
Information security licensing. How to get an FSTEC license? Requirements for obtaining an FSTEC license

Licensing in the field of information protection is the activity of transferring or receiving rights to carry out work in the field of information protection. State policy in the field of licensing certain types of activities and ensuring the protection of the vital interests of the individual, society and the state is determined by Decree of the Government of the Russian Federation No. 1418 of December 24, 1994 "On licensing certain types of activities" (as amended by RF Government Decisions No. 450 of 05.05.95, No. 549 of 03.06.95, No. 796 of 07.08.95, No. 1001 of 12.10.95, No. 462 of 04.22.97 and No. 1513 of 01.12.97; see also Resolution No. 135 of 11.02.02).

A license is a permit for the right to carry out work in the field of information protection. A license is issued for specific types of activity for three years, after which it is re-registered in accordance with the procedure established for issuing a license.

A license is issued if the applicant company meets the licensing conditions: it has production and testing facilities, regulatory and methodological documentation, and scientific and engineering personnel.

The organizational structure of the system of state licensing of enterprises in the field of information protection is formed by:

· State bodies for licensing;

· Licensing centers;

· Enterprises-applicants.

State licensing authorities:

· Organize compulsory state licensing of enterprises;

· Issue state licenses to applicant enterprises;

· Agree on the composition of expert commissions represented by licensing centers;

· Exercise control and supervision over the completeness and quality of work carried out by licensees in the field of information protection.

License centers:

· Form expert commissions and submit their composition for approval to the heads of the relevant state licensing bodies, which are FSTEC and FSB;

· Plan and carry out work on the examination of the applicant enterprises;

· Control the completeness and quality of the work performed by the licensees.

Licensing centers under state licensing bodies are created by orders of the heads of these bodies. Expert commissions are formed from among specialists from industries, government bodies, other organizations and institutions competent in the relevant field of information protection. Expert commissions are created in one or more areas of information protection.

The following activities are subject to licensing by FSTEC of Russia:

· Certification and certification testing of protected technical means of information processing (TSOI), technical and software means of protection, means of monitoring the effectiveness of information protection measures, and protected software for processing, protecting and monitoring the security of information;

· Certification of informatization systems, automated control systems, communication and data transmission systems, IT facilities and dedicated premises for compliance with the requirements of guidance and regulatory documents on information security;

· Development, production, sale, installation, adjustment, mounting, repair and service maintenance of protected informatization objects, technical means of protection and of monitoring the effectiveness of information protection measures, and protected software for processing, protecting and monitoring the security of information;

· Carrying out special studies of side electromagnetic radiation and interference (PEMIN) of TSOI;

· Design of objects in a protected design.

The licensing authority is responsible for:

· Development of rules, procedures and regulatory and methodological documents on licensing issues;

· Implementation of scientific and methodological management of licensing activities;

· Publication of the necessary information about the licensing system;

· Consideration of applications of organizations and military units for the issuance of licenses;

· Coordination of statements with military units responsible for the relevant areas of information protection;

· Coordination of the composition of expert commissions;

· Organization and conduct of special examinations;

· Making a decision on issuing a license;

· Issuance of licenses;

· Making a decision on suspension, renewal of the license or its cancellation;

· Keeping a register of issued, suspended, renewed and canceled licenses;

· Purchase, accounting and storage of license forms;

· Organization of work of certification centers;

· Control over the completeness and quality of the work carried out by the licensees.

In accordance with Article 17 of the Federal Law of 08.08.2001 No. 128-FZ "On Licensing of Certain Types of Activities" (as amended by the Federal Law of 02.07.2005 No. 80-FZ), the following activities are subject to licensing (in the field of information protection):

· Activities for the distribution of encryption (cryptographic) means;

· Activities for the maintenance of encryption (cryptographic) means;

· Provision of services in the field of information encryption;

· Development and production of encryption (cryptographic) means, and of information systems and telecommunication systems protected using encryption (cryptographic) means;

· Activities for the development and (or) production of means of protecting confidential information; activities for the technical protection of confidential information;

· Activities to identify electronic devices designed to secretly obtain information in premises and technical means (unless the specified activity is carried out to meet the own needs of a legal entity or individual entrepreneur).

As part of the activities under consideration, separate decrees of the Government of the Russian Federation were issued, clarifying the licensing procedure. Among them:

· Decree of the Government of the Russian Federation of January 26, 2006 No. 45 "On the organization of licensing of certain types of activities";

· Decree of the Government of the Russian Federation of August 15, 2006 No. 504 "On licensing activities for the technical protection of confidential information";

· Decree of the Government of the Russian Federation of August 31, 2006 No. 532 "On licensing activities for the development and (or) production of means of protecting confidential information";

· Decree of the Government of the Russian Federation of 23.09.2002 No. 691 "On approval of regulations on licensing certain types of activities related to encryption (cryptographic) means".

In accordance with these documents, licensees are required to submit annually to the licensing authority or certification center information on the amount of work performed for the specific types of activity specified in the license. Licensees are responsible for the completeness and quality of the work performed and for safeguarding the state secrets entrusted to them in the course of their practical activities.

For the normal functioning of electronic document management (EDM) systems, procedures for resolving possible conflicts must be developed. In addition to the EDM participants and the provider company, a party to such conflicts may also be the software development company.

It is assumed that the contract with the development company provides for a reference sample of the software, which may be kept either by the provider company alone or by all EDM participants. This requires two basic conditions to be met:

· it must be documented that each participant in the EDM system (including the provider company) has installed software that corresponds to the reference sample;

· storage of the reference samples is organized so as to exclude the possibility of changing the reference sample of the software without the knowledge of the parties.

Such a regime can be provided by a system of several public keys.
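One way to realise the "system of several public keys" mentioned above, as an added example that is not part of the original text: every party (the provider and each participant, with names constructed here) signs the SHA-256 digest of the reference sample with its own Ed25519 key, and an installation is accepted only if its digest matches and every party's signature on the record verifies, so a reference sample re-deposited without all parties is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one key holder in the EDM system: the provider company or one of
// the participants. The names used below are constructed for this example.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParties generates a fresh Ed25519 key pair for every named party.
func NewParties(names []string) ([]*Party, error) {
	parties := make([]*Party, 0, len(names))
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		parties = append(parties, &Party{Name: n, Pub: pub, priv: priv})
	}
	return parties, nil
}

// ReferenceRecord fixes one reference sample: the SHA-256 digest of the
// software image and a signature over that digest from every signing party.
type ReferenceRecord struct {
	Digest     [sha256.Size]byte
	Signatures map[string][]byte // party name -> Ed25519 signature over Digest
}

// Attest is run when the reference sample is deposited: each signing party
// signs the digest, so the record cannot later be replaced by a subset of them.
func Attest(sample []byte, signers []*Party) ReferenceRecord {
	rec := ReferenceRecord{
		Digest:     sha256.Sum256(sample),
		Signatures: make(map[string][]byte, len(signers)),
	}
	for _, p := range signers {
		rec.Signatures[p.Name] = ed25519.Sign(p.priv, rec.Digest[:])
	}
	return rec
}

// VerifyInstalled checks a participant's installed software against the record:
// the digest must match, and every required party must have a valid signature
// on it. A record re-issued without all parties is therefore rejected, which
// is the "no change without the knowledge of the parties" condition.
func VerifyInstalled(installed []byte, rec ReferenceRecord, required []*Party) error {
	if sha256.Sum256(installed) != rec.Digest {
		return errors.New("installed software does not match the reference sample")
	}
	for _, p := range required {
		sig, ok := rec.Signatures[p.Name]
		if !ok {
			return fmt.Errorf("reference record lacks a signature from %s", p.Name)
		}
		if !ed25519.Verify(p.Pub, rec.Digest[:], sig) {
			return fmt.Errorf("invalid signature from %s", p.Name)
		}
	}
	return nil
}

func main() {
	parties, err := NewParties([]string{"provider", "participant-A", "participant-B"})
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the deposited software image.
	reference := []byte("constructed EDM client build 1.0")
	rec := Attest(reference, parties)

	fmt.Println("matching install:", VerifyInstalled(reference, rec, parties))
	fmt.Println("modified install:", VerifyInstalled([]byte("constructed EDM client build 1.0-patched"), rec, parties))

	// The provider tries to swap the reference sample without participant-B.
	swapped := Attest([]byte("constructed EDM client build 1.1"), parties[:2])
	fmt.Println("unilateral swap:", VerifyInstalled([]byte("constructed EDM client build 1.1"), swapped, parties))
}
```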

Today, when modern information technologies are being intensively introduced into all spheres of life and activities of society, national and, as a part of it, the economic security of the state begins to directly depend on ensuring information security. That is why, in order to create guarantees to ensure the necessary stability of information protection means, the state assumes responsibility for licensing the activities of organizations involved in information protection and certification of the corresponding technical means.

Today's level of protection against external information threats in global open networks cannot be considered satisfactory: there is still no comprehensive and technically sound strategy in this area in Russia. In order to change the situation, a set of measures in the field of legislation and standardization of means to ensure information security in Russia should be urgently developed and implemented. The priority tasks in this direction include:

· Adoption of a special law, similar to the "Computer Security Act" in the United States, making specific government agencies responsible for methodological support of work in the field of information security;

· Development of unified approaches to ensuring security for organizations of various profiles, sizes and forms of ownership;

· Ensuring the appearance on the market of a sufficient number of various certified tools to solve information security problems.

One of the problems in the field of information protection in Russia is the lack of official documents with detailed recommendations on building secure information systems, similar to those developed, for example, by the American Institute of Standard Technologies (USA) and the British standard. Although there are no regulations in the UK that require compliance with state standards, about 60% of British firms and organizations voluntarily use the developed standard, and the rest intend to implement its recommendations in the near future.

Information security licensing and certification can mitigate this problem. It is necessary to create guarantees for the user that the information security tools used are capable of providing the required level of protection. It is licensing that can help ensure that only highly qualified specialists in this field deal with the problem of information protection, and that the products they create are at the appropriate level and able to pass certification.

Without certification, it is impossible to assess whether a particular tool contains potentially harmful undocumented capabilities, the presence of which is especially characteristic of most foreign products and which can at some point lead to system malfunctions and even to irreversible consequences for the system. A typical example of such undocumented capabilities is the one laid down by Ericsson in the development of the telephone exchanges on which the Ministry of Railways of the Russian Federation builds its telephone network: the ability to block their operation on receiving a call to a certain phone number, which the firm declines to name. And this example is not the only one.

The process of certifying a software product takes about as long as its development, and is practically impossible without the programs' commented source code. At the same time, many foreign firms do not wish to submit the source code of their software products to Russian certification centers. For example, despite Microsoft's agreement in principle to certify Windows NT in Russia, in which more than 50 security-related errors have already been identified, this issue has not been able to get off the ground for many months due to the lack of its source code.

Difficulties with certification mean that, among products of the same class, the simplest ones receive the certificate faster than the others, which makes them seem more reliable to the user. Long certification periods mean that the development company has time to bring a new version of its product to market, and the process becomes endless.

Certification of technical means of information protection is difficult to carry out without appropriate standards, the creation of which in Russia is hampered not least by the lack of financial resources. This problem is solved if there are several firms interested in marketing, and several organizations interested in using, the appropriate technical means. For example, the fruit of the joint efforts of such organizations, firms and FSTEC (formerly the State Technical Commission (STC)) was the development of the State Technical Commission's Guidance Document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information". It made it possible to classify the tools that are capable, to some extent, of protecting corporate networks from external intrusions.

The document assumes the existence of several classes of firewalls: from the simplest, allowing only control over information flows, to the most complex, performing complete transcoding of incoming information and completely protecting the corporate network from outside influences. Already today, firewalls such as Sun Screen, SKIPbridge and Pandora have passed certification for compliance with technical specifications developed in accordance with the Guidance Document, as far as current legislation allows. However, even their certification was a struggle.

Taking into account the requirements of information security and world practice in the field of information protection, it seems expedient for Russia to join the established systems of international standardization and certification of information technologies, which in practice means:

· Bringing national and industry standards in line with international ones;

· Participation of Russian representatives in international certification systems (including certification tests);

· The possibility of recognizing international certificates in Russia.

In addition, in accordance with current legislation, any organization that collects and processes personal data (for example, transactions with plastic cards) must be licensed to engage in such activities and use certified means for this.

FSTEC of Russia (formerly the State Technical Commission) has developed the necessary regulatory framework for protecting information from unauthorized access. Let's consider the structure of the main guiding documents.

1. "Protection against unauthorized access to information. Terms and Definitions" establishes a unified terminological standard in the field of protecting computer equipment and automated systems from unauthorized access to information, which is mandatory for use in all types of documentation.

2. "The concept of protecting computer equipment and automated systems from unauthorized access to information" describes the basic principles on which the problem of protecting information from unauthorized access is based and its relation to the general problem of information security. The concept covers the following issues: the definition of unauthorized access, the basic principles of protection, the model of an intruder in automated systems, the main methods of unauthorized access, the main areas of protection, the main characteristics of technical means of protection, the classification of automated systems, and the organization of protection work. This concept is intended for customers, developers and users of computer equipment and automated systems whose main purpose is the processing, storage and transmission of protected information.

3. "Means of information protection. Information protection in cash registers and automated cash register systems. Classification of cash registers, automated cash systems and information security requirements" establishes the classification of cash registers, automated cash systems and information technology, and the requirements for the protection of information related to taxation. In accordance with this document, 2 classes of cash registers, automated cash systems and information technology are established. The first class includes systems that process information on cash turnover in the amount of up to 350 minimum wages per day, and the second, in the amount of over 350 minimum wages.

4. "Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" regulates the requirements for the security of computer equipment from unauthorized access, as applied to system-wide software and operating systems. There are seven security classes, subdivided into four groups. Each class lists the mechanisms for protecting information from unauthorized access that must be implemented.

5. "Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection" classifies automated systems into nine classes depending on the presence of information of various confidentiality levels, the authority levels of access subjects and the modes of data processing, and stipulates a set of requirements for each of them. Depending on the peculiarities of information processing in automated systems, the classes are divided into three groups.

6. "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" sets out requirements for different classes of firewalls. In total, there are five firewall security classes. The classification depends on the security class of the automated system protected by the firewall.

Based on the guidelines and the regulatory framework of the FSTEC of Russia, the development, certification and use of information protection means from unauthorized access is carried out, as well as licensing of enterprises for the right to operate in the field of information protection on the territory of the Russian Federation.

FSTEC of Russia carries out licensing of technical protection of confidential information. To obtain a license, the applicant must meet the following requirements and conditions:
  1. the presence in the staff of specialists with higher professional education in the field of technical protection of information or higher or secondary vocational (technical) education and those who have undergone retraining or advanced training in the field of technical protection of information;
  2. the license applicant has premises for carrying out the licensed activities that meet the technical standards and requirements for the technical protection of information established by the regulatory legal acts of the Russian Federation, and that belong to the applicant by right of ownership or on another legal basis;
  3. availability, on any legal basis, of production, testing and control and measuring equipment that has undergone metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation;
  4. the use of automated systems that process confidential information, as well as means of protecting such information, that have passed the conformity assessment procedure (certified and (or) attested for compliance with information security requirements) in accordance with the legislation of the Russian Federation;
  5. use of programs for electronic computers and databases intended for the implementation of licensed activities on the basis of an agreement with their copyright holder;
  6. availability of regulatory legal acts, regulatory and methodological documents and methodological documents on the technical protection of information in accordance with the list established by the Federal Service for Technical and Export Control.

To obtain a license, the applicant sends to FSTEC the documents discussed in the previous section of this lecture. In addition to these documents, the applicant must provide the following:

  1. copies of documents confirming the qualifications of information security specialists (diplomas, certificates, attestations);
  2. copies of documents confirming the right of ownership, the right of economic management or operational management of premises intended for the implementation of licensed activities, or copies of lease agreements for these premises or agreements for their free use;
  3. copies of certificates of conformity of the protected premises with information security requirements;
  4. copies of the technical passport of the automated system with appendices, the act of classifying the automated system according to information security requirements, the layout plan of the main and auxiliary technical means and systems, the certificate of conformity of the automated system with information security requirements or the attestation of the automated system's conformity with information security requirements, as well as a list of the resources protected in the automated systems with documentary evidence of the degree of confidentiality of each resource, and a description of the technological process of information processing in the automated system;
  5. copies of documents confirming the right to use computer programs and databases for licensed activities;
  6. information on the availability of production and control equipment, information protection means and means of monitoring information security required for the implementation of licensed activities, with copies of the verification documents for the control and measuring equipment attached;
  7. information about the regulatory legal acts, regulatory and methodological documents and methodological documents on the technical protection of information available to the license applicant.

FSTEC checks the completeness of the documents provided, the completeness and accuracy of the information specified in them. If there is not enough information (documents), FSTEC notifies the applicant about this within 15 days. Within a period not exceeding 45 days after receiving the documents from the applicant, FSTEC decides to issue a license. The decision is formalized by the corresponding act of the FSTEC.

The license is issued for 5 years, and after the expiration of this period it can be extended at the request of the licensee.

4.3. Monitoring compliance with licensing requirements and conditions

The function of monitoring the licensee's compliance with license requirements and conditions is carried out by the licensing authority, that is, in the case of technical protection of confidential information - FSTEC. The control method is scheduled and unscheduled inspections, which are carried out in accordance with the procedure established by Federal Law No. 294 "On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Exercise of State Control (Supervision) and Municipal Control".

The purpose of the scheduled inspection is to verify that the licensee complies with licensing requirements and conditions in the process of carrying out activities for the technical protection of confidential information. In relation to one legal entity or individual entrepreneur, it can be carried out no more than once within three years. Scheduled inspections are carried out in accordance with the annual inspection plan, which is published on the official website of the FSTEC of Russia.

The licensee is included in the scheduled inspection in the event of the expiration of three years from the date:

  • the licensee's state registration;
  • the end of the last scheduled inspection of the licensee.

The licensee is notified no later than three business days prior to the inspection.

The subject of an unscheduled inspection is the licensee's compliance with licensing requirements and conditions, compliance with instructions to eliminate detected violations, and measures to ensure the security of the state.

The basis for an unscheduled inspection is:

  1. expiration of the term for the execution of an order previously issued to the licensee to eliminate the revealed violation of license requirements and conditions;
  2. receipt by the FSTEC of Russia of applications and appeals from citizens, legal entities and individual entrepreneurs, or of information from public authorities, local authorities or the mass media, about the following facts:
    • the emergence of a threat of harm to the security of the state;
    • causing harm to the security of the state.

Scheduled and unscheduled inspections are carried out in documentary or on-site form. A documentary inspection checks the licensee's documents and is carried out at the location of FSTEC. During an on-site inspection, not only the licensee's documents are checked, but also its compliance with licensing requirements and conditions.

The period for carrying out each of the checks cannot exceed 20 working days. Based on the results of the check, an act is drawn up in two copies, to which the protocols (conclusions) of the studies (tests) and examinations carried out are attached.

Summing up, we can say that the process of obtaining a license for the technical protection of confidential information is very laborious, time-consuming and, not least, costly, because in order to obtain a license it is necessary to fulfill all licensing requirements and conditions. The longest stage is the training of specialists in refresher courses. Although the number of organizations dealing with confidential information is quite large, not all of them can afford specialists with higher professional education in the field of technical protection of information (TZI). Private refresher courses approved by FSTEC are usually designed for 72 hours. The most costly requirement in economic terms is the certification of the informatization objects (an automated system and a secure room) intended for processing confidential information. Moreover, there is the problem of acquiring control and measuring equipment, which is not needed at all after certification unless the organization is going to provide certification services for informatization objects. An alternative option is to rent such equipment, but this also costs money. Thus, the licensing process can take from 2 to 6 months and entail significant material costs. Outsourcing is one solution to this problem. Outsourcing literally means "the use of external sources". It involves the transfer of certain functions of the customer company's statutory activities, for example the technical protection of confidential information, to a third-party organization (contractor). In this case, the contractor uses its own software, technical and other means of protection, licenses, certificates, etc., and is also responsible for the result of its work.


Posted on http://www.allbest.ru/

Ministry of Transport of the Russian Federation

Federal Agency for Railway Transport

Federal State Budgetary Educational Institution of Higher Professional Education

"Far Eastern State Transport University"

Department of Civil, Business and Transport Law

Discipline: Legal support of information security

Topic: Licensing and certification in the field of information security

Completed by student:

Nepomniachtchi Natalia Evgenievna

Checked by: lecturer of the department:

Zheleznyakov Anatoly Mikhailovich.

Khabarovsk

Introduction

1. Licensing in the field of information protection

1.1 Licensing authority - FSTEC of Russia

1.2 Licensing authority - FSB of Russia

2. Certification in the field of information security

2.1 Organizational structure of the certification system

2.2 Certification procedure

Conclusion

Bibliography

Introduction

One of the problems in the field of information protection in Russia is the lack of official documents with detailed recommendations for building secure information systems, similar to that developed, for example, by the American Institute of Standard Technologies (USA) and the British standard. Although there are no regulations in the UK that require compliance with government standards, about 60% of UK firms and organizations voluntarily use the developed standard, and the rest intend to implement its recommendations in the near future.

Information security licensing and certification can mitigate this problem. It is necessary to create guarantees for the user that the information security tools used by him are capable of providing the required level of protection. It is licensing that can help ensure that only highly qualified specialists in this field will deal with the problem of information protection, and the products they create will be at the appropriate level and will be able to pass certification.

Without certification, it is impossible to assess whether a particular tool contains potentially harmful undocumented capabilities, the presence of which is especially characteristic of most foreign products, which can at some point lead to system malfunctions and even to irreversible consequences for it. A typical example of such undocumented capabilities is the one laid down by Ericsson in the development of telephone exchanges, on the basis of which the RF Ministry of Railways builds its telephone network, the ability to block their work when receiving a call to a specific phone number, which the company refuses to name. And this example is not the only one.

The process of certification of a software product takes about the same time as its development, and is practically impossible without source codes of programs with comments. At the same time, many foreign companies do not want to submit the source code of their software products to Russian certification centers. For example, despite Microsoft's agreement in principle to certify Windows NT in Russia, in which more than 50 security errors have already been identified, this issue has not been able to get off the ground for many months due to the lack of its source code.

Difficulties with certification mean that, among products of the same class, the simplest ones receive the certificate faster than the others, which makes them seem more reliable to the user. Long certification periods mean that the development company has time to bring a new version of its product to market, and the process becomes endless.

Certification of technical means of information protection is difficult to carry out without appropriate standards, the creation of which in Russia is hampered not least by the lack of financial resources. This problem is solved if there are several firms interested in marketing, and several organizations interested in using, the appropriate technical means. For example, the fruit of the joint efforts of such organizations, firms and FSTEC (formerly the State Technical Commission (STC)) was the development of the State Technical Commission's Guidance Document "Computer facilities. Firewalls. Protection against unauthorized access to information. Indicators of protection against unauthorized access to information". It made it possible to classify the tools that are capable, to some extent, of protecting corporate networks from external intrusions.

The document assumes the existence of several classes of firewalls: from the simplest, allowing only control over information flows, to the most complex, performing complete transcoding of incoming information and completely protecting the corporate network from outside influences. Already today, firewalls such as Sun Screen, SKIPbridge and Pandora have passed certification for compliance with the Guidance Document, as far as applicable law allows. However, even their certification was a struggle.

1. Licensing in the field of information protection

1.1 Licensing authority - FSTEC of Russia

The licensing requirements for an applicant for a license to carry out activities for the development and production of SZKI (means of protecting confidential information; hereinafter referred to as the license) are:

1. the license applicant has at least two specialists with higher professional education in the field of technical information security, or with higher technical or secondary vocational (technical) education who have undergone retraining or advanced training in the development and (or) production of information security systems;

2. the presence of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the field of OZI, and that belong to the license applicant on the basis of ownership or on another legal basis;

3. the presence, on the basis of ownership or on another legal basis, of the control and measuring equipment (which has passed metrological verification (calibration) and marking in accordance with the legislation of the Russian Federation), production equipment and test equipment necessary for carrying out the licensed type of activity;

4. the availability of programs for electronic computers and databases intended for carrying out the licensed type of activity (including software development tools for SZKI), owned by the license applicant on the basis of ownership or on another legal basis;

5. the license applicant having, on the basis of ownership or on another legal basis, the technical and technological documentation, documentation containing national standards, and methodological documents necessary for carrying out the licensed type of activity, in accordance with the list approved by the FSTEC of Russia;

6. the availability of a production control system, including the rules and procedures for checking and evaluating the SZKI development system, and accounting for changes made to the design and construction documentation for the products under development;

7. the availability of a production control system, including the rules and procedures for checking and evaluating the SZKI production system, assessing the quality of products and the invariability of the set parameters, accounting for changes in the technical and design documentation for manufactured products, and accounting for finished products. (V. Kiyaev, O. Granichin, Security of information systems, National Open University "INTUIT", 2016, pp. 105-106)

1.2 Licensing authority - FSB of Russia

The licensing requirements for the license applicant are:

1. the presence on the staff of the license applicant, as their main place of employment according to the staffing table, of the following qualified personnel:

2. a manager and (or) a person authorized to manage work on the licensed type of activity, having a higher professional education in the field of information security in accordance with the "All-Russian Classifier of Specialties" and (or) retrained in one of the specialties of this field (the normative period is over 500 class hours), and having at least 5 years of work experience in the licensed type of activity;

3. engineers and technical workers (at least two people) who have a higher professional education in the field of information security in accordance with the "All-Russian Classifier of Specialties" and (or) have undergone retraining in this specialty (the standard period is over 100 classroom hours);

4. the presence of premises for carrying out the licensed type of activity that meet the requirements of technical and technological documentation, national standards and methodological documents in the field of RFI, and that belong to the license applicant on the basis of ownership or on another legal basis;

5. the license applicant having, by right of ownership or on another legal basis, control and measuring equipment (which has passed metrological verification (calibration) and labeling in accordance with the legislation of the Russian Federation), production equipment, test equipment and other objects necessary for carrying out the licensed type of activity;

6. the availability of programs for electronic computers and databases intended for carrying out the licensed type of activity (including software development tools for SZKI), owned by the license applicant on the basis of ownership or on another legal basis;

7. the availability of information processing facilities, used for the development and production of SZKI, that have been certified in accordance with information security requirements;

8. the availability of a production control system, including the rules and procedures for checking and evaluating the SZKI development system, and accounting for changes made to the design and construction documentation for the products being developed;

9. the availability of a production control system, including the rules and procedures for checking and evaluating the SZKI production system, assessing the quality of products and the invariability of the established parameters, accounting for changes made to the technical and design documentation for manufactured products, and accounting for finished products. (Snytikov A.A., Licensing and certification in the field of information security, M.: Helios ARV, 2012, pp. 223-224)

2. Information Security Certification

2.1 Organizational structure of the certification system

The organizational structure of the certification system is formed by:

1. State Technical Commission of Russia (federal body for certification of information security means);

2. the central body of the certification system for information security means;

3. bodies for certification of information security means;

4. testing centers (laboratories);

5. Applicants (developers, manufacturers, suppliers, consumers of information security products).

The State Technical Commission of Russia, within its competence, performs the following functions:

1.Creates a system for certification of information security means and establishes the rules for certification of specific types of information security means in this system;

2. organizes the functioning of the certification system for information security means;

3.determines the list of information protection means subject to compulsory certification in this system;

4. establishes the rules for accreditation and issuance of licenses for carrying out certification works;

5. organizes and finances the development of regulatory and methodological documents for the certification system for information security means;

6. determines the central body of the certification system for information security means (if necessary) or performs the functions of this body;

7. approves the normative documents on information security, for compliance with which the certification of information security means in the system is carried out, and methodological documents for conducting certification tests;

8. accredits certification bodies and testing centers (laboratories) and issues them licenses for the right to carry out certain types of work;

9. maintains the State Register of participants and objects of certification;

10. carries out state control and supervision and establishes the procedure for inspection control over compliance with the certification rules and over certified information security means;

11. considers appeals on certification issues;

12. submits a certification system and a conformity mark for state registration at the State Standard of Russia;

13. organizes the periodic publication of information on certification;

14. interacts with the relevant authorized bodies of other countries and with international organizations on certification issues, and decides on the recognition of international and foreign certificates;

15. organizes the training and certification of expert auditors;

16. issues certificates and licenses for the use of the conformity mark;

17. suspends or revokes the issued certificates.

2.2 Certification procedure

The certification procedure includes the following steps:

1. filing and consideration of an application for certification of information security means;

2. testing of the certified information security tools and certification of their production;

3. examination of test results, execution, registration and issuance of a certificate and a license for the right to use the conformity mark;

4. state control and supervision, and inspection control over compliance with the rules of mandatory certification and over certified information protection means;

5. informing about the results of certification of information security means;

6. consideration of appeals.

Submission and consideration of an application for certification of information security products.

To obtain a certificate, the applicant sends an application (Appendix 1) to the State Technical Commission of Russia for testing with an indication of the certification scheme, standards and other regulatory documents for compliance with the requirements of which certification must be carried out.

The State Technical Commission of Russia, within a month after receiving the application, sends the applicant, to the certification body and testing center (laboratory) designated for certification, a decision to carry out certification (Appendix 2). At the request of the applicant, the certification body and testing center (laboratory) can be changed.

After receiving the decision, the applicant is obliged to submit to the certification body and the testing center (laboratory) the information security means in accordance with the TU (technical specifications) for that tool, as well as a set of technical and operational documentation prepared in accordance with the ESKD and ESPD regulatory documents (the unified systems for design and program documentation) for the certified information security tool.

Testing of certified information security tools in testing centers (laboratories).

Tests of certified information security tools are carried out on samples whose design, composition and manufacturing technology must be the same as those of the samples supplied to the consumer (customer), according to test programs and methods agreed with the applicant and approved by the certification body. Technical and operational documentation for serial information security tools must bear a letter not lower than "O1" (according to ESKD).

The number of samples and the procedure for their selection and identification must comply with the requirements of the regulatory and methodological documents for the given type of information security means.

If there are no testing centers (laboratories) at the time of certification, the certification body determines the possibility, place and conditions of testing, ensuring the objectivity of their results.

The timing of the tests is established by an agreement between the applicant and the testing center (laboratory).

At the request of the applicant, its representatives must be given the opportunity to familiarize themselves with the conditions of storage and testing of samples of information security means in the testing center (laboratory). (V. Kiyaev, O. Granichin, Security of information systems, National Open University "INTUIT", 2016, pp. 105-106)

The test results are documented in protocols and conclusions, which are sent by the testing center (laboratory) to the certification body, and in a copy - to the applicant.

When making changes in the design (composition) of information security means or their production technology, which may affect the characteristics of information security means, the applicant (developer, manufacturer, supplier) notifies the certification body. The latter decides on the need for new tests of these information security tools.

Certification of imported information security tools is carried out according to the same rules as domestic ones.

Conclusion

Thus, certification is a conformity assessment procedure through which an organization independent of the manufacturer (seller) and the consumer (buyer) certifies in writing that the product meets the established requirements. For information security means specifically, it is the activity of confirming their compliance with the requirements of technical regulations, national standards or other regulatory documents on information security.

The certification system itself is headed by FSTEC of Russia, to which the accredited certification bodies for information security means and the testing laboratories are subordinate.

The certification system as a whole serves, first of all, to ensure national security in the field of informatization. Equally important are the formation and implementation of a unified scientific, technical and industrial policy in the field of informatization; assistance in forming a market for secure information technologies and the means that support them; regulation and control of the development and subsequent production of information security means; assistance to consumers in the competent choice of information security means; protection of the consumer from dishonesty of the contractor (vendor, manufacturer); and confirmation of the quality indicators of products.

Licensing - activities related to the granting of licenses, the re-issuance of documents confirming the availability of licenses, the suspension and renewal of licenses, the cancellation of licenses and the control of licensing authorities over the observance by licensees in the implementation of licensed activities of the relevant licensing requirements and conditions.

License - a special permit to carry out a specific type of activity subject to mandatory compliance with licensing requirements and conditions, issued by the licensing authority to a legal entity or individual entrepreneur.

Licensing in the field of information security is performed by the FSB and FSTEC of Russia. The licensed activities in the field of confidential information protection are listed below.

FSB of Russia:

1. Development and (or) production of means of protecting confidential information (within the competence of the FSB)

2. Development, production, sale and purchase for the purpose of sale of special technical means intended for the secret receipt of information by individual entrepreneurs and legal entities engaged in entrepreneurial activities

3.Activities to identify electronic devices, intended for the secret receipt of information, in the premises and technical means (except for the case if the specified activity is carried out to meet the own needs of a legal entity or individual entrepreneur)

4.Activities for the distribution of encryption (cryptographic) means

5. Maintenance activities of encryption (cryptographic) facilities

6.Provision of services in the field of information encryption

7. Development and production of encryption (cryptographic) means, and of information systems and telecommunication systems protected using encryption (cryptographic) means.

Bibliography

1. V. Kiyaev, O. Granichin. Security of information systems. National Open University "INTUIT", 2016, pp. 105-106.

2. Snytikov A.A. Licensing and certification in the field of information security. M.: Helios ARV, 2012, pp. 223-224.

3. System of certification of means of cryptographic protection of information: No. ROSS RU.0001.030001 dated November 15, 2012.

4. Bumazhkov A., Kirina A. Licensing and certification in the field of information security.

5. Terms and definitions in the field of information security. Moscow, 2011.


Licensing of activities for the technical protection of confidential information

In recent years, the sub-legislative framework in the field of information security has produced costly, confusing and contradictory mechanisms that take into account neither the peculiarities of processing confidential information in various fields of activity, nor the ability of operators to comply with the established requirements. In addition, the requirements that FSTEC of Russia imposes on operators of information systems processing confidential information, including personal data, include such a mechanism of state regulation as licensing of activities for the technical protection of confidential information, for which most operators lack sufficient material and labor resources. This is especially true of budgetary organizations in the fields of education, medical services, and housing and communal services. Legal problems have arisen because federal legislation contains no laws on the protection of confidential information such as official secrets and professional secrets, because provisions are ambiguous, and because of the repeated changes and additions made to Federal Law No. 152 "On Personal Data" and other regulatory legal acts ... At the same time, federal laws require further specification and clarification by decrees of the Government of the Russian Federation and methodological documents of the FSTEC and the FSB of Russia.

The adoption by the Government of the Russian Federation of Decree No. 79 of February 3, 2012 "On licensing activities for the technical protection of confidential information", which approved the "Regulations on licensing activities for the technical protection of confidential information" (hereinafter referred to as the Regulations) and cancelled the previously valid Decree No. 504 of August 15, 2006, once again raises the question: what is new in the Regulations, and is a license from the FSTEC of Russia needed if an organization protects confidential information "for its own needs" and does not provide services for money?

In accordance with clause 1, the Regulation determines the procedure for licensing activities for the technical protection of confidential information (not containing information constituting a state secret, but protected in accordance with the legislation of the Russian Federation), carried out by legal entities and individual entrepreneurs.

The first question concerns the term "confidential information", which is given in the Regulations and used in the documents of the FSTEC of Russia, but is absent from federal legislation. Federal Law No. 149 of 27.07.2006 "On information, information technologies and the protection of information", in clause 7 of Art. 2, defines only the confidentiality of information: the requirement, mandatory for a person who has gained access to certain information, not to transfer such information to third parties without the consent of its owner. "Confidentiality", translated from Latin, means "trust" (that is, by transmitting such information we rely on its safety and non-dissemination, since its disclosure may cause certain damage to the parties). Note that the lack of clarity of certain terms, as well as the sometimes unjustified changes to definitions and concepts in information legislation, do not improve legal regulation in the information sphere... At the same time, the FSTEC of Russia continues to use the term "confidential information", which the legislators have already abandoned.

According to the legislation of the Russian Federation, the mandatory signs of information with limited access should be:

  • the information has actual or potential value for its owner because it is unknown to third parties (such persons may be the state, legal entities or individuals);
  • the information is not legally available for free access, and the possibility of keeping it unknown to third parties is established by federal law;
  • the owner of the information takes measures to protect it.

On March 6, 1997, the President of the Russian Federation issued Decree No. 188, which approved the "List of confidential information", according to which the following information was classified as confidential information:

  • about the facts, events and circumstances of a citizen's private life that allow the citizen's identity to be identified (personal data), with the exception of information subject to dissemination in the media in cases established by federal laws;
  • constituting the secrecy of the investigation and legal proceedings;
  • access to which is limited by public authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secret);
  • connected with professional activities, access to which is limited in accordance with the Constitution of the Russian Federation and federal laws (medical, notarial, attorney's secret, privacy of correspondence, telephone conversations, postal items, telegraph or other messages, etc.);
  • those related to commercial activities, access to which is limited in accordance with the Civil Code of the Russian Federation and federal laws (commercial secrets);
  • on the essence of the invention, utility model or industrial design prior to the official publication of information about them.

The new Decree also clarifies the term "technical protection of confidential information" (hereinafter TZKI), which, in accordance with clause 2 of the Regulations, means:

performance of work and (or) provision of services to protect such information from unauthorized access, from leakage through technical channels, and from special influences on it aimed at destroying it, distorting it or blocking access to it.

Thus, what is meant is either the performance of work on TZKI, or the provision of services on TZKI, or both together.

When carrying out activities for the technical protection of confidential information, the following types of work and services are subject to licensing:

  • control over the protection of confidential information from leakage through technical channels in:
- means and systems of informatization;
- technical means (systems) that do not process confidential information but are placed in the premises where it is processed;
- premises with means (systems) of informatization to be protected;
- premises intended for conducting confidential negotiations (hereinafter protected premises);
  • control over the protection of confidential information from unauthorized access and modification in means and systems of informatization;
  • certification tests, for compliance with information security requirements, of products used to protect confidential information (technical means of protecting information, protected technical means of processing information, technical means of monitoring the effectiveness of information protection measures, software (software and hardware) means of protecting information (hereinafter SSS), protected software (software and hardware) information processing tools, and software (software and hardware) means of information security control);
  • attestation tests and attestation for compliance with information protection requirements of:
- protected premises;
  • design in a protected configuration of:
- means and systems of informatization;
- premises with means (systems) of informatization to be protected;
- protected premises;
  • installation, assembly, testing and repair of information security means (technical information security means, protected technical means of information processing, technical means of monitoring the effectiveness of information protection measures, software (software and hardware) information security means, protected software (software and hardware) information processing means, and software (software and hardware) means of information security control).

At the same time, the operation of an information security system, unlike the operation of means of cryptographic protection (where the licensing authority is the FSB of Russia), is not a licensed type of activity. This position of the FSTEC of Russia raises questions. Why are only the first stages in the creation of a protection system licensed, namely the design of the protection system and the installation of the protection means? Why is the daily work of specialists and information security services in operating information security systems and monitoring their effectiveness not subject to licensing? After all, it is no less important than the creation of the protection system, since the purpose of licensing certain types of activities is to prevent, identify and suppress violations by a legal entity, its head and other officials of the requirements established by Federal Law No. 99-FZ of 04.05.2011 "On Licensing Certain Types of Activities", other federal laws, and other regulatory legal acts of the Russian Federation adopted in accordance with them.

By virtue of paragraph 1 of Art. 49 of the Civil Code of the Russian Federation, a legal entity may engage in certain types of activities, the list of which is determined by law, only on the basis of a special permit (license). The types of activities for which a license must be obtained are listed in Federal Law No. 99-FZ of 04.05.2011 "On licensing certain types of activities", clause 5 of Art. 12 of which includes TZKI activities among them.

The concept of "services" means a certain type of contract (Chapter 39, Articles 779-783 of the Civil Code of the Russian Federation), that is, a multilateral transaction in which there must necessarily be another party (Clause 1 of Article 154 of the Civil Code of the Russian Federation). But the concept of "work" is not defined in the law and can be defined only on the basis of many meanings in Russian: "occupation, work, activity."

Thus, from the above formulation, we can conclude that the activities on TZKI, both of third parties ("services") and for their own needs ("works"), are subject to licensing.

Accordingly, if an organization, as part of protecting its internal confidential information, carries out work on its technical protection, it must obtain the corresponding license. For example, with regard to the protection of personal data, the operator has no "own needs" for their protection, and cannot have any by virtue of the law. The sole purpose of Federal Law No. 152 "On Personal Data" is to ensure the protection of human and civil rights and freedoms when a person's personal data are processed. The law specifies no other goals (including meeting the needs of operators). In addition, Federal Law No. 99-FZ "On Licensing Certain Types of Activities" covers types of activities that may cause damage to the rights, legitimate interests and health of citizens. The law does not distinguish between a personal data subject who is an employee and a personal data subject who is a third party with respect to the constitutional right of a citizen to personal privacy. The legislator (through the institution of licensing) protects every personal data subject from the consequences of poor-quality performance of work on TZKI.

The Administrative Regulations of the FSTEC of Russia for the performance of the state function of licensing TZKI activities (hereinafter referred to as the Administrative Regulations), approved by order No. 181 of 28.08.2007, as most recently amended on 30.09.2011 by order No. 515, define the terms and sequence of actions (administrative procedures) of the FSTEC of Russia in exercising its powers to license TZKI activities. The subject of licensing is TZKI activities carried out by legal entities and individual entrepreneurs.

Analysis of the provisions of the Administrative Regulations shows that the procedure for obtaining a TZKI license takes a great deal of time, effort and money. To obtain a license for TZKI activities, it is necessary to confirm the ability to fulfil the licensing requirements and conditions determined by the Regulations.

The licensing requirements for an applicant for a license to carry out activities under TZKI are (clause 5 of the Regulations):

a) the license applicant (a legal entity) has on its staff specialists who have higher professional education in the field of technical information security, or higher technical or secondary vocational (technical) education and have undergone retraining or advanced training in technical information security;

b) the license applicant (licensee) has premises for carrying out the licensed activities that meet the technical standards and requirements for technical protection of information established by the regulatory legal acts of the Russian Federation, and that belong to it on the basis of ownership or on another legal basis;

c) availability, on any legal basis, of production, testing and control and measuring equipment that has undergone metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation;

d) use of automated systems that process confidential information, as well as means of protecting such information that have passed the conformity assessment procedure (certified and (or) certified in accordance with information security requirements) in accordance with the legislation of the Russian Federation;

e) use of programs for electronic computers and databases intended for the implementation of licensed activities on the basis of an agreement with their rightholder;

f) the availability of regulatory legal acts, regulatory and methodological and methodological documents on the technical protection of information in accordance with the list established by the FSTEC of Russia.

As can be seen, to meet the above requirements an organization must have at least two specialists, which in some cases (in the absence of a specialized higher education) will require training them on refresher courses, under curricula agreed with FSTEC of Russia, of at least 72 hours. Regulatory documents will also be required, including restricted-access ones, as well as production, testing and control-and-measuring equipment held on any legal basis (owned, or leased for a period not shorter than the license validity period) that has undergone metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation. In addition, it will be necessary to design, create and attest the informatization objects (an automated system and a secure room) intended for processing confidential information. Here the problem arises of acquiring, on some legal basis, control-and-measuring equipment that the licensee does not actually need in order to provide TZKI services. Moreover, most of these requirements are quite costly in economic terms, above all for budget-funded organizations in education, health care, and housing and communal services.

The execution of the state function of licensing TZKI activities in accordance with clauses 12-14 of the Regulations includes the following administrative procedures (Fig. 1):

  • informing and consulting on the procedure for performing state functions;
  • consideration of an application for a license;
  • verification of the possibility of the license applicant fulfilling the license requirements and conditions;
  • making a decision on granting a license;
  • issuance of a document confirming the existence of a license;
  • issuance of a duplicate and copies of a document confirming the existence of a license;
  • renewal of the license validity period;
  • re-issuance of a document confirming the existence of a license;
  • control over compliance by the licensee with licensing requirements and conditions;
  • suspension, renewal of the license and revocation of the license;
  • maintaining a register of licenses;
  • provision of information from the register of licenses.

An official of FSTEC of Russia makes a decision on granting or refusing to grant a license within a period not exceeding 45 days from the date of receipt of the application for a license and the documents attached to it (clause 14.1 of the Regulations).

The grounds for refusing to grant a license are (clause 14.3 of the Regulations):

  • the presence of inaccurate or distorted information in the documents submitted by the license applicant;
  • non-compliance of the license applicant, or of the objects it owns or uses, with the license requirements and conditions.

A license to carry out activities for the technical protection of confidential information is granted for a period of 5 years (clause 14.4 of the Regulations). At the same time, since January 30, 2011 the state fees have changed: 2600 rubles for granting a license and 200 rubles for extending its validity.

As can be seen from the scheme and the procedures (Fig. 1), TZKI licensing is handled by the central office of FSTEC of Russia with the involvement of the FSTEC of Russia departments for the federal districts, in contrast to the licensing procedures of the FSB of Russia, where the territorial departments of the FSB of Russia carry out licensing within their own area of responsibility. The TZKI licensing process can take from two to six months and entails significant financial costs, especially when control-and-measuring equipment has to be acquired.

Is it possible to avoid the need to license the TZKI activities of organizations and enterprises? The recommendations of FSTEC of Russia boil down to concluding an agreement with an organization that holds a TZKI license, while holding the said license is not a mandatory requirement for the operator itself.

The recommendations of FSTEC of Russia to conclude agreements with licensees, of which there are fewer than 2000 in the register, do not solve the problem of protecting confidential information. According to expert estimates, there are some 5-7 million personal data operators in Russia alone, not counting operators who process other types of restricted information that is subject to protection under federal law. In addition, an agreement with a licensee is usually concluded only for a certain scope of work and services, as a rule only for the creation of a system for protecting confidential information.

What risks do the majority of organizations face that neither have nor plan to obtain TZKI licenses, and do not use the services of organizations holding such a license, if public policy and the position of FSTEC of Russia remain unchanged? Each organization must decide for itself whether to obtain such a license. There are no administrative penalties for performing work without a FSTEC of Russia license for TZKI activities, and in the current situation it is unlikely that such penalties will appear, since, given the imperfection of our legislation on the protection of confidential information, the courts interpret the norms of federal laws and the responsibility for failing to comply with them in different ways ... As a result, the severity of the Regulations is compensated by the non-binding nature of their implementation. For example, Article 14.1 of the Administrative Code of the Russian Federation provides for liability for "Carrying out entrepreneurial activities without state registration or without a special permit (license)". According to Article 2 of the Civil Code of the Russian Federation, "an entrepreneurial activity is an independent activity carried out at its own risk, aimed at systematically making a profit from the use of property, the sale of goods, the performance of work or the provision of services by persons registered in this capacity in the manner prescribed by law." This alone suggests that Article 14.1 can only be applied to those who provide services and earn money from ensuring the security of information, i.e. licensees of FSTEC and the FSB of Russia. This article has nothing to do with the vast majority of organizations that process confidential information (restricted-access information that does not constitute a state secret).
According to many information protection specialists, for most non-governmental organizations not involved in the protection of state secrets, the only realistic way to manage the protection of confidential information is the advisory use of the regulators' regulatory legal acts, guidelines and methodological documents, the organizations' own organizational and administrative documents, and information security systems and tools that were developed and tested in the interests of public authorities and their subordinate enterprises. In this case, the basis for the operation of systems for protecting confidential information is the information owner's own choice of the degree of security and of the protection mechanisms. At the same time, judging by the experience of countries with developed information security legislation, the determining factors are the risk borne by the participants in information relations and their personal responsibility for the measures taken to protect confidential information. In Russia this approach was implemented, for example, when the Bank of Russia standards were introduced in organizations of the banking system of the Russian Federation: the requirements to obtain licenses for the technical protection of confidential information and to attest personal data information systems are not mandatory there (in accordance with clause 9.6 of STO BR IBBS-1.0-2010).

Alexander Katarzhnov

Ph.D., Associate Professor, NOU DO Training Center "EUREKA"

The rapid growth of computerization and the increase in the volume of digital information force organizations to raise their level of security. This has led to the active development of various data protection methods, and of companies offering confidentiality services. Moreover, this type of activity is permitted only to a limited number of companies.

Obligation to obtain permission

Protecting personal and business information is a delicate and important business, and providing such services without a permit is not allowed. The following types of information protection activities require a license:

  • Development, production and distribution of encryption tools
  • Work on the technical protection of confidential information
  • Detection of electronic devices used to covertly obtain data
  • Development and production of SZKI (means of protecting confidential information)
  • Maintenance of cryptographic information protection means, telecommunication and information systems.

An exception to this is the development of encryption tools for personal use or. Nor is a license required for maintaining information and other systems that serve a company's own internal needs.

Why a license is needed for the technical (and other) protection of confidential information is explained below.

License for technical protection of confidential information

The main tasks of licensing

It should be understood that the level of confidentiality of information varies.

  • For some companies a data leak causes only reputational inconvenience, while others lose the ability to operate as a result.
  • Nor should one forget trade secrets relating to the production of various goods. If they are made public, the consequences can be of many kinds.

The main objective of licensing is to curb incompetent activity. License applicants must meet a variety of criteria so as to ensure high-quality data protection services and proper maintenance.


Normative documents

The issuance of licenses is governed by a number of laws, regulations and government resolutions. One of the main documents is Federal Law No. 99 of May 4, 2011 "On licensing certain types of activities." The following Resolutions of the Government of the Russian Federation also apply to information protection activities:

  • No 45 of January 26, 2006
  • No. 532 of August 31, 2006
  • No. 691 dated September 23, 2002.

It is also worth familiarizing yourself with Decree of the Government of the Russian Federation No. 1418 of December 24, 1994. All these documents set out in detail the procedure for obtaining a permit and state the conditions for granting it, along with the list of required documents.

The procedure for obtaining a license from FSTEC of Russia for the technical protection of confidential information, including how to draw up the application, is described below.

Obtaining a license to carry out activities for the protection of information

Information protection activities require compliance with a long list of conditions and systematic preparation. After the license applicant submits the application, an expert examination by a commission of FSB and FSTEC employees inevitably follows. The specific composition of the expert commission depends on the chosen type of activity.

Application and place of submission of documents

An application for a license permitting information protection activities is filled out in the form prescribed by law; a sample application is provided by the state licensing authorities. Licenses for information protection activities are issued by two bodies:

  1. Federal Security Service (FSB).
  2. Federal Service for Technical and Export Control (FSTEC).

The bulk of applications are submitted to the FSB, which covers most of the activity types. FSTEC is responsible for control over the development and production of specialized means of protecting confidential information.

The required conditions for licensing (obtaining a license) for technical protection of confidential information are described below.

Conditions

The main difficulty in obtaining a license lies in the conditions for granting it. The list is quite long, and if any item is missing the applicant loses the right to be issued a permit. Moreover, the conditions differ between types of activity, although there is a general list.

The following conditions must be met:

  • Have at least 2 employees with the appropriate education or completed retraining courses
  • Own or lease premises whose technical characteristics comply with the declared type of activity
  • Form a material and technical base of instrumentation, test and other necessary equipment, depending on the type of activity
  • Confirm that the required software is owned or otherwise legally available
  • Have a specialized control system in accordance with the selected type of activity and its specific sub-item
  • Legally possess the technical documentation, methodological developments, and other paper and digital materials needed to conduct the business.

Also, for some types of activities, certain information processing facilities attested against security requirements may be required.

Another requirement for all types of activities, except the development and production of SZKI, is the presence in the position of manager of a person who has a higher education in the specialty "Information Security" or has completed a retraining course of more than 500 classroom hours.

Required documents

Together with meeting the stated conditions, you must provide the following package of documents:

  • Employment contracts, certificates and diplomas of employees
  • The application and supporting documents confirming payment of the state duty
  • Documents confirming the legal existence of the control systems
  • Title documents for the premises and software
  • Data on the availability of technical and other necessary documentation
  • Documents confirming the availability of the required material and technical base
  • Conformity certificates for information processing facilities and / or protected premises.

All data is provided together with the applicant's constituent documents. The number of forms varies greatly depending on the type of activity chosen and on whether there are several premises, programs and sets of technical documentation. That is why, when collecting the package of documents, it is necessary to check for new regulatory legal acts concerning the licensing of information protection activities.

The stages of licensing activities for the organization of information security are described below.

Stages

The licensing procedure takes a great deal of time. Legally, the period for issuing the document is limited to 45 days. One of the important steps is the preliminary stage of obtaining the permit; the very possibility of being granted the right to carry out information protection activities depends on how well it is carried out.

Preparatory stages of licensing:

  • Study of the regulatory framework
  • Revealing compliance with the stated conditions
  • Collecting a package of documents and drawing up an application
  • Re-analysis of conditions and provided documents.

With a properly conducted preparatory period, the likelihood of obtaining a license is very high. The reason for refusal is often precisely errors in the submitted documents or non-compliance with the necessary conditions.

After the preliminary stage, the documents are submitted to the appropriate licensing authority, chosen according to the type of activity (FSB or FSTEC). The next step is examination of the documents by the expert commission. If they are in order, a check of the technical capabilities and conditions for carrying out the activity is organized. The final stage is the issuance of the official license form.

Helpful information

  • Particular attention should be paid to the fact that all current licensees are subject to routine inspections by the FSB. Moreover, this type of activity is characterized by unannounced inspections. They are conducted lawfully in order to achieve the highest quality of the services provided for the preservation of information.
  • For this reason, the license validity period is set at a minimum of 5 years, and the permit renewal procedure is simplified: it is enough to reissue the document confirming the permit. At the licensee's request, a new form with an extended validity period is issued. This is possible only in the absence of gross violations; if there are any, the license is revoked.

Obtaining a permit to conduct data protection activities is not particularly difficult in itself. It is much harder to collect the necessary package of documents and to comply correctly with all the required conditions. When applying for a license, the most important thing is to pay attention to the preparatory stage; if it is done well, obtaining the permit will not be difficult.

