TU (technical specifications) and FSTEC certification of software. FSTEC Certificates

Let's take a closer look at the stages of certification by FSTEC of Russia.

  1. Submitting an application for certification to FSTEC of Russia.

    The application states:

    • the applicant's name;
    • the applicant's addresses;
    • the name of the product the Applicant wants to have certified;
    • the list of regulatory and methodological documents for compliance with which the applicant wants to certify the product;
    • the certification scheme (a single product or serial production);
    • the testing laboratory in which the Applicant wants the testing to be conducted;
    • additional information and requirements.

    The applicant states that he undertakes to:

    • comply with all certification conditions;
    • ensure the stability of the certified characteristics of products marked with the certification mark;
    • pay all certification expenses.

    Important: the applicant must hold an FSTEC license for the corresponding type of activity!

    An example application for certification of a software package is shown in Figure 5.1.

  2. Decision on conducting certification tests

    Within a month of receiving the application, FSTEC sends the Applicant, the designated certification body and the testing laboratory a decision on conducting certification tests, which specifies:

    • the name and addresses of the Applicant;
    • the name of the product to be certified, its OKP code and technical specifications;
    • the certification scheme (testing of a single sample of the product / a lot of N samples / a sample of the product for serial production);
    • the testing laboratory assigned to conduct the tests, and its address;
    • the list of regulatory and methodological documents against which certification is to be carried out;
    • the testing laboratory designated for subsequent inspection control;
    • the certification body assigned to examine the results of the certification tests;
    • the method of payment for the work.

    The certification body and the testing laboratory may be changed at the Applicant's request. The decision is the basis for conducting the tests and the ground for concluding an agreement between the Applicant and the testing laboratory. An example decision on certification is shown in Figure 5.2.

  3. Concluding the contract with the testing laboratory

    The agreement with the testing laboratory for conducting certification tests establishes the timeframe, the procedure for conducting the certification tests and the cost of the work. As a rule, the testing laboratory already has a ready commercial proposal stating the timeframe and cost of the work, as well as a draft agreement. The set of contractual documents usually includes: the agreement, technical specifications for the work, a contract schedule, and a price protocol. Beyond the essential terms, it is recommended to include in the contract such points as responsibility for the transfer of test samples and the procedure for repeated testing whenever changes are made to the product.

  4. Preparation of source data.

    This stage includes the development, agreement and approval of the certification testing program and methodology.

    The testing laboratory develops the testing program and methodology and informs the applicant what source data are needed for testing. The program and methodology are also sent to the certification body for approval.

    The applicant reviews the testing laboratory's program and methodology, agrees them where necessary, and prepares all the required source data. The applicant provides the testing laboratory with the information protection tool in the configuration specified by the technical specifications, together with its product form (formular) and the full set of documentation in accordance with ESPD or ESKD.

  5. Certification testing.

    The testing laboratory selects samples of the products to be certified, identifies them and carries out certification testing according to the approved program and methodology. Meanwhile the Applicant prepares and sets up a test bench for the certification tests. It is important to note that making changes to the composition or design of the certification object, or to its documentation, is prohibited during testing. Such changes may force the tests to be started over from scratch, which lengthens the timeline of the work.

  6. Formalizing the testing results

    The testing results are documented as certification test reports (protocols) and a technical conclusion. These documents are sent to the certification body, with copies to the Applicant. If the Applicant disagrees with the results obtained by the testing laboratory, the dispute is settled between the Applicant and the certification body under the terms of the agreement.

  7. Concluding the agreement with the certification body

    The testing laboratory concludes an agreement with the certification body on the examination of the certification test results, which sets the timeframe (usually 1 month), the procedure and the cost. Some certification bodies insist on concluding the agreement with the Applicant rather than with the testing laboratory. This point is controversial and not regulated, so it is best to discuss it with your testing laboratory as early as possible.

  8. Examination of the certification test results

    Under the agreement, the certification body examines the certification test results as well as the technical and operational documentation for the products being certified. The result is an expert conclusion, which, together with the technical conclusion, the certification test materials and the set of required technical and operational documentation for the certification object, is submitted to FSTEC of Russia for a decision on issuing the certificate.

  9. Decision on issuing the certificate.

    On the basis of the documents received from the certification body, as well as the technical and expert conclusions, FSTEC decides whether to issue a certificate. As noted above, the certificate is valid for 3 years. An example certificate of conformity is shown in Figure 5.3.

If FSTEC's review finds that the testing results do not meet the requirements, it decides not to issue the certificate and sends the applicant a reasoned refusal. If the Applicant disagrees with this decision, the Applicant has the right to appeal to the federal certification body for further consideration of the certification materials. The appeal is considered within a month, taking into account the opinions of the parties and independent experts, and the appellant is notified of the decision taken.

The Federal Service for Technical and Export Control is a federal executive body of Russia that carries out verification and control in the field of state security. Today almost everyone, when purchasing an antivirus program or other software, has come across the notion of FSTEC certification, yet few know what an FSTEC certificate actually is.

Today's need for information is closely intertwined with the interests of society, business and the state. Note that every state controls information related to its national security. Therefore, one of the main tasks is the development and operation of well-protected information systems and personal data bases. Such systems store and process a large amount of information related to practically all types of state activity. Software developers must therefore meet the legislative requirements imposed on information systems that take part in government activities. The FSTEC certification procedure is used to verify compliance with the main security indicators.

Obtaining an FSTEC certificate involves the following stages:

  • filing an application for the verification procedure;
  • the decision on conducting certification;
  • concluding an agreement for the certification process;
  • approval of the testing program and methodology;
  • testing;
  • drawing up the testing protocol;
  • an agreement with an expert organization;
  • examination of the laboratory test results;
  • issuing the certificate.

The Russian software (PZ) certification system differs radically from foreign certification. First of all, every copy of software applying for an FSTEC certificate undergoes a series of tests and examinations that are applied to the original product. In other words, every company that has obtained certification for a product must provide access to the information base of this software, which the organization is obliged to keep up to date.

Since 2004, this federal body has been assigned the following new functions:

  1. ensuring security in key information infrastructure systems;
  2. technical protection of information;
  3. protection of information from foreign technical intelligence;
  4. export control.

FSTEC is not itself involved in certification activities, but is the main organizer of certification. The rest of the market consists of licensees: testing laboratories and expert centers. Laboratories test the software, and expert organizations verify the correctness of the testing. Of course, the applicant can apply for an FSTEC certificate with test results obtained from third-party organizations, but before issuing a certificate FSTEC reserves the right to re-verify the results of any other expert organization. For this reason the FSTEC system provides for inspection control, whose task is to compare the copies of products on sale with the software that previously received the FSTEC certificate.

Please note that at present our certification center issues only identification certificates under FSTEC within the framework of export control. This article is for informational purposes only!

An FSTEC certificate of conformity is a document issued by the federal structure FSTEC which confirms that the certified object conforms to Russian regulatory acts. Let's try to decipher it on a conceptual level and figure out what it involves and how it works.

FSTEC of Russia, the Federal Service for Technical and Export Control, is a body that exercises special control functions in certain areas. FSTEC is subordinate to the Ministry of Defense of the Russian Federation. Until August 2004 this service had a different name: the State Technical Commission under the President of the Russian Federation. One of the functions assigned to FSTEC by the state is the technical protection of information.

The FSTEC certificate covers information protection tools (SZI) that do not use cryptography and are intended for information that does not constitute a state secret, that is, tools that protect information by non-cryptographic methods.

Our certification center does not currently issue this permit document for software. Contact us for more information.

Products that qualify for FSTEC certification

The objects for which an FSTEC certificate of conformity is issued are as follows:

  • mass-market antivirus programs for sale on the Russian market (the ReGOST Center does not issue FSTEC certificates for software);
  • firewalls;
  • network perimeter protection systems (security scanners, security monitoring tools, protection against unauthorized access);
  • operating systems;
  • database systems;
  • applied information systems;
  • password generation systems for access to information resources;
  • electronic document management systems, and others.

State authorities, as well as state corporations, may use only software that has the necessary licenses and information security certificates, including FSTEC certificates.

The main act regulating certification in the field of information protection is Resolution of the Government of the Russian Federation No. 608 “On certification of SZI”, which came into force in 1995. It stipulates that mandatory certification and registration of an FSTEC certificate are required only for products intended to protect information constituting a state secret.

For protection of confidential data against unauthorized access, neither an FSTEC certificate of conformity nor a third-party declaration of conformity is required; in this case the conformity assessment of information protection tools is voluntary.

FSTEC certification system

FSTEC (formerly the State Technical Commission) has created a Certification System for information protection tools according to information security requirements. It holds Certificate No. Р0СС UA.0001.01БИ00 and was entered in the State Register in 1995.

The certification bodies of this system evaluate information protection tools on the basis of the Guidance Documents (RD) “Protection against unauthorized access to information.” These documents cover different product groups, from software and hardware protection tools to automated systems as a whole.

All of these documents use the concept of an evaluation assurance level (OUD). It was introduced by Order No. 187 of the State Technical Commission of Russia dated June 19, 2002. The OUD characterizes the level of trust in the implementation of information protection.

Protection classes

For the protection of information whose significance is determined by its “secrecy/confidentiality” grade, the following protection classes of information technology (IT) have been established:

  • the fourth IT protection class is sufficient for protecting confidential information;
  • the third protection class is used for information marked “Secret”;
  • the second class is used for information marked “Top Secret”;
  • the first class is used to protect information marked “Of Special Importance”.

The FSTEC certificate of conformity states the regulatory documents on the basis of which the product was tested and whose requirements it meets. It also indicates the protection class and the level of control for the absence of undeclared capabilities.

The FSTEC certificate of conformity also contains information about the certification tests, the expert examination and the laboratory in which the tests were carried out, and indicates which laboratory is assigned to inspection control of the certified product.

The procedure for obtaining an FSTEC certificate

Certification laboratories, for the purpose of issuing an FSTEC certificate of conformity, can carry out a whole range of different tests:

  • for compliance with requirements for protection against unauthorized access to information;
  • for compliance with technical specifications (TU);
  • for conformity of the functional capabilities actually present in the product with the descriptions in its operational documentation;
  • for conformity with the declared security of the tested product;
  • for the absence of capabilities not stated in the documentation that could affect the security of the future customer's information;
  • for compliance with enterprise standards and international standards in the field of information technology;
  • checks of key number sensors for compliance with cryptographic requirements, and other tests.

Federal Law “On Personal Data”

FSTEC Order No. 58, dated 5 February 2010, approves the Regulation on the methods and means of protecting information in personal data information systems. All such tools are required to undergo conformity assessment in the established procedure. However, such a document, to be established by the President and the Government of the Russian Federation, has not yet been issued.

Nevertheless, owners of information systems subject to Federal Law No. 152 “On Personal Data” obtain an FSTEC certificate of conformity, which confirms that the information protection tools listed in this document protect personal data from unauthorized access in accordance with the law.

Voluntary FSTEC certificate

A voluntary certificate for SZI can be obtained not only as an FSTEC certificate but also in other certification systems, among them:

  • the voluntary certification system "Gazpromsert". This system was created by OJSC "Gazprom" for the needs of its corporation. In some cases, before tenders are held, the participant is required to obtain a certificate of conformity with this system;
  • the voluntary certification system "ITCertification", created by the association "EBRAAS".

From the point of view of program code, Microsoft products certified by FSTEC are no different from the original licensed Microsoft products, since the software implementation of Microsoft products allows FSTEC certificates to be obtained without changing the program code. However, under Russian legislation, FSTEC-certified products have a number of other important differences from non-certified products, namely:

  • each copy of a certified product in the customer's possession must undergo a procedure verifying that it is identical to the copy that underwent certification;
  • a copy of a certified product in the customer's possession, after a positive verification of its identity with the certified copy, receives a state package of certification documents, including a holographic original FSTEC certification mark with a unique number for each copy (if the customer has 1000 computers with the certified product, 1000 holograms are issued), which identifies that copy in the state system of certified products;
  • each organization that has purchased a certified product receives protected access to a personal page for obtaining certified updates.

Microsoft products certified by other authorities come together with additional software: service packages developed by Russian organizations that allow these Microsoft products to meet the relevant requirements. These “Secure Pack Rus” service packages use Russian certified cryptography, which Microsoft itself does not include.

Use of certified products

If an organization wants to use a software product that has not been certified, it must use with that product certified “overlay” (third-party) information protection tools intended to work with that product. The use of additional protection tools significantly increases the cost of the product and often sharply reduces its ability to interact with other software and hardware. This is why Microsoft certifies its software products as information protection tools: it is simpler and cheaper for customers.

Russia has organized mass production of all certified versions of Microsoft products. This allows customers to purchase any number of certified products. Continuous certification of thousands of product updates allows customers to have a certified version that not only includes the latest security updates but also meets every regulator requirement.

WHICH MICROSOFT PRODUCTS ARE CERTIFIED BY FSTEC

Currently the following Microsoft products are certified by FSTEC:

  • client operating system Microsoft Windows XP Professional, Russian version (including OEM version);
  • client operating system Microsoft Windows Vista (Business, Enterprise, Ultimate), Russian version (including OEM version);
  • server operating system Microsoft Windows Server 2003 (Standard Edition and Enterprise Edition), Russian versions;
  • server operating system Microsoft Windows Server 2003 R2 (Standard Edition and Enterprise Edition), Russian versions;
  • database management system Microsoft SQL Server 2005 (Standard Edition and Enterprise Edition), Russian versions;
  • office application platform Microsoft Office 2003 Professional, Russian version, including the built-in digital rights management technology for documents, which is based on the RMS server technology built into Microsoft Windows Server 2003;
  • office application platform Microsoft Office 2007 Professional, Russian version, including the integrated digital rights management technology for documents, which is based on the RMS server technology included in Windows Server 2003;
  • firewall Microsoft ISA Server 2006 (Standard Edition), Russian version, for compliance with both the technical specifications and the guidance documents “SVT. Firewalls...” at the third protection class;
  • Microsoft Forefront antivirus products for servers and workstations (Forefront for Exchange Server, Forefront for SharePoint Server and Forefront Client);
  • mail messaging server Microsoft Exchange Server 2007;
  • business process management server Microsoft BizTalk Server 2006 R2;
  • server operating system Microsoft Windows Server 2008 (all versions), including the Hyper-V virtualization server, Russian versions;
  • database management system Microsoft SQL Server 2008 (all versions), Russian versions;
  • office application platform Microsoft Office Professional Plus 2007, Russian version;
  • operations management system for information systems Microsoft System Center Operations Manager 2007;
  • configuration management system for information systems Microsoft System Center Configuration Manager 2007;
  • data protection system for information systems Microsoft System Center Data Protection Manager 2007;
  • virtual machine management system for information systems Microsoft System Center Virtual Machine Manager 2008;
  • customer relationship management system Microsoft Dynamics CRM 4.0;
  • enterprise management system Microsoft Dynamics AX 2009;
  • enterprise management system Microsoft Dynamics AX 4.0;
  • enterprise management system Microsoft Dynamics NAV 5.0;
  • client operating system Windows 7 (all versions), Russian and English versions;
  • server operating system Windows Server 2008 R2 (all versions), Russian and English versions;
  • business process management server Microsoft BizTalk Server 2009 (all versions), Russian version;
  • identity management server for heterogeneous systems Microsoft Forefront Identity Manager 2010, Russian and English versions;
  • mail messaging server Microsoft Exchange Server 2010 (all versions), Russian and English versions;
  • service management system for information systems Microsoft System Center Service Manager 2010, Russian and English versions;
  • customer relationship management system Microsoft Dynamics CRM 2011, Russian version;
  • enterprise management system Microsoft Dynamics NAV 2009 R2, Russian version;
  • office application platform Microsoft Office Professional Plus 2010, Russian and English versions;
  • antivirus protection system Microsoft Forefront Endpoint Protection 2010, Russian and English versions;
  • document server Microsoft SharePoint Server 2010 (all versions), Russian and English versions;
  • communication server Microsoft Lync Server 2010 Enterprise, Russian and English versions;
  • enterprise management system Microsoft Dynamics AX 2012 R2;
  • client operating system Microsoft Windows 8 (versions Windows 8, Windows 8 Professional, Windows 8 Enterprise);
  • server operating system Microsoft Windows Server 2012 (Windows Server Standard 2012, Windows Server Datacenter 2012, Windows Storage Server 2012 Standard, Windows Storage Server 2012 Workgroup, Windows Server Essentials 2012, Windows Server Foundation 2012);
  • infrastructure management system Microsoft System Center 2012 (Standard and Datacenter versions);
  • database management system Microsoft SQL Server 2012 (versions Standard, Enterprise, Business Intelligence, Web);
  • office application platform Microsoft Office Professional Plus 2013;
  • virtualization server Microsoft Hyper-V Server 2012;
  • infrastructure management system Microsoft System Center 2012 R2 (Standard and Datacenter versions);
  • customer relationship management system Microsoft Dynamics CRM 2013;
  • mail messaging server Microsoft Exchange Server 2013 (Standard and Enterprise versions);
  • document server Microsoft SharePoint Server 2013;
  • database management system Microsoft SQL Server 2014 in the editions Enterprise Edition (EE), Business Intelligence (BI), Standard (Std), Web, Express, Express with tools;
  • customer relationship management system Microsoft Dynamics CRM Server 2015.

According to the FSTEC certificates obtained, certified products may be used to build automated systems up to security class 1G inclusive. In addition, products released after the adoption of Federal Law-152 “On Personal Data” are certified for compliance with personal data legislation.

At present, certification of the following products with FSTEC is being completed; all relevant documents are with the certification bodies:

  • Lync Server 2013;
  • Windows 8.1;
  • Windows Server 2012 R2.

WHICH MICROSOFT PRODUCTS ARE CERTIFIED BY OTHER AUTHORITIES

The FSB has certified the following Microsoft products:

  • client operating system Microsoft Windows XP Professional, Russian version;
  • server operating system Microsoft Windows Server 2003 Enterprise Edition, Russian version;
  • document server Microsoft SharePoint Server 2007;
  • database management system Microsoft SQL Server 2008;
  • Microsoft Windows 7 Professional, Enterprise and Ultimate, all with SP1;
  • Microsoft Windows 8 Professional and Enterprise;
  • Microsoft Windows 8.1 Professional and Enterprise;
  • Microsoft Windows Server 2008 R2 Standard and Enterprise with SP1;
  • Microsoft Windows Server 2012 Standard with SP1;
  • Microsoft Windows Server 2012 R2 with SP1.

The certificates confirm that these products comply with the requirements of the authorized bodies of Russia regarding:

  • protection of information that does not contain information constituting a state secret;
  • protection against unauthorized access in automated information systems of class AK2 (all products are certified at level AK3).

In addition, the authorized bodies have issued a positive conclusion on the results of certification testing of the certification center included in Windows Server 2003 for compliance with national requirements at level KS2.

Positive results have recently been obtained from certification testing of the following products:

  • Microsoft Exchange Server 2010

As stated in the documents, these products may be used to protect confidential information and personal data.

The certification results obtained make it possible to build protected document processing systems for government authorities and e-government systems on the Microsoft platform.

All over the world it is common practice today to test the code of information systems for information security; yet despite the expansion of certification practice, a number of myths and prejudices have grown up around it.

02.08.2011 Oleksiy Markov, Valentin Tsirlov

All over the world it is common practice today to test the code of information systems to ensure information security. For example, abroad, state and payment software systems undergo mandatory verification, while in Russia directive methods of certification for information security requirements are preferred. However, despite the expansion of certification practice, a number of myths and prejudices have grown up around it.

Abroad, mandatory verification is provided for state and payment software systems, while banks, brokerage, investment, insurance and service companies providing services in industry and on the Internet undergo voluntary audits. In our country, prescriptive methods of assessing information security are traditionally preferred, and the software of a number of information systems is subject to mandatory certification for information security requirements.

Historically, the information security certification system in Russia was introduced after the collapse of the USSR, when there was a need to control the security of foreign software, as well as the quality of Russian software systems associated with the processing and protection of state secrets. The Ministry of Defense, the FSB and FSTEC became active participants in the certification process.

Until recently, certification was carried out mainly by the power ministries and the industrial enterprises fulfilling state contracts, and the bulk of representatives of the information technology field paid little attention to this problem. The situation changed significantly with the adoption of Federal Law-152 “On personal data” and the regulatory and methodological documents that followed it. It turned out that software certification and attestation of informatization objects are necessary for most commercial companies and for all government organizations working in medicine, communications and transport. This has inevitably given rise to many questions and, as a rule, negative judgments, largely connected with a misunderstanding of the essence of the certification processes.

In the general case, certification is understood as independent confirmation that certain characteristics of goods and services conform to requirements. In our case, we are talking about information protection software or a protected software product, and the requirements are set out in regulatory documents and in documentation on information security.

How is certification carried out?

The principal feature of any certification testing is the independence of the testing laboratory that conducts the testing and of the certification body that provides independent control of the test results obtained by the laboratory. The certification scheme looks like this.

  1. The applicant (the developer or another company interested in certification) submits to the federal certification body (the FSB, FSTEC or the Ministry of Defense) an application for certification testing of a particular product.
  2. The federal body designates an accredited testing laboratory and a certification body.
  3. The testing laboratory, together with the applicant, conducts the certification tests. If inconsistencies with the stated requirements are revealed during testing, they may be corrected by the applicant in the course of the work, which happens in most cases, or a decision may be taken to change the product's characteristics, for example to lower its security class. It is also possible for certification testing to end with a negative result. The most notorious failure was when the testing laboratory of the National Research and Development Institute of the Navy, after a lengthy review, issued a negative conclusion on a special-purpose software product. There are at least five known cases in which current versions of operating systems and DBMSs were unable to obtain a certificate for the absence of undeclared capabilities because part of the source code of old modules had been lost. Looking at the FSTEC register, one can note that a number of software systems (for example, the Oracle DBMS and the IBM Guardium application security system) received certificates only for compliance with technical specifications, and not for compliance with the guidance documents of the State Technical Commission; this means the certification body took into account that not all requirements of the guidance document were confirmed during testing.
  4. The test materials are transferred to the certification body, which carries out their independent examination. As a rule, at least two experts take part in the examination, so that they can independently confirm the correctness and completeness of the testing.
  5. The federal body issues the certificate of conformity. It should be noted that if any inconsistencies are identified, the federal body may conduct an additional examination, engaging experts from other accredited laboratories and bodies.

Mandatory certification systems have a practice of suspending licenses and accreditation certificates whenever serious violations are identified in the certification process. There have been cases in which the right of three laboratories and one certification body to continue their activities was called into question; in the end only two of these organizations continued to work in the field of certification. In addition, in the event of incidents at informatization objects related to information leakage, the regulators can inspect the laboratory where the testing was carried out.

Certification systems and requirements

The activity of Russian certification systems is regulated by Federal Law No. 184 “On technical regulation”. Certification of information protection tools can be voluntary or mandatory; the mandatory systems are those of the Ministry of Defense, the FSB and FSTEC. For most commercial companies the term “certification” is synonymous with “certification in the FSB system” for cryptographic protection tools and “certification in the FSTEC system” for all other products. However, it must be taken into account that, in addition to cryptography, the FSB is also competent for the protection of information handled by the higher state authorities. The information security certification system of the Ministry of Defense, in turn, is focused on products intended for military facilities.

Voluntary certification systems for information protection tools have not yet become widespread. The only well-known system of this kind is “IT-Certificate”. Unfortunately, although in a voluntary system it is possible to obtain a certificate of conformity to any regulatory document on the protection of confidential information, such certificates are not recognized by FSTEC of Russia when informatization objects are attested.

As for the documents against which conformity is tested, they are practically identical in all certification systems. There are two main approaches to certification and, correspondingly, two types of regulatory documents.

  1. Functional testing of information protection tools, which determines whether the product effectively implements the declared functions. This testing is most often carried out against a specific regulatory document, for example one of the guidance documents of the State Technical Commission of Russia. Such documents exist, for example, for firewalls and for protection against unauthorized access. Where there is no document covering the product as a whole, the functional requirements may be formulated explicitly, for example in technical specifications (TU) or in a security target drawn up strictly in accordance with GOST R 15408.
  2. Structural testing of program code for the absence of undeclared capabilities. A classic example of undeclared capabilities is software backdoors (“bookmarks”), which under certain conditions initiate functions not described in the documentation and allow unauthorized access to information (GOST R 51275-99). Undeclared capabilities are identified through a series of tests of the program source code, which the developer must provide as a necessary condition for certification testing.

In most cases information protection tools are certified both for their main functionality and for the absence of undeclared capabilities. An exception is made for systems processing personal data of the second and third class, in order to reduce information security costs for small private organizations. If a software tool has no information protection mechanisms of its own, it can be certified only for the absence of undeclared capabilities.

Myths about certification

The process of organizing and conducting tests in any certification system is strictly formalized, but since most IT specialists have never taken part in such tests or dealt with the regulators, a number of myths and misconceptions about certification persist.

Myth No. 1: certification is a commercial formality. Unfortunately, some people still regard certification as a formal procedure for obtaining permissive documentation, which is naturally corrupt and not at all strict. Therefore, for many applicants it comes as a shock that the protection requirements presented at certification are seriously verified, and that the result of the verification may be negative. Independent control of the certification bodies over the testing laboratories rules out collusion between the applicant and the laboratory.

Myth No. 2: certification is carried out by government agencies. Indeed, the federal bodies of all mandatory certification systems are state bodies, but testing laboratories and certification bodies may be of any form of ownership, and in practice most of them are commercial organizations.

Myth No. 3: certification is needed only for state secrets. Today, more than 80% of information protection tools are certified for use in automated systems that do not process information constituting a state secret.

Myth No. 4: certification is required only by government structures. In fact, what the end customer needs is attestation of the informatization object: formal confirmation of the fact that the automated system is protected. In most cases, successful attestation requires the system to meet a number of requirements, including the use of certified protection tools; this applies equally to systems processing state information resources and to systems processing personal data. It should be noted that mandatory conformity certification of software products applies regardless of the type of information being protected; for example, it is also required for systems processing citizens' credit histories, gaming systems, systems that access resources via international exchange networks, etc.

Myth No. 5: a foreign product cannot be certified. In fact, products from such developers as Microsoft, IBM, SAP, Symantec, Trend Micro, etc. successfully undergo certification testing, including testing for the absence of undeclared capabilities.

As a rule, foreign companies do not send source code to Russia, so testing is carried out on the developer's premises. The analysis of the program code is carried out under the full control of the developer's security service, which rules out any leakage. Work in this mode is difficult and requires highly qualified specialists, so not every testing laboratory is ready to provide such services. Nevertheless, the number of foreign products certified in Russia grows every year. Today about 20 foreign companies, including Microsoft, IBM, Oracle and SAP, have provided the source code of their products for certification testing. Notable in this regard is Microsoft's Government Security Program initiative, under which the source code of all of the company's products has been transferred to Russia for study. Over the past five years about 40 foreign products have obtained certificates for the absence of undeclared capabilities.

Myth No. 6: certification means protection. This is not entirely true. The correct formulation would be: a certified product conforms to certain requirements. The customer must therefore clearly understand what the product was certified for, so that the characteristics verified during testing are the ones the customer actually relies on.

If a product was tested for conformity to technical specifications (TU), this is recorded in the certificate, but colleagues who have not read the TU for the product cannot determine which characteristics were verified, which creates an opportunity to mislead an unqualified employee. Similarly, a certificate for the absence of undeclared capabilities says nothing about the product's functional capabilities.

It is also important to pay attention to the restrictions on the use of the product that are specified in the TU: specific operating systems and platforms, operating modes, configurations, the conditions for using additional protection tools, etc. For example, the certificate for a certain version of Windows and of WSWS is valid only when operated together with a trusted boot module. Almost all certificates for protection tools are valid only for specific versions of the OS, and for a number of trusted boot modules a requirement to guarantee the physical security of the computer is indicated. A curious case occurred when the certificate for one long-standing tool stated that it may not work in Windows command mode.

Myth No. 7: certification does not find anything. Regardless of the regulatory documents, there is today an unwritten rule that during certification testing the experts carefully check the source code (where it is available) and carry out various kinds of penetration tests. In addition, the experts study the various security bulletins for the product and its operating environment. As a result, the laboratory produces a list of critical vulnerabilities, which the applicant is required to fix or describe in the documentation. For example, certification reveals such defects as deficiencies in the use of passwords and password-generation algorithms, architectural errors (incorrect implementation of discretionary and mandatory access control, etc.), programming errors (susceptibility to buffer overflow, errors in logical operators, overruns, the possibility of loading untrusted files, etc.), as well as problems in the handling of input data by applications (SQL injection, cross-site scripting), the exploitation of which can significantly reduce the security level of the system. In our practice, 70% of the tested communication devices were found to contain forgotten master passwords, and 30% of the tested operating systems had problems in the implementation of the access control system. There have also been cases in which logic time bombs were present in products.
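As an added example (not code from the article, from FSTEC, or from NPO "Echelon"), the Python script below shows what the structural source code checks mentioned in the section on the two types of regulatory documents, and the defect classes listed in Myth No. 7, look like in the simplest form: pattern rules for hardcoded master passwords, unbounded C string copies, SQL built by string concatenation, raw HTML sinks and date-gated branches of the "logic time bomb" kind, run over constructed vulnerable and hardened snippets. The regular expressions, the sample sources and the helper name `verify_password_hash` are assumptions of this example; a certification laboratory would use far more thorough static analysis than these rules.

```python
"""Toy source-audit rules for the defect classes named in the text.

Added example; not FSTEC's methodology nor NPO Echelon's tooling. All
sample sources below are constructed. The rules are plain regular
expressions, an assumption of this example, not a certification method.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # which check fired
    line_no: int    # 1-based line number in the scanned text
    line: str       # the offending source line, stripped


# (rule name, pattern); each targets one defect class from the text.
RULES = [
    # fixed vendor / master password stored as a string literal
    ("hardcoded-credential",
     re.compile(r'(?i)\b(master_?pass(word)?|password|passwd|secret)\s*=\s*["\'][^"\']+["\']')),
    # unbounded C string functions: buffer overflow candidates
    ("unsafe-c-string-call",
     re.compile(r'\b(strcpy|strcat|sprintf|gets)\s*\(')),
    # SQL statement assembled with string concatenation: SQL injection
    ("sql-string-concat",
     re.compile(r'(?i)"(select|insert|update|delete)\b[^"]*"\s*\+')),
    # raw HTML sink in client-side code: cross-site scripting
    ("unescaped-html-output",
     re.compile(r'\.innerHTML\s*=')),
    # branch that switches on the wall clock: "time bomb" pattern
    ("date-gated-logic",
     re.compile(r'\bif\s*\(.*\btime\s*\(\s*NULL\s*\).*[<>]')),
]


def scan_source(text: str) -> list[Finding]:
    """Return every (rule, line) match, in source order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, n, line.strip()))
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Tabulate findings per rule, as a lab report would."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed vulnerable C: fixed password, unbounded copy, date-gated branch.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
#include <time.h>
static const char *MASTER_PASSWORD = "s3rv1ce";      /* constructed: fixed vendor password */
int login(const char *user, const char *pw)
{
    char buf[32];
    strcpy(buf, user);                                /* no bounds check */
    if (time(NULL) > 1767225600) return 1;            /* constructed: date-gated branch */
    return strcmp(pw, MASTER_PASSWORD) == 0;
}
"""

# Constructed hardened C: bounded copy, credential checked against a stored hash.
HARDENED_C = """\
#include <stdio.h>
#include <string.h>
int login(const char *user, const char *pw, const char *stored_hash)
{
    char buf[32];
    snprintf(buf, sizeof buf, "%s", user);            /* bounded copy */
    return verify_password_hash(pw, stored_hash);     /* hypothetical helper */
}
"""

# Constructed web snippets: concatenated SQL and a raw HTML sink, then fixed.
SAMPLE_WEB = """\
query = "SELECT * FROM users WHERE name = '" + name + "'"
cur.execute(query)
panel.innerHTML = comment
"""
HARDENED_WEB = """\
cur.execute("SELECT * FROM users WHERE name = %s", (name,))
panel.textContent = comment
"""

if __name__ == "__main__":
    for label, src in (("vulnerable C", SAMPLE_C), ("hardened C", HARDENED_C),
                       ("vulnerable web", SAMPLE_WEB), ("hardened web", HARDENED_WEB)):
        print(f"== {label}: {rule_counts(scan_source(src)) or 'no findings'}")
        for f in scan_source(src):
            print(f"  line {f.line_no}: [{f.rule}] {f.line}")
```

Running the script lists three findings for the vulnerable C snippet (lines 4, 8 and 9), two for the web snippet, and none for either hardened version; in a real audit the regular expressions would be the starting point for manual review, not its conclusion, which is the point Myth No. 8 below makes about the limits of any detection method.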

Myth No. 8: a product certified for the absence of undeclared capabilities contains no vulnerabilities at all. Today there are no methods for the guaranteed detection of all possible software vulnerabilities; successful certification for the absence of undeclared capabilities guarantees the identification of the widest class of vulnerabilities that can be detected by the applied methods. On the other hand, passing certification for the absence of undeclared capabilities guarantees that the developer has fixed the complete source code and build environment, that compilation and assembly can be reproduced, and that documentation in Russian is available.

Myth No. 9: source code is analyzed only in our country. One often encounters criticism of the excessive strictness of domestic certification associated with the requirement to provide program source code. Indeed, certification in the international Common Criteria system allows testing of products, including those containing information not disclosed to the holder, without providing source code; however, in this case the verification does not cover hidden channels and conflicts. For data-processing systems and payment systems, structural analysis of source code security is prescribed. Information on how the security of the source code of commercial software products is audited can be found in the international standards PCI DSS, PA DSS and NISTIR 4909.

Myth No. 10: certification is expensive. Certification of software for information security requirements is indeed a time-consuming and labor-intensive process that cannot be free. At the same time, a certificate of conformity significantly expands the market for the applicant's product and increases sales, so that the cost of certification turns out to be small in relation to other expenses.

The future of certification

Certification is not a universal way of solving all existing problems in information security, but today it is the only really working mechanism that provides independent control over the protection of information, no more and no less. When properly applied, the certification mechanism allows a guaranteed level of security of automated systems to be achieved.

Looking ahead, it can be assumed that certification as a regulatory tool will develop in the direction of comprehensive regulatory documents representing reasonable measures of protection against current threats, on the one hand, and of faster methods of verifying critical components according to an “efficiency/time” criterion, on the other.

Oleksiy Markov ([email protected]), Valentin Tsirlov, staff of NVO "Eshelon" (Moscow).