The Moscow government will allocate 83.8 million rubles to search for vulnerabilities in the public services portal
Customer: Moscow Department of Competition Policy; State and social structures
Project date: 2021/09
Project budget: 83 800 000 rubles
2021: Tender for the development of state information systems in Moscow
On October 11, 2021, it became known that the Moscow Department of Competition Policy had posted a notice on the public procurement website for a tender to develop the state information systems of the city of Moscow that are involved in the provision of public services, specifically to modernize their information protection system. The initial price of the state contract is 83.8 million rubles. The tender commission will accept applications until October 29, 2021.
The contractor must regularly review the security of the information systems, identify vulnerabilities and upgrade the protection services. The documentation states that the vulnerability analysis must, among other things, use information obtained from any "public sources."
The terms of reference state that the vulnerability analysis of the information system must check:
- the absence of known vulnerabilities in the IS MIS, hardware and software, including those known to the developers and those reported in other publicly available sources;
- the correctness of the installation and configuration of the information protection tools, hardware and software, as well as the correct operation of the information protection tools when interacting with the system's hardware and software.
The IS architecture must be analyzed, an individual IS scanning policy drawn up, instrumental scanning of the IS carried out, additional instrumental scanning (with highly specialized tools) performed for each IS segment, and false positives identified by expert review in a non-automated mode.
The security analysis must be carried out according to an IS security analysis method developed by the contractor and agreed with the customer.
Based on the information obtained, the contractor must identify the priority vulnerabilities whose elimination will prevent the most dangerous attacks, develop recommendations for eliminating the identified vulnerabilities, and prepare a report on the IS security analysis.
The IS security analysis report must contain:
- a list and description of the detected vulnerabilities and configuration errors (flaws) of the information resources;
- a comprehensive assessment of the security of the information resources and of the analysed information system;
- specific practical recommendations for correcting the detected vulnerabilities and configuration errors (flaws) of the information resources;
- where an identified vulnerability cannot be eliminated, compensating measures that make it impossible (or reduce the likelihood to an acceptable level) for attackers to exploit it in order to damage the information resources;
- specific practical recommendations for implementing additional protection mechanisms for the information resources or configuring existing ones.
The recommendations presented in the IS security analysis report must be aimed at:
- preventing, or significantly reducing the likelihood of, the security risks associated with the detected vulnerabilities and configuration errors of the information resources;
- neutralizing the detected vulnerabilities and configuration errors (flaws) of the information resources;
- preventing further vulnerabilities and configuration errors (flaws) of the information resources;
- improving the overall level of security of the information resources and of information security in general.
If IS vulnerabilities are detected that give rise to additional information security threats, the document "Model of information security threats" must be updated and, if necessary, additional information protection measures must be taken to eliminate the detected vulnerabilities or to rule out their exploitation by an attacker.
Based on the results of the security analysis, a ChTZ for the modernization of the IS ASW must be developed, which must among other things contain requirements for the built-in security functions of the ASW. The ChTZ for the modernization of the IS ASW must be delivered to the customer at least 30 calendar days before the end of the respective stage and must be agreed with the customer.
As a result of the work, the integrated functionality of the IS ASW must be modernized in accordance with the requirements for built-in functionality defined in the ChTZ for the modernization of the IS ASW[1].