Information security standards

International information security standards

Let's look at the most well-known international standards in the field of information security.

The ISO 17799 standard “Practical Rules for Information Security Management” covers the following aspects of information security:

  • basic concepts and definitions;
  • information security policy;
  • organizational security issues;
  • asset classification and management;
  • security issues related to personnel;
  • physical and environmental protection;
  • management of data transfer and operational activities;
  • access control;
  • systems development and maintenance;
  • business continuity management;
  • internal audit of the company's information security;
  • compliance with legal requirements.

An important place in the system of standards is occupied by ISO 15408 “General Criteria for Information Technology Security Evaluation”, known as the “Common Criteria”. The Common Criteria classify a wide range of information technology security requirements and define their grouping structures and principles of use.

An important component of the standards system is the public key infrastructure (PKI). This infrastructure involves the deployment of a network of key certification authorities and the use of digital certificates that comply with the X.509 recommendations.

Russian information security standards

GOST R 50739-95. Computer facilities. Protection against unauthorized access to information. General technical requirements. Gosstandart of Russia

GOST R 50922-2006. Data protection. Basic terms and definitions. Gosstandart of Russia

GOST R 51188-98. Data protection. Testing software for the presence of computer viruses. Model manual. Gosstandart of Russia

GOST R 51275-2006. Data protection. Information object. Factors influencing information. General provisions. Gosstandart of Russia

GOST R 51583-2000. Data protection. Procedure for creating automated systems in a secure design. General provisions

GOST R 51624-2000. Data protection. Automated systems in a secure design. General requirements

GOST R 52069-2003. Data protection. System of standards. Basic provisions

GOST R 53131-2008 (ISO/IEC TR 24762-2008). Data protection. Recommendations for disaster recovery services for information and telecommunications technology security functions and mechanisms. General provisions

GOST R ISO 7498-1-99. Information technology. Interconnection of open systems. Basic reference model. Part 1. Basic model. Gosstandart of Russia

GOST R ISO 7498-2-99. Information technology. Interconnection of open systems. Basic reference model. Part 2. Information security architecture. Gosstandart of Russia

GOST R ISO/IEC 13335-1-2006. Information technology. Methods and means of ensuring security. Part 1. Concept and models of security management of information and telecommunication technologies

GOST R ISO/IEC TR 13335-3-2007. Information technology. Methods and means of ensuring security. Part 3. Information technology security management methods

GOST R ISO/IEC TR 13335-4-2007. Information technology. Methods and means of ensuring security. Part 4. Selection of protective measures

GOST R ISO/IEC TR 13335-5-2007. Information technology. Methods and means of ensuring security. Part 5. Network security management guide

GOST R ISO/IEC 15408-1-2008. Methods and means of ensuring security. Criteria for assessing information technology security. Part 1. Introduction and general model. Gosstandart of Russia

GOST R ISO/IEC 15408-2-2008. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional security requirements. Gosstandart of Russia

GOST R ISO/IEC 15408-3-2008. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements. Gosstandart of Russia

GOST R ISO/IEC TR 15443-1-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1. Overview and basics

GOST R ISO/IEC TR 15443-2-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 2. Trust methods

GOST R ISO/IEC TR 15443-3-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 3. Analysis of trust methods

GOST R ISO/IEC 17799-2005. Information technology. Methods and means of ensuring security. Information security management practices

GOST R ISO/IEC 18028-1-2008. Information technology. Methods and means of ensuring security. Network security of information technologies. Network security management

GOST R ISO/IEC TR 19791-2008. Information technology. Methods and means of ensuring security. Security assessment of automated systems

GOST R ISO/IEC 27001-2006. Methods and means of ensuring security. Information security management systems. Requirements

GOST R ISO/IEC 27004-2011. Information technology. Methods and means of ensuring security. Information security management. Measurements

GOST R ISO/IEC 27005-2009. Information technology. Methods and means of ensuring security. Information security risk management

GOST R ISO/IEC 27033-1-2011. Information technology. Methods and means of ensuring security. Network security. Part 1. Overview and concepts

GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic conversion algorithm.

GOST R 34.10-2001. Information technology. Cryptographic information protection. Processes for generating and verifying an electronic digital signature.

GOST R 34.11-94. Information technology. Cryptographic information protection. Hash functions.

The ISO 27000 series of international standards for information security management (which, with some delay, are also adopted as Russian state standards) is very important. We especially note GOST/ISO 27001 (Information security management systems) and GOST/ISO 27002 (17799) (Practical rules for information security management).

Firewall Technologies

A firewall (ME, from the Russian “межсетевой экран”) is a set of hardware or software components that monitors and filters the network packets passing through it in accordance with specified rules. A firewall is also called a Brandmauer (German) or a firewall (English). A firewall allows you to split a shared network into two parts and implement a set of rules that determine the conditions under which data packets pass through the screen from one part of the network to the other. Typically, the firewall is installed between the corporate (local) network and the Internet, protecting the enterprise's internal network from attacks from the global network, but it can also protect a local network from threats from the corporate network.

The main purpose of a firewall is to protect computer networks or individual nodes from unauthorized access. Firewalls are often called filters, since their main task is to block (filter out) packets that do not meet the criteria defined in the configuration.
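The rule model just described (an ordered rule list consulted for every packet, with anything unmatched dropped) can be shown in a few dozen lines. The following is an added example written for this page, not the article's own code or any vendor's product; the packet fields, the rule format and the sample policy and traffic are simplified, constructed assumptions. The filter is stateless, so a real deployment would also need connection tracking to admit return traffic for LAN-initiated sessions.

```python
"""Minimal stateless, first-match, default-deny packet filter (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None # destination port, None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR prefix; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet no rule matches is dropped (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed policy for a screen between the Internet and a corporate LAN
# 10.0.0.0/8 that publishes one HTTPS server at 10.0.1.10.
CORPORATE_RULES = [
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=443),  # HTTPS to the published server
    Rule("allow", src="10.0.0.0/8", proto="tcp"),               # LAN hosts may open outbound TCP
    Rule("deny", dst="10.0.0.0/8"),                              # all other inbound traffic is dropped
]

# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("203.0.113.5", "10.0.1.10", "tcp", 443),   # allowed by rule 1
    Packet("203.0.113.5", "10.0.1.10", "tcp", 22),    # SSH from the Internet: denied by rule 3
    Packet("10.0.2.7", "198.51.100.1", "tcp", 80),    # outbound browsing: allowed by rule 2
    Packet("203.0.113.5", "10.0.2.7", "udp", 53),     # unsolicited inbound UDP: denied by rule 3
    Packet("10.0.2.7", "198.51.100.1", "udp", 53),    # outbound UDP: no rule matches, default deny
]


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return the verdict for each packet, in order."""
    return [filter_packet(rules, p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, decisions(CORPORATE_RULES, SAMPLE_PACKETS)):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict}")
```

The last sample packet is the instructive one: nothing in the policy mentions outbound UDP, so the packet is dropped not because a rule says so but because the filter's default is to deny, which is the behaviour the text describes.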

The problem of computer information security is not new: specialists have been dealing with it from the very moment the computer began to process data of high value to the user. However, in recent years, due to the development of networks and the growing demand for electronic services, the situation in the field of information security has seriously deteriorated, and the issue of standardizing approaches to solving it has become especially relevant for both developers and users of IT tools.

Why do you need to know the theory?

Any information security specialist goes through three stages in his professional development. The first of them is “working with your hands.” The newcomer intensively, using specialized tools, searches for and eliminates very specific gaps in system and application software. Scanner, patch, port, connection - these are the entities with which he works at this stage.

The second stage is “working with your head.” Tired of plugging more and more new gaps, the specialist begins to develop plans and methods, the purpose of which is to streamline actions to improve the security of systems and eliminate the consequences of information threats. It is at this stage that the concept of “security policy” arises.

Finally, the time comes for reflection - at this stage, a seasoned specialist understands that he is most likely reinventing the wheel, since security strategies have probably already been developed before him. And in this he is certainly right.

Numerous organizations around the world have been dealing with the problem of information security for a long time; the result of their activities has been weighty volumes of standards, regulations, recommendations, rules, etc. It is hardly advisable to study the entire volume, but it is, of course, worth knowing the fundamental documents. Therefore, in this article we will mention only the most important Russian and international provisions that establish standards in the field of information security.

Information security concept

The development of information and telecommunication systems for various purposes (primarily the Internet), as well as the electronic exchange of valuable information in need of protection, required specialists working in this field to systematize and streamline the basic requirements and characteristics of computer systems in terms of security. However, before moving on to the consideration of the formed standards, it is necessary to define what security is.

Considering the importance of the concept, we will try to formulate its expanded definition, which will take into account the latest international and domestic developments in this area. So, information security is a state of data resistance to accidental or intentional influences, excluding unacceptable risks of their destruction, distortion and disclosure, which lead to material damage to the owner or user. This definition most fully takes into account the main purpose of a commercial information computer system - minimizing financial losses, obtaining maximum profits in the face of real risks.

This provision is especially relevant for so-called public open systems that process proprietary restricted-access information not containing state secrets. Today, systems of this type are rapidly developing both in the world and in our country.

International Information Security Standard

It is well known that standardization is the basis of all kinds of methods for determining the quality of products and services. One of the main results of such activities in the field of systematization of the requirements and characteristics of secure information systems was the System of international and national information security standards, which contains more than a hundred different documents. An example is the ISO 15408 standard, known as the "Common Criteria".

The basic information security standard ISO 15408, adopted in 1998, is certainly very important for Russian developers. Moreover, this year, 2001, Gosstandart plans to prepare a harmonized version of this document. The International Organization for Standardization (ISO) began developing the international standard of general-purpose information technology security evaluation criteria, the “Common Criteria”, in 1990. The following took part in its creation: the National Institute of Standards and Technology and the National Security Agency (USA), the Communications Security Establishment (Canada), the Information Security Agency (Germany), the National Communications Security Agency (Holland), the implementing authorities of the IT Security and Certification Program (England), and the Center for Systems Security (France). Once the standard was finalized, it was given the number ISO 15408.

The Common Criteria (CC) were created for the mutual recognition of IT security assessment results on a global scale and represent its basis. They allow you to compare the results of independent assessments of information security and risk tolerance based on a set of general requirements for the security functions of IT tools and systems, as well as the guarantees applied to them during the testing process.

The main advantages of the CC are the completeness of their information security requirements, flexibility in application and openness to subsequent development taking into account the latest achievements of science and technology. The criteria are designed to meet the needs of all three user groups (consumers, developers and evaluators) when examining the security properties of an IT tool or system (the object of evaluation). This standard is useful as a guide when developing IT security features, as well as when purchasing commercial products with such features. The main focus of the assessment is threats arising from malicious human actions, but the CC can also be used in assessing threats caused by other factors. In the future, it is expected that specialized requirements will be created for the commercial credit and financial sector. Let us recall that previous domestic and foreign documents of this type were tied to the conditions of a government or military system that processes classified information that may contain state secrets.

The release and implementation of this standard abroad is accompanied by the development of a new, standardized architecture designed to ensure the information security of computing systems. In other words, computer hardware and software are created that meet the Common Criteria. For example, the international organization “Open Group”, which unites about 200 leading computing and telecommunications companies from around the world, has released a new information security architecture for commercial automated systems that takes these criteria into account. In addition, “Open Group” creates training programs that facilitate the rapid and high-quality implementation of standardization documents.

Features of the Internet standardization process

The Global Network has long had a number of committees that deal with the standardization of all Internet technologies. These organizations, which form the bulk of the Internet Engineering Task Force (IETF), have already standardized several important protocols, thereby accelerating their adoption on the Internet. The TCP/IP family of protocols for data transfer, SMTP and POP for email, as well as SNMP (Simple Network Management Protocol) for network management are the results of the IETF.

Over the past few years, the online market has witnessed what is known as a fragmented influence on standards formation. As the Internet expanded into consumer and commercial markets, some firms began to look for ways to influence standardization by creating a semblance of competition. Even informal bodies such as the IETF felt the pressure. As Internet-related markets developed, entrepreneurs began to form special groups or consortia to promote their own standards. Examples include OMG (Object Management Group), VRML (Virtual Reality Markup Language) Forum and Java Development Connection. Sometimes serious consumers of Internet services set de facto standards with their purchases or orders.

One of the reasons for the appearance of the various standardization groups lies in the contradiction between the ever-increasing pace of technology development and the long cycle of creating standards.

Internet Security Standards

Secure data transmission protocols, namely SSL (TLS), SET and IPv6, are popular as means of ensuring security on the Internet. They appeared relatively recently and immediately became de facto standards.

SSL (TLS)

The most popular network protocol today for encrypting data for secure transmission over a network; it is a set of cryptographic algorithms, methods and rules for their application. It allows you to establish a secure connection, monitor data integrity and solve various related problems.

SET

SET (Secure Electronic Transaction) is a promising protocol that provides secure electronic transactions on the Internet. It is based on the use of digital certificates according to the X.509 standard and is intended for organizing electronic commerce over the network.

This protocol is a standard developed by MasterCard and Visa with the participation of IBM, GlobeSet and other partners. It allows customers to purchase goods online using the most secure payment mechanism available today. SET is an open standard multilateral protocol for making payments on the Internet using plastic cards. It provides cross-authentication between the cardholder's account, the merchant and the merchant's bank to verify payment readiness, as well as message integrity and secrecy, and encryption of valuable and sensitive data. SET can be considered a standard technology or system of protocols for making secure payments based on plastic cards over the Internet.

IPSec

The IPSec specification is included in the IPv6 standard and is an addition to the current version of the TCP/IP protocols. It is developed by the IETF IP Security working group. IPSec currently includes three algorithm-independent core specifications, represented by the corresponding RFC standards.

The IPSec protocol provides a standard way of encrypting traffic at the network (third) layer, the IP layer, and protects information by means of end-to-end encryption: regardless of the running application, every data packet passing through the channel is encrypted. It allows organizations to create virtual private networks over the Internet. IPSec runs on top of conventional communications protocols and supports DES, MD5 and a number of other cryptographic algorithms.

Ensuring information security at the network level with IPSec includes:

  • support for unmodified end systems;
  • support for transport protocols other than TCP;
  • support for virtual networks over unprotected networks;
  • protection of transport-layer headers from interception (protection from unauthorized traffic analysis);
  • protection against denial of service attacks.

In addition, IPSec has two important advantages:

  1. its use does not require changes in intermediate network devices;
  2. Desktops and servers do not necessarily need to support IPSec.
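Two of the properties in the list above, per-packet protection that is independent of the application and resistance to denial of service, can be illustrated with the receiver-side mechanism IPsec uses for them: an integrity tag over every packet plus a sliding anti-replay window, so that a captured packet fed back into the channel is discarded rather than processed. The following is an added example written for this page, not the article's code and not the real AH/ESP wire format: it uses HMAC-SHA256 from the standard library, a 32-bit sequence number and a 32-packet window, and omits the encryption that ESP adds (the Python standard library has no block cipher). The key and packets are constructed for the demonstration.

```python
"""AH-style integrity tag plus sliding anti-replay window (simplified added example)."""
import hashlib
import hmac
import struct
from typing import List, Optional

KEY = b"constructed-demo-key-not-for-real-use"   # constructed; real keys come from IKE
WINDOW = 32                                        # replay window size in sequence numbers
TAG_LEN = 32                                       # HMAC-SHA256 output length


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Prefix the payload with a sequence number and append a tag over both.
    Applied to every packet, whatever application produced it."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each authentic sequence number at most once within the window."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap: bit i set <=> sequence number (highest - i) was accepted

    def accept(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is authentic and new, else None (dropped)."""
        if len(packet) < 4 + TAG_LEN:
            return None
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                    # forged or corrupted
        (seq,) = struct.unpack("!I", header)
        if seq > self.highest:                             # new high-water mark: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return payload
        offset = self.highest - seq
        if offset >= self.window:                          # too old to track: drop
            return None
        if self.seen & (1 << offset):                      # already accepted: replay
            return None
        self.seen |= 1 << offset                           # late but genuine: accept once
        return payload


def demo() -> List[Optional[bytes]]:
    """Constructed exchange: two packets, a replay of the first, and a tampered copy."""
    rx = Receiver()
    p1 = protect(1, b"app A data")
    p2 = protect(2, b"app B data")
    tampered = p2[:4] + b"X" + p2[5:]                      # flip one payload byte
    return [rx.accept(p1), rx.accept(p2), rx.accept(p1), rx.accept(tampered)]


if __name__ == "__main__":
    print(demo())   # accepted, accepted, replay dropped, tampered dropped
```

The window is what keeps the receiver cheap to run: one HMAC per packet and a bit test, with no unbounded list of seen sequence numbers that a flood could grow.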

Features of the Russian market

Historically, in Russia, IT security problems were studied and promptly resolved only in the area of protecting state secrets. Similar but specific problems in the commercial sector of the economy did not find appropriate solutions for a long time. This fact still significantly slows down the emergence and development of secure IT tools in the domestic market, which is being integrated with the global system. Moreover, information security in a commercial automated system has its own characteristics that simply must be taken into account, because they have a serious impact on information security technology. We list the main ones:

  1. Priority of economic factors. For a commercial automated system, it is very important to reduce or eliminate financial losses and ensure that the owner and users of this tool make a profit under real risks. An important condition for this, in particular, is the minimization of typical banking risks (for example, losses due to erroneous payment directions, falsification of payment documents, etc.);
  2. Openness of design, providing for the creation of an information security subsystem from tools that are widely available on the market and work in open systems;
  3. The legal significance of commercial information, which can be defined as a property of secure information that makes it possible to give legal force to electronic documents or information processes in accordance with the legal regime of information resources established by the legislation of the Russian Federation. This condition has recently become increasingly important in our country along with the creation of a regulatory framework for IT security (especially for the interaction of automated systems of different legal entities).

It is obvious that the creation of secure IT that processes confidential information that does not contain state secrets is extremely important for the economic and financial life of modern Russia. The application in Russia of the harmonized standard ISO 15408 (“Common Criteria”), reflecting the latest global achievements in assessing information security, will allow:

  • introduce Russian IT to modern international information security requirements, which will simplify, for example, the use of foreign products and the export of domestic ones;
  • facilitate the development of relevant Russian specialized regulatory and methodological materials for testing, assessment (monitoring) and certification of secure banking and other IT tools and systems;
  • create a basis for qualitative and quantitative assessment of the information risks necessary for insuring automated systems;
  • reduce the overall costs of maintaining an information security regime in banks and corporations by standardizing and unifying methods, measures and means of protecting information.

State standards

Among the various information technology security standards that exist in our country, a number of documents regulating the protection of the interconnection of open systems should be highlighted (Table 1, lines 1-3). To these you can add regulatory documents on tools, systems and criteria for assessing the security of computer equipment and automated systems (see Table 1, lines 4-8). The last group of documents, like many previously created foreign standards, is focused primarily on protecting state secrets.

Table 1. Regulatory documents governing IT security assessment

No. | Document number | Description
1 | GOST R ISO 7498-2-99 | Information technology. Interconnection of open systems. Basic reference model. Part 2. Information security architecture
2 | GOST R ISO/IEC 9594-8-98 | Information technology. Interconnection of open systems. Directory. Part 8. Authentication basics
3 | GOST R ISO/IEC 9594-9-95 | Information technology. Interconnection of open systems. Directory. Part 9. Duplication
4 | - | Guiding document of the State Technical Commission “RD. SVT. Firewalls. Protection from unauthorized access to information. Indicators of security from unauthorized access to information” (State Technical Commission of Russia, 1997)
5 | GOST R 50739-95 | “Computer technology. Protection against unauthorized access to information. General technical requirements”
6 | GOST 28147-89 | Information processing systems. Cryptographic protection. Cryptographic conversion algorithm
7 | GOST R 34.10-94 | Information technology. Cryptographic information protection. Procedures for generating and verifying an electronic signature based on an asymmetric cryptographic algorithm
8 | GOST R 34.11-94 | Information technology. Cryptographic information protection. Hash function

How and where different standards work

All currently available standards are multi-level. This means that their use is limited to a certain level of abstraction in information systems (for example, the “Common Criteria” cannot be used to describe in detail the mechanism for generating a session key in the TLS protocol). Obviously, in order to effectively apply standards, it is necessary to have a good understanding of their level and purpose.

Thus, when developing a security policy and a performance assessment system, as well as when conducting comprehensive security tests, it is best to use the provisions of ISO 15408 (“Common Criteria”). The corresponding GOST standards are intended for the implementation and assessment of the technical perfection of encryption and digital signature systems. If you need to protect a channel for exchanging arbitrary information, it is advisable to use the TLS protocol. When it comes not merely to protecting communication lines but to the security of financial transactions, SET comes into play, which includes channel security protocols as one of its lower-level standards.

From theory to practice

To demonstrate the practical importance of the above provisions, we provide a list of the security standards used in the comprehensive implementation of the InterBank electronic banking services.

The SSL (TLS) protocol can be used to protect the information exchange channel in the RS-Portal and Internet Client systems. The standards GOST 28147-89, GOST R 34.10-94 and GOST R 34.11-94, which regulate data encryption and the electronic digital signature mechanism, are implemented in all cryptographic protection systems of the “client-bank” type subsystems (“Client DOS”, “Windows Client”, “Internet Client”).

Using the IPSec protocol, you can transparently protect any information exchange channel between the client and the bank using the IP network protocol. This applies to both Internet systems (RS-Portal and Internet Client) and the RS-Mail email system, which supports IP operation.

We hope that the information provided in the article will help you assess the reliability of your systems, and the efforts and time of developers will be directed to creating truly the best tools that will become a new step in the development of information security technology.

It is almost impossible for information security professionals today to do without knowledge of the relevant standards and specifications. There are several reasons for this. The formal one is that the need to follow certain standards, such as “cryptographic” standards or “guidance documents,” is enshrined in law. However, the substantive reasons are the most convincing.

Firstly, standards and specifications are one of the forms of knowledge accumulation, primarily about the procedural and software and hardware levels of information security. They document proven, high-quality solutions and methodologies developed by the most qualified specialists.

Secondly, both are the main means of ensuring mutual compatibility of hardware-software systems and their components.

Thirdly, information security standards face the difficult task of reconciling three different points of view, the “security equipment manufacturer”, the “consumer” and various “certification specialists”, as well as creating an effective mechanism for interaction between all parties.

Consumers are interested in methods that allow them to choose a product that meets their needs and solves their problems (this could, for example, be a VPS running the Windows Server OS), for which they need a security rating scale. The consumer also needs a tool with which he can formulate his requirements to the manufacturer. Unfortunately, many consumers often do not understand that security requirements necessarily conflict not only with ease of use and performance, but more often impose certain restrictions on compatibility and, as a rule, force us to abandon widely used, easy-to-use, but less secure tools.

Certifiers view standards as a tool that allows them to assess the level of safety and enable consumers to make the most effective choices for themselves.

One of the first and most famous documents was the so-called “Orange Book”, developed in the 90s as the US Department of Defense's “Computer Systems Security Criteria”. It defines 4 security levels, A, B, C and D, where A is the highest level of security and, accordingly, imposes the most stringent requirements.

Although the “Orange Book” became one of the first and most famous documents, it is clear that every state that wants to ensure its information security developed its own documentation, “national standards” in the field of information security. These include the “European Information Technology Security Criteria”, the “Canadian Computer Systems Security Criteria” and the “British Information Security Management Practices” (on the basis of which, incidentally, the international standard ISO/IEC 17799:2000 (BS 7799-1:2000) was developed; at the moment the latest version of the standard is ISO/IEC 27001:2013), as well as the “Guiding documents of the State Technical Commission” of the USSR (and later of Russia).

It should be noted that the Americans highly appreciated the activities of the USSR State Technical Commission. American publications wrote that the Soviet body for protecting information and countering technical intelligence was carefully studying everything that was known in the West about the Soviet Union and developing “a huge amount of materials in order to distort the real picture.” The commission, they said, monitored all military parades and exercises attended by foreigners and the construction of missile bases and barracks, while in some areas achievements were deliberately hidden and in others, such as missile defense, greatly exaggerated. The activities of the State Technical Commission in this area indeed very soon bore their first fruits. As the American newspaper The New York Times wrote, already in 1977, as a result of measures taken at the shipyards of the USSR, the Americans had problems monitoring the progress of construction of Soviet submarines.

The results of the work of the State Technical Commission of the USSR during the Soviet period were not only an increase in the security of information at military-industrial complex enterprises, but also the testing of new types of weapons at testing grounds. Serious work has been done to ensure the security of information processed in automated control systems and computers, in particular, secure computer control systems and means for processing confidential documents have been created to prevent leakage of classified information, communication channels have been introduced at the level of government bodies and the high command of the Soviet Army, and much more.

It should also be noted that the role of standards indicated above is also recorded in the Federal Law “On Technical Regulation” dated December 27, 2002 N 184-FZ.

It should be noted that among the principles of standardization proclaimed in the said law, Article 7 “Content and Application of Technical Regulations” includes the principle of applying an international standard as the basis for the development of a national standard, except in cases where such application is recognized as impossible due to the non-compliance of the requirements of international standards with climate and geographical features, technical or technological features or on other grounds, or if the Russian Federation opposed the adoption of an international standard or a separate provision thereof.

Article 7. Clause 8:

International standards must be used in whole or in part as the basis for the development of draft technical regulations, except for cases where international standards or their sections would be ineffective or unsuitable for achieving the goals established by Article 6 of this Federal Law, including due to the climatic and geographical features of the Russian Federation or technical and (or) technological features. (as amended by Federal Law dated July 18, 2009 N 189-FZ)
National standards of the Russian Federation can be used in whole or in part as a basis for the development of draft technical regulations.

Since, from a practical point of view, the number of standards and specifications in the field of information security, including international, national and industry-specific ones, is endless, we will present only a few of them; the full list of national standards is provided on the website of the FSTEC of Russia in the corresponding section “National Standards”.

Designation | Name
GOST R 50739-95 | Computer facilities. Protection against unauthorized access to information. General technical requirements
GOST R 50922-2006 | Data protection. Basic terms and definitions
GOST R 51188-98 | Data protection. Testing software for computer viruses. Model manual
GOST R 51583-2014 | Data protection. The procedure for creating automated systems in a secure design. General provisions
GOST R 53110-2008 | Information security system of the public communication network. General provisions
GOST R 53111-2008 | Stability of the functioning of the public communication network. Requirements and verification methods
GOST R 53113.1-2008 | Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions
GOST R 53113.2-2009 | Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels
GOST R 54581-2011 / ISO/IEC TR 15443-1:2005 | Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1. Overview and basics
GOST R 54582-2011 / ISO/IEC TR 15443-2:2005 | Information technology. Methods and means of ensuring security. Fundamentals of trust in information technology security. Part 2. Trust methods
GOST R 54583-2011 / ISO/IEC TR 15443-3:2007 | Information technology. Methods and means of ensuring security. Fundamentals of trust in information technology security. Part 3. Analysis of trust methods
GOST R ISO 7498-1-99 | Information technology. Interconnection of open systems. Basic reference model. Part 1. Basic model
GOST R ISO 7498-2-99 | Information technology. Interconnection of open systems. Basic reference model. Part 2. Information security architecture
GOST R ISO/IEC TR 13335-5-2006 | Information technology. Methods and means of ensuring security. Part 5. Network security management guide
GOST R ISO/IEC 15408-1-2012 | Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model

For example, consider GOST R 53113.2-2009 “Information technology (IT). Protection of information technologies and automated systems from information security threats implemented using covert channels.”

This standard presents not only the general scheme of operation of covert channels in an automated system and the rules for forming a threat model, but also recommendations for protecting information and the methods used in building an information security system that take the presence of such covert channels into account.

Figure 1 below shows the general scheme of operation of covert channels in an automated system.

Figure 1 - General scheme of the mechanism of operation of covert channels in an automated system

1 - security violator (attacker), whose goal is unauthorized access to restricted-access information or unauthorized influence on the automated system;
2 - restricted-access information or a critical function;
3 - subject with authorized access to 2 and 5;
3' - agent of the security violator, located inside the closed loop together with 2 and interacting with 2 on behalf of subject 3;
4 - inspector (software, hardware-software, hardware or a person) who controls the information interaction of 3 that crosses the closed loop separating the informatization object from the external environment;
5 - subject located outside the closed loop with which 3 carries out authorized information interaction.

Security threats that can be implemented through covert channels include:

1. Injection of malicious software and data;
2. Transmission of commands from the attacker to the agent for execution;
3. Leakage of cryptographic keys or passwords;
4. Leakage of individual information objects.

Protecting information, information technology and automated systems from attacks carried out using covert channels is a cyclical process that includes the following steps, repeated at each iteration of the process:

1. Risk analysis for the organization’s assets, including identifying valuable assets and assessing the possible consequences of attacks using covert channels;
2. Identifying covert channels and assessing their danger to the organization’s assets;
3. Implementing protective measures to counter covert channels;
4. Organizing control over the counteraction to covert channels.

The cyclical nature of the process of protecting against information security threats implemented using covert channels is determined by the emergence of new ways to build covert channels that were unknown at the time of previous iterations.

Based on the assessment of the danger of hidden channels, taking into account the results of the risk analysis, a conclusion is made about the advisability or inappropriateness of countering such channels.

Based on the results of identifying hidden channels, an action plan is formed to counter the threats realized through their use. These activities may include the implementation of one of the already known (or improvement of already existing) methods of countering information security threats implemented using covert channels.

It is advisable to use the following as protective measures:

1. Reducing the bandwidth of the information transmission channel;
2. Architectural solutions for building automated systems;
3. Monitoring the effectiveness of the protection of automated systems.

The choice of methods to counter information security threats implemented using covert channels, and the formation of a plan for their implementation, are determined by experts based on the individual characteristics of the automated system being protected.
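The first protective measure in the list, reducing the bandwidth of the channel, and the last, monitoring the effectiveness of protection, can be made concrete with a small quantitative model. The following is an added example and is not part of GOST R 53113.2-2009 or of this article; it assumes a simple two-level timing channel (an insider agent signals one bit per event by adding either 0 or a fixed delay step, and the inspector adds uniform random jitter to every event), treats the result as a binary symmetric channel, and computes an upper bound on the leak rate in bits per second. All function names, the delay step of 10 ms and the policy limit of 1 bit/s are assumptions of the example.

```python
import math


def binary_entropy(p):
    """Binary entropy H(p) in bits; 0 at p = 0 or p = 1."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1.0 - p) * math.log2(1.0 - p))


def bit_error_probability(delay_step_ms, jitter_ms):
    """Probability that the receiving side decodes a timing symbol wrongly.

    Model (an assumption of this example): the agent adds 0 or delay_step_ms
    to an observable event time, and the inspector adds independent uniform
    jitter from [0, jitter_ms] to every event. The receiver thresholds the
    observed delay at the midpoint (delay_step_ms + jitter_ms) / 2, which is
    the best threshold for symmetric uniform noise. While the jitter does not
    exceed the delay step, the two levels never overlap and no errors occur.
    """
    if delay_step_ms <= 0:
        raise ValueError("delay step must be positive")
    if jitter_ms <= delay_step_ms:
        return 0.0
    return (jitter_ms - delay_step_ms) / (2.0 * jitter_ms)


def capacity_bits_per_symbol(delay_step_ms, jitter_ms):
    """Shannon capacity of the resulting binary symmetric channel: 1 - H(p)."""
    return 1.0 - binary_entropy(bit_error_probability(delay_step_ms, jitter_ms))


def max_symbol_rate_hz(delay_step_ms, jitter_ms):
    """Upper bound on symbols per second when symbols may not overlap in time:
    one symbol can occupy up to delay_step_ms + jitter_ms milliseconds."""
    return 1000.0 / (delay_step_ms + jitter_ms)


def covert_bandwidth_bps(delay_step_ms, jitter_ms):
    """Upper bound on the covert channel throughput, in bits per second.
    Jitter lowers both factors: fewer symbols per second, fewer bits per symbol."""
    return (capacity_bits_per_symbol(delay_step_ms, jitter_ms)
            * max_symbol_rate_hz(delay_step_ms, jitter_ms))


def jitter_needed_ms(delay_step_ms, max_bps, step_ms=1, limit_ms=100000):
    """Smallest jitter (in whole step_ms increments) that brings the bound to or
    below the policy limit max_bps. The bound decreases monotonically with
    jitter, so a linear search is sufficient; None means the limit was not
    reached within limit_ms (only possible for a limit of zero or below)."""
    jitter = 0
    while jitter <= limit_ms:
        if covert_bandwidth_bps(delay_step_ms, jitter) <= max_bps:
            return jitter
        jitter += step_ms
    return None


def protection_report(delay_step_ms, jitter_values_ms):
    """Monitoring aid: (jitter, error probability, bandwidth bound) per setting."""
    return [(j,
             round(bit_error_probability(delay_step_ms, j), 4),
             round(covert_bandwidth_bps(delay_step_ms, j), 3))
            for j in jitter_values_ms]


if __name__ == "__main__":
    step = 10  # constructed example: the agent signals with a 10 ms delay step
    for jitter, p_err, bps in protection_report(step, [0, 10, 30, 100, 1000]):
        print(f"jitter={jitter:5d} ms  p_err={p_err:.4f}  bound={bps:8.3f} bit/s")
    print("jitter needed for a bound of <= 1 bit/s:",
          jitter_needed_ms(step, 1.0), "ms")
```

The report function is the monitoring step of the cycle described above: the same computation can be rerun on each iteration with the delay resolution an inspector can actually observe, and the `jitter_needed_ms` result is the setting that satisfies a risk-analysis limit. The model deliberately gives an upper bound (an agent cannot do better than the channel capacity), so a bound below the limit is a conservative statement about the residual leak rate, while a bound above it says nothing about whether a channel is in use.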

As you can see, even a short list of standards turns out to be far from short, not to mention regulations and recommendations; nevertheless, at least basic knowledge in this area is necessary in order not only to navigate the standards but also to apply the necessary ones in practice.

International standards

  • BS 7799-1:2005 - British Standard BS 7799, first part. BS 7799 Part 1 - Code of Practice for Information Security Management describes the 127 controls required to build an organization's information security management system (ISMS), determined on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS.
  • BS 7799-2:2005 - British Standard BS 7799, second part. BS 7799 Part 2 - Information Security Management - Specification for Information Security Management Systems defines the ISMS specification. The second part of the standard is used as the criteria during the official certification procedure for an organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799, third part. A new standard in the field of information security risk management.
  • ISO/IEC 17799:2005 - “Information technology - Security techniques - Code of practice for information security management.” International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001 - “Information technology - Security techniques - Information security management systems - Requirements.” International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Currently ISO/IEC 17799:2005. “Information technology - Security techniques - Code of practice for information security management.” Release date: 2007.
  • ISO/IEC 27005 - Currently BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency (BSI). IT Baseline Protection Manual - standard security safeguards (basic level of information technology protection).

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical protection of information.
  • GOST R 51188-98 - Information protection. Testing software for computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2012 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Security functional requirements.
  • GOST R ISO/IEC 15408-3-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - “Common criteria for assessing the security of information technologies” - a standard that defines tools and methods for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, allowing the consumer to make decisions about the security of products. The scope of the “Common Criteria” is the protection of information from unauthorized access, modification or leakage, and other methods of protection implemented by hardware and software.
  • GOST R ISO/IEC 17799 - “Information technologies. Code of practice for information security management.” Direct application of the international standard ISO/IEC 17799:2005, with additions.
  • GOST R ISO/IEC 27001 - “Information technologies. Security techniques. Information security management system. Requirements.” Direct application of the international standard ISO/IEC 27001:2005.
  • GOST R 51898-2002 - Safety aspects. Rules for inclusion in standards.

Georgy Garbuzov,
CISSP, MCSE:Security, Information Security Directorate, URALSIB Insurance Group

The history of standardization, as a process of establishing uniform requirements suitable for repeated use, goes back several thousand years: even during the construction of the pyramids in Ancient Egypt, blocks of a standard size were used, and special people controlled the degree of compliance with this ancient standard. Today, standardization occupies a strong place in almost all sectors of human activity.

Standardization in the field of information security

Standardization in the field of information security (IS) is beneficial to both professionals and consumers of IS products and services, as it allows one to establish an optimal level of streamlining and unification, ensure the interchangeability of IS products, as well as the measurability and repeatability of results obtained in different countries and organizations. For professionals, this means saving time in searching for effective and proven solutions, and for consumers, it is a guarantee of obtaining a result of the expected quality.

The object of standardization can be any information security product or service: assessment methods, the functionality of security features and their settings, compatibility properties, development and production processes, management systems, etc.

Depending on the composition of participants, standardization can be international, regional or national. International standardization (alongside official standardization bodies such as ISO) includes the standardization work of consortia (for example, IEEE or SAE), while national standardization can be state-level or industry-level.

Let us dwell in more detail on some of the foreign standards in demand today, which in one way or another affect information security issues.

International standards in the field of information security - foreign experience

Standardization in the field of information security abroad has been developing for decades, and some countries, for example the UK, have extensive experience in developing standards - many British national standards, such as BS7799-1/2, have acquired international status over time. Let's start with them.

International standards ISO 27002 and ISO 27001

Perhaps these are the most popular standards in the field of information security today.

ISO 27002 (formerly ISO 17799) contains a set of recommendations for the effective organization of information security management systems in an enterprise, covering all key areas, in particular:

  • formation of an information security policy;
  • personnel-related security;
  • security of communications;
  • physical security;
  • access control;
  • incident handling;
  • ensuring compliance with legal requirements.

The ISO 27001 standard is a collection of criteria for management system certification, based on the results of which an international certificate of conformity is issued by an accredited certification body, which is included in the register.

According to the register, there are currently about a dozen companies registered in Russia that hold such a certificate, while the total number of certifications worldwide exceeds 5,000. Preparation for certification can be carried out either by the organization itself or by consulting companies, and practice shows that obtaining an ISO 27001 certificate is much easier for companies that already have a certified management system (for example, a quality management system).

The ISO 27001/27002 standards are representatives of a new series of standards, the final formation of which has not yet been completed: standards 27000 (basic principles and terminology), 27003 (guidelines for the implementation of an information security management system), 27004 (measuring the effectiveness of an information security management system) and others are in development - in total, more than 30 standards are expected in the 27000 series. More information about the composition of the series and the current state of its development can be found on the official ISO website (www.iso.org).

International standards ISO13335 and ISO15408

The ISO 13335 standard is a family of information technology security standards covering IT security management, offering specific protective measures and techniques. Currently, the 13335 series is being gradually replaced by the newer 27000 series. The ISO 15408 standard contains uniform criteria for assessing the security of IT systems at the software and hardware level (similar to the famous Orange Book, which is also known as TCSEC assessment criteria, or European ITSEC criteria), which allow comparison of results obtained in different countries.

In general, these standards, although they contain only a technological part, can be used both independently and when building information security management systems as part of, for example, preparation for certification for compliance with ISO 27001.

CobiT

CobiT is a set of approximately 40 international standards and guidelines in the areas of IT governance, auditing and security and contains descriptions of related processes and metrics. The main goal of CobiT is to find a common language between a business that has specific goals and IT that contributes to their achievement, allowing the creation of adequate plans for the development of the organization's information technology.

CobiT is used to audit and control an organization's IT management system and contains detailed descriptions of the goals, principles and objects of management, of possible IT processes and of security management processes. Its completeness, clear descriptions of specific actions and tools, and business focus make CobiT a good choice when creating an information infrastructure and its management system.

In the next part of the article we will look at some interesting national and industry-specific foreign standards, such as NIST SP 800, BS, BSI, PCI DSS, ISF, ITU and others.

Expert commentary

Alexey Pleshkov,
Head of Information Technology Security Department, Gazprombank (Open Joint Stock Company)

In addition to the above review of international standards, I would like to draw attention to another regulatory document on information security, which is not widespread in the Russian Federation. One of these standards is a document from the EBIOS family of methods.

The EBIOS project for the development of methods and tools for information security management in information systems is supported by the French government and promoted by the DCSSI Commission under the Prime Minister of France to the pan-European level. The purpose of this project is to help improve the security of information systems of public or private organizations (http://www.securiteinfo.com/conseils/ebios.shtml).

The text of the documentation set for the product for automating information security assessment tasks, “Methodological tools for achieving the security of information systems EBIOS (defining needs and identifying security objectives)”, was published on the official website of the French government dedicated to the issues of ensuring the information security of automated systems in 2004.

The EBIOS method, proposed by the General Secretariat of the French Ministry of National Defense and called "Definition of needs and identification of security objectives" (EBIOS), was developed taking into account international standards aimed at ensuring information security. It formalizes the approach to assessing and processing risks in the field of information system security and is used to assess the level of information security in developed and existing systems.
The purpose of the method is to allow any government-controlled organization to determine a list of security actions that need to be taken first. The method can be implemented by the administrators of the organization's security department and can be applied at all levels of the structure of an information system being developed or already existing (subsystems, application programs).

The EBIOS approach takes into account three main properties of information security: confidentiality, integrity and availability of both information and systems, as well as the environment in which they are located. In certain cases, it is suggested that care be taken to ensure non-repudiation, authorization and authentication needs.