Customer: United Shipbuilding Corporation (USC), St. Petersburg; Mechanical and Instrument Engineering. Contractor: АСТ - AST - Advanced System Technologies. Project date: 2014/03 - 2014/11
In its work, USC (OSK) uses a large number of distributed information systems (IS) that store and process diverse organizational, administrative, scientific and technical information. The nature of USC's activities requires that the whole set of IS in use be protected (cybersecurity) to a level that meets the mandatory requirements for the protection of personal data and for systems processing confidential information, as regulated by FSTEC of Russia orders No. 17 and No. 21 and by Federal Law No. 149-FZ.
To bring the USC IS into compliance with the regulated level of protection for data that does not constitute a state secret, a tender was held for a comprehensive project covering preparation for certification and certification of the IS. As a result of the tender, AST was selected as the project contractor, having broad experience in implementing large-scale projects in this field and having offered the best contract terms.
The main objectives of the project were to ensure the confidentiality, integrity and availability of information that is not a state secret; to protect it against leakage via technical channels, unauthorized access and special kinds of impact on information and information media aimed at obtaining, destroying, distorting or blocking access to it; and then to certify the systems for compliance with the mandatory security requirements.
Project work was carried out at the USC central office and at two branches; the implementation period was 4 months, and the work was performed in stages:
- Definition of requirements for the information security tools (IST)
- Design of the information security system
- Implementation of the information security system
Project Objectives:
- Ensuring the confidentiality, integrity and availability of information that is not a state secret
- Protection against leakage via technical channels, unauthorized access and special kinds of impact on information and information media aimed at obtaining, destroying, distorting or blocking access to it
- Certification of compliance with the mandatory security requirements
In the first stage, data were gathered on the initial state of the IS and the structure of the IT infrastructure, including the server fleet, workstations, the data transmission network (SPD) and the technology used to process the protected information. On the basis of these data, the USC IS were classified according to the data protection requirements of FSTEC orders No. 17 and No. 21. The subsequent development of threat models made it possible to define and fix the requirements for protecting the data processed in the IS.
At the same time, it was determined that the existing set of data protection measures needed further work and the implementation of additional systems capable of satisfying the full range of requirements and of minimizing the risks relevant to the customer's infrastructure.
These measures and systems were designed and proposed during the engineering design stage and were put in place during the delivery and implementation of the information security system:
- Subsystem for protection against unauthorized access (NSD)
- Network security subsystem
- Security analysis subsystem
- Subsystem for protecting the virtualization system
- Privileged user management system
As a result of the completed project, the following tasks were accomplished:
- The relevant information security risks were identified.
- The information security system required to implement the set of technical and organizational measures prescribed by the regulatory documentation was developed and implemented.
- Software and hardware data protection tools, including cryptographic protection tools, were delivered, installed and configured.
- A set of organizational and administrative documents (ORD) on establishing a cryptographic information protection body at USC was prepared.
- A set of ORD defining the legal regime for processing restricted-access information that does not constitute a state secret was prepared.
- A set of ORD for presenting the IS for evaluation testing of compliance with the information security requirements was prepared.
- Certification was carried out and the certificate of compliance was issued.