Licensing and certification in the field of information security. How to get an FSTEC license

An FSTEC license is a special state permit that allows a company to lawfully carry out activities directly related to the creation and use of software or innovative technologies. The licenses cover the storage of information or the creation of databases for its storage.

Obtain an FSTEC license in Moscow and other regions of Russia with specialists from AP-Rial Group: hassle-free licensing. Information protection license: a full range of FSTEC licensing services.

Licensing authority: Federal Service for Technical and Export Control
License validity period: indefinite.
Coverage area: the entire territory of the Russian Federation
License issuance period: 45 working days.

FSTEC license price (assistance in obtaining): from 250,000 rub.

The FSTEC of Russia license is available to applicants from various regions of the country, but the licensing authority is exclusively the Federal Service for Technical and Export Control, located in Moscow. The official permit is valid for an unlimited period, and its territorial scope is limited to the official borders of the state.

The period during which the applicant receives permits is 45 days from the date of submission of documents to the controlling government agency.

Obtaining various types of FSTEC license

The licensing process can proceed in one of three ways:

  1. Self-referral. It is difficult to call this method optimal. An unprepared applicant, as a rule, misses a number of basic points related to preparing documentation of the required type and timely training for employees and managers. As a result, the process of obtaining permits may take a large amount of time and reduce the potential profit of the enterprise.
  2. Partial transfer of authority for pre-licensing preparation to specialists. This is a more effective way of going through the licensing procedure. The specialist oversees the process, guiding the head of the company. But it is worth noting that in this case legal support cannot be complete and, accordingly, there can be no guarantees of results.
  3. Full support of the process. Obtaining an FSTEC license with the participation of specialists guarantees a successful result. We have not only qualified specialists with experience in conducting licensing cases, but also the necessary technical and regulatory framework to ensure full compliance of the applicant with the requirements of the regulatory authority.

A full range of services allows us not only to help enterprises obtain the necessary license for their activities, but also to be prepared for possible scheduled or unscheduled inspections.

Types of FSTEC license

Federal Law No. 99 dated May 4, 2011 “On licensing of certain types of activities” clearly regulates the list of industries that require licensing. First of all, you need to obtain an FSTEC license:

  • to participate in government tenders;
  • to carry out activities related to the development and production of CIPF;
  • to carry out activities related to TZKI;
  • to process personal data.

Licensing by FSTEC of Russia in the TZKI industry is regulated by Decree of the Government of the Russian Federation of February 3, 2012 No. 79 “On licensing of activities for the technical protection of confidential information.” The validity period is unlimited, but enterprises in the course of their activities must be prepared to confirm compliance with the requirements for licensees.

Licensing in the CIPF industry is controlled by Decree of the Government of the Russian Federation of March 3, 2012 No. 171 “On licensing activities for the development and production of means of protecting confidential information.” The official document defines the requirements for applicants for this license.

Requirements for a FSTEC license in Moscow

In order for an applicant to receive official permission to operate in the industry, he needs documentary evidence of compliance with the following requirements:

  • Availability of employees with higher education in Information Security. It is permissible to engage specialists with secondary technical education of a similar profile, provided they have completed professional retraining lasting at least 360 academic hours (presentation of a certificate of successful completion of training is required). It is also important to have work experience in the field of information security.
  • Availability of premises, owned, leased or subleased (a valid lease agreement is required), necessary for carrying out professional activity. Work premises must meet current government requirements.
  • Availability of the necessary equipment, owned or leased (a valid lease agreement must be presented). Each technical unit must be accompanied by verification reports and the necessary certificates confirming the accuracy of the data provided.
  • Availability of up-to-date software necessary for conducting activities in the industry.
  • Availability of normative and methodological documents marked “DSP” and GOST standards.
  • Availability of certified premises and a certified automated workstation (AWS) in accordance with current requirements.

The FSTEC license provides for full compliance of the licensee and training of staff to carry out this activity.

Licensing Process Procedure

When an FSTEC of Russia license is obtained with our participation, our specialists undertake the following obligations:

  • preparing the necessary documentation and bringing it into the established form;
  • carrying out, if necessary;
  • preparation and submission of an application to the licensing authority (regardless of the location of the applicant);
  • conducting certification of premises and automated workstations;
  • obtaining documentary confirmation of the submission of documents;
  • carrying out procedures to eliminate published shortcomings and comments, if necessary;
  • obtaining official permission (license) and transferring it to the licensee.

Certain types of FSTEC licenses require an FSB license to work with information that is a state secret.

We guarantee applicants obtaining a license and full compliance of the enterprise with state requirements at all stages of its further entrepreneurial activity.

Participation in exhibitions and conferences in the field of information security

AP-Rial Group specialists regularly attend thematic exhibitions and conferences, so they always keep up with all innovations in the field of information security. All the experience gained is always put into practice. Our wealth of experience enables our lawyers to provide high-quality advice on what equipment an organization engaged in data protection or developing information protection tools should have.

The other day our employees visited the information protection exhibition "INTERPOLITEX - 2018". The exhibition was organized by the Ministry of Internal Affairs (MVD), the Federal Security Service (FSB) and the Russian Guard. The photo report can be viewed on the page.


Licensing in the field of information security is an activity involving the transfer or acquisition of rights to carry out work in the field of information security. State policy in the field of licensing certain types of activities and ensuring the protection of vital interests of the individual, society and the state is determined by Decree of the Government of the Russian Federation of December 24, 1994 No. 1418 “On licensing of certain types of activities” (as amended by Decrees of the Government of the Russian Federation of 05.05.95 No. 450, dated 06/03/95 No. 549, dated 08/07/95 No. 796, dated 10/12/95 No. 1001, dated 04/22/97 No. 462, dated 12/01/97 No. 1513, also see resolution dated 02/11/02 No. 135).

A license is a permission to carry out work in the field of information security. A license is issued for specific types of activities for three years, after which it is re-registered in the manner established for issuing a license.

A license is issued if the enterprise that has applied for a license has the conditions for licensing: a production and testing base, regulatory and methodological documentation, and has scientific, engineering and technical personnel.

The organizational structure of the state licensing system for the activities of enterprises in the field of information security is formed by:

· state licensing authorities;

· licensing centers;

· applicant enterprises.

Government bodies for licensing:

· organize compulsory state licensing of enterprises’ activities;

· issue state licenses to applicant enterprises;

· coordinate the composition of expert commissions represented by licensing centers;

· exercise control and supervision over the completeness and quality of work carried out by licensees in the field of information security.

License centers:

· form expert commissions and submit their composition for approval to the heads of the relevant state licensing bodies, which are the FSTEC and the FSB;

· plan and carry out work on the examination of applicant enterprises;

· control the completeness and quality of work performed by licensees.

Licensing centers under state licensing bodies are created by orders of the heads of these bodies. Expert commissions are formed from among specialists of industries, government bodies, other organizations and institutions who are competent in the relevant field of information protection. Expert commissions are created in one or more areas of information protection.

The following are subject to licensing by FSTEC of Russia:

· certification and certification testing of protected technical means of information processing (ITI), technical and software security tools, means of monitoring the effectiveness of information security measures, and software tools for processing, protection and security control;

· certification of information systems, automated control systems, communication and data transmission systems, VT facilities and dedicated premises for compliance with the requirements of guidelines and regulatory documents on information security;

· development, production, sales, installation, commissioning, installation, repair, maintenance of protected computer science objects, technical means of protection and control of the effectiveness of information security measures, protected software tools for processing, protection and control of information security;

· conducting special studies of TSOI for side electromagnetic radiation and interference (PEMIN);

· design of protected objects.

The licensing body is responsible for:

· development of rules, procedures and regulatory and methodological documents on licensing issues;

· implementation of scientific and methodological management of licensing activities;

· publication of the necessary information about the licensing system;

· consideration of applications from organizations and military units on the issuance of licenses;

· coordination of applications with military units responsible for the relevant areas of information protection;

· coordination of the composition of expert commissions;

· organizing and conducting special examinations;

· making a decision on issuing a license;

· issuance of licenses;

· making a decision on suspension, renewal of a license or its cancellation;

· maintaining a register of issued, suspended, renewed and canceled licenses;

· acquisition, accounting and storage of license forms;

· organization of work of certification centers;

· monitoring the completeness and quality of work carried out by licensees.

In accordance with Article 17 of the Federal Law dated 08.08.2001 No. 128-FZ “On licensing of certain types of activities” (as amended by Federal Law dated 02.07.2005 No. 80-FZ), the following types of activities are subject to licensing (in the field of information security):

· activities for the distribution of encryption (cryptographic) tools;

· activities for the maintenance of encryption (cryptographic) tools;

· provision of services in the field of information encryption;

· development and production of encryption (cryptographic) tools, and of information systems and telecommunication systems protected using encryption (cryptographic) tools;

· activities for the development and (or) production of means of protecting confidential information; activities for technical protection of confidential information;

· activities to identify electronic devices intended for secretly obtaining information in premises and technical means (except where the specified activity is carried out to meet the own needs of a legal entity or individual entrepreneur).

Within the framework of the types of activities under consideration, separate decrees of the Government of the Russian Federation were issued, explaining the licensing procedure. Among them:

· Decree of the Government of the Russian Federation dated January 26, 2006 No. 45 “On the organization of licensing of certain types of activities”;

· Decree of the Government of the Russian Federation of August 15, 2006 No. 504 “On licensing activities for the technical protection of confidential information”;

· Decree of the Government of the Russian Federation dated August 31, 2006 No. 532 “On licensing activities for the development and (or) production of means of protecting confidential information”;

· Decree of the Government of the Russian Federation dated September 23, 2002 No. 691 “On approval of regulations on licensing of certain types of activities related to encryption (cryptographic) means.”

In accordance with these documents, licensees are required to submit annually to the licensing authority or certification center information on the amount of work performed for the specific types of activities specified in the license. Licensees are responsible for the completeness and quality of the work performed and for ensuring the safety of state secrets entrusted to them in the course of practical activities.

Posted on http://www.allbest.ru/

Ministry of Transport of the Russian Federation

Federal Agency for Railway Transport

Federal state budgetary educational institution of higher professional education

"Far Eastern State Transport University"

Department of Civil, Business and Transport Law

Discipline: Legal support of information security

Topic: Licensing and certification in the field of information security

Completed by student

Nepomnyashchaya Natalya Evgenievna

Checked by department teacher:

Zheleznyakov Anatoly Mikhailovich.

Khabarovsk

Introduction

1. Licensing in the field of information security

1.1 Licensing authority - FSTEC of Russia

1.2 Licensing authority - FSB of Russia

2. Certification in the field of information security

2.1 Organizational structure of the certification system

2.2 Certification procedure

Conclusion

Bibliography

Introduction

One of the problems in the field of information protection in Russia is the lack of official documents with detailed recommendations on building secure information systems, similar to those developed, for example, by the American Institute of Standards and Technology (USA) and the British standard. Although there are no regulations in the UK requiring compliance with government standards, about 60% of British firms and organizations voluntarily use the developed standard, and the rest intend to implement its recommendations in the near future.

Licensing and certification in the field of information security systems can reduce the severity of this problem. It is necessary to provide the user with guarantees that the information security tools they use are capable of providing the required level of protection. It is licensing that can ensure that only highly qualified specialists in this field will deal with the problem of information security, and the products they create will be at the appropriate level and will be able to pass certification.

Without certification, it is impossible to assess whether a product contains potentially harmful undocumented capabilities, the presence of which is especially typical for most foreign products and which can at some point lead to malfunctions in the system and even irreversible consequences for it. A typical example of such an undocumented feature is the ability, built in by Ericsson when developing the telephone exchanges on which the Ministry of Railways of the Russian Federation builds its telephone network, to block their operation upon receiving a call to a specific telephone number, which the firm declines to name. And this example is not the only one.

The process of certifying a software product takes approximately the same time as its development, and is practically impossible without commented program source code. At the same time, many foreign companies do not want to provide the source code of their software products to Russian certification centers. For example, despite Microsoft's agreement in principle to certification in Russia of the Windows NT operating system, in which more than 50 security-related errors have already been identified, this issue has not moved forward for many months due to the lack of its source code.

Difficulties with certification mean that, among products of the same class, the simplest ones receive a certificate first, which is why they seem more reliable to the user. Long certification periods mean that the development company manages to bring a new version of its product to the market in the meantime, and the process becomes endless.

Certification of technical means of information security is difficult to carry out without appropriate standards, the creation of which in Russia is not least hampered by the lack of financial resources. This problem can be solved if there are several firms interested in sales and several organizations interested in using the appropriate technical means. For example, the fruit of the joint efforts of such organizations, firms and FSTEC (formerly the State Technical Commission (STC)) was the development of the Guiding Technical Material of the State Customs Committee of the Russian Federation "Means of computer technology. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information." It made it possible to classify tools that are capable, to some extent, of protecting corporate networks from external intrusions.

The document assumes the existence of several classes of firewalls: from the simplest, allowing only control of information flows, to the most complex, performing complete recoding of incoming information and completely protecting the corporate network from external influences. Firewalls such as Sun Screen, SKIPbridge and Pandora have already passed certification for compliance with technical specifications developed in accordance with the Guiding Technical Material, which is permitted by current legislation. However, their certification was not without struggle.

1. Licensing in the field of information security

1.1 Licensing authority - FSTEC of Russia

The licensing requirements for an applicant for a license to carry out activities for the development and production of SZKI (hereinafter referred to as the license) are:

1. the presence on the staff of the license applicant of at least two specialists who have a higher professional education in the field of technical information security or a higher technical or secondary vocational (technical) education and have undergone retraining or advanced training in the development and (or) production of information security;

2. availability of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the OZI and belong to the license applicant on the right of ownership or on another legal basis;

3. availability, on the right of ownership or on another legal basis, of control and measuring equipment necessary for carrying out the licensed type of activity (which has passed metrological verification (calibration) and marking in accordance with the legislation of the Russian Federation), production and testing equipment;

4. the availability of programs intended for the implementation of the licensed type of activity (including software for developing SZKI) for electronic computers and databases owned by the license applicant on the right of ownership or on another legal basis;

5. availability of licenses owned by the applicant on the right of ownership or on another legal basis, technical and technological documentation, documentation containing national standards, and methodological documents necessary for carrying out the licensed type of activity in accordance with the list approved by the FSTEC of Russia;

6. the presence of a production control system, including rules and procedures for checking and assessing the system for developing the SZKI, taking into account changes made to the design and design documentation for the products being developed;

7. the presence of a production control system, including rules and procedures for checking and assessing the SZKI production system, assessing the quality of products and the constancy of established parameters, accounting for changes made to the technical and design documentation for manufactured products, and accounting for finished products (Kiyaev V., Granichin O. Security of information systems. National Open University "INTUIT", 2016, pp. 105-106).

1.2 Licensing authority - FSB of Russia

The licensing requirements for a license applicant are:

1. The presence on the staff of the license applicant, at their main place of work according to the staffing table, of the following qualified personnel:

2. a manager and (or) a person authorized to manage work in a licensed type of activity, having a higher professional education in the field of information security in accordance with the "All-Russian Classifier of Specialties" and (or) having undergone retraining in one of the specialties in this field (normative period - over 500 classroom hours), as well as having at least 5 years of experience in the field of work performed in a licensed type of activity;

3. engineering and technical workers (at least two people) who have a higher professional education in the field of information security in accordance with the “All-Russian Classifier of Specialties” and (or) have undergone retraining in this specialty (normative period - over 100 classroom hours);

4. availability of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the field of industrial property and owned by the license applicant on the right of ownership or on another legal basis;

5. the license applicant has, on the right of ownership or on another legal basis, control and measuring equipment (which has undergone metrological verification (calibration) and marking in accordance with the legislation of the Russian Federation), production, testing equipment and other facilities necessary for the implementation of the licensed type of activity;

6. the availability of programs intended for the implementation of the licensed type of activity (including software for the development of SZKI) for electronic computers and databases owned by the license applicant on the right of ownership or on another legal basis;

7. availability of information processing tools certified according to information security requirements, used for the development and production of information protection systems, in accordance with information protection requirements;

8. the presence of a production control system, including rules and procedures for checking and assessing the system for developing the SZKI, taking into account changes made to the design and design documentation for the products being developed;

9. the presence of a production control system, including rules and procedures for checking and assessing the SZKI production system, assessing the quality of manufactured products and the constancy of established parameters, accounting for changes made to the technical and design documentation for manufactured products, and accounting for finished products (Snytikov A.A. Licensing and certification in the field of information security. M.: Gelios ARV, 2012, pp. 223-224).

2. Information Security Certification

2.1 Organizational structure of the certification system

The organizational structure of the certification system is formed by:

1. State Technical Commission of Russia (federal body for certification of information security means);

2. central body of the information security certification system;

3. bodies for certification of information security means;

4. testing centers (laboratories);

5. applicants (developers, manufacturers, suppliers, consumers of information security products).

The State Technical Commission of Russia, within its competence, performs the following functions:

1. creates a certification system for information security tools and establishes rules for certification of specific types of information security tools in this system;

2. organizes the functioning of the certification system for information security tools;

3. defines a list of information security tools that are subject to mandatory certification in this system;

4. establishes the rules for accreditation and issuance of licenses to carry out certification work;

5. organizes and finances the development of normative and methodological documents for the information security certification system;

6. determines the central body of the information security certification system (if necessary) or performs the functions of this body;

7. approves regulatory documents on information security, for compliance with which certification of information security means in the system is carried out, and methodological documents on conducting certification tests;

8. accredits certification bodies and testing centers (laboratories), issues them licenses to carry out certain types of work;

9. maintains the State Register of participants and objects of certification;

10. carries out state control and supervision and establishes the procedure for inspection control over compliance with certification rules and certified information security means;

11. considers appeals regarding certification issues;

12. submits the certification system and mark of conformity to Gosstandart of Russia for state registration;

13. organizes periodic publication of information on certification;

14. interacts with relevant authorized bodies of other countries and international organizations on certification issues, makes decisions on the recognition of international and foreign certificates;

15. organizes the training and certification of expert auditors;

16. issues certificates and licenses for the use of the mark of conformity;

17. suspends or cancels the validity of issued certificates.

2.2 Certification procedure

The certification procedure includes the following steps:

submission and consideration of an application for certification of information security tools;

testing of certified information security tools and certification of their production;

examination of test results, execution, registration and issuance of a certificate and license for the right to use the mark of conformity;

implementation of state control and supervision, inspection control over compliance with the rules of mandatory certification and certified information security means;

informing about the results of certification of information security tools;

consideration of appeals.

Submission and consideration of an application for certification of information security tools.

To obtain a certificate, the applicant submits an application (Appendix 1) to the State Technical Commission of Russia for testing, indicating the certification scheme, standards and other regulatory documents for compliance with the requirements of which certification must be carried out.

The State Technical Commission of Russia, within one month after receiving the application, sends to the applicant, to the certification body and testing center (laboratory) designated for certification, a decision to carry out certification (Appendix 2). At the request of the applicant, the certification body and testing center (laboratory) can be changed.

After receiving the decision, the applicant is obliged to submit to the certification body and testing center (laboratory) an information security device in accordance with the technical specifications for this product, as well as a set of technical and operational documentation, in accordance with the regulatory documents for the ESKD, ESPD for the information security device being certified.

Testing of certified information security tools in testing centers (laboratories).

Tests of certified information security means are carried out on samples whose design, composition and manufacturing technology must be the same as those of the samples supplied to the consumer or customer, according to test programs and methods agreed upon with the applicant and approved by the certification body. Technical and operational documentation for serial information security means must have a letter not lower than “O1” (according to ESKD).

The number of samples and the procedure for their selection and identification must comply with the requirements of regulatory and methodological documents for this type of information security means.

If there are no testing centers (laboratories) at the time of certification, the certification body determines the possibility, location and conditions of testing to ensure the objectivity of their results.

The timing of the tests is established by an agreement between the applicant and the testing center (laboratory).

At the request of the applicant, his representatives must be given the opportunity to familiarize themselves with the conditions of storage and testing of samples of information security means in the testing center (laboratory) (Kiyaev V., Granichin O. Security of information systems. National Open University "INTUIT", 2016, pp. 105-106).

The test results are documented in protocols and conclusions, which are sent by the testing center (laboratory) to the certification body, and in a copy - to the applicant.

When changes are made to the design (composition) of information security means or their production technology, which may affect the characteristics of information security means, the applicant (developer, manufacturer, supplier) notifies the certification body about this. The latter decides on the need to conduct new tests of these information security tools.

Certification of imported information security tools is carried out according to the same rules as domestic ones.

Conclusion

And so, certification is a conformity assessment procedure through which an organization independent of the manufacturer (seller) and consumer (buyer) certifies in writing that the product meets the established requirements. If we talk about certification in relation to information security tools, then this is an activity to confirm their compliance with the requirements of technical regulations, national standards or other regulatory documents on information security.

The certification system itself is represented by the FSTEC of Russia, which has jurisdiction over accredited bodies for certification of information security means and testing laboratories.

The certification system as a whole serves, first of all, to achieve national security in the field of informatization. No less important is the formation and implementation of a unified scientific, technical and industrial policy in the field of informatization, as well as promoting the formation of a market for protected information technologies and the means of supporting them, regulating and controlling the development and subsequent production of information security tools, assisting consumers in the competent choice of information security tools, protecting consumers from dishonesty on the part of the contractor (producer, manufacturer), and confirming product quality indicators.

Licensing - activities related to the provision of licenses, re-issuance of documents confirming the availability of licenses, suspension and renewal of licenses, cancellation of licenses and monitoring by licensing authorities of compliance by licensees when carrying out licensed types of activities with the relevant licensing requirements and conditions.

License - a special permit to carry out a specific type of activity, subject to mandatory compliance with licensing requirements and conditions, issued by a licensing authority to a legal entity or individual entrepreneur.

Licensing activities in the field of information security are carried out by the FSB and FSTEC of Russia. Let's consider licensed types of activities in the field of protecting confidential information.

FSB of Russia:

1. Development and (or) production of means of protecting confidential information (within the competence of the FSB)

2. Development, production, sale and acquisition for the purpose of sale of special technical means intended for secretly obtaining information by individual entrepreneurs and legal entities engaged in business activities

3. Activities to identify electronic devices intended for secretly obtaining information in premises and technical means (except where this activity is carried out to meet the own needs of a legal entity or individual entrepreneur)

4. Activities for the distribution of encryption (cryptographic) tools

5. Activities for the maintenance of encryption (cryptographic) tools

6. Providing services in the field of information encryption

7. Development and production of encryption (cryptographic) tools, and of information systems and telecommunication systems protected using encryption (cryptographic) tools.

Posted on Allbest.ru

The licensing process is described in detail in the Decree of the Government of the Russian Federation “On licensing activities for the technical protection of confidential information.” The document specifies in detail which documents, in what form and in what order, are required to be submitted to the licensing authority (LO).

On paper everything looks simple enough.

  1. The legal entity submits a fully formed application in accordance with the requirements.
  2. Within three days, the licensing authority must review it and report what errors are in the application or what documents are missing. If the LO has comments, the applicant must correct the shortcomings within 30 days.
  3. If the application is completed correctly, then within five days from the date of acceptance of the application, the LO checks the completeness of the documents supplementing the application, and this is usually approximately 200-300 pages.
  4. If there is a deficiency in supplementary documents, the LO refuses to accept the application until the violations are eliminated. The legal entity has the same 30 days to do this.
  5. Having recognized the package of documents as complete, the LO must, within 45 working days, make a decision on issuing a license or on a reasoned refusal to issue it.

However, in reality everything is more complicated. There is only one licensing authority for the entire country, and it is located in Moscow; only a few people are involved in reviewing applications, and the number of organizations wishing to obtain a license is growing every year. You can ask questions over the phone, but only two hours twice a week are set aside for this, with no more than five minutes per call, so you won't be able to find out much. All this means that it is almost impossible to carry out licensing in a matter of days or even weeks, especially if the licensing rules are misunderstood or at least one of the requirements is difficult to fulfil. In addition, for some types of services, the list of legal acts that must be attached to the application may alone run to 15 pages.

The application for a license must be accompanied by:

  • documents for automated systems, for protected premises, for the right to legal ownership of premises, equipment, software, or that they are leased (with confirmation of the fact of transfer);
  • documents for security clearance (to confidential information to which access is limited);
  • copies of work books, work contracts, educational documents of the license applicant’s employees;
  • documents for ownership of equipment, for verification work confirming the correct operation of this equipment, for software, etc.;
  • information on regulatory documents necessary to carry out information security activities;
  • a description of the technological process for processing confidential information, in the prescribed form.

First-time licensees must submit notarized incorporation documents of the organization.

Stumbling blocks

During licensing work, organizations face three main difficulties:

  1. Equipment. To perform work and provide services for certification of protected premises and automated systems, it is necessary to purchase (own or hold on any other legal basis) equipment. The cost of the kit varies, but is about a million rubles. If you start licensing work with the purchase of equipment, then by the time the application is submitted it may turn out that the equipment has to be verified again (verification certificates are valid for one year). You can try to save money and rent equipment, but the rental must be specially documented: you are required to periodically confirm possession of the equipment and to conclude additional agreements to the lease agreements stating that the equipment is in the possession of the lessee. The disadvantage of the rental option is that it reduces the chances of obtaining a license: there is a high probability of documenting the relationship incorrectly and being refused.
  2. Rental of premises. If the license applicant rents premises from a subtenant, then it is necessary to submit the entire chain of documents right up to the owner of the premises. It is also necessary to ensure that the actual numbers of the premises coincide with the cadastral numbers, so that the premises are clearly identified based on documents alone.
  3. Personnel documentation. Employees must have diplomas of higher professional education in the field of technical information security and more than three years of experience, or a diploma of higher education from retraining courses / higher technical education and more than five years of experience. There must be at least three employees, and they must be employed by the applicant at the main place of work.

Life hack for successful licensing

In order to obtain a license and then successfully pass, if necessary, scheduled FSTEC inspections for compliance with requirements, we suggest taking into account a number of points:

  1. It is better to buy equipment (if it is necessary for the type of activity you have chosen) rather than rent it.
  2. Constantly monitor changes in the legislative framework and keep the documentation up to date, including periodically updating and purchasing additional GOST standards (information about this is not a secret; the official website of the FSTEC of Russia is open to everyone).
  3. Keep anti-virus software up to date and verify the licenses for software and equipment in a timely manner.
  4. Re-certify premises and automated systems in a timely manner, since certificates are valid for a maximum of three years.

Initial licensing and routine inspection: differences

When an applicant first receives a license, communication with the licensing authority is remote: the parties exchange documents and communicate by phone. The regulatory authorities do not make any personal visits to the applicant.

A scheduled inspection may be carried out three years after obtaining a license. In this case, FSTEC representatives check whether the personnel, premises, equipment and software that were declared when obtaining the license actually exist. This includes an assessment of the knowledge and competencies of the personnel declared in the documents for obtaining a license. Inspectors may request a list of certificates issued by the certifying organization (if this type of activity is included in the license), as well as a list of clients to whom these certificates were issued. In this way, regulatory authorities verify whether the certifying organization really provided these services and what their quality is.

An unscheduled inspection is also possible, which is carried out at any time at the request of citizens, legal entities, the prosecutor's office or by court decision.

Licensing work: cost

From January 1, 2015, the state fee for the initial receipt of a FSTEC license for activities related to the technical protection of confidential information is 7,500 rubles, for renewal - 3,500 rubles. These are unavoidable expenses and the least expensive part of the work.

In accordance with the requirements of the licensing regulations, it is necessary to carry out certification and develop documents for the certification of the protected premises and of the automated system for processing confidential information. These services are provided by FSTEC licensees, for example representatives of the project.

The range of services includes:

  1. Initial consultation. This is an introduction to the customer organization in order to understand why a license is required and to explain to the client what it will give them, what it will cost to obtain and how much investment (of time and money) will be required in the future. In particular, specialists immediately report the organization's chances of successful licensing, based on the client's readiness to submit an application now.
  2. Help with certification. Employees of the Kontur.Security project carry out certification of meeting rooms and automated systems for processing confidential information according to security requirements.
  3. Consultation on the acquisition of equipment and software.
  4. Consultation on the acquisition of regulatory documents (GOSTs). Most GOSTs are available in electronic form in legal reference systems. But downloading and printing them is not enough, since it is the copyright ownership that needs to be confirmed.
  5. Assistance in coordinating issues related to the rental of premises and equipment.
  6. Consultation on correctly registering on staff the employees who work with confidential information.
  7. Help in filling out the application. The application is posted on the resources of the FSTEC of Russia, it is not difficult to fill out, but you need to fulfill quite a lot of conditions regarding the documents supplementing the application - timely, accurately and in full accordance with the requirements.

Licensing of activities for the technical protection of confidential information is carried out by the FSTEC of Russia. To obtain a license, the applicant must fulfill the following requirements and conditions:

  1. the presence on staff of specialists who have higher professional education in the field of technical information security, or higher or secondary vocational (technical) education together with retraining or advanced training in technical information security;
  2. the license applicant has premises for carrying out licensed activities that comply with the technical standards and requirements for technical protection of information established by regulatory legal acts of the Russian Federation, and that belong to the applicant by right of ownership or on another legal basis;
  3. the presence, on any legal basis, of production, testing and control equipment that has undergone metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation;
  4. the use of automated systems that process confidential information, as well as means of protecting such information, that have passed the conformity assessment procedure (attested and (or) certified according to information security requirements) in accordance with the legislation of the Russian Federation;
  5. the use of computer programs and databases intended for carrying out licensed activities on the basis of an agreement with their copyright holder;
  6. the availability of regulatory legal acts and of regulatory and methodological documents on technical information security, in accordance with the list established by the Federal Service for Technical and Export Control.

To obtain a license, the applicant sends to FSTEC the documents discussed in the previous section of this lecture. In addition to these documents, the applicant must provide the following:

  1. copies of documents confirming the qualifications of information security specialists (diplomas, certificates);
  2. copies of documents confirming ownership, right of economic management or operational management of the premises intended for carrying out licensed activities, or copies of agreements for the lease or free use of these premises;
  3. copies of certificates of conformity of the protected premises with information security requirements;
  4. copies of the technical passport of the automated system with attachments, the act of classification of the automated system according to information security requirements, the layout plan for main and auxiliary technical equipment and systems, the attestation certificate of the automated system's compliance with information security requirements or the certificate of conformity of the automated system with information security requirements, as well as a list of resources protected in automated systems with documentary evidence of the degree of confidentiality of each resource, and a description of the technological process of processing information in the automated system;
  5. copies of documents confirming the right to the computer programs and databases used to carry out licensed activities;
  6. information on the availability of production and control equipment, information security tools and means of monitoring information security necessary for carrying out licensed activities, with copies of documents on verification of control and measuring equipment attached;
  7. information about the regulatory legal acts and the regulatory and methodological documents on technical information security available to the license applicant.

FSTEC checks the completeness of the documents provided, the completeness and accuracy of the information specified in them. If any information (documents) is missing, FSTEC notifies the applicant about this within 15 days. Within a period not exceeding 45 days after receiving documents from the applicant, FSTEC makes a decision on issuing a license. The decision is formalized by the relevant FSTEC act.

The license is issued for 5 years, and after the end of this period can be extended at the request of the licensee.

4.3. Monitoring compliance with license requirements and conditions

The function of monitoring the licensee's compliance with licensing requirements and conditions is carried out by the licensing authority, which for the technical protection of confidential information is FSTEC. The control method is scheduled and unscheduled inspections, which are carried out in the manner established by Federal Law No. 294 "On the protection of the rights of legal entities and individual entrepreneurs in the exercise of state control (supervision) and municipal control."

The purpose of the scheduled inspection is to verify the licensee’s compliance with licensing requirements and conditions in the process of carrying out activities for the technical protection of confidential information. In relation to one legal entity or individual entrepreneur, it can be carried out no more than once within three years. Scheduled inspections are carried out in accordance with the annual inspection plan, which is published on the official website of the FSTEC of Russia.

The licensee is included in the scheduled inspection if three years have passed from the date of:

  • state registration of the licensee;
  • completion of the last scheduled inspection of the licensee.

The licensee is notified no later than three business days before the inspection.

The subject of an unscheduled inspection is the licensee’s compliance with licensing requirements and conditions, compliance with orders to eliminate identified violations, and implementation of measures to ensure state security.

The grounds for conducting an unscheduled inspection are:

  1. expiration of the deadline for execution of an order previously issued to the licensee to eliminate the identified violation of licensing requirements and conditions;
  2. receipt by the FSTEC of Russia of requests and applications from citizens, legal entities and individual entrepreneurs, or of information from government bodies, local government bodies and the mass media, about the following facts:
    • the emergence of a threat of harm to the security of the state;
    • harm caused to the security of the state.

Scheduled and unscheduled inspections are carried out in documentary or on-site forms. Documentary verification checks the licensee’s documents and is carried out at the location of FSTEC. During the on-site inspection, not only the licensee’s documents are checked, but also its compliance with licensing requirements and conditions.

The duration of each inspection cannot exceed 20 working days. Based on the results of the inspection, a report is drawn up in two copies, to which protocols (conclusions) of the studies (tests) and examinations carried out are attached.

To summarize, the process of obtaining a license for the technical protection of confidential information is very labor-intensive, time-consuming and, last but not least, costly, because to obtain a license it is necessary to fulfill all licensing requirements and conditions. The most time-consuming part is training specialists in advanced training courses. Although the number of organizations dealing with confidential information is quite large, not every one of them can afford specialists with higher professional education in the field of technical information security. Private advanced training courses approved by FSTEC are usually designed for 72 hours.

The most costly requirement in economic terms is the certification of informatization objects (automated systems and protected premises) intended for processing confidential information. Moreover, the problem arises of purchasing control and measuring equipment, which after certification is not needed at all unless the organization intends to provide services for certification of informatization objects. An alternative is to rent such equipment, but this also costs money. Thus, the licensing process can take from 2 to 6 months and entail significant material costs.

One way to solve this problem is outsourcing. Outsourcing (from the English "outsourcing") literally means "use of external sources". It involves the transfer from the customer company to a third-party organization (contractor) of certain functions of statutory activities, for example the technical protection of confidential information. In this case, the contractor uses its own software, technical and other means of protection, licenses, certificates, etc., and also bears responsibility for the results of its work.