International standards for information security. GOST R: national standards of the Russian Federation in the field of information protection. Russian information security standards

1.1. International standards for information exchange

Information security must be ensured in accordance with the relevant standards and specifications.

Standards in the field of cryptography and the guidance documents of the Federal Service for Technical and Export Control (FSTEC of Russia, formerly the State Technical Commission under the President of the Russian Federation) are legally binding.

The role of standards is fixed in the basic concepts of the Federal Law of the Russian Federation "On Technical Regulation" of 27 December 2002, No. 184-FZ (adopted by the State Duma on 15 December 2002):

standard: a document that, for the purpose of voluntary repeated use, establishes the characteristics of products and the rules for carrying out, and the characteristics of, the processes of production, operation, storage, transportation, sale and disposal, and of performing work or providing services. A standard may also contain requirements for terminology, symbols, packaging, marking or labels and the rules for their application;

standardization: activity to establish rules and characteristics for the purpose of their voluntary repeated use, aimed at achieving order in the production and circulation of products and at increasing the competitiveness of products, work and services.

There are two groups of standards and specifications in the field of information security:

evaluation standards, intended for evaluating and classifying information systems and protection tools according to security requirements;

specifications, which regulate various aspects of the implementation and use of protection measures.

Evaluation standards describe the most important concepts and aspects of information systems (IS), playing the role of organizational and architectural specifications.

The other specifications define exactly how to build an IS of the prescribed architecture and how to fulfil the organizational requirements.

The evaluation standards include:

1. The US Department of Defense standard "Trusted Computer System Evaluation Criteria" (TCSEC, the "Orange Book"), its network interpretation, and the "Harmonized Criteria of European Countries".

2. The international standard "Evaluation Criteria for Information Technology Security".

3. The guidance documents of FSTEC of Russia.

4. The US federal standard "Security Requirements for Cryptographic Modules".

5. The international standard ISO/IEC 15408:1999 "Evaluation Criteria for Information Technology Security" (the "Common Criteria").

Technical specifications applicable to modern distributed IS are created mainly by the Internet Engineering Task Force (IETF) and its subdivision, the security working groups. The core of the technical specifications considered here are the documents on security at the IP level (IPsec). Security at the transport level (Transport Layer Security, TLS) and at the application level (the GSS-API and Kerberos specifications) is also analysed. It should be noted that the Internet community pays due attention to the administrative and procedural levels of security ("Site Security Handbook", "Site Security Handbook Addendum for ISPs", "Expectations for Computer Security Incident Response").

Network security is governed by the specifications X.800 "Security Architecture for Open Systems Interconnection", X.500 "The Directory: Overview of Concepts, Models and Services" and X.509 "The Directory: Public-key and Attribute Certificate Frameworks".

The British standard BS 7799 "Information Security Management. Code of Practice" is intended for the managers of companies and organizations responsible for information security; it has been adopted without substantive changes as the international standard ISO/IEC 17799.

General information about standards and specifications in the information security area is given below.

The "Orange Book"

The "Orange Book" provides the conceptual basis of information security:

- the concept of a secure and trusted system,

- security policy,

- level of assurance,

- accountability,

- trusted computing base,

- reference monitor,

- security kernel and security perimeter. The standard treats security policy as discretionary (voluntary) and mandatory (enforced) access control and secure object reuse.

From a conceptual point of view, the most significant of its successors is the "Trusted Network Interpretation" of the "Orange Book". It consists of two parts. The first contains the interpretation itself; the second describes the security services that are specific to, or especially important for, network configurations.

The most important concept introduced in the first part is the network trusted computing base. Another important aspect is accounting for the dynamics of network configurations. Among the protection mechanisms, cryptography is singled out, which helps maintain both confidentiality and integrity.

The standard also formulates sufficient conditions for the correctness of fragmenting the reference monitor, which is the theoretical basis for decomposing a distributed IS in an object-oriented style in combination with cryptographic protection of communications.

Harmonized Criteria of European Countries

These criteria contain no predefined requirements that a secure information system must satisfy. It is assumed that the evaluation target is formulated first, and the certification body then determines how fully and correctly the architecture and implementation of the security mechanisms achieve that target in the specific situation. To make the evaluation target easier to formulate, the standard contains descriptions of ten typical functionality classes characteristic of government and commercial systems.

The "Harmonized Criteria" distinguish between information technology systems and products, but for uniformity a single term is used: the target of evaluation.

It is important to note the distinction between security functions (services) and the mechanisms that implement them, as well as the two aspects of security that are singled out: the effectiveness and the correctness of the protection measures.

The "Harmonized Criteria" prepared the way for the international standard ISO/IEC 15408:1999 "Evaluation Criteria for IT Security", which in Russian literature is called the "Common Criteria".

At present, the "Common Criteria" is the most complete and up-to-date evaluation standard. It is a metastandard that defines the tools for security evaluation and the order of their use; it contains no predefined security classes. Such classes can be built on the basis of its requirements.

The "Common Criteria" contain two main types of security requirements:

functional requirements, which correspond to the active aspect of protection and are imposed on the security functions (services) and the mechanisms that implement them;

assurance requirements, which correspond to the passive aspect and are imposed on the technology and the process of development and operation. Security requirements are formulated, and their fulfilment is verified, for a specific target of evaluation: a hardware and software product or an information system.

Security in the "Common Criteria" is considered not statically, but in relation to the life cycle of the target of evaluation.

The "Common Criteria" promote the formation of two basic types of normative documents used in practice: the protection profile and the security target.

A protection profile is a typical set of requirements that products and/or systems of a certain class must satisfy.

A security target contains the requirements for a specific development and describes the set of mechanisms that ensure the fulfilment of the security requirements.

The guidance documents (RD) of FSTEC of Russia began to appear later, after the publication of the "Harmonized Criteria", and, by analogy with the latter, confirm the distinction between automated systems (AS) and computing products (SVT).

In 1997 an RD for a separate security service, firewalls (ME), was adopted. Its main idea, the classification of firewalls according to the layer of the seven-layer reference model at which data flows are filtered, has gained international recognition and remains current.

In 2002 the State Technical Commission of Russia adopted as an RD the Russian translation of the international standard ISO/IEC 15408:1999 "Evaluation Criteria for Information Technology Security".

X.800 "Security Architecture for Open Systems Interconnection"

Among the technical specifications, the main document is X.800 "Security Architecture for Open Systems Interconnection". It identifies the most important network security services: authentication, access control, data confidentiality and/or integrity, and non-repudiation. To implement the services, the following security mechanisms and their combinations are provided: encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization. The layers of the seven-layer reference model at which the services and mechanisms can be implemented are selected. Questions of security administration for distributed configurations are considered in detail.

RFC 1510 "The Kerberos Network Authentication Service (V5)"

It addresses the problem of authentication in a heterogeneous distributed environment with support for single sign-on to the network. The Kerberos authentication server is a trusted third party that holds the secret keys of the subjects it serves and helps them verify each other's identity pairwise. Kerberos client components are present in most modern operating systems.

US federal standard FIPS 140-2 "Security Requirements for Cryptographic Modules"

It performs an organizing function, describing the external interface of a cryptographic module and the general requirements for such modules and their environment. The existence of such a standard facilitates the development of security services and protection profiles for them.

"Generic Security Service Application Program Interface" (GSS-API)

Cryptography as a means of implementing security services has two sides: algorithmic and interface. The interface aspect has been addressed, alongside the FIPS 140-2 standard, by the Internet community in the technical specification "Generic Security Service Application Program Interface" (GSS-API).

The GSS-API security interface is intended for protecting communications between components of software systems built in a client/server architecture. It creates the conditions for mutual authentication of the communicating partners, controls the integrity of the messages sent, and guarantees their confidentiality. The users of the GSS-API security interface are communication protocols (usually of the application level) or software systems that perform data transmission themselves.
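The Kerberos exchange described under RFC 1510 above, and the mutual authentication, integrity and confidentiality that the GSS-API paragraph lists, are easier to grasp in a small simulation. The following Python is an added example written for this page; it is not code from RFC 1510, from any Kerberos distribution or from the GSS-API specification. It models one KDC exchange (the separate ticket-granting-ticket step of the real protocol is omitted); the principals alice and host/files and their keys are constructed for the example, and the seal/unseal functions are a toy encrypt-then-MAC stand-in for a Kerberos encryption type, not a production cipher. What it shows is what the standard's wording leaves implicit: the client never sees the service key, the service never sees the client key, and the service still ends up knowing who is talking to it and proving itself back.

```python
"""Simplified Kerberos-style exchange (added example; not the RFC 1510 protocol).

A KDC, the trusted third party holding every principal's long-term key, hands the
client a session key plus a ticket it cannot read; the client proves possession of
the session key with an authenticator; the service proves it read the ticket by
replying under the same session key (mutual authentication).  The real protocol
adds a ticket-granting-ticket step, ASN.1 encoding and standard encryption types.
"""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    # Toy keystream: HMAC-SHA256 in counter mode over (nonce, counter).
    # Stands in for a Kerberos encryption type; not for production use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting; any tampering or wrong key raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


class KDC:
    """Trusted third party: knows the long-term key of every principal it serves."""

    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key (constructed for the example)

    def issue(self, client, service, now, lifetime=300):
        session_key = os.urandom(32)
        # Ticket is sealed under the service key: the client carries it but cannot read or alter it.
        ticket = seal(self.keys[service],
                      {"client": client, "session": session_key.hex(), "expires": now + lifetime})
        # Reply is sealed under the client key: only the legitimate client learns the session key.
        return seal(self.keys[client],
                    {"service": service, "session": session_key.hex(), "ticket": ticket.hex()})


class Service:
    def __init__(self, key, skew=300):
        self.key, self.skew = key, skew
        self.seen = set()  # replay cache of (client, authenticator timestamp)

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)  # a forged ticket, or one for another service, fails here
        if t["expires"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["session"])
        a = unseal(session_key, authenticator)  # proves the client holds the session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > self.skew:
            raise ValueError("authenticator does not match ticket or is outside clock skew")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        # Mutual authentication: only a holder of the service key could have recovered session_key.
        return session_key, seal(session_key, {"ts": a["ts"] + 1})


def client_login(kdc, name, key, service, now):
    reply = unseal(key, kdc.issue(name, service, now))
    session_key = bytes.fromhex(reply["session"])
    authenticator = seal(session_key, {"client": name, "ts": now})
    return session_key, bytes.fromhex(reply["ticket"]), authenticator


def demo(now=1_700_000_000):
    """Run the exchange plus the checks a service must make; returns which ones held."""
    keys = {"alice": os.urandom(32), "host/files": os.urandom(32)}  # constructed principals
    kdc, files = KDC(keys), Service(keys["host/files"])
    session_key, ticket, auth = client_login(kdc, "alice", keys["alice"], "host/files", now)
    service_key, reply = files.accept(ticket, auth, now)
    results = {"mutual_auth": service_key == session_key and unseal(session_key, reply)["ts"] == now + 1}
    attacks = {"replay_rejected": (ticket, auth, now),
               "expired_ticket_rejected": (ticket, auth, now + 3600),
               "forged_ticket_rejected": (seal(os.urandom(32), {"client": "mallory",
                                          "session": os.urandom(32).hex(), "expires": now + 300}), auth, now)}
    for name, args in attacks.items():
        try:
            files.accept(*args)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The three negative checks in demo() are the ones a real Kerberos service performs too: the replay cache and clock-skew window are why Kerberos deployments depend on synchronized clocks, and the forged-ticket case shows that the ticket's integrity rests on the service key the KDC shares with the service, not on anything the client does.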

IPsec technical specifications

They describe a complete set of tools for ensuring confidentiality and integrity at the network layer. For the currently dominant IP version 4 they are optional; in IPv6 their implementation is mandatory. On the basis of IPsec, protection mechanisms for higher-level protocols, up to the application level, are built, as well as complete security solutions, including virtual private networks. IPsec relies on cryptographic mechanisms and a key infrastructure.

TLS, Transport Layer Security

The TLS specification develops and refines the popular Secure Sockets Layer (SSL) protocol, which is used in a large number of software products of various kinds.

X.500 "The Directory: Overview of Concepts, Models and Services"

Of infrastructural significance are the recommendations X.500 "The Directory: Overview of Concepts, Models and Services" and X.509 "The Directory: Public-key and Attribute Certificate Frameworks". The X.509 recommendations describe the format of public-key and attribute certificates, the basic elements of public-key infrastructures and privilege management.

Ensuring information security is a complex problem that requires coordinated measures at the legislative, administrative, procedural and software-technical levels. When developing and implementing the basic document of the administrative level (the organization's security policy), the Internet community's recommendation "Site Security Handbook" can be followed. It covers the practical aspects of forming security policies and procedures, explains the basic concepts of the administrative and procedural levels, motivates the recommended actions, and touches on risk analysis, response to information security violations and the actions that follow their elimination. The latter questions are considered in more detail in the recommendation "Expectations for Computer Security Incident Response". This document also contains references to information resources and practical advice of the procedural level.

When developing and reorganizing corporate information systems, the recommendation "Site Security Handbook Addendum for ISPs" (how to choose an Internet service provider) will prove useful. Its provisions should be followed above all when forming the organizational and architectural security measures on which the other procedural and software-technical measures are based.

British standard BS 7799 "Information Security Management. Code of Practice"

For the practical creation and maintenance of an information security regime with the help of regulators of the administrative and procedural levels, the British standard BS 7799 "Code of Practice for Information Security Management" and its second part, BS 7799-2:2002 "Information Security Management Systems - Specification with Guidance for Use", are useful. They explain such concepts and procedures as security policy, the general principles of organizing protection, the classification of resources and their management, personnel security, physical security, the principles of administering systems and networks, access control, the development and maintenance of IS, and planning for the uninterrupted operation of the organization.


ISO/IEC 27001 is an international information security standard developed jointly by the International Organization for Standardization and the International Electrotechnical Commission. The standard contains information security management requirements for creating, developing and maintaining an Information Security Management System (ISMS).

Purpose of the standard. The ISO/IEC 27001 (ISO 27001) standard contains a description of the best world practices in information security management. ISO 27001 establishes requirements for an information security management system in order to demonstrate the organization's ability to protect its information resources. This standard is a model for the development, implementation, operation, monitoring, review, maintenance and improvement of an Information Security Management System (ISMS).

Purpose of the ISMS: the selection of appropriate security management controls intended to protect information assets and to give confidence to interested parties.

Basic concepts. Information security: the preservation of the confidentiality, integrity and availability of information; in addition, other properties may be included, such as authenticity, non-repudiation and reliability.

Confidentiality: ensuring that information is accessible only to those authorized to have access (authorized users).

Integrity: safeguarding the accuracy and completeness of information and of the methods of processing it.

Availability: ensuring that authorized users have access to information when required.

ISO 27001 provides for:

· definition of goals and a statement of the direction and principles of information security activities;

· definition of approaches to risk assessment and risk management in the organization;

· management of information security in accordance with applicable legislative and regulatory requirements;

· use of a unified approach to the creation, implementation, operation, monitoring, review, maintenance and improvement of the management system in order to achieve the organization's information security goals;

· definition of the processes of the information security management system;

· definition of the status of information security measures;

· use of internal and external audits to determine the degree of conformity of the information security management system to the requirements of the standard;

· provision of adequate information to partners and other interested parties about the information security policy.


Principles of legal regulation in the field of information, information technologies and information protection according to the Federal Law of the Russian Federation of 27 July 2006 No. 149-FZ "On Information, Information Technologies and Information Protection".

Legal regulation of the relations arising in the field of information, information technologies and information protection is based on the following principles:

1) freedom to seek, receive, transfer, produce and disseminate information by any lawful means;

2) establishment of restrictions on access to information only by federal laws;

3) openness of information about the activities of state bodies and local self-government bodies and free access to such information, except in cases established by federal laws;

4) equality of the languages of the peoples of the Russian Federation in the creation and operation of information systems;

5) ensuring the security of the Russian Federation in the creation and operation of information systems and the protection of the information they contain;

6) reliability of information and timeliness of its provision;

7) inviolability of private life; inadmissibility of collecting, storing, using and disseminating information about a person's private life without his consent;

8) inadmissibility of establishing by normative legal acts any advantages of using some information technologies over others, unless the mandatory use of particular information technologies for the creation and operation of state information systems is established by federal laws.


The "National Security Strategy of the Russian Federation until 2020". Structure, tasks, methods and means by which the state performs its information security functions according to the "Information Security Doctrine of the Russian Federation".

The National Security Strategy of the Russian Federation until 2020 is the officially recognized system of strategic priorities, goals and measures in the sphere of domestic and foreign policy that determine the state of national security and the level of sustainable development of the state in the long term.

The Information Security Doctrine of the Russian Federation is the totality of official views on the goals, objectives, principles and main directions of ensuring the information security of the Russian Federation.

Components of the national interests of the Russian Federation in the information sphere according to the Doctrine:

1) Mandatory observance of the constitutional rights and freedoms of citizens in the sphere of obtaining and using information.

2) Information support of the state policy of the Russian Federation (informing the citizens of the Russian Federation and the international community about the state policy of the Russian Federation and its official position on socially significant events in Russia and the world), with citizens' access to the open state information resources.

3) Development of a modern domestic IT industry (information, telecommunications and communications). Supplying the domestic IT market of Russia and entering the world market.

4) Protection of information resources from unauthorized access; security of information and telecommunication systems.

Types of threats to the information security of the Russian Federation according to the Doctrine:

1. Threats to the constitutional rights and freedoms of citizens in the sphere of information activity.

2. Threats to the information support of the state policy of the Russian Federation.

3. Threats to the development of the modern domestic IT industry and to its entry into the domestic and world markets.

4. Threats to the security of information and telecommunication facilities and systems.

Methods of ensuring the information security of the Russian Federation according to the Doctrine:

Legal methods

Development of normative legal acts regulating relations in the field of IT

Organizational and technical methods

Creation of the information security system of the Russian Federation and its improvement

Bringing to account persons who have committed offences in this sphere

Creation of systems and means for preventing unauthorized access to the information being processed

Economic methods

Development of programmes for ensuring information security and their financing

Financing of work related to ensuring the information security of the Russian Federation

Clearly, as the importance and necessity of information security become understood, attention to information security issues steadily grows.

One need not look far to explain this trend: numerous compromises of information systems bring financial and reputational losses, and in a number of cases they have proved fatal for the business concerned. Thus, ensuring the security of an organization's information becomes not only a guarantee of uninterrupted operation but also a criterion of reliability for its partners and clients.

The market follows the same rules, and the criteria for measuring the level of protection and the effectiveness of information security processes are the same for all its players. This role is played by standards, which help a company achieve the necessary balance of protection. The most popular standards in the Russian banking sector are the ISO/IEC 27000 series, the Bank of Russia standard on ensuring the information security of organizations of the banking system, and the Payment Card Industry Data Security Standard (PCI DSS).

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed and published the ISO/IEC 27000 series of standards. Accredited auditing companies have the right to certify against these standards within the powers granted to them.

The absence of a strict requirement for participants in the Russian market to comply with the standard means that its spread is rather low. For example, in Japan alone the number of companies that have passed a conformity audit against the international standard exceeds the corresponding figure for Russia and the CIS countries by a factor of 200.

At the same time, one cannot fail to note that the statistics do not cover all the cases in which companies actually use the standard but have not undergone formal certification. In other words, in Russia and the CIS countries there are many companies that have decided to build a process for managing and improving the level of information security not for the sake of a certificate but for real benefit. The point is that the 27000-series standards are often the first step in the development of information security systems, and their use as a guideline is the foundation on which the further growth and development of an effective information security management system is built.

STO BR IBBS is a standard close to ISO/IEC 27001, created by the Bank of Russia for organizations of the banking sector; it defines the requirements for an acceptable level of the current state of information security and for the processes of managing the security of banks. Its declared main goals are to increase confidence in the banking sector, to ensure protection against security threats and to reduce losses in the event of information security incidents. The standard is recommendatory in nature and was not particularly popular until the 2010 version.

The active promotion of STO BR IBBS began with the release of a version of the standard that included methods of ensuring the security of personal data, and with the subsequent information letter that recognized adoption of the standard as an alternative way of ensuring the security of personal data in banks. At present, according to unofficial statistics, about 70% of banks have adopted the Bank of Russia standard as a mandatory document.

The STO BR IBBS standard is a dynamically developing set of documents that adequately reflects current threats and helps to ensure and manage information security. Its use in banks is already becoming a de facto necessity despite its officially recommendatory status, and for organizations outside the financial sphere the documents of the IBBS complex can serve as a set of good practices for ensuring the security of information.

Finally, another very important standard for financial organizations is the Payment Card Industry Data Security Standard (PCI DSS). It was created by the five largest payment systems, Visa, MasterCard, JCB, American Express and Discover, which organized the Payment Card Industry Security Standards Council (PCI SSC). Payment cards must be serviced according to uniform rules and with an appropriate level of information security. Obviously, security is a key factor in using technologies that involve money, so protecting payment card data is a priority task for any payment system.

The key difference of the PCI DSS standard from those considered above is its mandatory application by all organizations that process payment cards. The requirements for validating conformity depend on the number of transactions processed: from self-assessment to a certification audit. The latter is carried out by companies holding PCI QSA status.

A key feature of the emergence of PCI DSS was the setting of firm deadlines for achieving conformity. This led most of the large players in the payment card industry to bring their systems into line with the standard, which in turn raised the level of protection of the other participants in card payments.

Although the standard emerged as an initiative of the largest players in the payment system industry, it has now reached a status at which it can serve as a guide for organizations that do not belong to this industry. The main advantage of using it is its regular updating, which reflects current measures and recommendations for reducing information security threats.

Applying standards and conforming to their requirements is undoubtedly good practice and a big step forward in building an information security system. Unfortunately, however, the fact of conformity by itself does not guarantee a high level of protection. A certificate is valid for a certain period, during which procedures created only for formal conformity may cease to be performed. Thus it may turn out that the organization's information security system no longer corresponds to the assessment made during the audit.

In addition, when analysing possible risks one cannot exclude the human factor, which can mean mistakes by the auditors themselves in defining the scope of verification, the set of components being verified and the conclusions drawn.

In conclusion, it should be noted that conformity to standards does not replace the continuous process of ensuring the security of critical information. There is no ideal security, but the use of various tools makes it possible to reach the highest achievable level of information security. Information security standards are precisely such a tool.


One of the most important problems facing modern society is the protection of human rights when people are drawn into processes of information interaction, including the right to protection of personal information in the processes of automated information processing.

I. N. Malanich, 6th year student of VDU

The institution of personal data protection today is no longer a category that can be regulated by national law alone. The most important feature of today's automated information systems is the "supranational" character of many of them, their "crossing" of state borders, the development of publicly accessible global information networks such as the Internet, and the formation of a single information space within such international structures.

Today in the Russian Federation the problem is not only of introducing the institution of personal data protection in automated information processes into the legal field, but also of its correlation with the existing international legal standards in this area.

Three main trends can be identified in the international legal regulation of the institution of personal data protection, related primarily to the processes of automated information processing.

1) Declaration of the right to protection of personal data as an integral part of fundamental human rights in acts of a general humanitarian nature adopted within the framework of international organizations.

2) Consolidation and regulation of the right to protection of personal information in acts of a regulatory nature of the European Union, the Council of Europe, partly the Commonwealth of Independent States and some other regional international organizations. This class of norms is the most universal and directly concerns the rights to protection of personal data in the processes of automated information processing.

3) Inclusion of norms on the protection of confidential information (including personal information) in international treaties.

The first way - historically showing up earlier for others. AT to the current worldіnformatsiyni pravnichiy and freedom є nevid'єmnoy part of the fundamental human rights.

The global declaration of human rights, 1948 I’ll say: “No one can give in to a good deal in a special family life, enough to encroach on ... a mystery of your correspondence” and nadali: “Skin people have the right to defend the law in the face of such an act or such encroachment.” International Pact on Public and Political Rights, 1966 in this part I repeat the declaration. European Convention 1950 detail the right: “The skin of a person has the right to freedom of expression by looking. This right includes the freedom to look at one's own thoughts, to discriminate and spread information and ideas without vruchannya from the side of the sovereign bodies and independently from the sovereign cordons.

Appointed international documents secure information rights.

Ninі international equal was formed a system of looking at the informational rights of people. In a specific plan, the right to withdraw information, the right to privacy from the point of view of the protection of information about it, the right to protect information from the point of view of the security of the state, and from the point of view of the security of business, including financial activity.

The second way is more detailed regulation of the right to protection of personal information, driven by the growing intensity of processing personal data with automated computer information systems. In recent decades, a number of international documents have been adopted within several international organizations that develop the basic information rights in connection with the intensification of cross-border information exchange and the use of other modern technologies. Among such documents the following can be named:

In 1980 the Council of Europe adopted the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which entered into force in 1985. The Convention defines the procedure for collecting and processing personal data, the principles of storing and accessing these data, and methods of physical protection of data. It guarantees the protection of individual rights during the collection and processing of personal data and prohibits the collection of data on race, political views, health and religion without legal grounds. Russia acceded to the European Convention in November 2001.

In the European Union, the protection of personal data is regulated by a set of documents. In 1979 the European Parliament adopted the resolution "On the protection of the rights of the individual in connection with the progress of informatization". The resolution proposed that the Council and the Commission of the European Communities develop and adopt legal acts on the protection of personal data in connection with technical progress in the field of informatics. In 1980 a recommendation "On the basic principles of protecting privacy in the interstate exchange of personal data" was adopted for the member states of the European Union. The protection of personal data is regulated in detail by directives of the European Parliament and the Council of the European Union: Directive No. 95/46/EC and No. 2002/58/EC of the European Parliament and the Council of the European Union of 24 June 1995 "On the protection of individuals with regard to the processing of personal data and on the free movement of such data", Directive No. 97/66/EC of the European Parliament and the Council of the European Union of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector, and other documents.

The acts of the European Union are characterized by detailed elaboration of the principles and criteria for automated data processing, the rights and obligations of data subjects and holders of personal data, the issues of cross-border transfer, as well as liability and sanctions for violations. Under Directive No. 95/46/EC, a Working Party on the protection of individuals with regard to the processing of their personal data was created in the European Union. It has the status of an advisory body acting as an independent structure. The Working Party is composed of a representative of the authority created by each member state to supervise compliance with the provisions of the Directive on its territory, a representative of the body or bodies established for the institutions and structures of the Union, and a representative of the European Commission.

Within the Organisation for Economic Co-operation and Development (OECD), the "Basic Provisions on the Protection of Privacy and International Exchange of Personal Data" were adopted on 23 September 1980. The preamble of this document states: "... The OECD countries considered it necessary to develop Basic Provisions that could help unify national privacy laws while ensuring that the relevant human rights are respected." These provisions apply both in the public and in the private sector to personal data which, either because of the procedure of their processing or because of their nature or the context of their use, pose a threat to privacy and individual freedoms. It is established that personal data must be protected by appropriate security mechanisms against the risks of loss, destruction, modification or disclosure and against unauthorized access. Russia, unfortunately, does not take part in this organisation.

On 16 July 1999 the Interparliamentary Assembly of the member states of the Commonwealth of Independent States adopted the Model Law "On Personal Data".

Under this law, "personal data" is information (recorded on a material carrier) about a specific person who is identified or can be identified from it. Personal data includes biographical and identification data, personal characteristics, information about family status, social status, education, profession, official and financial position, state of health and other information. The law also establishes the principles of legal regulation of personal data, the forms of state regulation of operations with personal data, and the rights and obligations of subjects and holders of personal data.

Thus, the second way of normative regulation of personal data protection in international legal acts can be analysed as follows. The norms of this class not only regulate social relations in this field, but also bring the legislation of the member states into line with international standards, ensuring the implementation of these norms on their territory. In this way the information rights enshrined and guaranteed by the Universal Declaration of Human Rights acquire the meaning declared by Article 12 of the latter: "the right to the protection of the law against such interference or attacks".

The third way of fixing norms on the protection of personal data is the consolidation of their legal protection in international treaties.

Articles on the exchange of information are included in international treaties on legal assistance, on the avoidance of double taxation, and on cooperation in the civil and cultural spheres.

Under Art. 25 of the Agreement between the Russian Federation and the United States on the avoidance of double taxation and the prevention of tax evasion with respect to taxes on income and capital, the states are obliged to provide information that may constitute a professional secret. The Agreement between the Russian Federation and the Republic of India on mutual legal assistance in criminal matters contains Article 15 "Confidentiality": the requested party may be asked to ensure the confidentiality of the transmitted information. The practice of concluding international treaties shows the tendency of the contracting states to respect international standards for the protection of personal data.

Clearly, the most effective mechanism for regulating this institution at the international legal level is the adoption of special regulatory documents within international organizations. This mechanism not only supports the internal regulation of the pressing problems raised at the beginning of this section and the protection of personal information within these organizations, but also has a positive effect on the national legislation of the participating countries.

Let us consider the most important international standards in the field of information security.

The ISO 17799 standard "Code of practice for information security management" considers the following aspects of information security:

Basic concepts and definitions;

Information security policy;

Organizational security issues;

Asset classification and management;

Personnel security issues;

Physical and environmental security;

Communications and operations management;

Access control;

Systems development and maintenance;

Business continuity management;

Internal information security audit;

Compliance with legislative requirements.

An important place in the system of standards is occupied by ISO 15408 "Evaluation Criteria for Information Technology Security", known as the "Common Criteria". The Common Criteria classify a wide range of information technology security requirements, define the structure of their grouping and the principles of their selection.

An important component of the system of standards is PKI (Public Key Infrastructure). This infrastructure presupposes a network of certification authorities (key certification centres) and the use of digital certificates that conform to the X.509 recommendation.
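As an added illustration of what a PKI relying party actually does with X.509 certificates (this is example code written for this page, not code from any standard or certification authority), the following Python script builds a tiny chain of trust and validates it. It assumes the third-party `cryptography` package is installed; the names "Demo Root CA" and "www.example.test" and the validity periods are constructed for the demonstration.

```python
"""A two-level X.509 chain (root CA -> end-entity certificate) built and then
validated the way a PKI relying party validates it: issuer found by name,
issuer flagged as a CA, issuer signature verified, validity window checked,
chain ending in a trusted anchor. Requires the third-party `cryptography`
package (assumed installed; not part of the page)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn_value: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn_value)])


def cn(name: x509.Name) -> str:
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def utc_now() -> datetime:
    return datetime.now(timezone.utc).replace(tzinfo=None)   # naive UTC


def issue(subject_cn, issuer_cn, subject_key, issuer_key, is_ca_cert, days):
    """Issue a certificate for `subject_key`, signed with `issuer_key`."""
    now = utc_now()
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca_cert, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def validity(cert) -> Tuple[datetime, datetime]:
    """(not_before, not_after) as naive UTC, for both old and new library versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def is_ca(cert) -> bool:
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, issuer) -> bool:
    """Does the issuer's public key verify the signature over the TBS part?"""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, intermediates, anchors, now=None) -> List[str]:
    """Walk from `leaf` towards a trust anchor; return the problems found
    (an empty list means the chain is valid at time `now`)."""
    now = now or utc_now()
    problems, current = [], leaf
    for _ in range(8):                      # bound the walk; refuses looping input
        not_before, not_after = validity(current)
        if not (not_before <= now <= not_after):
            problems.append(f"{cn(current.subject)}: outside validity period")
        if current in anchors:
            return problems                 # reached a trusted root
        issuer = next((c for c in list(intermediates) + list(anchors)
                       if c.subject == current.issuer), None)
        if issuer is None:
            problems.append(f"{cn(current.subject)}: issuer {cn(current.issuer)} not trusted")
            return problems
        if not is_ca(issuer):
            problems.append(f"{cn(issuer.subject)}: issuer is not marked as a CA")
        if not signed_by(current, issuer):
            problems.append(f"{cn(current.subject)}: signature does not verify")
        current = issuer
    problems.append("chain too long")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a demo root, a server certificate it issued, and a
    rogue self-signed certificate that merely names the root as its issuer."""
    root_key, server_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Demo Root CA", "Demo Root CA", root_key, root_key, True, 3650)
    server = issue("www.example.test", "Demo Root CA", server_key, root_key, False, 90)
    rogue = issue("www.example.test", "Demo Root CA", rogue_key, rogue_key, False, 90)
    return {
        "valid": verify_chain(server, [], [root]),
        "rogue": verify_chain(rogue, [], [root]),
        "expired": verify_chain(server, [], [root], now=utc_now() + timedelta(days=400)),
        "untrusted": verify_chain(server, [], []),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:10} {'OK' if not problems else '; '.join(problems)}")
```

The point the example makes is that a certificate is only as trustworthy as the path from it to an anchor the relying party already trusts: matching the issuer name is not enough (the rogue case fails on the signature), and a chain that verified yesterday can be invalid today (the expired case), which is why real validators also consult revocation information, something this small example omits.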

Russian information security standards

GOST R 50739-95. Computer equipment. Protection against unauthorized access to information. General technical requirements. Gosstandart of Russia

GOST R 50922-2006. Information protection. Basic terms and definitions. Gosstandart of Russia

GOST R 51188-98. Information protection. Testing of software for the presence of computer viruses. Model manual. Gosstandart of Russia

GOST R 51275-2006. Information protection. Object of informatization. Factors affecting information. General provisions. Gosstandart of Russia

GOST R 51583-2000. Information protection. Procedure for creating automated systems in protected design. General provisions

GOST R 51624-2000. Information protection. Automated systems in protected design. General requirements

GOST R 52069-2003. Information protection. System of standards. Basic provisions

GOST R 53131-2008 (ISO/IEC TR 24762-2008). Information protection. Recommendations for services for the recovery of information and telecommunication technology security functions and mechanisms after emergencies. General provisions

GOST R ISO 7498-1-99. Information technology. Open systems interconnection. Basic reference model. Part 1. The basic model. Gosstandart of Russia

GOST R ISO 7498-2-99. Information technology. Open systems interconnection. Basic reference model. Part 2. Security architecture. Gosstandart of Russia

GOST R ISO/IEC 13335-1-2006. Information technology. Security techniques. Part 1. Concepts and models for information and telecommunication technology security management

GOST R ISO/IEC TR 13335-3-2007. Information technology. Security techniques. Part 3. Techniques for the management of information technology security

GOST R ISO/IEC TR 13335-4-2007. Information technology. Security techniques. Part 4

GOST R ISO/IEC TR 13335-5-2007. Information technology. Security techniques. Part 5. Guidance on security management

GOST R ISO/IEC 15408-1-2008. Security techniques. Evaluation criteria for information technology security. Part 1. Introduction and general model. Gosstandart of Russia

GOST R ISO/IEC 15408-2-2008. Security techniques. Evaluation criteria for information technology security. Part 2. Security functional requirements. Gosstandart of Russia

GOST R ISO/IEC 15408-3-2008. Security techniques. Evaluation criteria for information technology security. Part 3. Security assurance requirements. Gosstandart of Russia

GOST R ISO/IEC TR 15443-1-2011. Information technology. Security techniques. A framework for IT security assurance. Part 1. Overview of the framework

GOST R ISO/IEC TR 15443-2-2011. Information technology. Security techniques. A framework for IT security assurance. Part 2. Assurance methods

GOST R ISO/IEC TR 15443-3-2011. Information technology. Security techniques. A framework for IT security assurance. Part 3. Analysis of assurance methods

GOST R ISO/IEC 17799-2005. Information technology. Security techniques. Code of practice for information security management

GOST R ISO/IEC 18028-1-2008. Information technology. Security techniques. IT network security. Network security management

GOST R ISO/IEC TR 19791-2008. Information technology. Security techniques. Security assessment of automated systems

GOST R ISO/IEC 27001-2006. Security techniques. Information security management systems. Requirements

GOST R ISO/IEC 27004-2011. Information technology. Security techniques. Information security management. Measurement

GOST R ISO/IEC 27005-2009. Information technology. Security techniques. Information security risk management

GOST R ISO/IEC 27033-1-2011. Information technology. Security techniques. Network security. Part 1. Overview and concepts

GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic transformation algorithm.

GOST R 34.10-2001. Information technology. Cryptographic protection of information. Processes of generation and verification of electronic digital signature.

GOST R 34.11-94. Information technology. Cryptographic protection of information. Hash function.

Even more important is the family of international standards for information security management of the ISO 27000 series (they are periodically adopted as Russian state standards). Of particular note are GOST/ISO 27001 (Information security management systems) and GOST/ISO 27002 (17799) (Code of practice for information security management).

Firewall technologies

A firewall (in Russian usage, "intermediary network screen", ME) is a complex of hardware and software that controls and filters the network packets passing through it according to a set of rules. The ME is also called a firewall (German: Brandmauer; English: firewall). The ME allows the network to be divided into two parts and a set of rules to be implemented that determine the passage of data packets through the screen from one part of the network to the other. Usually the ME is installed between the corporate (local) network and the Internet, protecting the internal network of the enterprise from attacks from the global network, but it can also protect a local network from threats originating on the corporate side.

The main task of the firewall is to protect computer networks or individual nodes from unauthorized access. Firewalls are often called filters, since their main task is to not let through (to filter out) packets that do not meet the criteria defined in the configuration.
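The following script is an added example written for this page (not code from the text or from any firewall product) that models the filtering logic just described: an ordered rule set, first-match evaluation, and a default-deny decision for packets no rule matches. It uses only the Python standard library; the network layout (a 10.0.0.0/8 LAN on the "inside" interface, a web server at 10.1.1.10, an administrators' subnet) and the sample packets are constructed for the demonstration.

```python
"""Rule-based packet filter: a model of the first-match, default-deny logic a
firewall applies to packets crossing between two parts of a network."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    iface: Optional[str] = None              # None matches any interface
    proto: Optional[str] = None              # None matches any protocol
    src: str = "0.0.0.0/0"                   # source network (CIDR) the rule covers
    dst: str = "0.0.0.0/0"                   # destination network (CIDR) the rule covers
    ports: Optional[Tuple[int, ...]] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule that is set agrees with the packet."""
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports is not None and pkt.dport not in self.ports:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided). The first matching rule
    wins, so rule order is part of the policy; a packet no rule matches is
    dropped (default deny), which is what keeps an incomplete rule set safe."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def rule_hits(rules: List[Rule], packets: Iterable[Packet]) -> List[int]:
    """Number of packets in `packets` decided by each rule. A rule with zero
    hits on representative traffic is a candidate for being shadowed or dead."""
    hits = Counter(evaluate(rules, p)[1] for p in packets)
    return [hits[i] for i in range(len(rules))]


# Constructed policy for a fictitious site: LAN 10.0.0.0/8 behind the "inside"
# interface, a web server at 10.1.1.10, and an administrators' subnet.
LAN, WEB, ADMIN = "10.0.0.0/8", "10.1.1.10/32", "10.0.5.0/24"
RULES = [
    Rule("deny", iface="outside", src=LAN),                       # 0: anti-spoofing
    Rule("allow", proto="tcp", dst=WEB, ports=(80, 443)),         # 1: public web
    Rule("allow", proto="tcp", src=ADMIN, dst=WEB, ports=(22,)),  # 2: admin SSH
    Rule("allow", iface="inside", src=LAN),                       # 3: LAN egress
]

# Constructed sample traffic (documentation-range addresses outside the LAN).
SAMPLE = [
    Packet("outside", "203.0.113.5", "10.1.1.10", "tcp", 443),
    Packet("outside", "203.0.113.5", "10.1.1.10", "tcp", 22),
    Packet("inside", "10.0.5.7", "10.1.1.10", "tcp", 22),
    Packet("outside", "10.0.5.7", "10.1.1.10", "tcp", 22),    # spoofed LAN source
    Packet("inside", "10.2.3.4", "198.51.100.1", "tcp", 443),
    Packet("outside", "203.0.113.5", "10.2.3.4", "tcp", 3389),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        action, idx = evaluate(RULES, pkt)
        print(f"{pkt.iface:7} {pkt.src:>13} -> {pkt.dst:<13} {pkt.proto}/{pkt.dport:<5} "
              f"{action:5} rule={idx}")
    print("hits per rule:", rule_hits(RULES, SAMPLE))
```

Two details worth noticing: the anti-spoofing rule sits first so that a packet arriving on the outside interface with a LAN source address is dropped before the SSH rule can admit it, and the inbound SSH attempt from the Internet is dropped not by an explicit rule but by the default-deny fall-through, which is the behaviour the text describes as "filtering out packets that do not meet the configured criteria".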
