In Russia, the certification of objects of informatization against information security requirements is carried out by the Federal Service for Technical and Export Control (FSTEC), a body engaged in interagency cooperation and coordination that performs special functions in the field of state security.
The essence of certification of objects of informatization
An object of informatization is a set of information resources together with the systems and means used to process them in accordance with a predefined technology. The term also covers the supporting means of such objects, premises (buildings, structures) and technical devices intended for confidential meetings and negotiations.

Certification of an object of informatization against information security requirements is a set of organizational and technical measures. The result of such a check is a document drawn up by specialists, a "certificate of conformity". This document confirms that the inspected object meets all the requirements of the regulations and standards approved by the FSTEC. After receiving the final document, the organization obtains the right to process information of a certain level of confidentiality or secrecy for a certain period of time. This period is indicated in the report issued by the FSTEC during the certification of the object of informatization.
Compliance checks are conducted in accordance with the rules established by a special regulatory legal act, the "Regulation on the certification of objects of informatization" of 1994. An object is examined before any data that needs to be processed is received on its storage media. This requirement exists because the organization must have official confirmation of the effectiveness of the means and measures it uses to protect data on a particular storage medium before that data arrives.
Areas of activity of organizations requiring mandatory certification
Certification of an object of informatization is mandatory for an enterprise in the following cases:
- the object contains elements of state secrets;
- state information resources are protected on it;
- the company's activities are associated with the management of facilities that are considered environmentally hazardous;
- secret negotiations are conducted as part of the organization's work.
If none of these cases applies to the enterprise, verification is not mandatory. At the same time, many companies certify their objects of informatization against data security requirements on a voluntary basis. The customer or the owner of the object of informatization can declare a desire to conduct such an audit.
The audit comprises a set of tests of the objects in which data is stored and processed, carried out under real operating conditions. The purpose of certifying an object of informatization is to analyze whether the protective measures and means used by the organization comply with the required standards.
During the audit, the following areas are examined:
- Protection against unauthorized access, including computer viruses.
- The degree of protection of the object against leakage through PEMIN (spurious electromagnetic emanations and pickups).
- Protection of information against influence or leakage by means of special devices embedded in the object under verification.
Regardless of whether certification of an object of informatization is voluntary or compulsory, the costs of carrying it out are borne by the customer.
The list of actions implemented in the certification process
Bodies for the certification of objects of informatization carry out their work according to a scheme they choose. The list of verification activities includes the following actions:
- Analysis of the available information on the object of informatization under analysis.
- Preliminary study of the object of informatization being certified.
- Expert examination of the object of informatization and analysis of the documentation developed by the audited organization to protect the information held by the company. The purpose of the analysis is to establish that these documents conform to the requirements of the methodological and regulatory documentation.
- Testing of individual systems and data protection tools at the specific object of informatization using special equipment and instruments.
- Similar testing and various trials of information protection tools in testing laboratories and certification centers against computer security requirements.
- A set of certification testing activities at the object of informatization during its direct operation.
- Analysis of the survey results obtained by the experts and of the comprehensive tests performed within the certification, and approval of the conclusion based on the results of verification.
Certification bodies for objects of informatization undergo mandatory accreditation at the FSTEC, approved by the relevant Regulation. When auditing organizations, the control bodies bear responsibility for the quality of the functions assigned to them by legislation, as well as for the safety of the information they receive during certification. If the customer's copyrighted material was analyzed (or otherwise affected) during the check, those rights must also be respected.
List of certification bodies
Certification of an object of informatization according to OKPD 2 is carried out by the following bodies:
- The federal-level authority for the certification of information protection tools and the certification of objects of informatization against data protection requirements.
- Subordinate FSTEC bodies that verify specific facilities for compliance with security standards and norms.
- Testing laboratories and certification centers for various products.
- Applicants (owners, customers or developers of the objects of informatization being certified).
Certification bodies may be regional and industry institutions, organizations and enterprises for information protection, and centers and branches of the Russian FSTEC that have been accredited in accordance with the applicable legislative acts.
The powers of certification bodies
Bodies providing services for the certification of objects of informatization are endowed with the following powers:
- They check objects of informatization and issue special documents, "Certificates of conformity", based on the results of the analysis.
- During the verification process, they monitor the security of the information circulating at the objects under verification, as well as the operation of specific storage media.
- They suspend the validity of, or revoke, previously issued certificates of compliance of organizations with the established security standards.
- They form separate funds of methodological and normative documentation suitable for certifying each specific type of object of informatization, and take part in its development.
- They maintain the information base of certified objects of informatization.
- They constantly interact with the Russian FSTEC, informing it quarterly of the work carried out in the field of certification of organizations.
According to the Regulation on the certification of objects of informatization, the Federal Service exercises further powers in the field of conformity checks:
- Organizes the mandatory certification of objects of informatization.
- Creates certification systems for organizations undergoing verification and establishes the requirements for analyzing the information protection of organizations within each system.
- Defines the rules for accreditation and for obtaining a license to carry out mandatory compliance checks.
- Organizes and finances the planning of certification of objects of informatization according to OKPD 2, and develops and approves the relevant methodological and regulatory documents.
- Accredits the bodies that will subsequently verify compliance with data security standards in organizations, and issues licenses to these bodies for the exercise of certain types of powers.
- Implements measures of state control and supervision over the correctness of the certification of objects of informatization, as well as over the further activities of organizations that have been tested.
- Considers appeals that arise in the process of analyzing objects of informatization.
- Conducts training on the certification of objects of informatization.
- Organizes the periodic publication of information on the operation of the system of checks of various objects for compliance with information protection standards.
Testing centers and laboratories test products that have not passed certification if they are used at an enterprise undergoing a compliance check. The official site of the FSTEC contains information on the certification procedure for objects of informatization and on the bodies that carry out these checks.
Applicants' powers
To protect information during the certification of objects of informatization, each party must fulfill its duties and exercise its authority. The powers of the applicants are as follows:

- To prepare objects of informatization for compliance checks by applying the necessary organizational and technical measures used in the field of information protection.
- To engage certification bodies to organize and carry out scheduled inspections of objects of informatization.
- To provide the inspection bodies with the necessary package of documents and the conditions for verification.
- If necessary, to submit information protection tools that have not passed certification for testing at the test facility. They may also engage testing laboratories and certification centers.
- To operate the objects of informatization in accordance with the requirements and conditions established in the Regulation on the certification of objects of informatization.
- To notify the certification bodies that issued the certificates of changes in information technology, in the placement and composition of computer systems and means, and in the operating conditions of these tools, where such changes affect the effectiveness of information protection measures.
- To provide the required documents and conditions for the supervision and control of the operation of an object of informatization that has passed mandatory certification.
Documents submitted by the applicant to the inspection body
According to the general provisions of the GOST on the certification of objects of informatization (GOST RO 0043-003-2012), the list of documents submitted by the applicant for verification includes the following:
- Acceptance documentation for the computerization object.
- Acts on the division of premises and objects of informatization into categories.
- Instructions on the rules for the use of protective information tools.
- Technical passports for objects undergoing certification.
- Documents on the operation of TSOI (technical means of information processing), namely certificates of compliance of these means with information security requirements.
- Acts on concealed works.
- Certificates of compliance with information security requirements for VTSS (auxiliary technical means and systems).
- Protocols on measuring the degree of sound insulation of allocated rooms and other rooms, as well as the efficiency of installing screens in buildings and cabins.
- Certificates of compliance of facilities with information security requirements in relation to technical means of data protection.
- Protocols for measuring the degree of grounding resistance.
- Protocols for measuring the actual attenuation of signals from information devices to potential locations for reconnaissance equipment.
- Data on the level of personnel training of persons providing information protection.
- Information about providing the organization with technical means to monitor the effectiveness of data protection and carry out their metrological verification.
- Methodological and regulatory documentation related to the protection of information and the monitoring of its effectiveness. The documents listed here may be supplemented with other papers where the characteristics of the certification object require it, provided the submission of such additional data is agreed with the certification commission.
- Explanatory notes with informational characteristics and an indication of the organizational structure of the protected object, data on measures of an organizational and technical type carried out in order to protect information from leakage through technical channels.
- A list of computerized objects to be protected, with an exact indication of their locations and the established degree of protection.
- A list of the premises in which the protected information media are located, with an exact indication of their location and the established degree of protection.
- The list of TSOI installed in the organization, with a note on the presence or absence of certificates or operating instructions, as well as the determination of their location.
- List of technical protective information tools with an indication of their location.
- The list of HTSC installed in the organization, with a note on the presence or absence of certificates or operating instructions, as well as the determination of their location.
- The plan diagram of the electrical power system indicating the location of the isolation substation, each switchboard and wiring box.
- A large-scale scheme with a plan of the building in which there are objects of protection, the boundaries of the control zone, transformer substations, grounding devices, locations of power lines and utilities, the location of security and fire alarms and separation devices.
- Layout plan of the laid telephone lines with the location of each junction box and telephones.
- Floor-by-floor technological plans of the object of verification with the determination of the locations of specific objects of computerization, the locations of premises allocated for equipment, as well as the characteristics of ceilings, walls, types of windows and doors and used finishing materials.
- The layout of the grounding system and ground electrode system.
- General plans for the location of each object with the location of the VTSS, TSOI, their connection lines, as well as the routes along which engineering communications and extraneous conductors are laid.
- Layout of communications of an engineering type of a building together with a ventilation system.
- Scheme of active protection systems (if any).
- The plan diagram of the fire and security alarm systems with the location of each sensor and junction box.
The certification procedure
Certification of an object of informatization according to OKPD is carried out in the following order:
- Submission and consideration by the commission of an application for certification. The application is made in the form approved in the Regulation. The period for considering the request is one month. If the commission decides to conduct an audit, the certification scheme is determined and agreed with the applicant.
- A preliminary study of the object being certified, if the information submitted by the applicant is not sufficient to form a complete picture.
- Laboratory tests of the systems and protection tools of the facility that have not passed certification.
- Development of the methodology and test program for the certification. The list and duration of work, the verification methodology, the composition of the study group, and the instruments and tools used in the analysis are determined.
- Conclusion of a certification agreement between the inspection body and the applicant, as well as between the body and any external experts involved.
- Testing at the facility.

The final step includes the following actions:
- analysis of the structure of the organization as a whole, of the flow of information within the audited object, of the structure and composition of the set of programs and technical means, of the information security systems and of the documentation, as well as checking that the documents comply with regulatory requirements;
- determination of the correctness of the assignment of objects (computers and automated systems) to categories, and of compliance in the selection and use of non-certified and certified data protection systems and means;
- testing of protection systems and means that have not passed certification, and analysis of their verification in testing laboratories and centers;
- checking the level of training of personnel and the distribution of their responsibility for fulfilling information protection requirements;
- conducting comprehensive certification activities under real operating conditions;
- drawing up test reports and a conclusion indicating recommendations for correcting the identified shortcomings and for organizing control over the normal functioning of the information storage facilities.
Test report content
The certificate of compliance of the object with the necessary requirements is signed by the head of the verification commission and approved by the head of the certification body.
The document of conformity is issued for a period during which the constancy of the procedure and working conditions of the computerization object should be ensured. Also during this period, the technologies used in the processing of protected data should be preserved. The maximum validity of the certificate is three years.
Certification of objects of informatization is a necessary procedure for organizations whose activities are related to confidential information and their protection.