Status monitoring information. Technical control measures for the effectiveness of information protection. Documentation of control results. Requirements for information security controls

  • 05.04.2020

Because personal data security control (analysis) measures are included in the basic sets of protection measures starting from PZ4 - PZ3, most personal data operators have acquired security scanners. Sometimes I come across the following question: is it necessary to run this scanner at all, and if so, how often and what exactly should be checked?

Let's try to figure it out:
Scanners are used to implement the group of measures to control (analyze) the security of personal data (ANZ), which is mandatory under Order of the FSTEC of Russia No. 21 dated February 18, 2013.
Let's see whether the legal acts of the Russian Federation contain any mandatory requirements for the procedure or frequency of security scanning:

Order of the FSTEC of Russia No. 21
“8.8. Measures to control (analyze) the security of personal data should ensure control of the level of security of personal data processed in the information system by carrying out systematic measures to analyze the security of the information system and test the performance of the personal data protection system.
ANZ.1 Identification, analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities
ANZ.2 Control of the installation of software updates, including software updates for information security tools
ANZ.3 Control of operability, settings and correct functioning of software and information security tools
ANZ.4 Control of the composition of technical means, software and information security tools”

GOST R 51583-2014 the procedure for creating an AS in a protected version

No other regulatory legal acts containing requirements for security analysis could be found.

So the regulatory legal acts of the Russian Federation contain no requirements for the procedure and frequency of security scans; accordingly, the scanning profile settings and the frequency of vulnerability analysis are determined by the operator independently.
How can the operator determine this procedure and frequency?

Most likely, it is necessary to proceed from the features and criticality of the information system, the composition of the software used and the internal rules for updating the software.

It is also necessary to understand that a scan produces a vulnerability report, which still has to be worked through: vulnerabilities must be eliminated and missing updates installed. It makes no sense to scan more often than the responsible persons can process the report and eliminate the vulnerabilities. Scan interval > average time to process a vulnerability report.

When determining the procedure and frequency of scanning, the information system operator can be guided by its own expertise in the field of information security, experience in conducting security analysis activities, recommendations from external experts and FSTEC licensees, as well as documents that have the status of “recommended” or “best practices”.

In this case, it must be taken into account that security analysis measures should be systematic (clause 8.8 of FSTEC Order No. 21) and must be sufficient to neutralize current threats (paragraph 2 of Government Decree No. 1119).

Let's see what the methodological documents and best practices say:

GOST R ISO/IEC 27002-2012
“12.6 Management of technical vulnerabilities
Objective: To mitigate the risks resulting from the exploitation of published technical vulnerabilities.

Technical vulnerability management should be carried out in an efficient, systematic and repeatable manner, with measurements taken to confirm its effectiveness. These considerations should apply to operating systems and any other applications in use.
12.6.1 Technical vulnerability management

Measure and means of control and management

It is necessary to obtain timely information about the technical vulnerabilities of the information systems used, assess the organization's exposure to such vulnerabilities and take appropriate measures to address the risk associated with them.

A constantly updated and complete inventory of assets (see 7.1) is a prerequisite for effective management of technical vulnerabilities. Specific information needed to support technical vulnerability management includes information about the software vendor, version numbers, the current state of the deployment (for example, what software is installed on which systems), and the person(s) within the organization responsible for the software.

Likewise, timely action should be taken in response to the identification of potential technical vulnerabilities. To establish an effective management process for technical vulnerabilities, the following recommendations should be followed:
a) the organization needs to define and establish roles and responsibilities related to the management of technical vulnerabilities, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any other coordinating functions;
b) information resources that will be used to identify significant technical vulnerabilities and to maintain awareness of them should be determined for software and other technology based on the asset inventory list (see 7.1.1); these information resources should be updated following changes to the inventory or when other new or useful resources are found;
c) it is necessary to determine the time parameters for responding to notifications of potentially significant technical vulnerabilities;
d) once a potential technical vulnerability has been identified, the organization shall determine the associated risks and the actions to be taken; such actions may include patching affected systems and/or applying other controls;
e) depending on the urgency of addressing the technical vulnerability, the action taken should be in accordance with the controls associated with change management (see 12.5.1) or follow information security incident response procedures (see 13.2);
f) if it is possible to install a patch, the risks associated with installing it should be assessed (the risks posed by a vulnerability should be compared with the risk of installing a patch);
g) patches should be tested and evaluated prior to installation to ensure that they are effective and do not lead to unacceptable side effects; if it is not possible to install a patch, other measures and controls should be considered, for example:
1) disabling services associated with the vulnerability;
2) adaptation or addition of access controls, such as firewalls at network edges (see 11.4.5);
3) enhanced monitoring to detect or prevent real attacks;
4) raising awareness of vulnerabilities;
h) an audit trail should record all procedures undertaken;
i) the technical vulnerability management process should be regularly monitored and evaluated to provide confidence in its effectiveness and efficiency;
j) high-risk systems should be prioritized.

Additional Information

The correct functioning of the technical vulnerability management process is important for many organizations, so the process should be regularly monitored. An accurate inventory is important to ensure that potentially significant technical vulnerabilities are identified.

Technical vulnerability management can be viewed as a sub-function of change management and as such can benefit from change management processes and procedures (see 10.1.2 and 12.5.1).

Vendors often experience significant pressure to release patches as soon as possible. Therefore, a patch may not adequately address the problem and may have side effects. Also, in some cases, once a patch has been applied, it may not be easy to uninstall it.

If adequate testing of patches cannot be done, for example due to cost or lack of resources, a delay in implementation of changes can be considered in order to assess the associated risks based on the experience of other users.”

RS BR IBBS-2.6-2014
“10. Operation stage
10.1. The main tasks at the operation stage in terms of ensuring information security are:
- periodic evaluation of ABS security (carrying out activities to identify typical vulnerabilities of ABS software components, penetration testing);
10.2. The frequency of security assessment work is determined by decision of the RF BS organization. For core banking systems used to implement the bank payment technological process, it is recommended to conduct a comprehensive security assessment at least once a year”

Methodological document of the FSTEC of Russia “Measures for protecting information in state information systems”, which can also be used to ensure the security of personal data at the discretion of the operator
“ANZ.1 IDENTIFICATION, ANALYSIS AND REMOVAL OF INFORMATION SYSTEM VULNERABILITIES
Identification (search), analysis and elimination of vulnerabilities should be carried out at the stages of creation and operation of the information system. During the operation phase, the search for and analysis of vulnerabilities is carried out at intervals set by the operator. At the same time, for critical vulnerabilities, the search for and analysis of vulnerabilities is mandatory when information about new vulnerabilities in the information security tools, hardware and software used in the information system is published in public sources.
ANZ.1 reinforcement requirements:
2) the operator must update the list of vulnerabilities scanned in the information system with the frequency established by him, as well as after the appearance of information about new vulnerabilities;”

· following the methodological document of the FSTEC, a security analysis must be carried out without fail after the publication of information about a critical vulnerability or update;

For Windows OS, such vulnerabilities appear on average monthly;

In my opinion, to ensure the neutralization of current threats, security analysis using scanners should be carried out at least quarterly

· as a starting point in determining what to check and how, you can use Appendix 3 (Recommendations for conducting a security assessment) to RS BR IBBS-2.6-2014, section 2 “Identification of known vulnerabilities”

1. Organization of work on the technical protection of information:

1.1. Organization of technical protection of information classified as state and official secrets from engineering and technical data and from leakage through technical channels:

  • availability of guidelines and normative-technical documents on the issues of technical protection of information;
  • availability of documents regulating the activities of structural units for the technical protection of information (tasks, functional responsibilities, etc.);
  • analysis and assessment of the real danger of information leakage through technical channels, the completeness and correctness of identifying possible technical channels for information leakage to be protected;
  • completeness, quality and validity of the development of organizational and technical measures for the protection of information, the procedure for their implementation;
  • the procedure for organizing and monitoring the state of technical protection of information, its effectiveness;
  • timeliness and completeness of compliance with the requirements of governing documents, decisions of the State Technical Commission of Russia, regulatory, technical and methodological documents on the technical protection of information.

1.2. Study and analysis of the activities of structural units (responsible officials) to ensure the security of information to be protected, the tasks they solve and functional responsibilities.

1.3. Analysis of materials characterizing intelligence accessibility to information circulating in structural divisions. Identification of the presence, within a 1000 m zone, of foreign missions exercising the right of extraterritoriality and of places of stay of foreign specialists.

1.4 Study and analysis of the list of information subject to protection:

  • availability of a list of information to be protected from reconnaissance technical means and from leakage through technical channels;
  • completeness and correctness of the definition of unmasking signs that reveal this information;

1.5 Availability of information security system:

  • the presence of tasks for the technical protection of information in organizational and administrative documents regulating the activities of organizations and departments that are part of the unified system of state administration bodies of the Russian Federation;
  • organization and implementation of work on the technical protection of information in the central office of the ministry (department) and in enterprises, organizations and institutions subordinate to it;
  • interaction on issues of technical protection of information with other ministries (departments) and other third-party organizations;
  • ensuring control over the effectiveness of the protection of information constituting state and official secrets in all enterprises, institutions and organizations that are subordinate to or under the jurisdiction of the ministry (department) and work with such information.

1.6 Analysis of possible technical channels for the leakage of information classified as state secrets in the course of the activities of the ministry (department) and its subordinate enterprises, organizations and institutions.

1.7 Analysis of information flows during the functioning of structural units.

1.8 Analysis of the composition of hardware and software involved in information processing, their location, information processing technology and the state of its protection:

  • the status of accounting for all hardware and software of domestic and foreign production involved in the processing of information subject to protection;
  • placement of electronic equipment, TSPI (with reference to the premises in which they are installed), routes for laying information and non-information circuits that go beyond the controlled territory.

1.9 Analysis of the availability of information processed in the automated control system, computer and other technical means.

1.10 Study of the organization and the actual state of access of maintenance and operating personnel to information resources.

2. Monitoring the state of information protection:

Organization of information security in systems and means of informatization and communication:

  • certification of systems and means of automation and communication that are involved in the processing of information classified as state and official secrets;
  • conducting special inspections to identify embedded devices;
  • activities of structural units responsible for the automation of information processing processes, accounting, storage, access to its magnetic media, duties of persons responsible for information security;
  • the timeliness and correctness of the implementation of the information security system, the issuance of permission to process confidential information;
  • correct placement and use of technical means, their individual elements;
  • applied measures to protect information from leakage due to spurious electromagnetic radiation and interference, electro-acoustic transformations;
  • measures taken to prevent unauthorized access to information, as well as interception by technical means of speech information from premises and protected objects.

2.1 From unauthorized access (UAS)

When checking the status of protection of software and information resources from unauthorized access, it is advisable to perform the following activities:

2.1.1 Determine the class of the automated system, the operating system used, the system of protection against unauthorized access and other software.
2.1.2 Check the implementation of organizational and technical measures for the technical protection of information circulating in the AS or SVT.
2.1.3 Check the availability, quality of installation and operation of software and hardware protection.
2.1.4 Prepare and perform control testing of the means of protecting information processed by the AS and SVT, generate machine test reports and analyze them.
2.1.5 Analyze the test results and establish the actual characteristics of the protective equipment and their compliance with the security indicators of the automated system.
2.1.6 Conduct a survey of the software and information support of one or more PCs (standalone or part of local area networks) for the absence of special program impact:

  • analysis of information on indirect and direct signs of infection of computer software and information by computer “viruses”;
  • analysis of circuitry, hardware, software, organizational and other solutions for organizing the protection of information from special software exposure, and of the ways the software product is obtained and the procedure for its use, in order to identify channels for the penetration of “viruses” or the introduction by intruders of special programs into the AS or SVT;
  • control of the integrity of software and information support, system-wide and applied software and search for hidden software mechanisms of distortion (destruction) of information.

2.2 From information leakage due to spurious electromagnetic radiation and interference (PEMIN)

2.2.1 Analyze the applicability of existing test programs or develop new ones for the given technical means being tested.
2.2.2 Based on the initial information, select technical means for transmitting, storing and processing information for instrumental control.
2.2.3 Carry out instrumental control of the effectiveness of PEMIN leakage protection of the protected technical means.

2.3 From the leakage of speech information circulating in allocated rooms due to interference and acoustic field

When checking the state of protection of speech information circulating in allocated premises, it is advisable:

2.3.1 Analyze the availability of speech information circulating in the offices of the management team, as well as in rooms where confidential negotiations are conducted or technical means of processing confidential information are installed:

  • to study the conditions for the placement of allocated premises and the main (OTSS) and auxiliary technical systems and means (VTSS) installed in them, their layouts and routes for laying connecting lines;
  • identify lines that go beyond the border of the controlled zone (GKZ);
  • clarify the reconnaissance situation, determine reconnaissance-dangerous directions and places of possible deployment of acoustic reconnaissance equipment;
  • check the availability and quality of working documents on the protection of speech information;

2.3.2 Check the implementation of organizational and technical measures to protect speech information circulating in allocated premises. In this case, it is advisable to perform the following set of measures:

  • verification of compliance with the requirements of the operating instructions and the operating procedure for the technical means of transmission, storage and processing of information (TSPI), with a walk-through of all allocated premises;
  • checking the timeliness and correctness of the categorization of the allocated premises, the procedure for their certification during commissioning and the issuance of a permit for the right to conduct confidential events and conduct confidential negotiations;
  • checking the availability, quality of installation and operation of means of protecting speech information from leakage through technical channels;
  • verification of compliance with the requirements for conducting special inspections of technical means (for the absence of special radiating devices);

2.3.3 Carry out instrumental control of the security of speech information circulating in dedicated rooms, processed and transmitted by TSPI, in order to identify possible technical leakage channels:

3. Control over the fulfillment of the requirements of the Law of the Russian Federation “On State Secrets”

The procedure for the admission of foreign citizens and its compliance with the requirements of normative documents. Evaluation of the applied information protection measures when organizations (enterprises) are visited by foreign representatives. Participation of counter-intelligence specialists in the analysis of possible channels of information leakage, attestation and special inspections of premises before and after the reception of foreign specialists. Availability of admission programs, coordination with the FSB. Development and implementation (if necessary) of additional measures for the technical protection of information.

3.1 Checking the availability of structural units and employees, their level of training and qualifications, ensuring the solution of issues related to state secrets.
3.2 Checking the availability of a license for the right to carry out work related to the implementation of the Law of the Russian Federation “On State Secrets”, both in full-time structural divisions and in external organizations performing work (providing services) for the technical protection of information in the interests of the ministry (department) and the enterprises, organizations and institutions subordinate to it.
3.3 Checking the availability of guidance documents and their content on the issue of technical protection of information (Law of the Russian Federation “On State Secrets”, the List of information to be protected ... etc.).
3.4 Checking the status of the confidentiality regime in the divisions and the degree of its compliance with the governing documents for record keeping (equipment of premises, accounting and storage of confidential documents, access to record keeping and confidential documents).
3.5 Checking the timeliness and correctness of communicating the requirements of the guidance documents on the technical protection of information to the employees of the departments, and the employees' knowledge of them.
3.6 Checking the correctness of categorizing information according to the degree of confidentiality, the procedure for its accounting and storage when using technical means (EVT, TSPI, office equipment, etc.).
3.7 Checking the correctness of printing (reproduction) of confidential documents, their accounting and the procedure for bringing them to the attention of the executors.
3.8 Checking the procedure for allowing employees to work with classified information.
3.9 Checking the organization of work to reduce the degree of confidentiality (declassification) of documents and bringing information to the executors.
3.10 Checking the availability of "Certificates of Conformity" for allocated premises and technical means involved in the processing of information to be protected, and certification documents for means of technical protection of information and control of its effectiveness.

4. Issues to be considered in the verification of licensees

4.1 Checked:

  • availability of a license (permit) for the right to carry out work on the technical protection of information, verification of the validity of the license within the established deadlines and compliance with the work actually performed by the licensee (1.5)*;
  • whether the licensee has documents on state registration of entrepreneurial activity and the charter of the enterprise (1.7)*;
  • the state of the production and testing base, the availability of regulatory and methodological documentation to carry out work on the declared types of activities (1.6)*;
  • staffing of scientific and engineering personnel for carrying out work on the declared types of activity. The level of preparedness of specialists for work (1.6) *;
  • professional training of the head of the licensee enterprise and (or) persons authorized by him to manage the licensed activities (1.7)*;
  • compliance with contractual obligations to ensure the safety of confidential and material assets of individuals and legal entities who used the services of the licensee (2.4)*;
  • timeliness and completeness of submission to the state licensing body or to the licensing center of information on the work performed on specific types of activities specified in the license in accordance with the requirements of the State Technical Commission of Russia (2.4)*;
  • quality of services rendered by the licensee (assessment of the effectiveness of measures taken by licensees for the technical protection of information at 1-3 consumer enterprises that used the services of the licensee) (3.2)*.

4.2 The results of the verification of licensees are reflected in the form of a separate section of the act or certificate, drawn up on the basis of the results of a scheduled inspection of ministries (departments) and their subordinate enterprises, organizations and institutions. Based on the results obtained, a conclusion is made on the compliance of the licensee with the established requirements and the possibility of further work by him in the declared areas.

Note: *) Sections “Regulations on state licensing of activities in the field of information protection” are indicated in brackets.

Checking the security of information from unauthorized access consists in checking the compliance of the effectiveness of measures to protect information with established requirements or standards for information security. All groups of means of protection against unauthorized access, considered by us in previous lectures, are tested.

The description of the technological process for processing and storing protected information is checked for compliance with the real process.

The possibility of transferring information of a higher level of confidentiality to an information carrier of a lower level is assessed.

Permitted and prohibited connections between subjects and objects of access are analyzed with reference to specific OTSS and staff.

The compliance of permitted and prohibited connections with the permissive system of personnel access to protected resources is assessed at all stages of processing.

Verification, as a rule, is carried out using software and hardware-software security control tools. As an example, let's consider the products of one company, LLC "Center for Information Security".

The security control tool against UA "Auditor 2 XP" is designed to control the access rights to information resources.

  • display of all information contained in the DRP (only viewing is possible);
  • comparison of the structure of the resources of the workstation described in the DRP with the actual structure of the resources;
  • creating a report on the results of the comparison;
  • building a plan for testing workstation objects;
  • checking the real access rights of users to access objects;
  • creating a report on test results.

The network scanner "Network Inspector" version 3.0 is designed to detect vulnerabilities in installed network software and hardware that use TCP/IP stack protocols. The system has extensive capabilities, one of which is the search for vulnerabilities contained in the database of threats and vulnerabilities of the FSTEC, which we considered earlier. In addition, the program searches for vulnerabilities contained in cve.mitre.org, ovaldb.altx-soft.ru, microsoft.com and some other sources.

The "FIX" tool for fixing and controlling the initial state of a software package is designed to control the integrity subsystem. The main features of the program:

  • fixing the initial state of the software package;
  • control of the initial state of the software package;
  • fixing and controlling directories;
  • control of differences in specified files (directories);
  • the ability to work with long file names and names containing Cyrillic characters.
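
The fix-then-control cycle listed above can be sketched in Python as follows. This is an added example, not code from the "FIX" product or from the original page; the function names, the JSON baseline format and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries do not fill memory


def file_digest(path: Path) -> str:
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def fix_state(roots):
    """Record ("fix") size and digest of every regular file under the given directories."""
    state = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(Path(root).resolve()):
            for name in filenames:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue  # links and special files carry no content of their own
                state[str(p)] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return state


def save_baseline(state, baseline_path):
    # ensure_ascii=False keeps Cyrillic names readable; the file itself is UTF-8
    text = json.dumps(state, ensure_ascii=False, indent=1, sort_keys=True)
    Path(baseline_path).write_text(text, encoding="utf-8")


def load_baseline(baseline_path):
    return json.loads(Path(baseline_path).read_text(encoding="utf-8"))


def control_state(baseline, roots):
    """Compare the current state with the fixed one and report the differences."""
    current = fix_state(roots)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common
                           if current[p]["sha256"] != baseline[p]["sha256"]),
    }


def demo_fix_control():
    """Constructed sample package: fix it, change it, then run the control pass."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        pkg = root / "package"
        (pkg / "модули").mkdir(parents=True)          # directory with a Cyrillic name
        (pkg / "core.bin").write_bytes(b"constructed sample binary")
        (pkg / "модули" / "настройки.cfg").write_text("mode=strict\n", encoding="utf-8")
        (pkg / ("long_" + "n" * 180 + ".dat")).write_bytes(b"payload")  # long file name

        baseline_file = root / "baseline.json"       # kept outside the controlled tree
        save_baseline(fix_state([pkg]), baseline_file)

        # changes made after the state was fixed
        (pkg / "модули" / "настройки.cfg").write_text("mode=relaxed\n", encoding="utf-8")
        (pkg / "core.bin").unlink()
        (pkg / "extra.so").write_bytes(b"unexpected")

        report = control_state(load_baseline(baseline_file), [pkg])
        return {kind: [Path(p).relative_to(pkg).as_posix() for p in paths]
                for kind, paths in report.items()}


if __name__ == "__main__":
    print(demo_fix_control())
```

The control pass is only as trustworthy as the baseline file, so the baseline should be stored where the controlled system cannot rewrite it.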

The program of search and guaranteed destruction of information on disks "TERRIER" allows you to control the destruction of information. To check, you need to create a file with a control combination of characters on a confidential logical disk, locate the sectors using "TERRIER", delete the file using standard tools and control its deletion using TERRIER.
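
The deletion check described above (write a control combination, locate its sectors, delete, look again) can be illustrated with the following Python sketch. This is an added example, not code from "TERRIER" or from the original page; the 512-byte sector size, the in-memory disk image, its toy directory entry and the marker value are constructed assumptions.

```python
import io

SECTOR = 512  # assumed sector size of the constructed image


def find_marker_sectors(image, marker: bytes, chunk_size: int = 4096):
    """Return the sorted sector numbers in which an occurrence of marker starts.

    The image is read in chunks. The last len(marker) - 1 bytes of every window
    are carried into the next read, so a control combination that straddles a
    chunk boundary is still found.
    """
    if not marker:
        raise ValueError("marker must not be empty")
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    sectors = set()
    tail = b""
    base = 0  # absolute offset in the image of the first byte of the window
    keep = len(marker) - 1
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        pos = window.find(marker)
        while pos != -1:
            sectors.add((base + pos) // SECTOR)
            pos = window.find(marker, pos + 1)
        tail = window[-keep:] if keep else b""
        base += len(window) - len(tail)
    return sorted(sectors)


def demo_deletion_check():
    """Run the check on a constructed disk image in three states."""
    marker = b"CONTROL-COMBINATION-0001"             # constructed control combination
    disk = bytearray(64 * SECTOR)                     # constructed 32 KiB "logical disk"
    disk[SECTOR:SECTOR + 11] = b"control.txt"         # toy directory entry in sector 1
    disk[4090:4090 + len(marker)] = marker            # file data crossing offset 4096

    # 1. file present: the control combination is located in sector 7
    before = find_marker_sectors(io.BytesIO(disk), marker)

    # 2. deletion that removes only the directory entry: the data sectors are
    #    untouched, so the check still finds the combination (check fails)
    disk[SECTOR:SECTOR + 11] = bytes(11)
    after_delete = find_marker_sectors(io.BytesIO(disk), marker)

    # 3. deletion that also overwrites the data sectors: nothing is found
    #    (check passes)
    disk[4090:4090 + len(marker)] = bytes(len(marker))
    after_wipe = find_marker_sectors(io.BytesIO(disk), marker)

    return before, after_delete, after_wipe


if __name__ == "__main__":
    print(demo_deletion_check())
```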

18.4. Documentation of control results. Requirements for information security controls

It should be noted that rather stringent requirements are imposed on the means of monitoring the effectiveness of information protection measures, as well as on the manufacturers of such means. In accordance with the "Regulations on Licensing Activities for the Development and Production of Confidential Information Protection Tools", approved by Government Decree No. 171 of March 3, 2012, the development and production of technical means for monitoring the effectiveness of information protection measures is subject to licensing. The means of monitoring the effectiveness of protection measures that are developed and produced should themselves have an FSTEC certificate of conformity in accordance with the requirements of the Decree of the Government of the Russian Federation of June 26, 1995 N 608 "On certification of information security tools".

Monitoring the effectiveness of protection is completed by issuing a Conclusion with a brief assessment of the compliance of the informatization object with information security requirements, specific recommendations for eliminating violations, bringing the protection system of the informatization object in line with the established requirements and improving this system, and recommendations for monitoring the functioning of the informatization object. Test reports are attached to the Conclusion, confirming the results obtained during the tests and substantiating the conclusion it gives.

Monitoring the effectiveness of VBI consists in checking the compliance of the qualitative and quantitative indicators of the effectiveness of VBI activities with the requirements or standards for the effectiveness of VBI.

Monitoring the effectiveness of VBI includes:

Technical control of the effectiveness of VBI - control of the effectiveness of VBI, carried out using technical means of control.

Organizational control of the effectiveness of VBI - checking the compliance of the completeness and validity of activities for VBI with the requirements of guidelines and regulatory and methodological documents in the field of VBI;

Technical control of the effectiveness of the VBI (which we are considering) is the control of the effectiveness of the VBI, carried out using technical means of control.

Depending on the goals and objectives of control, as well as the characteristics of the objects being inspected, technical control of the effectiveness of VBI can be:

Comprehensive, when the organization and state of the VBI are checked against leakage through all possible technical channels characteristic of a controlled technical means (informatization object), from unauthorized access to information or special influences on it;

Targeted, when the check is carried out through one of the possible technical channels of information leakage, characteristic of a controlled technical means that has protected parameters or in which protected information circulates;

Selective, when from the entire composition of technical means at the facility, those of them are selected that, according to the results of a preliminary assessment, are most likely to have technical channels for leaking protected information.

Depending on the specific conditions of technical control, efficiency control can be carried out by the following methods:

The instrumental method, when technical measuring instruments are used in the course of control and the real operating conditions of the technical reconnaissance means are simulated;

Instrumental-calculation method, when measurements are carried out in the immediate vicinity of the object of control, and then the measurement results are recalculated to the place (conditions) of the intended location of the reconnaissance equipment;

The calculation method, when the effectiveness of the VBI is evaluated by calculation, based on the actual conditions of placement and the capabilities of the technical reconnaissance equipment and the known characteristics of the object of control.

The essence of technical control measures is to carry out instrumental (instrumental-calculation) checks of the effectiveness of protecting information from leakage through technical channels that arise due to:

1) spurious electromagnetic radiation (PEMI) during the operation of the main technical means and systems (OTSS) of the informatization object;

3) interference of an information signal on the connecting lines of the VTSS located in the coverage area of the PEMI of the OTSS;

4) uneven current consumption in the OTSS power supply network;

5) linear high-frequency imposition and electro-acoustic transformations as methods of intercepting speech information through VTSS installed in dedicated rooms.

Instrumental control is carried out according to standard programs and standard methods approved by attestation and certification bodies. All measuring equipment is certified by metrological authorities in the prescribed manner.

The main regulatory and methodological documents regulating the activities for the technical control of the objects under consideration are:

2. GOST 29339-92. Information technology. Protection of information from leakage due to spurious electromagnetic radiation and pickups during its processing by means of computer technology. General technical requirements;

3. Collection of methodological documents on the control of protected information processed by computer technology from leakage due to electromagnetic radiation and pickups (PEMIN). Approved by order of the State Technical Commission of Russia dated November 19, 2002 No. 391.

4. Order of the Federal Service for Technical and Export Control (FSTEC of Russia) dated February 11, 2013 No. 17, Moscow;

5. Order of the FSTEC of Russia dated February 18, 2013 No. 21 "On approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems."

The act of checking the status of the VBI should contain the following sections:

1. General information about the object of control;

2. General issues of organization of VBI at the facility;

3. Organization and state of protection of informatization objects;

4. Completeness and quality of work carried out by licensees of the FSTEC of Russia on the protection and certification of informatization objects;

Hiding information about means, complexes, objects and information processing systems. These tasks can be divided into technical and organizational.

Organizational tasks to hide information about objects are aimed at preventing the disclosure of this information by employees and its leakage through undercover channels.

Technical tasks are aimed at eliminating or weakening the technical unmasking features of protected objects and the technical channels for leaking information about them. Concealment is achieved by reducing electromagnetic, temporal, structural and attribute accessibility, and by weakening the correspondence between the structure, topology and nature of functioning of means, complexes, objects, and information processing and control systems.

This problem is solved by implementing a complex of organizational and technical measures that ensure the fulfillment of the basic requirement for means, complexes and information processing systems: intelligence security. It is aimed at one of the main goals, namely making it impossible or significantly harder for technical intelligence to search for, locate and conduct radio surveillance of radio emission sources, and to classify and identify objects by the unmasking signs it has revealed.

Reducing electromagnetic accessibility makes both energy detection and determination of the coordinates of the area where radio emission sources are located more difficult. It also increases the time needed to reveal unmasking signs and reduces the accuracy with which the parameters and signals of radio-emitting means are measured.

Reducing the temporal accessibility of radio-emitting means implies shortening the time they spend radiating while transmitting information and lengthening the pauses between information processing sessions. To reduce the structural and attribute accessibility of means, complexes and information processing systems, organizational and technical measures are taken to weaken the unmasking signs and create the so-called "gray background".

Class 1.2. Disinformation of the enemy.

This class includes tasks that consist in the dissemination of deliberately false information regarding the true purpose of some objects and products, the actual state of some area of state activity, the state of affairs at an enterprise, etc.

Disinformation is usually carried out by spreading false information through various channels, imitation or distortion of the features and properties of individual elements of the objects of protection, creating false objects, similar in appearance or manifestations to the objects of interest to the opponent, etc.

The role of disinformation was emphasized by A.F. Viviani, an expert in the field of counter-espionage: "A huge amount of information is falling on us, falling down, erupting. It is fake, but it looks believable; it is true, but in fact it is cunningly redrawn in order to give the impression of being false; partly false and partly true. It all depends on the chosen method of so-called disinformation, the purpose of which is to make you believe, wish, think, make decisions in a direction that is beneficial for those who for some reason need to influence us..."

Technical disinformation at the object of protection is a set of organizational and technical measures aimed at misleading technical intelligence about the true goals of information processing systems, the grouping and activities of troops, and the intentions of command and control agencies.

The solution of this problem is carried out within the framework of the well-known operational radio masking by distorting the technical unmasking features of the protected object or simulating the technical unmasking features of a false object.

Particular tasks of technical disinformation are:

Distortion of the unmasking signs of real objects and systems so that they correspond to the signs of false objects;

Creation (imitation) of a false environment, objects, systems, complexes by reproducing unmasking signs of real objects, structures of systems, situations, actions, functions, etc.;

Transmission, processing and storage of false information in processing systems;

Imitation of the combat activity of means, complexes and information processing systems at false control points;

Participation of forces and means in demonstrative actions in false directions;

Transmission of false information (radio disinformation), counting on its interception by the enemy, etc.

In general, these tasks can be grouped into particular tasks of radio imitation, radio disinformation, and demonstrative actions.