New in information security certification

About a year ago, on April 3, 2018, the FSTEC of Russia published order No. 55. It approved the Regulation on the system of certification of information security tools.

The Regulation determined who the participants of the certification system are. It also clarified the organization and procedure for certifying products used to protect confidential information constituting a state secret, whose protection tools must also be certified through this system.

So, what exactly does the Regulation classify as products that need to be certified?

• Means for combating foreign technical intelligence and means for monitoring the effectiveness of technical protection of information.
• IT security tools, including secure information processing tools.

The participants of the certification system include:

• Bodies accredited by the FSTEC.
• Testing laboratories accredited by the FSTEC.
• Manufacturers of information security tools.

Certification involves the following steps:

• Apply for certification.
• Wait for a decision on certification.
• Pass certification tests.
• Issue an expert opinion and a draft certificate of conformity based on the results.

After that, the certificate is either issued or refused.

In addition, depending on the case, the following are performed:

• Provision of a duplicate certificate.
• Labeling of protection tools.
• Making changes to already certified protection tools.
• Certificate renewal.
• Certificate suspension.
• Termination of the certificate.

Paragraph 13 of the Regulation is worth quoting:

"13. Certification tests of information security tools are carried out at the material and technical base of the testing laboratory, as well as at the material and technical bases of the applicant and (or) the manufacturer located on the territory of the Russian Federation."

More recently, on March 29, 2019, the FSTEC published a further update, titled “Information message of the FSTEC of Russia dated March 29, 2019 N 240/24/1525”.

The document modernized the certification system for information security tools. Thus, the Information Security Requirements have been approved. They establish levels of trust in technical information protection and information technology security tools. They, in turn, determine the conditions for the development and production of information security tools, testing of information security tools, as well as for ensuring the security of information security tools during their use. There are six levels of trust in total. The lowest level is six. The highest is the first.

First of all, the levels of trust are intended for developers and manufacturers of protective equipment, applicants for certification, as well as for testing laboratories and certification bodies. Fulfillment of the Requirements for the level of trust is mandatory for certification of information security tools.
All this will come into force on June 1, 2019. In connection with the approval of the Requirements for the level of trust, FSTEC will no longer accept applications for certification of protection tools for compliance with the requirements of the guidance document “Protection against unauthorized access. Part 1. Information security software. Classification by the level of control of the absence of undeclared capabilities.”

Information security tools corresponding to the first, second and third levels of trust are used in information systems that process information constituting a state secret.

The use of protection tools of the fourth to sixth levels of trust in GIS and ISPD of the corresponding classes / levels of security is given in the table:


Particular attention should be paid to the fact that:

“The validity of certificates of conformity of information security tools, in respect of which the specified conformity assessment will not be carried out before January 1, 2020 on the basis of paragraph 83 of the Regulation on certification of information security tools, approved by order of the FSTEC of Russia dated April 3, 2018 No. 55, may be suspended.”

While legislators continue to work on improvements to certification requirements, we are providing cloud infrastructure that meets all the requirements of the adopted laws. The solution provides for an already prepared infrastructure, a turnkey solution to comply with federal law 152.

Source: habr.com
