The Department of Information Technology, Communications and Information Protection of the City of N requires ...

  • Tutorial

Public IT is often the subject of jokes and criticisms. However, it cannot be denied that in recent years, work to develop the information society, and in particular, work to increase the availability of public electronic services, has yielded results.

The following elements of the e-government system have been created in the Russian Federation:
2008 - a network of multifunctional service delivery centers (MFCs);
2009 - a single portal for the provision of state and municipal services (EPGU), regional portals and portals of municipalities (EPGU) associated with the system of interagency electronic interaction (SMEV);
2011 - an open government system;
2013 - integrated government (MFC + EPGU + SMEV).

Government agencies are interested in highly qualified personnel, reducing risks and costs, joining forces with the private sector in the provision of services. Perhaps you are an IT specialist who is thinking about working in the Information Technology Department of your city, or an employee of an IT company with a private form of ownership that would like to provide its services to government organizations. What you need to know and what to be prepared for such a job?

For our part, we offer a cloud infrastructure for hosting state information systems in them and have experience in implementing such projects.

The most relevant issue for government customers is the issue of compliance with legal requirements. The purpose of this article is to increase the awareness of specialists in matters of work in the field of public IT. This article is devoted to one of the main regulatory legal acts in the field of information security in the State and Municipal Information Systems - the 17th order of the FSTEC.

At the time of adoption, during the amendment of Order No. 17 of February 11, 2013, “On the Approval of the Requirements for the Protection of Information Not constituting State Secrets Contained in State Information Systems”, many copies were broken.

Let me remind you that the latest version of this order is now in the edition of February 15, 2017. But we will be fair, most of the claims related to Appendix No. 2 of this order, namely, the composition of the protective measures. The initial questions about the application of measures were removed after the release of the methodological document dated February 11, 2014 “Information security measures in state information systems” , which answered “how” to implement the requirements of the Order.

We would like to consider the main postulates of the 17th order, without going over to the options for the implementation and application of specific protective measures.

So, let's proceed to the theoretical creation of our information system, taking into account the requirements of order No. 17.

It should immediately be noted here that
«В документе не рассматриваются требования о защите информации, связанные с применением криптографических методов защиты информации и шифровальных (криптографических) средств защиты информации».
So we will not consider cryptography.

For ease of perception, I recommend an example of a leak from the article “And so it goes ... or how the data of 14 million Russians were in my hands . It will be much easier to perceive the “dry” legal norms if you think about something more specific. Let's see how order No. 17 helps us in this situation.

Omitting the non-essential and trivial parts of the Order, we move on to its second section, namely, to item number 9. We begin to create a defense by appointing the “guilty”:
«Для обеспечения защиты информации, содержащейся в информационной системе, оператором назначается структурное подразделение или должностное лицо (работник), ответственные за защиту информации»
Someone must make decisions and be responsible for various development mistakes that lead to leaks. The order also clarifies that this responsible person should take part in all stages of the life cycle of the information system, which in general is quite logical. We quote point 12.
«Защита информации, содержащейся в информационной системе, является составной частью работ по созданию и эксплуатации информационной системы и обеспечивается на всех стадиях (этапах) ее создания, в ходе эксплуатации и вывода из эксплуатации…»
Protection measures are reduced to the following points:

  • formation of requirements for the protection of information contained in the information system;
  • development of an information system information security system;
  • implementation of an information system information security system;
  • certification of the information system according to the requirements of information security (hereinafter - certification of the information system) and putting it into effect;
  • ensuring the protection of information during the operation of a certified information system;
  • ensuring the protection of information during the decommissioning of a certified information system or after a decision is made to end information processing.

Formation of requirements


This stage, however, like the other stages, is divided into several sub-stages, but we will try to explain all this more succinctly.

The formation of requirements begins with the decision that our information system needs to be protected. After we have made such a decision, we must classify this system, and for this we need to understand the purpose of creating the system, examine the information being processed in the IP, and also understand what regulatory acts our information system falls under.

In addition to the fact that IP is state-owned and is subject to the 17th order, it can also be a public information system, which means that other NPAs also apply to it. In particular, the order of the Federal Security Service of the Russian Federation N 416 and the FSTEC of the Russian Federation N 489 dated 08/31/2010 "On the approval of the Requirements for the protection of information contained in public information systems", probably forgotten by all.

We omit the norms of this order in this article. But I would like to note that the reduction of the requirements of various documents to a single denominator, sometimes almost contradicting each other, is a separate issue when working with our legislation.

Having clarified all of the above, we need to classify our IP and move on to modeling threats. In the current edition of the Order, there are three classes of GIS out of four in its first edition, but this will not hinder us in any way. The classification is fairly well described and should not arise with this difficulty. What you should pay attention to is the following text:
«Класс защищенности определяется для информационной системы в целом и, при необходимости, для ее отдельных сегментов»
Thus, we can break down our information system into its constituent parts and classify each of them individually. For example, to classify separately the servers of the information system and its workplaces.

In the future, respectively, each set of protection measures will be applied to each of the segments, which is very convenient. It is also necessary to remember that the GIS class is not constant and can vary depending on the circumstances (changing the scale of the IP, the significance of the processed information, etc.).

Threat modeling, the topic itself is quite extensive, so here we restrict ourselves to mentioning this stage. For a detailed review of it, it is advisable to refer you to our previous article “On Threat Modeling” .

The requirements for the protection system are determined directly depending on the security class of the information system and the threats to information security that we identified at the previous stages. These requirements are included in the TOR for the creation of a protection system.

As the Order tells us, they should include the following:

  • the purpose and objectives of ensuring the protection of information in the information system;
  • information system security class;
  • a list of regulatory legal acts, methodological documents and national standards to which the information system must comply;
  • list of information system protection objects;
  • requirements for measures and means of information protection used in the information system;
  • stages (work stages) of creating an information system protection system;
  • requirements for supplied hardware, software, information security;
  • the functions of the customer and operator to ensure the protection of information in the information system;
  • requirements for the protection of tools and systems that ensure the functioning of the information system (providing infrastructure);
  • requirements for the protection of information during information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as the use of computing resources (capacities) provided by an authorized person for information processing.

As you can see, these items list everything that we had to determine at the previous stages. So, if earlier we went through all the points in good faith, then problems with filling TK should not arise.

Development of an information security system


The protection system is developed in accordance with the ToR formed earlier. Development includes three large stages:

  • design directly;
  • development of operational documentation;
  • prototyping and testing.

As you can see, there are three stages that are quite lengthy in time and labor. The development phase is actually very important and avoids most of the problems that arise in subsequent stages.

Unfortunately, many do not pay due attention to this stage, and many factors push them towards this. So the work is built in a huge number of offices of the middle hand. The serious implementation of all three points is typical mainly for large organizations and projects. Therefore, leaks from systems in the development of which these stages were ignored or performed “through the sleeves” are not surprising. Let me explain a little how this happens with this approach.

When we talk about state information systems, we can most likely say that the owner of these systems is a government agency with all the consequences. Recall public procurement, budget constraints, add the likelihood that outside the window is autumn, you need to win back and hand over the project before the end of the new year and get ... We get at least a 70 percent probability that in fact there will be enough time only for design. In the process of “prototyping and testing”, yeah, someone else would have put the finances on the prototype, the operational documentation will be finalized. Testing will come down to verifying that the system will not crash when installing security features. Well, at the output - the expected result: it works and okay!

This is how it should not be. And if this happens, then the possibility of leaks should not after surprise.

Of the three points, I would like to focus on design. So, at the design stage:

  • types of access subjects and access objects that are objects of protection are determined;
  • defines access control methods, types of access and rules for differentiating access of access subjects to access objects;
  • information protection measures to be implemented in the information security system of the information system are selected;
  • the types and types of information protection tools that ensure the implementation of technical measures to protect information are determined;
  • the structure of the information protection system is determined, including the composition and placement of its elements;
  • the selection of information protection tools certified for compliance with information security requirements is carried out, taking into account their cost , compatibility with information technologies and technical means, the security functions of these tools and the features of their implementation, as well as the security class of the information system;
  • requirements for software settings are defined, including software for information security tools that ensure the implementation of information security measures, as well as the elimination of possible vulnerabilities in the information system that lead to information security threats;
  • measures of information protection are determined during information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as when using computing resources provided by an authorized person for information processing.

All of the above is executed in the form of a technical project or a similar document. The final version of the technical project is only after the stage of prototyping and testing. The order allows, based on the test results, to make changes to the technical design.

Security system implementation


So, the protection system is developed, tested and ready for implementation. The implementation of the protection system includes:

  • installation and configuration of information security tools;
  • development of documents defining the rules and procedures implemented by the operator to ensure the protection of information;
  • implementation of organizational measures to protect information;
  • preliminary tests of the information security system;
  • trial operation of an information security system;
  • analysis of information system vulnerabilities and adoption of information protection measures to eliminate them;
  • acceptance tests of the information system information protection system.

Installation and configuration of protective equipment is based on previously developed documentation.

The documents being developed at this stage specify the rules and procedures for various aspects of the operation of the created system (incident response, configuration management, monitoring, etc.).

The implementation of organizational measures also includes control over the possibility of their implementation and completeness of coverage. In fact, at this stage, conflicts between implemented measures and existing business processes are monitored.

After the installation of protective equipment and the implementation of organizational protective measures, preliminary tests are carried out and the trial operation phase begins.

During the trial operation, a very important stage is carried out - vulnerability analysis. Based on the results of this analysis, both the threat model and the technical decisions made can be adjusted. In the latest edition of the Order, it was added that
«По результатам анализа уязвимостей должно быть подтверждено, что в информационной системе отсутствуют уязвимости, содержащиеся в банке данных угроз безопасности информации ФСТЭК России, а также в иных источниках, или их использование (эксплуатация) нарушителем невозможно».
As the name implies, it is at this stage that the state of the so-called “real security” is checked and the result directly depends on the qualifications of the testers.

After conducting checks and adjusting (if necessary) the applied solutions, we proceed to acceptance tests.

Certification of the information system


After successful acceptance tests, you can proceed to Certification.

Certification is certification, it’s difficult to clarify something, therefore I’ll just list the methods of verification (testing) during certification tests:

  • expert-documentary method, which provides for checking the compliance of the information system information protection system with the established requirements for information protection, based on the assessment of operational documentation, organizational and administrative documents for information protection, as well as the operating conditions of the information system;
  • analysis of information system vulnerabilities, including those caused by improper configuration (configuration) of software and information protection tools;
  • testing the information protection system by attempting unauthorized access (exposure) to the information system bypassing its information protection system.

Raising the issue of certification, I would like to draw attention to the following text of the Order:
«Допускается аттестация информационной системы на основе результатов аттестационных испытаний выделенного набора сегментов информационной системы, реализующих полную технологию обработки информации.

В этом случае распространение аттестата соответствия на другие сегменты информационной системы осуществляется при условии их соответствия сегментам информационной системы, прошедшим аттестационные испытания».
Thus, in the presence of, say, hundreds of typical jobs, the Order allows certification of not all hundreds, but for example 3-5 jobs. Provided that the applied means and protective measures are fully consistent, the certificate may apply to workplaces that have not passed the full certification process. For such jobs, it is advisable to limit it to inspection control, confirming the conformity of the configuration of such jobs to reference samples that have passed certification.

Having successfully passed the certification tests, you can begin to commission the system. An important note here is the following:
«В случае, если информационная система создается на базе центра обработки данных уполномоченного лица, такой центр обработки данных должен быть аттестован по классу защищенности не ниже класса защищенности, установленного для создаваемой информационной системы.»
That is, if you plan to place your system, for example, on the site of a cloud provider , you need to make sure that its infrastructure is certified in the class corresponding to your IS.

Information security during operation


In the course of operation of a put-in IS, tasks arise that are related both to maintaining operability and keeping the protection system up to date.

General operation includes four stages:

  • management (administration) of the information system information security system;
  • incident detection and response;
  • configuration management of a certified information system and its information protection system;
  • control (monitoring) over ensuring the level of security of information contained in the information system.

At this stage, it is rather problematic to single out some particular points, because the general steps are highlighted, and the details vary greatly from the configuration of a particular IC. It would seem that this can be finished, but, in fact, it is still early. One of the important stages in the life cycle of any IP is decommissioning.

Information security during decommissioning


The decommissioning of the information system, according to the Order, includes two stages:

  • archiving information contained in the information system;
  • destruction (erasing) of data and residual information from computer storage media and (or) destruction of computer storage media.

It is worth noting here that if you erase, rather than physically destroy the media, then you should do this with certified tools that guarantee the destruction of information. Of course, at the same time, all the necessary acts must be drawn up, according to previously developed operational documentation.

Other articles on our corporate blog


State and IT
“State in the Clouds” and one example of GIS from our practice
FAQ on integration with ESIA
About threat modeling
For children - ice cream, information system - backup
How does blocking access to pages distributing prohibited content (now ILV checks and search engines)
Protection of the rights of subjects of personal data
"Scarecrow" about GDPR
Checks and plans of Roskomnadzor for 2018
Those who brought ISPDn into medicine in accordance with the law do not laugh in the circus
PD operator errors related to personnel work
Brief FAQ about Federal Law N 242-ФЗ