The process of obtaining a license to carry out information security activities. FSTEC of Russia license

Licensing in the field of information security is an activity that involves transferring or obtaining the right to carry out work in the field of information security. State policy on licensing certain types of activities and on protecting the vital interests of the individual, society and the state is determined by Resolution of the Government of the Russian Federation No. 1418 of December 24, 1994 "On licensing of certain types of activities" (as amended by Government Resolutions No. 450 of 05.05.95, No. 549 of 06.03.95, No. 796 of 08.07.95, No. 1001 of 12.10.95, No. 462 of 22.04.97 and No. 1513 of 01.12.97; see also Resolution No. 135 of 11.02.02).

A license is a permit to carry out work in the field of information security. It is issued for specific types of activity for a term of three years, after which it is re-registered in the manner established for issuing a license. (The three-year term comes from the 1994 resolution; under the current Federal Law No. 99-FZ of 04.05.2011 licenses are issued for an indefinite term.)

A license is issued if the applicant enterprise meets the licensing conditions: it has a production and testing base, regulatory and methodological documentation, and scientific, engineering and technical personnel.

The organizational structure of the state licensing system for the activities of enterprises in the field of information security is formed by:

· state licensing authorities;

· licensing centers;

· applicant enterprises.

Government bodies for licensing:

· organize compulsory state licensing of enterprises’ activities;

· issue state licenses to applicant enterprises;

· coordinate the composition of expert commissions represented by licensing centers;

· exercise control and supervision over the completeness and quality of work carried out by licensees in the field of information security.

License centers:

· form expert commissions and submit their composition for approval to the heads of the relevant state licensing bodies, which are the FSTEC and the FSB;

· plan and carry out work on the examination of applicant enterprises;

· control the completeness and quality of work performed by licensees.

Licensing centers under state licensing bodies are created by orders of the heads of these bodies. Expert commissions are formed from specialists of industries, government bodies, and other organizations and institutions competent in the relevant field of information protection. An expert commission is created for one or several areas of information protection.

The following are subject to licensing by FSTEC of Russia:

· certification and certification testing of protected technical means of information processing (TSOI), technical and software means of protection, means of monitoring the effectiveness of information security measures, and protected software tools for processing, protecting and controlling the security of information;

· certification (attestation) of information systems, automated control systems, communication and data transmission systems, computer facilities and dedicated premises for compliance with the requirements of guidelines and regulatory documents on information security;

· development, production, sale, installation, commissioning, repair and maintenance of protected informatization objects, technical means of protection and of monitoring the effectiveness of information security measures, and protected software tools for processing, protecting and controlling the security of information;

· special studies of spurious electromagnetic emanations and pickup (PEMIN, the Russian counterpart of the TEMPEST problem) from TSOI;

· design of protected objects.

The licensing body is responsible for:

· development of rules, procedures and regulatory and methodological documents on licensing issues;

· implementation of scientific and methodological management of licensing activities;

· publication of the necessary information about the licensing system;

· consideration of applications from organizations and military units for the issuance of licenses;

· coordination of applications with military units responsible for the relevant areas of information protection;

· coordination of the composition of expert commissions;

· organizing and conducting special examinations;

· making a decision on issuing a license;

· issuance of licenses;

· making a decision on suspension, renewal of a license or its cancellation;

· maintaining a register of issued, suspended, renewed and canceled licenses;

· acquisition, accounting and storage of license forms;

· organization of work of certification centers;

· monitoring the completeness and quality of work carried out by licensees.

In accordance with Article 17 of Federal Law No. 128-FZ of 08.08.2001 "On licensing of certain types of activities" (as amended by Federal Law No. 80-FZ of 02.07.2005), the following types of activities in the field of information security are subject to licensing:

· distribution of encryption (cryptographic) means;

· maintenance of encryption (cryptographic) means;

· provision of services in the field of information encryption;

· development and production of encryption (cryptographic) means, and of information systems and telecommunication systems protected by means of encryption (cryptographic) means;

· development and (or) production of means of protecting confidential information, and technical protection of confidential information;

· detection of electronic devices intended for covertly obtaining information in premises and technical means (except where this activity is carried out by a legal entity or individual entrepreneur for its own needs).

Within these types of activities, separate resolutions of the Government of the Russian Federation were issued setting out the licensing procedure. Among them:

· Resolution of the Government of the Russian Federation No. 45 of January 26, 2006 "On the organization of licensing of certain types of activities";

· Resolution of the Government of the Russian Federation No. 504 of August 15, 2006 "On licensing activities for the technical protection of confidential information";

· Resolution of the Government of the Russian Federation No. 532 of August 31, 2006 "On licensing activities for the development and (or) production of means of protecting confidential information";

· Resolution of the Government of the Russian Federation No. 691 of September 23, 2002 "On approval of the regulations on licensing of certain types of activities related to encryption (cryptographic) means".

In accordance with these documents, licensees are required to submit annually to the licensing authority or certification center information on the number of works performed for each type of activity specified in the license. Licensees are responsible for the completeness and quality of the work performed and for safeguarding the state secrets entrusted to them in the course of their activities.

Note that the acts listed above reflect the legal framework as of the mid-2000s. Law No. 128-FZ has since been replaced by Federal Law No. 99-FZ of 04.05.2011 "On licensing of certain types of activities", and the licensing regulations for technical protection of confidential information and for cryptographic means have been reissued under it (Government Resolutions No. 79 of 03.02.2012 and No. 313 of 16.04.2012 respectively); a practitioner should check the current editions before relying on the requirements given here.


For the normal functioning of electronic document management (EDM) systems, procedures for resolving possible conflicts must be developed. Besides the EDM participants and the provider company, a party to such a conflict may also be the company that developed the software.

It is assumed that the contract with the development company provides for a reference sample of the software, which may be held either by the provider company alone or by all EDM participants. This requires two basic conditions to be met:

it must be documented that every participant in the EDM system (including the provider company) has installed software that corresponds to the reference sample;

storage of the reference sample must be organized so that it cannot be changed without the knowledge of the parties.

Such a regime can be provided by a system of several public keys: for example, each party holds its own key pair and signs the reference sample, so that a valid reference requires every party's signature and a unilateral change by any one party is detectable by the others.
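To make the multi-key regime concrete, here is an added example (written for this edit; it is not code from the original text or from any EDM product) that models it with Ed25519 signatures from Go's standard library. Each party hashes the reference sample and signs the digest with its own private key; verification of an installed copy succeeds only if the copy's digest matches the attested one and every party's signature over that digest is present and valid. The party names, the sample bytes and the attestation record layout are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Domain-separation prefix (assumed) so that a signature over a reference-sample
// digest cannot be replayed as a signature over some other message in the system.
const attestPrefix = "edm-reference-sample-v1:"

// Party is one holder of a reference copy: the provider company or an EDM participant.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// MakeParties generates a fresh Ed25519 key pair for every named party.
func MakeParties(names []string) ([]*Party, error) {
	parties := make([]*Party, 0, len(names))
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		parties = append(parties, &Party{Name: n, Pub: pub, priv: priv})
	}
	return parties, nil
}

// Attestation fixes one reference sample: its SHA-256 digest and one signature per party.
type Attestation struct {
	Digest []byte
	Sigs   map[string][]byte // party name -> signature over attestPrefix||hex(digest)
}

func signedMessage(digest []byte) []byte {
	return []byte(attestPrefix + hex.EncodeToString(digest))
}

// Attest hashes the reference sample and collects a signature from every party given.
func Attest(sample []byte, parties []*Party) Attestation {
	sum := sha256.Sum256(sample)
	att := Attestation{Digest: sum[:], Sigs: make(map[string][]byte, len(parties))}
	msg := signedMessage(att.Digest)
	for _, p := range parties {
		att.Sigs[p.Name] = ed25519.Sign(p.priv, msg)
	}
	return att
}

// Verify checks that the installed software matches the attested digest and that every
// party's signature over that digest is present and valid. A single missing or invalid
// signature rejects the sample, so no party can replace the reference on its own.
func Verify(installed []byte, att Attestation, parties []*Party) error {
	sum := sha256.Sum256(installed)
	if !bytes.Equal(sum[:], att.Digest) {
		return fmt.Errorf("installed digest %x does not match attested reference %x", sum, att.Digest)
	}
	msg := signedMessage(att.Digest)
	for _, p := range parties {
		sig, ok := att.Sigs[p.Name]
		if !ok {
			return fmt.Errorf("no signature from %s", p.Name)
		}
		if !ed25519.Verify(p.Pub, msg, sig) {
			return fmt.Errorf("invalid signature from %s", p.Name)
		}
	}
	return nil
}

func main() {
	// Constructed stand-in for the reference software build.
	reference := []byte("edm-client build 1.0.3 (constructed sample)")
	parties, err := MakeParties([]string{"provider", "participant-A", "participant-B"})
	if err != nil {
		panic(err)
	}
	att := Attest(reference, parties)

	fmt.Println("matching install:", Verify(reference, att, parties))
	fmt.Println("modified install:", Verify(append(reference, '!'), att, parties))

	// The provider alone re-attests a changed build: the participants' signatures are absent.
	altered := []byte("edm-client build 1.0.3 with an undocumented patch")
	soloAtt := Attest(altered, parties[:1])
	fmt.Println("unilateral change:", Verify(altered, soloAtt, parties))
}
```

The check is deliberately all-or-nothing over the fixed list of parties: a reference that any one party has re-signed alone, or whose digest no longer matches the installed copy, is rejected with an error naming the failing party, which is the evidence a conflict-resolution procedure needs.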

Today, when modern information technologies are being intensively introduced into all spheres of life and activity of society, the national security of the state, and the economic security that forms part of it, begins to depend directly on ensuring information security. That is why, in order to guarantee the necessary reliability of information protection means, the state assumes responsibility for licensing the activities of organizations involved in information protection and for certifying the relevant technical means.

The current level of protection against external information threats in global open networks cannot be considered satisfactory: Russia still lacks a comprehensive and technically proven strategy in this area. In order to change the situation, a set of measures in the field of legislation and standardization of means ensuring information security in Russia must be immediately developed and implemented. Priority tasks in this direction include:

· the adoption of a special law, similar to the “Computer Security Act” in the USA, which makes specific government agencies responsible for methodological support of work in the field of information security;

· development of unified approaches to ensuring security for organizations of various profiles, sizes and forms of ownership;

· ensuring the appearance on the market of a sufficient number of various certified tools for solving information security problems.

One of the problems in the field of information protection in Russia is the lack of official documents with detailed recommendations on building secure information systems, similar to those developed, for example, by the US National Institute of Standards and Technology (NIST) and the British standard. Although there are no regulations in the UK requiring compliance with government standards, about 60% of British firms and organizations voluntarily use the standard, and the rest intend to implement its recommendations in the near future.

Licensing and certification in the field of information security systems can reduce the severity of this problem. It is necessary to provide the user with guarantees that the information security tools they use are capable of providing the required level of protection. It is licensing that can ensure that only highly qualified specialists in this field will deal with the problem of information security, and the products they create will be at the appropriate level and will be able to pass certification.

Without certification, it is impossible to assess whether a product contains potentially harmful undocumented capabilities, the presence of which is especially typical of most foreign products and which can at some point lead to malfunctions in the system and even irreversible consequences for it. A typical example of such undocumented capabilities is the one built by Ericsson into the telephone exchanges on which the Ministry of Railways of the Russian Federation builds its telephone network: the ability to block their operation upon receiving a call from a certain telephone number, which the company refuses to name. And this example is not the only one.

Certification of a software product takes approximately as long as its development and is practically impossible without commented program source code. At the same time, many foreign companies are unwilling to provide the source code of their software products to Russian certification centers. For example, despite Microsoft's agreement in principle to certify the Windows NT operating system in Russia, in which more than 50 security-related errors have already been identified, the matter has not moved forward for many months because of the absence of its source code.

Difficulties with certification mean that among products of the same class the simplest ones receive a certificate first, which is why they appear more reliable to the user. Long certification periods mean that the developer manages to bring a new version of its product to market before the process ends, and the process becomes endless.

Certification of technical means of information security is difficult without appropriate standards, whose creation in Russia is hampered not least by a lack of financial resources. This problem can be solved if there are several firms interested in sales and several organizations interested in using the corresponding technical means. For example, the fruit of the joint efforts of such organizations, firms and FSTEC (formerly the State Technical Commission of Russia, Gostekhkomissiya) was the guiding document of the State Technical Commission of the Russian Federation "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information". It made it possible to classify tools that are capable, to some extent, of protecting corporate networks from external intrusions.

The document provides for several classes of firewalls: from the simplest, allowing only control of information flows, to the most complex, performing complete recoding of incoming information and fully protecting the corporate network from external influences. Firewalls such as Sun Screen, SKIPbridge and Pandora have already been certified for compliance with technical specifications developed in accordance with this guiding document, which current legislation permits. However, their certification was not without a struggle.

Taking into account information security requirements and world practice in this field, it seems appropriate for Russia to join the existing international systems for standardization and certification of information technologies, which in practice means:

· bringing national and industry standards into compliance with international ones;

· participation of Russian representatives in international certification systems (including certification tests);

· possibility of recognition of international certificates in Russia.

In addition, in accordance with current legislation, any organization engaged in the collection and processing of personal data (for example, transactions with plastic cards) must have a license to engage in such activities and use certified means for this.

FSTEC of Russia (formerly State Technical Commission) has developed the necessary normative base in the field of information protection from unauthorized access. Let's consider the structure of the main governing documents.

1. "Protection against unauthorized access to information. Terms and definitions" establishes a uniform terminology standard in the field of protecting computer facilities and automated systems against unauthorized access to information, mandatory for use in all types of documentation.

2. "Concept of protecting computer facilities and automated systems against unauthorized access to information" describes the basic principles on which the problem of protecting information from unauthorized access is addressed and its relationship to the general problem of information security. The concept covers: the definition of unauthorized access, basic principles of protection, the intruder model for automated systems, the main methods of unauthorized access, the main directions of protection, the main characteristics of technical means of protection, the classification of automated systems, and the organization of protection work. It is intended for customers, developers and users of computer facilities and automated systems whose main purpose is processing, storing and transmitting protected information.

3. "Means of information security. Protection of information in cash registers and automated cash systems. Classification of cash registers, automated cash systems and requirements for information protection" establishes the classification of cash registers, automated cash systems and information technologies and the requirements for protecting tax-related information. The document defines two classes of cash registers, automated cash systems and information technologies: the first covers systems that process cash flows of up to 350 minimum monthly wages per day, the second those above 350.

4. "Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" regulates the security requirements for computer facilities against unauthorized access, applied to system-wide software and operating systems. There are seven security classes, divided into four groups; each class lists the mechanisms required to implement protection against unauthorized access.

5. "Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection" divides automated systems into nine classes, depending on the presence of information of different confidentiality levels, the access authority levels of subjects and the data processing mode, and stipulates a set of requirements for each. Depending on the characteristics of information processing, the classes are divided into three groups.

6. "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" sets requirements for the various classes of firewalls. There are five firewall security classes; the classification depends on the security class of the automated system that the firewall is used to protect.

Based on the governing documents and regulatory framework of the FSTEC of Russia, the development, certification and use of means of protecting information from unauthorized access is carried out, as well as licensing of enterprises for the right to operate in the field of information protection on the territory of the Russian Federation.


Posted on http://www.allbest.ru/

Ministry of Transport of the Russian Federation

Federal Agency for Railway Transport

Federal State Budgetary Educational Institution of Higher Professional Education "Far Eastern State Transport University"

Department of Civil, Business and Transport Law

Discipline: Legal Support of Information Security

Topic: Licensing and certification in the field of information security

Completed by student: Nepomnyashchaya Natalya Evgenievna

Checked by: department teacher Zheleznyakov Anatoly Mikhailovich

Khabarovsk

Introduction

1. Licensing in the field of information security

1.1 Licensing authority - FSTEC of Russia

1.2 Licensing authority - FSB of Russia

2. Certification in the field of information security

2.1 Organizational structure of the certification system

2.2 Certification procedure

Conclusion

Bibliography


1. Licensing in the field of information security

1.1 Licensing authority - FSTEC of Russia

The licensing requirements for an applicant for a license to carry out activities for the development and production of means of protecting confidential information (SZKI; hereinafter the license) are:

1. the license applicant has at least two specialists with higher professional education in the field of technical protection of information, or with higher technical or secondary vocational (technical) education who have undergone retraining or advanced training in the development and (or) production of means of protecting confidential information;

2. availability of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the field of information protection, and that belong to the license applicant by right of ownership or on another legal basis;

3. availability, by right of ownership or on another legal basis, of the control and measuring equipment needed for the licensed type of activity (which has passed metrological verification (calibration) and marking in accordance with the legislation of the Russian Federation), and of production and testing equipment;

4. availability of the computer programs and databases intended for carrying out the licensed type of activity (including software for developing SZKI), belonging to the license applicant by right of ownership or on another legal basis;

5. availability, by right of ownership or on another legal basis, of the technical and technological documentation, national standards and methodological documents necessary for the licensed type of activity, according to the list approved by FSTEC of Russia;

6. a production control system including rules and procedures for checking and assessing the SZKI development system, taking into account changes made to the technical and design documentation for the products being developed;

7. a production control system including rules and procedures for checking and assessing the SZKI production system, assessing product quality and the consistency of specified parameters, accounting for changes made to the technical and design documentation for manufactured products, and accounting for finished products (V. Kiyaev, O. Granichin, Security of Information Systems, National Open University "INTUIT", 2016, pp. 105-106).

1.2 Licensing authority - FSB of Russia

The licensing requirements for a license applicant are:

1. the license applicant has on its staff, as their main job according to the staffing table, the following qualified personnel:

2. a manager and (or) a person authorized to manage work in the licensed type of activity, having a higher professional education in the field of information security in accordance with the "All-Russian Classifier of Specialties" and (or) having undergone retraining in one of the specialties in this field (normative period: over 500 classroom hours), as well as having at least 5 years of experience in the field of work performed in the licensed type of activity;

3. engineering and technical workers (at least two people) who have a higher professional education in the field of information security in accordance with the "All-Russian Classifier of Specialties" and (or) have undergone retraining in this specialty (normative period: over 100 classroom hours);

4. availability of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the field of industrial property and are owned by the license applicant on the right of ownership or on another legal basis;

5. the license applicant has, on the right of ownership or on another legal basis, the control and measuring equipment (which has undergone metrological verification (calibration) and marking in accordance with the legislation of the Russian Federation), production and testing equipment and other facilities necessary for the implementation of the licensed type of activity;

6. availability of programs for electronic computers and databases intended for the implementation of the licensed type of activity (including software for the development of SZKI), owned by the license applicant on the right of ownership or on another legal basis;

7. availability of information processing tools certified according to information security requirements, used for the development and production of information protection systems, in accordance with information protection requirements;

8. the presence of a production control system, including rules and procedures for checking and assessing the SZKI development system, taking into account changes made to the design and engineering documentation for the products being developed;

9. the presence of a production control system, including rules and procedures for checking and assessing the SZKI production system, assessing the quality of manufactured products and the constancy of established parameters, accounting for changes made to the technical and design documentation for manufactured products, and accounting for finished products.

(Snytikov A.A. Licensing and certification in the field of information security. Moscow: Gelios ARV, 2012, pp. 223-224)

2. Information Security Certification

2.1 Organizational structure of the certification system

The organizational structure of the certification system is formed by:

1. the State Technical Commission of Russia (federal body for certification of information security means);

2. the central body of the information security certification system;

3. bodies for certification of information security means;

4. testing centers (laboratories);

5. applicants (developers, manufacturers, suppliers, consumers of information security products).

The State Technical Commission of Russia, within its competence, performs the following functions:

1. creates a certification system for information security tools and establishes rules for certification of specific types of information security tools in this system;

2. organizes the functioning of the certification system for information security tools;

3. defines the list of information security tools that are subject to mandatory certification in this system;

4. establishes the rules for accreditation and issuance of licenses to carry out certification work;

5. organizes and finances the development of regulatory and methodological documents for the certification system of information security tools;

6. determines the central body of the information security certification system (if necessary) or performs the functions of this body;

7. approves regulatory documents on information security, for compliance with which certification of information security means in the system is carried out, and methodological documents on conducting certification tests;

8. accredits certification bodies and testing centers (laboratories) and issues them licenses to carry out certain types of work;

9. maintains the State Register of participants and objects of certification;

10. carries out state control and supervision and establishes the procedure for inspection control over compliance with certification rules and certified information security means;

11. considers appeals regarding certification issues;

12. submits the certification system and the mark of conformity to Gosstandart of Russia for state registration;

13. organizes periodic publication of information on certification;

14. interacts with relevant authorized bodies of other countries and international organizations on certification issues, and makes decisions on the recognition of international and foreign certificates;

15. organizes the training and certification of expert auditors;

16. issues certificates and licenses for the use of the mark of conformity;

17. suspends or cancels the validity of issued certificates.

2.2 Certification procedure

The certification procedure includes the following steps:

1. submission and consideration of an application for certification of information security tools;

2. testing of certified information security tools and certification of their production;

3. examination of test results, registration, and issuance of a certificate and license for the right to use the mark of conformity;

4. implementation of state control and supervision, and inspection control over compliance with the rules of mandatory certification and certified information security means;

5. informing about the results of certification of information security tools;

6. consideration of appeals.

Submission and consideration of an application for certification of information security tools.

To obtain a certificate, the applicant submits an application (Appendix 1) to the State Technical Commission of Russia for testing, indicating the certification scheme, standards and other regulatory documents for compliance with the requirements of which certification must be carried out.

The State Technical Commission of Russia, within one month after receiving the application, sends to the applicant, to the certification body and testing center (laboratory) designated for certification, a decision to carry out certification (Appendix 2). At the request of the applicant, the certification body and testing center (laboratory) can be changed.

After receiving the decision, the applicant is obliged to submit to the certification body and testing center (laboratory) an information security device in accordance with the technical specifications for this product, as well as a set of technical and operational documentation, in accordance with the regulatory documents for the ESKD, ESPD for the information security device being certified.

Testing of certified information security tools in testing centers (laboratories).

Tests of certified information security means are carried out on samples whose design, composition and manufacturing technology must be the same as those of the samples supplied to the consumer or customer, according to test programs and methods agreed upon with the applicant and approved by the certification body. Technical and operational documentation for serial information security means must have a letter not lower than "O1" (according to ESKD).

The number of samples and the procedure for their selection and identification must comply with the requirements of regulatory and methodological documents for this type of information security means.

If there are no testing centers (laboratories) at the time of certification, the certification body determines the possibility, location and conditions of testing to ensure the objectivity of their results.

The timing of the tests is established by an agreement between the applicant and the testing center (laboratory).

At the request of the applicant, his representatives must be given the opportunity to familiarize themselves with the conditions of storage and testing of samples of information security means in the testing center (laboratory).

(Kiyaev V., Granichin O. Security of information systems. National Open University "INTUIT", 2016, pp. 105-106)

The test results are documented in protocols and conclusions, which are sent by the testing center (laboratory) to the certification body, and in a copy - to the applicant.

When changes are made to the design (composition) of information security means or their production technology, which may affect the characteristics of information security means, the applicant (developer, manufacturer, supplier) notifies the certification body about this. The latter decides on the need to conduct new tests of these information security tools.

Certification of imported information security tools is carried out according to the same rules as domestic ones.

Conclusion

Thus, certification is a conformity assessment procedure through which an organization independent of the manufacturer (seller) and the consumer (buyer) certifies in writing that the product meets the established requirements. Applied to information security tools, certification is the activity of confirming their compliance with the requirements of technical regulations, national standards or other regulatory documents on information security.

The certification system itself is represented by the FSTEC of Russia, which has jurisdiction over accredited bodies for certification of information security means and testing laboratories.

The entire certification system serves, first of all, to achieve national security in the field of informatization. No less important is the formation and implementation of a unified scientific, technical and industrial policy in the field of informatization. The system also promotes the formation of a market for secure information technologies and the means supporting them; regulates and controls the development and subsequent production of information security means; assists consumers in the competent choice of information security means; protects consumers from dishonesty on the part of the contractor (producer, manufacturer); and confirms product quality indicators.

Licensing is the set of activities related to granting licenses, re-issuing documents confirming the existence of licenses, suspending and renewing licenses, cancelling licenses, and monitoring by licensing authorities of licensees' compliance with the relevant licensing requirements and conditions when carrying out licensed types of activities.

A license is a special permit to carry out a specific type of activity, subject to mandatory compliance with licensing requirements and conditions, issued by a licensing authority to a legal entity or individual entrepreneur.

Licensing of activities in the field of information security is carried out by the FSB and the FSTEC of Russia. Let us consider the licensed types of activities in the field of protecting confidential information.

FSB of Russia:

1. Development and (or) production of means of protecting confidential information (within the competence of the FSB).

2. Development, production, sale and acquisition for the purpose of sale of special technical means intended for secretly obtaining information, by individual entrepreneurs and legal entities engaged in business activities.

3. Activities to identify electronic devices intended for secretly obtaining information in premises and technical means (except where this activity is carried out to meet the own needs of a legal entity or individual entrepreneur).

4. Activities for the distribution of encryption (cryptographic) tools.

5. Activities for the maintenance of encryption (cryptographic) tools.

6. Providing services in the field of information encryption.

7. Development and production of encryption (cryptographic) tools, and of information systems and telecommunication systems protected using encryption (cryptographic) tools.

Bibliography

1. Kiyaev V., Granichin O. Security of information systems. National Open University "INTUIT", 2016, pp. 105-106.

2. Snytikov A.A. Licensing and certification in the field of information security. Moscow: Gelios ARV, 2012, pp. 223-224.

3. Certification system for cryptographic information protection means: No. ROSS RU.0001.030001 dated November 15, 2012.

4. Bumazhkov A., Kirina A. Licensing and certification in the field of information security.

5. Terms and definitions in the field of information security. Moscow, 2011.

Posted on Allbest.ru


The rapid growth of computerization and the increase in the volume of digital information have forced an increase in the level of security. This has led to active development of various methods of data protection, as well as of companies offering confidentiality services. At the same time, only a limited number of companies are permitted to carry out such activities.

Obligation to obtain permission

Protection of personal and commercial information is a rather delicate and important task. It is unacceptable to provide such services without permission. A license is required for the following types of information protection activities:

  • Development, production and distribution of encryption tools
  • Work on the technical protection of confidential information
  • Detection of electronic means used for secret data acquisition
  • Production and development of SZKI (means for protecting confidential information)
  • Maintenance of cryptographic means of protecting information, telecommunications and information systems.

An exception to this is the development of encryption tools for personal use or. Also, a license is not required for the maintenance of information and other systems used for the internal information of a specific company.

Why a license is needed to operate in the technical (and other) protection of confidential information is explained below.

License for activities related to technical protection of confidential information

Main licensing tasks

It is worth understanding that the level of confidentiality of information varies.

  • For some companies, a data leak brings only moral inconvenience, while other companies lose the ability to function as a result.
  • Also, do not forget about the trade secrets behind the production of various goods. If they are published, a variety of consequences is likely.

The main task of licensing is to suppress incompetent activity. License applicants must meet multiple criteria to ensure quality data protection services and diligent technical support.


Normative documents

The issuance of licenses is regulated by a number of regulations, laws and decrees. One of the main documents is Federal Law No. 99 of May 4, 2011 "On licensing of certain types of activities."

The following Russian Government Decrees also apply to information protection activities:

  • No. 45 of January 26, 2006
  • No. 532 of August 31, 2006
  • No. 691 of September 23, 2002

It is also worth reading the Decree of the Government of the Russian Federation No. 1418 of December 24, 1994. All these documents consider in detail the procedure for obtaining permission and the conditions for granting it, along with a list of the necessary documents.

The procedure for obtaining a license from the FSTEC of Russia for the technical protection of confidential information, including how to write the application, is described below.

Obtaining a license to carry out information security activities

Information protection activities require compliance with a long list of conditions and systematic preparation. After submitting the application, the license applicant must undergo an expert examination by a commission consisting of FSB and FSTEC employees. The specific composition of the expert commission depends on the chosen type of activity.

Application and place of submission of documents

An application for a license permitting information protection activities is completed in the form prescribed by law. A sample application is provided by the state licensing authorities. Two organizations are involved in issuing licenses for information security activities:

  1. Federal Security Service (FSB).
  2. Federal Service for Technical and Export Control (FSTEC).

The conditions required for licensing activities for the technical protection of confidential information (obtaining a license for this) are described below.

Conditions

The main difficulty in obtaining a license is the set of conditions for granting it. The list is quite long, and if any item is missing, the applicant is refused the permit. At the same time, the conditions differ between types of activity, although there is a general list.

The following conditions must be met:

  • Have at least 2 employees who have the appropriate education or have completed retraining courses
  • Own or lease premises that technically comply with the declared type of activity
  • Form a material and technical base of control, measuring, testing and other equipment of the type required for the chosen activity
  • Confirm that the required software is owned or otherwise legally held
  • Have a specialized control system corresponding to the selected type of activity and its specific sub-item
  • Legally possess the technical documentation, methodological developments, and other paper and digital data necessary to conduct the business.

Also, certain types of activities may require information processing facilities certified for security.

Another requirement, applying to all types of activities except the production and development of SZKI, is the presence of a manager who has a higher education in the specialty "Information Security" or who has completed a retraining course exceeding 500 classroom hours.

Required documents

Along with the stated conditions, the following package of documents must be provided:

  • Employment contracts, certificates and diplomas of employees
  • Application and supporting documents for payment of the state duty
  • Documents confirming the legal existence of control systems
  • Title documents for premises and software
  • Data on the availability of the technical and other documentation necessary for the work
  • Documents confirming the availability of the required material and technical base
  • Certificates of conformity of information processing facilities and/or protected premises.

All data is provided along with the applicant’s constituent documents. The number of paper forms varies greatly depending on the type of activity chosen, the presence of several premises, programs and technical documentation. That is why, when collecting a package of documents, it is necessary to clarify the presence of new regulations regarding licensing of information protection activities.

The stages of licensing activities for organizing information security are described below.

Stages

The procedure for granting a license takes a considerable amount of time. The legal deadline for issuing this document is limited to 45 days. One of the important steps is the preliminary stage of obtaining permission; the very possibility of being granted the right to carry out information protection activities depends on how well it is carried out.

Preparatory stages of licensing:

  • Study of the regulatory framework
  • Determining compliance with stated conditions
  • Collecting a package of documents and drawing up an application
  • Re-analysis of the conditions and documents provided.

If the preparatory licensing period is carried out correctly, the likelihood of obtaining a license is very high. Often the reason for refusal is precisely errors in the submitted documents or non-compliance with the necessary conditions.

After the preliminary stage, the documents must be submitted to the appropriate licensing authority, selected depending on the type of activity (FSB or FSTEC). The next step is the examination of the documents by an expert commission. If they comply, a check of the technical capabilities and conditions for conducting the activity is organized. The final stage is the issuance of the official license form.

Helpful information

  • Particular attention should be paid to the fact that all existing licensees are subject to routine inspections by FSB officers. Moreover, this type of activity is characterized by unannounced inspections without warning. They are carried out lawfully in order to achieve the highest quality of the information protection services provided.
  • For this reason, the validity period of the license is set at a minimum of 5 years, and the procedure for renewing the permit has been simplified. The document confirming the permit must be re-issued: upon application by the licensee, a new form with an extended validity period is issued. This is possible only in the absence of gross violations; if there are any, the license is revoked.

Obtaining permission to conduct information security activities is not in itself particularly difficult. It is much harder to assemble the required package of documents and to comply correctly with all the required conditions. When applying for a license, the most important thing to pay attention to is the preparatory stage; if it is done well, obtaining permission will not be difficult.
