IEC 60990-2010 Methods for measuring touch current and protective conductor current
    • GOST 33707-2016 Information technologies. Dictionary
    • GOST R 57392-2017 Information technologies. Service management. Part 10. Basic concepts and terminology
    • GOST R 43.0.13-2017 Information support for equipment and operator activities. Directed training of specialists
    • GOST R 43.0.8-2017 Information support for equipment and operator activities. Artificially intellectualized human-information interaction. General provisions
    • GOST R 43.0.9-2017 Information support for equipment and operator activities. Informational resources
    • GOST R 43.2.7-2017 Information support for equipment and operator activities. Operator language. Syntax
    • GOST R ISO/IEC 38500-2017 Information technologies. Strategic IT management in an organization
    • GOST R 43.0.10-2017 Information support for equipment and operator activities. Information objects, object-oriented design in the creation of technical information
    • GOST R 53633.21-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.1 - Support and Availability of SM&O Processes
    • GOST R 57875-2017 Telecommunications. Connection diagrams and grounding in telecommunication centers
    • GOST R 53633.22-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.2 - Configuring and activating services