
Certified means of cryptographic information protection (CIPF): purpose and areas of application. FSB-certified CIPF: what you need to know to choose them correctly

The use of cryptographic information protection means (CIPF) is a very controversial and slippery topic. Still, a personal data (PD) operator has the right to use CIPF to protect against actual threats, but it is not always clear how to exercise this right. Now the FSB has made life easier: a document of methodological recommendations has been published that applies both to state information systems and to all other PD operators. Let's look at this document in more detail.

And so it happened: the 8th FSB Center posted methodological recommendations on the development of regulatory acts for the protection of personal data. At the same time, ISPD operators are recommended to use this same document when developing private threat models.


So what does the FSB think about how and where CIPF should be used?


It is quite important that this document is published only on the FSB website, has no registration in the Ministry of Justice and does not bear anyone's signature. That is, its legal significance and binding force remain only within the framework of recommendations. This is important to remember.


Let's take a look inside. The preamble of the document states that the recommendations are intended “for federal executive authorities... other government agencies... which ... adopt regulatory legal acts that define threats to the security of personal data that are relevant when processing personal data in personal data information systems (hereinafter referred to as ISPD), operated in the implementation of relevant types of activities”. That is, there is an explicit reference to government information systems.



However, at the same time, “it is also advisable to be guided by these same standards when developing private threat models by operators of personal data information systems who have decided to use cryptographic information protection means (hereinafter referred to as CIPF) to ensure the security of personal data.” That is, in this case the document becomes universal for all users.



When is it necessary to use CIPF?


The use of CIPF to ensure the security of personal data is necessary in the following cases:

  1. if personal data is subject to cryptographic protection in accordance with the legislation of the Russian Federation;
  2. if there are threats in the information system that can only be neutralized with the help of CIPF.

These threats include:

  1. transfer of personal data through communication channels that are not protected from interception by an intruder of the information transmitted through them or from unauthorized influences on this information (for example, when transferring personal data over public information and telecommunication networks);
  2. storage of personal data on storage media, unauthorized access to which by the intruder cannot be excluded using non-cryptographic methods and means.

And here is what we arrive at. While the second point is quite logical, the first is not so obvious. The fact is that, according to the current version of the Law “On Personal Data”, first name, last name and patronymic are already personal data. Accordingly, any correspondence or registration on a website (given how much data is now required during registration) formally falls under this definition.



But, as they say, there are no rules without exceptions. There are two tables at the end of the document. Let's quote just one row from Appendix No. 1.



Current threat:

1.1. carrying out an attack while within the controlled area.

Justification for the threat's absence (list slightly shortened):

  1. employees who are users of the ISPD but not users of CIPF are informed about the rules of work in the ISPD and about responsibility for non-compliance with information security rules;
  2. CIPF users are informed about the rules of work in the ISPD, the rules of work with CIPF and about responsibility for non-compliance with information security rules;
  3. the premises in which CIPF is located are equipped with entrance doors with locks, ensuring that the doors of the premises are permanently locked and opened only for authorized passage;
  4. rules for access to the premises where CIPF is located during working and non-working hours, as well as in emergency situations, have been approved;
  5. a list of persons entitled to access the premises where CIPF is located has been approved;
  6. delimitation and control of user access to protected resources is carried out;
  7. registration and accounting of user actions with personal data is carried out;
  8. on workstations and servers on which CIPF is installed, certified means of protecting information from unauthorized access are used;
  9. certified anti-virus protection products are used.

That is, if users are informed about the rules and responsibilities, and protection measures are applied, then there is nothing to worry about.



  • To ensure the security of personal data during their processing in the ISPD, CIPF must be used that has undergone the conformity assessment procedure in the prescribed manner.

True, it is said just below that the list of certified cryptographic information protection devices can be found on the website of the TsLSZ FSB. It has been said more than once that conformity assessment is not certification.


  • in the absence of CIPF that has passed the conformity assessment procedure in the established manner... at the stage of preliminary design or preliminary (draft technical) design, the developer of the information system, with the participation of the operator (authorized person) and the proposed developer of CIPF, prepares a justification for the feasibility of developing a new type of CIPF and determines the requirements for its functional properties.

This really makes me happy. The point is that the certification process is very long: up to six months or more. Customers often use the latest operating systems, which are not supported by the certified version. In accordance with this document, customers can use products that are in the process of certification.



The document states that:

When using communication channels (lines) from which it is impossible to intercept the protected information transmitted through them and (or) in which it is impossible to carry out unauthorized influences on this information, the general description of the information system must indicate:

  1. description of methods and methods for protecting these channels from unauthorized access to them;
  2. conclusions based on the results of studies of the security of these communication channels (lines) from unauthorized access to protected information transmitted through them by an organization that has the right to conduct such studies, with reference to the document containing these conclusions.


  • security characteristics (confidentiality, integrity, availability, authenticity) that must be ensured for the processed personal data;
  • communication channels (lines) used in each subsystem or in the information system as a whole, including cable systems, and measures to limit unauthorized access to protected information transmitted via these communication channels (lines), indicating communication channels (lines) in which unauthorized access to protected information transmitted via them is impossible, and measures implemented to ensure this quality;
  • media of protected information used in each subsystem of the information system or in the information system as a whole (with the exception of communication channels (lines)).

Registration N 33620

    In accordance with part 4 of article 19 of Federal Law of July 27, 2006 N 152-FZ “On Personal Data”¹, I order:

    approve the attached composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each level of security.

    Director A. Bortnikov

    ¹ Collection of Legislation of the Russian Federation, 2006, N 31 (Part I), Art. 3451; 2009, N 48, Art. 5716; N 52 (Part I), Art. 6439; 2010, N 27, Art. 3407; N 31, Art. 4173, Art. 4196; N 49, Art. 6409; N 52 (Part I), Art. 6974; 2011, N 23, Art. 3263; N 31, Art. 4701; 2013, N 14, Art. 1651; N 30 (Part I), Art. 4038.

    Appendix

    The composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each level of security

    I. General provisions

    1. This document defines the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (hereinafter referred to as the information system) using cryptographic information protection tools (hereinafter referred to as cryptographic information protection) necessary to fulfill those established by the Government of the Russian Federation requirements for the protection of personal data for each level of security.

    2. This document is intended for operators using CIPF to ensure the security of personal data when processed in information systems.

    3. The application of organizational and technical measures defined in this document is ensured by the operator, taking into account the requirements of operational documents for CIPF used to ensure the security of personal data when processed in information systems.

    4. Operation of the CIPF must be carried out in accordance with the documentation for the CIPF and the requirements established in this document, as well as in accordance with other regulatory legal acts governing relations in the relevant area.

    II. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation to the protection of personal data for level 4 security

    5. In accordance with paragraph 13 of the Requirements for the protection of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119¹ (hereinafter referred to as the Requirements for the Protection of Personal Data), to ensure level 4 of personal data security when processing data in information systems, the following requirements must be met:

    a) organizing a security regime for the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises by persons who do not have access to these premises;

    b) ensuring the safety of personal data carriers;

    c) approval by the head of the operator of a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

    d) the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such means is necessary to neutralize current threats.

    6. To fulfill the requirement specified in subparagraph “a” of paragraph 5 of this document, it is necessary to ensure a regime that prevents the possibility of uncontrolled entry or stay, by persons who do not have the right of access, in the premises where the CIPF used is located and where CIPF and (or) carriers of key, authentication and password information of CIPF are stored (hereinafter referred to as the Premises), which is achieved by:

    a) equipping the Premises with entrance doors with locks, ensuring that the doors of the Premises are always locked and opened only for authorized passage, as well as sealing the Premises at the end of the working day or equipping the Premises with appropriate technical devices, signaling an unauthorized opening of the Premises;

    b) approval of rules for access to the Premises during working and non-working hours, as well as in emergency situations;

    c) approval of the list of persons entitled to access the Premises.

    7. To fulfill the requirement specified in subparagraph “b” of paragraph 5 of this document, it is necessary:

    a) store removable computer storage media of personal data in safes (metal cabinets) equipped with internal locks with two or more duplicate keys and devices for sealing keyholes or combination locks. If only personal data is stored on a removable computer storage medium encrypted using CIPF, such media may be stored outside of safes (metal cabinets);

    b) carry out instance-by-instance accounting of machine-readable personal data carriers, which is achieved by maintaining a log of personal data carriers using registration (factory) numbers.

    8. To fulfill the requirement specified in subparagraph “c” of paragraph 5 of this document, it is necessary:

    a) develop and approve a document defining a list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

    b) maintain up to date a document defining a list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties.

    9. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary for each of the levels of personal data security to use CIPF of the appropriate class, allowing to ensure the security of personal data when implementing targeted actions using hardware and (or) software with the aim of violating the security of personal data protected by CIPF or creating conditions for this (hereinafter referred to as an attack), which is achieved by:

    a) obtaining initial data to form a set of assumptions about the capabilities that can be used when creating methods, preparing and carrying out attacks;

    b) formation and approval by the operator’s manager of a set of assumptions about the capabilities that can be used in creating methods, preparing and carrying out attacks, and determining on this basis and taking into account the type of current threats the required class of CIPF;

    c) use of CIPF of class KS1 or higher to ensure the required level of security of personal data when processed in the information system.

    10. CIPF class KS1 is used to neutralize attacks, when creating methods, preparing and carrying out which, the following capabilities are used:

    a) creating methods, preparing and carrying out attacks without the involvement of specialists in the field of development and analysis of CIPF;

    b) creating methods, preparing and carrying out attacks at various stages of the CIPF life cycle²;

    c) carrying out an attack while being outside the space within which control is exercised over the stay and actions of persons and (or) vehicles (hereinafter referred to as the controlled area)³;

    d) carrying out the following attacks at the stages of development (modernization), production, storage, transportation of CIPF and the stage of commissioning of CIPF (commissioning works):

    making unauthorized changes to the cryptographic information protection system and (or) to the components of hardware and software, together with which the cryptographic information protection system functions normally and collectively representing the functioning environment of the cryptographic information protection system (hereinafter referred to as SF), which can affect the fulfillment of the requirements for the cryptographic information protection system, including the use of malicious programs;

    making unauthorized changes to the documentation for CIPF and components of the SF;

    e) carrying out attacks at the stage of operation of CIPF on:

    personal data;

    key, authentication and password information of CIPF;

    software components CIPF;

    CIPF hardware components;

    SF software components, including BIOS software;

    SF hardware components;

    data transmitted via communication channels;

    other objects that are established when forming a set of assumptions about the capabilities that can be used when creating methods, preparing and carrying out attacks, taking into account the information technologies, hardware (hereinafter referred to as AS) and software (hereinafter referred to as software) used in the information system;

    f) obtaining from freely accessible sources (including information and telecommunication networks, access to which is not limited to a certain circle of persons, including the Internet information and telecommunication network) information about the information system in which CIPF is used. The following information can be obtained:

    general information about the information system in which CIPF is used (purpose, composition, operator, objects in which the information system resources are located);

    information about information technologies, databases, AS, software used in the information system together with CIPF, with the exception of information contained only in the design documentation for information technologies, databases, AS, software used in the information system together with CIPF;

    general information about protected information used during the operation of CIPF;

    information about the communication channels through which the personal data protected by CIPF is transmitted (hereinafter referred to as the communication channel);

    all possible data transmitted to open form through communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information about all violations of the rules of operation of CIPF and SF that occur in communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information about all malfunctions and failures of the hardware components of CIPF and SF that appear in communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    information obtained as a result of analysis of any signals from hardware components of CIPF and SF;

    g) application:

    AS and software that are in the public domain or used outside the controlled area, including hardware and software components of CIPF and SF;

    specially developed AS and software;

    h) use at the operation stage as a medium for transferring from subject to object (from object to subject) of an attack actions carried out during the preparation and (or) conduct of an attack:

    communication channels that are not protected from unauthorized access to information by organizational and technical measures;

    signal propagation channels accompanying the functioning of CIPF and SF;

    i) carrying out an attack from information and telecommunication networks at the operational stage, access to which is not limited to a certain circle of persons, if information systems that use CIPF have access to these networks;

    j) use during the operation stage of AS and software located outside the controlled area from the information system tools used at the sites of CIPF operation (hereinafter referred to as standard tools).

    11. CIPF class KS2 is used to neutralize attacks, when creating methods, preparing and carrying out which, the capabilities listed in paragraph 10 of this document and at least one of the following additional capabilities are used:

    a) carrying out an attack while within the controlled area;

    b) carrying out attacks at the stage of operation of CIPF on the following objects:

    documentation for CIPF and SF components.

    Premises that contain a set of software and technical elements of data processing systems that can function independently or as part of other systems (hereinafter referred to as SVT), on which CIPF and SF are implemented;

    c) obtaining, within the framework of the powers granted, as well as as a result of observations, the following information:

    information about physical measures to protect objects in which information system resources are located;

    information on measures to ensure the controlled area of ​​objects in which information system resources are located;

    information on measures to restrict access to the Premises in which the SVT on which CIPF and SF are implemented is located;

    d) use of standard tools, limited by measures implemented in the information system in which CIPF is used and aimed at preventing and suppressing unauthorized actions.

    12. CIPF class KS3 is used to neutralize attacks, when creating methods, preparing and carrying out which, the capabilities listed in paragraphs 10 and 11 of this document and at least one of the following additional capabilities are used:

    a) physical access to the SVT on which CIPF and SF are implemented;

    b) the ability to have hardware components of CIPF and SF, limited by measures implemented in the information system in which CIPF is used, and aimed at preventing and suppressing unauthorized actions.

    13. CIPF class KB is used to neutralize attacks, when creating methods, preparing and carrying out which, the capabilities listed in paragraphs 10 - 12 of this document and at least one of the following additional capabilities are used:

    a) creating methods, preparing and carrying out attacks with the involvement of specialists in the field of analysis of signals accompanying the functioning of CIPF and SF, and in the field of using undocumented (undeclared) capabilities of application software to implement attacks;

    b) conducting laboratory studies of cryptographic information protection used outside the controlled area, limited by measures implemented in the information system in which the cryptographic information protection system is used, and aimed at preventing and suppressing unauthorized actions;

    c) carrying out work to create methods and means of attacks in research centers specializing in the development and analysis of CIPF and SF, including using the source codes of application software included in the SF that directly uses calls to CIPF program functions.

    14. CIPF class KA is used to neutralize attacks, when creating methods, preparing and carrying out which, the capabilities listed in paragraphs 10 - 13 of this document and at least one of the following additional capabilities are used:

    a) creating methods, preparing and carrying out attacks with the involvement of specialists in the field of using undocumented (undeclared) capabilities of system software to implement attacks;

    b) the ability to have information contained in the design documentation for the hardware and software components of the SF;

    c) the ability to have all the hardware components of CIPF and SF.

    15. In the process of forming a set of assumptions about the capabilities that can be used to create methods, prepare and carry out attacks, additional features, not included in those listed in paragraphs 10 - 14 of this document, do not affect the procedure for determining the required class of CIPF.

    III. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation to the protection of personal data for level 3 security

    16. In accordance with paragraph 14 of the Requirements for the Protection of Personal Data, in order to ensure level 3 security of personal data when processed in information systems, in addition to fulfilling the requirements provided for in paragraph 5 of this document, it is necessary to fulfill the requirement to appoint an official (employee) responsible for ensuring the security of personal data in the information system.

    17. To fulfill the requirement specified in paragraph 16 of this document, it is necessary to appoint an official (employee) of the operator with sufficient skills responsible for ensuring the security of personal data in the information system.

    18. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary, instead of the measure provided for in subparagraph "c" of paragraph 9 of this document, to use to ensure the required level of security of personal data when processing it in the information system:

    IV. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation to the protection of personal data for level 2 security

    19. In accordance with paragraph 15 of the Requirements for the Protection of Personal Data, in order to ensure level 2 security of personal data during their processing in information systems, in addition to meeting the requirements provided for in paragraphs 5 and 16 of this document, it is necessary to fulfill the requirement that access to the contents of the electronic message log is possible only for officials (employees) of the operator or of an authorized person for whom the information contained in the specified log is necessary to perform official (labor) duties.

    20. To fulfill the requirement specified in paragraph 19 of this document, it is necessary:

    a) approval by the head of the operator of the list of persons admitted to the content of the electronic message log, and maintaining the specified list up to date;

    b) providing an information system by automated means, registering requests from users of the information system to obtain personal data, as well as the facts of providing personal data on these requests in the electronic message log;

    c) provision of the information system with automated means that exclude access to the contents of the electronic log of messages of persons not indicated in the list of persons approved by the head of the operator approved for the content of the electronic log of messages;

    d) ensuring periodic monitoring of the performance of the automated means specified in subparagraphs “b” and “c” of this paragraph (at least once every six months).

    21. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary, instead of the measures provided for in subparagraph "c" of paragraph 9 and paragraph 18 of this document, to ensure the required level of security of personal data when processing it in the information system:

    CIPF class KB and higher in cases where type 2 threats are relevant to the information system;

    CIPF class KS1 and higher in cases where type 3 threats are relevant to the information system.

    V. Composition and content of organizational and technical measures necessary to fulfill the requirements established by the Government of the Russian Federation to the protection of personal data for level 1 security

    22. In accordance with paragraph 16 of the Requirements for the Protection of Personal Data, in order to ensure level 1 security of personal data when processing it in information systems, in addition to meeting the requirements provided for in paragraphs 5, 16 and 19 of this document, the following requirements must be met:

    a) automatic registration in the electronic security log of changes in the powers of the operator’s employee to access personal data contained in the information system;

    b) the creation of a separate structural unit responsible for ensuring the security of personal data in the information system, or the assignment of its functions to one of the existing structural units.

    23. To fulfill the requirement specified in subparagraph “a” of paragraph 22 of this document, it is necessary:

    a) providing the information system with automated means that allow automatically recording in the electronic security log changes in the powers of the operator’s employee to access personal data contained in the information system;

    b) reflection in the electronic security log of the powers of the employees of the personal data operator to access personal data contained in the information system. The specified powers must correspond to the job responsibilities of the operator's employees;

    c) appointment by the operator of a person responsible for periodically monitoring the maintenance of an electronic security log and the compliance of the powers of the operator’s employees reflected in it with their job responsibilities (at least once a month).
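As an added illustration (not part of the order and not any vendor's CIPF), the following Python model shows the two logging measures of paragraphs 20 and 23 together: an electronic message log in which every request for personal data and the fact of its provision or refusal is registered, read access to that log restricted to an approved list, a security log in which every privilege change is recorded automatically, and a check that flags privileges exceeding an employee's job role. All names, roles and personal data in it are constructed.

```python
# Constructed model of the electronic message log (paragraph 20) and the
# electronic security log (paragraph 23). Not code from the order; every
# name, role and item of personal data below is made up for the example.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    actor: str
    event: str   # "request", "provided", "refused", "role", "grant", "revoke"
    detail: str


class PersonalDataSystem:
    """Toy ISPD: PD records, two logs, an approved list of log readers and a
    role model used to check that privileges match job duties."""

    def __init__(self, log_readers: Set[str], role_permissions: Dict[str, Set[str]]):
        self.message_log: List[LogEntry] = []     # paragraph 20: requests and provision facts
        self.security_log: List[LogEntry] = []    # paragraph 23: privilege changes
        self.log_readers = set(log_readers)       # list approved by the operator's head
        self.role_permissions = role_permissions  # job role -> PD categories it needs
        self.employee_role: Dict[str, str] = {}
        self.employee_perms: Dict[str, Set[str]] = {}
        # constructed personal data of a single subject
        self.records = {"subject-1": {"fio": "Ivanov I. I.", "passport": "0000 000000"}}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def _sec(self, actor: str, event: str, detail: str) -> None:
        self.security_log.append(LogEntry(self._now(), actor, event, detail))

    def assign_role(self, admin: str, employee: str, role: str) -> None:
        self.employee_role[employee] = role
        self._sec(admin, "role", f"{employee} -> {role}")

    def grant(self, admin: str, employee: str, category: str) -> None:
        # every privilege change is written to the security log automatically
        self.employee_perms.setdefault(employee, set()).add(category)
        self._sec(admin, "grant", f"{employee}: {category}")

    def revoke(self, admin: str, employee: str, category: str) -> None:
        self.employee_perms.get(employee, set()).discard(category)
        self._sec(admin, "revoke", f"{employee}: {category}")

    def request_personal_data(self, user: str, subject_id: str, category: str) -> str:
        """Registers the request, then the fact of provision or refusal."""
        self.message_log.append(LogEntry(self._now(), user, "request", f"{subject_id}/{category}"))
        allowed = category in self.employee_perms.get(user, set())
        outcome = "provided" if allowed else "refused"
        self.message_log.append(LogEntry(self._now(), user, outcome, f"{subject_id}/{category}"))
        if not allowed:
            raise PermissionError(f"{user} may not read {category}")
        return self.records[subject_id][category]

    def read_message_log(self, reader: str) -> List[LogEntry]:
        """Only persons on the approved list may see the log contents."""
        if reader not in self.log_readers:
            raise PermissionError(f"{reader} is not on the approved list of log readers")
        return list(self.message_log)

    def excess_privileges(self) -> Dict[str, Set[str]]:
        """Privileges that do not correspond to the employee's job role."""
        excess: Dict[str, Set[str]] = {}
        for employee, perms in self.employee_perms.items():
            needed = self.role_permissions.get(self.employee_role.get(employee, ""), set())
            extra = perms - needed
            if extra:
                excess[employee] = extra
        return excess


def demo() -> dict:
    """Constructed scenario; returns the figures a periodic check would look at."""
    pds = PersonalDataSystem(
        log_readers={"security_officer"},
        role_permissions={"hr": {"fio", "passport"}, "support": {"fio"}},
    )
    pds.assign_role("admin", "alice", "hr")
    pds.assign_role("admin", "bob", "support")
    pds.grant("admin", "alice", "fio")
    pds.grant("admin", "alice", "passport")
    pds.grant("admin", "bob", "fio")
    pds.grant("admin", "bob", "passport")   # exceeds the support role's duties

    fio = pds.request_personal_data("bob", "subject-1", "fio")
    refused = 0
    try:
        pds.request_personal_data("carol", "subject-1", "passport")  # no privileges at all
    except PermissionError:
        refused += 1
    try:
        pds.read_message_log("bob")  # not on the approved list of log readers
    except PermissionError:
        refused += 1

    return {
        "fio": fio,
        "refused": refused,
        "message_log_events": [e.event for e in pds.read_message_log("security_officer")],
        "security_log_len": len(pds.security_log),
        "excess": pds.excess_privileges(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the refused request still appearing in the message log (the request is registered before the decision is made), six automatic security-log entries for the role assignments and grants, and `excess_privileges()` reporting that bob holds a `passport` privilege his support role does not need, which is the kind of discrepancy the monthly check in subparagraph "c" is meant to catch.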

    24. To fulfill the requirement specified in subparagraph “b” of paragraph 22 of this document, it is necessary:

    a) conduct an analysis of the feasibility of creating a separate structural unit responsible for ensuring the security of personal data in the information system;

    b) create a separate structural unit responsible for ensuring the security of personal data in the information system, or assign its functions to one of the existing structural units.

    25. To fulfill the requirement specified in subparagraph “a” of paragraph 5 of this document, to ensure level 1 of security it is necessary:

    a) equip the windows of the Premises located on the first and (or) top floors of buildings, as well as the windows of the Premises located near fire escapes and other places from which unauthorized persons can enter the Premises, with metal bars or shutters, a security alarm or other means preventing uncontrolled entry of unauthorized persons into premises;

    b) equip the windows and doors of the Premises in which the information system servers are located with metal bars, security alarms or other means that prevent the uncontrolled entry of unauthorized persons into the premises.

    26. To fulfill the requirement specified in subparagraph "d" of paragraph 5 of this document, it is necessary, instead of the measures provided for in subparagraph "c" of paragraph 9 and paragraphs 18 and 21 of this document, to use, to ensure the required level of protection of personal data when processed in the information system:

    CIPF class KA in cases where type 1 threats are relevant to the information system;

    CIPF class KB and higher in cases where type 2 threats are relevant to the information system.

    ¹ Collection of Legislation of the Russian Federation, 2012, N 45, Art. 6257.

    ² The stages of the CIPF life cycle include the development (modernization) of these means, their production, storage, transportation, commissioning (commissioning works), and operation.

    ³ The border of the controlled area can be the perimeter of the protected territory of the enterprise (institution), the enclosing structures of the protected building, the protected part of the building, or the allocated premises.

    The information security requirements for the design of information systems specify the characteristics of the information security means used. They are defined by various acts of regulators in the field of information security, in particular FSTEC and the FSB of Russia. Which security classes exist, which kinds and types of protective means there are, and where to find out more about this, are covered in the article.

    Introduction

    Today, issues of ensuring information security receive close attention, since technologies deployed everywhere without ensuring information security become a source of new and serious problems.

    The Russian FSB reports on the seriousness of the situation: the amount of damage caused by attackers over several years around the world ranged from $300 billion to $1 trillion. According to information provided by the Prosecutor General of the Russian Federation, in the first half of 2017 alone in Russia the number of crimes in the field of high technology increased sixfold, the total amount of damage exceeded $18 million. An increase in targeted attacks in the industrial sector in 2017 was noted throughout the world. In particular, in Russia the increase in the number of attacks compared to 2016 was 22%.

    Information technologies began to be used as weapons for military-political, terrorist purposes, to interfere in the internal affairs of sovereign states, as well as to commit other crimes. The Russian Federation stands for the creation of an international information security system.

    On the territory of the Russian Federation, information holders and information system operators are required to block attempts of unauthorized access to information, as well as monitor the security status of the IT infrastructure on an ongoing basis. At the same time, information protection is ensured by taking various measures, including technical ones.

    Information security tools, or information protection means, ensure the protection of information in information systems, which are essentially a collection of information stored in databases, the information technologies that process it, and the technical means involved.

    Modern information systems are characterized by the use of various hardware and software platforms, the territorial distribution of their components, and interaction with open data transmission networks.

    How to protect information in such conditions? The corresponding requirements are presented by authorized bodies, in particular, FSTEC and the FSB of Russia. Within the framework of the article, we will try to reflect the main approaches to the classification of information security systems, taking into account the requirements of these regulators. Other ways of describing the classification of information security, reflected in the regulatory documents of Russian departments, as well as foreign organizations and agencies, are beyond the scope of this article and are not considered further.

    The article may be useful to novice specialists in the field of information security as a source of structured information on methods of classifying information security based on the requirements of the FSTEC of Russia (to a greater extent) and, briefly, the FSB of Russia.

    The body that determines the procedure for, and coordinates, the provision of information security using non-cryptographic methods is the FSTEC of Russia (formerly the State Technical Commission under the President of the Russian Federation).

    If the reader has ever seen the State Register of Certified Information Security Tools maintained by the FSTEC of Russia, they will certainly have noticed, in the descriptive part of the purpose of each information protection tool, phrases such as "RD SVT class", "level of control over the absence of undeclared capabilities (NDV)", etc. (Figure 1).

    Figure 1. Fragment of the register of certified information protection devices

    Classification of cryptographic information security tools

    The FSB of Russia has defined classes of cryptographic information protection systems: KS1, KS2, KS3, KV and KA.

    The main feature of class KS1 CIPF is the ability to withstand attacks carried out from outside the controlled zone. This implies that the creation of attack methods, their preparation and their execution take place without the participation of specialists in the development and analysis of cryptographic information protection means. It is assumed that information about the system in which the CIPF is used can be obtained from open sources.

    If a CIPF can withstand the attacks blocked by class KS1 means as well as attacks carried out from within the controlled zone, it corresponds to class KS2. It is assumed, for example, that during the preparation of an attack, information about the physical protection measures of the information system, about how the controlled zone is maintained, etc. could become available.

    If a CIPF can resist attacks carried out with physical access to the computer equipment on which it is installed, it is said to comply with class KS3.

    If a CIPF resists attacks whose creation involved specialists in the development and analysis of such means, including research centers, and laboratory studies of the protection means were possible, we are talking about compliance with class KV.

    If specialists in exploiting undeclared capabilities (NDV) of system software were involved in developing the attack methods, the relevant design documentation was available, and there was access to any hardware component of the CIPF, then protection against such attacks can be provided by class KA means.

    Classification of electronic signature protection means

    Electronic signature means, depending on their ability to withstand attacks, are customarily mapped to the following classes: KS1, KS2, KS3, KV1, KV2 and KA1. This classification is similar to the one discussed above for cryptographic information protection means.

    Conclusions

    The article examined some methods of classifying information security means in Russia, based on the regulatory framework of the regulators in the field of information security. The classification options considered are not exhaustive. Nevertheless, we hope that the presented summary will allow a novice information security specialist to find their bearings quickly.

    Comments...

    Alexey, good afternoon!
    The response from the 8th Center does not indicate anything about the need to use certified CIPF. But there are “Methodological Recommendations...” approved by the leadership of the 8th Center of the FSB of Russia dated March 31, 2015 No. 149/7/2/6-432, in which there is the following paragraph in the second part:

    To ensure the security of personal data during their processing in the ISPD, CIPF that has undergone the conformity assessment procedure in the prescribed manner must be used. The list of CIPF certified by the FSB of Russia is published on the official website of the Center for Licensing, Certification and Protection of State Secrets of the FSB of Russia (www.clsz.fsb.ru). It is recommended to obtain additional information about specific information security tools directly from the developers or manufacturers of these tools and, if necessary, from the specialized organizations that have conducted case studies of these tools;

    Why is this not a requirement to use certified CIPF?

    There is an order of the FSB of Russia dated July 10, 2014 No. 378, which states in subparagraph “d” of paragraph 5: “the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such means is necessary to neutralize current threats."

    This “when the use of such means is necessary to neutralize current threats” is a little confusing. But all this need must be described in the intruder model.

    But in this case, again, section 3 of the "Methodological Recommendations..." of 2015 states that "When using communication channels (lines) from which it is impossible to intercept the protected information transmitted through them and (or) in which it is impossible to carry out unauthorized influences on this information, the general description of the information systems must indicate:
    - description of methods and means of protecting these channels from unauthorized access to them;
    - conclusions based on the results of studies of the security of these communication channels (lines) from unauthorized access to protected information transmitted through them by an organization that has the right to conduct such studies, with reference to the document containing these conclusions."

    What I mean by all this: yes, there is no need to use cryptographic information protection always and everywhere when ensuring the security of personal data processing. But to do this, you need to create an intruder model in which all of this can be described and proven. You wrote about two cases when you need to use them. But the idea that to ensure the security of personal data processing over open communication channels, or when the processing of these personal data goes beyond the boundaries of the controlled zone, you can use uncertified CIPF is not so simple. And it may turn out that it is easier to use certified CIPF and comply with all the requirements for their operation and storage than to use uncertified products and butt heads with the regulator, who, seeing such a situation, will try very hard to rub your nose in it.

    Unknown comments...

    The case when the use of such means is necessary to neutralize current threats: the requirement of Order of the FSTEC of Russia No. 17 of February 11, 2013 (requirements for state and municipal ISPDn),

    clause 11. To ensure the protection of information contained in the information system, information security tools are used that have passed conformity assessment in the form of mandatory certification for compliance with information security requirements in accordance with Article 5 of the Federal Law of December 27, 2002 No. 184-FZ "On Technical Regulation".

    Alexey Lukatsky comments...

    Proximo: FSB recommendations are illegitimate. Order 378 is legitimate, but must be considered in the context of all legislation, and it says that the specifics of conformity assessment are established by the Government or the President. Neither one nor the other has issued such legal acts.

    Alexey Lukatsky comments...

    Anton: For state bodies, the certification requirement is established by law; the 17th order simply repeats it. And we are talking about PDn.

    Unknown comments...

    Alexey Lukatsky: "No. FSB recommendations are illegitimate." How illegitimate? I'm talking about document No. 149/7/2/6-432 dated May 19, 2015 (http://www.fsb.ru/fsb/science/single.htm!id%3D10437608%40fsbResearchart.html), not about the document dated 02/21/2008 No. 149/54-144.

    Another specialist also previously made a request to the FSB on a similar topic, and he was told that the "Methodology..." and "Recommendations..." of the FSB from 2008 do not need to be used, if you are talking about these documents. But again, these documents were not officially cancelled. And whether these documents are legitimate or not, I believe, FSB inspectors will decide on the spot during an inspection.

    The law says that personal data must be protected. By-laws from the Government, the FSB and FSTEC determine exactly how they must be protected. The regulations from the FSB say: "Use certified means. If you don't want certified ones, prove that you can use others. And be so kind as to attach a conclusion on this from a company that has a license to issue such conclusions." Something like that...

    Alexey Lukatsky comments...

    1. Any recommendation is a recommendation, not a mandatory requirement.
    2. The 2015 manual has nothing to do with PD operators; it applies to government bodies that write threat models for subordinate institutions (taking into account point 1).
    3. The FSB does not have the right to inspect commercial PD operators, and for government agencies the question of using uncertified CIPF does not arise at all: they are obliged to use certified solutions regardless of whether PD are present; these are the requirements of Federal Law-149.
    4. By-laws tell you how to protect, and this is normal. But they cannot determine the form of assessment of protective means; only a regulation of the Government or the President can do that. The FSB is not authorized to do this.

    Unknown comments...

    According to Decree 1119:

    4. The choice of information security means for the personal data protection system is carried out by the operator in accordance with regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control in pursuance of Part 4 of Article 19 of the Federal Law “On Personal Data”.
    13.g. The use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in cases where the use of such tools is necessary to neutralize current threats.

    How to justify the non-relevance of the threat when transmitting personal data through the channels of a telecom operator?

    I.e. if not CIPF, then apparently:
    - terminal access and thin clients, but at the same time the terminal access information security tools must be certified;
    - protection of the channels by the telecom operator, with responsibility resting on the telecom operator (provider).

    Alexey Lukatsky comments...

    Irrelevance is determined by the operator, and he does not need anyone else for this.
