Why do you need certification of information security tools? Information security certification system


The World Wide Web Foundation has published a ranking of Internet speeds for 86 countries. Users who took part in the study recorded Internet speed on the NetIndex website, in their country, region or city using the SpeedTest service.

World's First Network Meter

The World Wide Web Foundation is an international non-profit organization that assesses the contribution of Internet technologies to the social, economic and political development of states. The Web Index it developed is a multidimensional means of measuring the Internet, how it is used, and how it influences people.

Web Index is located on the netindex.com domain. The information published on the site is based on the last million tests conducted on the SpeedTest.net service.

The study uses 5 statistical indicators:

  • Download speed - the average speed of downloading data from the Internet, in Mb/s. The average speed in the world is 15 Mb/s.
  • Upload speed - the average speed of uploading data to the Internet. The average speed in the world is 5 Mb/s.
  • Connection quality, calculated using the R-factor formula. The average quality in the world is 85.
  • Cost - the average price of one megabit in dollars. Worldwide - $4.
  • Compliance - how closely the real connection speed matches the speed declared by the provider.

Experts assessed 86 developed and developing countries on the level of Internet access, freedom to use the network, openness and its influence.
The Scandinavian countries are in the lead: Denmark, Finland and Norway took the first three places. Great Britain and Sweden took 4th and 5th places in the ranking.

“The higher the level of well-being and education of citizens, the more advantages the digital revolution gives them,” says Anne Jellema, CEO and author of the World Wide Web Foundation report.


The large gap between rich and poor has been identified as a major problem of our time, and we need technology to combat inequality, not increase it.

Numbers

84% of states noted in the study do not have effective laws and practices to protect the privacy of online communications.
72% of countries are not doing enough to stop online violence against women.
In 62% of countries the Internet and social media play a key role in enhancing the social and political activity of residents.
In addition, the Web Index measures the level of development and influence of the World Wide Web on society according to the following parameters:

Penetration

Assessment of the level and intensity of Internet use in the country, including the level of development and quality of communication infrastructure, as well as institutional infrastructure and its regulatory aspects.

Freedom and openness

Assessment of the level of civil liberties, including rights to information, expression, security and privacy online.

Content quality

Assessment of citizen usage and content availability, focusing on how various groups of interested citizens can access information on the national Internet through accessible platforms and channels in the language they use.

Rights and opportunities.

Assessment of social, economic and political indicators of state development in the context of the influence of the Internet on them.

At the same time, Ukraine scored highest in the "Penetration" category (59.29) and lowest in "Rights and opportunities" (29.76). In addition, Ukraine's "Content quality" score is 34.61 and its "Freedom and openness" score is 54.61.

In the ranking table, Ukraine ranks behind countries such as Mexico, Turkey, Tunisia, Mauritius, Philippines, Malaysia, Peru, China and South Africa. Of the CIS countries, only Russia is ahead of Ukraine, taking 35th place and placing itself between Poland and Colombia. Russia received the highest scores (more than 60 points) for Internet accessibility and quality of content. Russia has the lowest scores in terms of freedom and openness of the Internet. The authors of the study especially noted the development of large-scale censorship in the country by public services in the absence of any convincing means of protecting citizens' privacy.

Unexpectedly, Ukraine outperformed the United Arab Emirates (47th place) by literally one step, as well as countries such as India, Indonesia, Thailand, Egypt, Saudi Arabia and Kazakhstan. The latter, however, lost as much as 6 points over the year.

According to the report, Internet speed in Kazakhstan averages 16.7 Mbps, which places the country in 57th place. However, the average Internet speed in Kazakhstan shows a gradual increase: over the year the connection speed increased by 3 Mbit/sec. The ranking of cities in Kazakhstan in terms of Internet speed is interesting: in first place was not the capital of the country, Astana, but the city of Balkhash (33.04 Mbit/sec), in second place was Zhezkazgan (31.82 Mbit/sec), and in third place was Aksu (29.65 Mbit/sec). Astana took 16th place (15.74 Mbit/sec) and Almaty 13th (16.73 Mbit/sec).

As for mobile Internet, the average speed in Kazakhstan is 8 Mbit/s (download) and 4.7 Mbit/s (upload). The maximum speed was recorded in Almaty (10.4 Mbit/s), and the minimum in the village of Tenge (2.31 Mbit/s).

Singapore took first place in the NetIndex ranking - the connection speed here is 104.21 Mbit/sec. Also in the top three were Hong Kong (96.36 Mbit/s) and Japan (70.81 Mbit/s). Among the outsiders were Burkina Faso, Gambia and Benin - Internet speed in these countries does not exceed 1.5 Mbit/sec.

The study, which started in 2012, is conducted annually so that it is possible to track the dynamics of changes in the web index and its components, and the number of countries studied will be increased to at least 100.

The calculation part of the Index is based on statistical data from international organizations such as the United Nations, the International Telecommunication Union, the World Bank, the World Economic Forum, the Wikimedia Foundation and others, as well as the results of an expert survey conducted in the countries covered by the study. In the final report, the indicators are combined into a single Web Index. To determine their place in the global ranking, all countries are ranked by this Index: first place in the ranking table corresponds to the highest value of the indicator, and last place to the lowest.

The authors of the study believe that the level of Internet penetration today is an important indicator of social development. The Index is intended to be used by states as a tool for analyzing problem areas in their policies and monitoring their progress in implementing Internet technologies. The organization plans to publish the Index on a regular basis, which will allow countries to monitor changes over time.


By certification of products according to information security requirements we mean a set of organizational and technical measures as a result of which a special document (a certificate) and a mark of conformity confirm, with a certain degree of reliability, that the product meets the requirements of:

state standards or other regulatory legal acts approved by the Government of the Russian Federation - for products used in the processing of information that constitutes a state secret (GT);

state or industry standards, or other regulations approved by the Government of the Russian Federation or the FSB of the Russian Federation - for products used in processing confidential information that does not contain information constituting the GT.

In this case, the following information security tools are subject to mandatory certification within the framework of the certification system:

technical, cryptographic, software and other means designed to protect information constituting the GT;

means in which the means listed above are implemented;

means of monitoring the effectiveness of information protection.

The legal basis for certification of information security tools according to information security requirements is the following regulatory legal acts:

1) Regulations on certification of information security means according to information security requirements, put into effect by order of the Chairman of the State Technical Commission of Russia No. 199 dated October 27, 1995;

2) Law of the Russian Federation “On certification of products and services” No. 5151-1 dated June 10, 1993;

3) Law of the Russian Federation “On State Secrets”;

4) Decree of the Government of the Russian Federation No. 608 “On certification of information security means” dated June 26, 1995;

5) Regulations on the state system of information protection in the Russian Federation from foreign technical intelligence and from its leakage through technical channels;

6) Regulations on the system of certification of information security means according to security requirements for information constituting a state secret (certification system SZI-GT);

7) Regulations on the “GOST R Certification System”;

in the manner established by Gosstandart, which organizes the activities of the certification system within its competence, defined by legislative and other regulations of the Russian Federation.

The following informatization objects are subject to certification according to information security requirements: automated systems (AS) of various levels and purposes; communication systems; systems for displaying and reproducing documents designed for processing and transmitting information to be protected, along with the premises in which they are installed; premises intended for conducting confidential transactions.

Goals of creating a certification system: ensuring the implementation of the requirements of the state information protection system; creating conditions for high-quality and efficient provision of consumers with certified information protection means; ensuring national security in the field of information; promoting the formation of a market for secure information technologies and the means to support them; formation and implementation of a unified scientific, technical and industrial policy in the field of information technology, taking into account modern requirements for information protection; support for informatization projects and programs.

The list of information security tools subject to mandatory certification is developed by the FSTEC of Russia, agreed with the Interdepartmental Commission on GT Protection, and includes:

means, including foreign-made ones, designed to protect information constituting GT and other restricted-access information;

means used in the management of environmentally hazardous facilities.

In other cases, certification is voluntary (voluntary certification) and is carried out at the initiative of the developer, manufacturer or consumer of the information security tool.

SZI-GT certification system. The Federal Security Service of the Russian Federation has created a system of mandatory certification of information protection means according to security requirements for information constituting GT (certification system SZI-GT). The main goals of creating such a system are: ensuring national security in the field of information; formation and implementation of a unified scientific, technical and industrial policy in the field of informatization, taking into account the requirements of the GT protection system; regulation and control of the development and subsequent production of SZI-GT.

The main certification schemes for SZI-GT (in accordance with the Procedure for product certification in the Russian Federation, approved by resolution of Gosstandart of Russia No. 15 dated September 21, 1994) are:

for serially produced SZI-GT - testing of a product type for compliance with regulatory documents and requirements for the protection of information constituting a GT, and subsequent inspection control of the stability of the characteristics of certified products that ensure (determine) the fulfillment of these requirements. In addition, by decision of the certification body, a preliminary inspection of production may be carried out;

for single samples of SZI-GT - testing the sample for compliance with regulatory documents and requirements for the protection of information constituting state secrets.

SZI-GT certification is carried out by accredited certification bodies, and tests are carried out by accredited testing centers (laboratories) on their material and technical base. In some cases, in agreement with the certification body and with the consent of the developer (manufacturer, seller), it is allowed to conduct tests at the testing base of the developer of the SZI-GT in the presence of a representative of the certification body.

The organizational structure of the certification system is formed by:

FSB of Russia (the federal executive body authorized to carry out work on mandatory certification of information security means);

the central body of the certification system (created if necessary);

SZI-GT certification bodies;

testing centers (laboratories);

educational and methodological center;

applicants (developers, manufacturers, sellers, consumers).

The certification procedure includes the following actions: submission and consideration of an application for SZI-GT certification; testing of the SZI-GT being certified and analysis of the state of their production; examination of test results; execution, registration and issuance of a certificate of conformity and a license for the right to use the mark of conformity; inspection control over compliance with the rules of mandatory certification and over certified SZI-GT; informing about the results of SZI-GT certification; consideration of appeals.

Certification of means of protecting information not related to GT is carried out by the FSTEC of Russia and accredited certification bodies. Tests are carried out by accredited testing centers (laboratories) on their material and technical base. In some cases, in agreement with the FSTEC of Russia or the certification body, it is allowed to conduct tests at the testing base of the developer (manufacturer, supplier, consumer) of the information security tool. The accreditation rules are determined by the “Regulations on the accreditation of testing centers (laboratories) and bodies for certification of information security means” in force in the system.

Payment for the certification of specific information security tools is made by the applicant on the basis of agreements between the certification participants. The amount spent by the applicant on certification of an information security tool is included in its cost.

Certification bodies and testing centers (laboratories) are responsible: for performing the functions assigned to them; ensuring the safety of GT, other confidential information, material assets provided by the applicant; compliance with the applicant's copyright when testing his information security means.

The organizational structure of the system for certification of information security means according to security requirements consists of:

FSTEC of Russia (federal body for certification of information security means);

central body of the information security certification system (CI);

certification bodies for information security tools (OS);

testing centers (laboratories) (TC);

applicants (developers) of information security tools;

manufacturers;

suppliers;

consumers.

To organize and conduct the relevant type of activity, applicants (developers, manufacturers, suppliers) must have a license from the FSTEC of Russia.

Certification bodies and testing centers (laboratories) are accredited by the FSTEC of Russia. They should be legal entities and have trained specialists, the necessary measuring instruments, testing equipment and test methods, and the regulatory documents for carrying out the entire range of work on testing specific information security tools in their area of accreditation.

Accreditation is carried out only if there is a license from the FSTEC of Russia for the relevant types of activities. Accreditation of enterprises subordinate to federal executive authorities as certification bodies and testing centers (laboratories) is carried out on the proposal of these authorities.

The procedure for certification and control. It can be represented as the following algorithm (Fig. 10.2):

1) submission and consideration of an application for certification of information security tools;

2) testing of the information security tools being certified and certification of their production;

3) examination of test results;

4) execution, registration and issuance of a certificate and license for the right to use the mark of conformity;

5) implementation of state control and supervision, inspection control over compliance with the rules of mandatory certification and over certified information security means;

6) informing about the results of certification of information security tools;

7) consideration of appeals.

Let's take a closer look at the components of the information security certification algorithm.

1. Submission and consideration of an application for certification of information security tools. To obtain a certificate, the applicant sends an application to the FSTEC of Russia for testing, indicating the certification scheme, standards and other regulatory documents for compliance with whose requirements certification must be carried out. Within one month after receiving the application, FSTEC sends the applicant a decision to carry out certification, indicating the certification body and testing center (laboratory) designated to carry it out. At the request of the applicant, the certification body and testing center (laboratory) can be changed. After receiving the decision, the applicant is obliged to submit to the certification body and testing center (laboratory) the information security tool, the technical specifications for it, and a set of technical and operational documentation for the tool being certified, in accordance with the regulatory documents of the unified systems of design documentation (ESKD) and program documentation (ESPD).

[Fig. 10.2. Certification procedure. Recoverable labels: Submission and consideration of the application; Testing of products and certification of their production; Examination of test results]

2. Testing of the information security tools being certified in testing centers (laboratories). Tests are carried out on samples according to test programs and methods agreed with the applicant and approved by the certification body. The design, composition and manufacturing technology of the tested samples must be the same as those of the samples supplied to the consumer or customer.

Technical and operational documentation for serial information security means must have a letter no lower than “01” (according to the ESKD).

The number of samples and the procedure for their selection and identification must comply with the requirements of regulatory and methodological documents for this type of information security means. If at the time of certification there is no testing center (laboratory), the certification body determines the possibility, location and conditions of testing to ensure the objectivity of the results. The timing of the tests is established by an agreement between the applicant and the testing center (laboratory). At the request of the applicant, his representatives must be given the opportunity to familiarize themselves with the conditions of storage and testing of samples of information security means in the testing center (laboratory).

The test results are documented in protocols and conclusions, the originals of which the testing center (laboratory) sends to the certification body, and copies to the applicant.

When changes are made to the design (composition) of information security means or their production technology, which may affect the characteristics of these information security means, the applicant notifies the certification body, which decides on the need to conduct new tests of these means.

Certification of imported information security tools is carried out according to the same rules as domestic ones.

3. Examination of test results. The certification body examines the test results and, if they comply with the requirements of the regulatory documents on information protection, draws up an expert opinion and a draft certificate. It then sends these documents and the technical specifications for the information security tool to the FSTEC of Russia.

4. Execution, registration and issuance of a certificate and license for the right to use the mark of conformity. After approval of the expert opinion, approval of the technical specifications for the information security means and assigning a certificate

The validity period of the certificate is set for no more than five years.

If the test results do not comply with the requirements of standards or other regulatory documents on information protection, the FSTEC of Russia makes a decision to refuse to issue a certificate and sends a reasoned conclusion to the applicant. If the applicant disagrees with the refusal, it has the right to appeal to the appeal board of the FSTEC of Russia for additional consideration of the certification materials.

Obtaining a certificate gives the manufacturer the right to obtain a certification license from the FSTEC of Russia to mark these products with a mark of conformity. The form of the conformity mark is established by the FSTEC of Russia. The owner of the license to use the mark of conformity is responsible for the supply of marked information security equipment that does not meet the requirements of the regulatory and methodological documentation specified in the certificate.

To recognize a foreign certificate, the applicant sends a copy of it and an application for recognition of the certificate to the FSTEC of Russia, which, no later than two months after receiving them, notifies the applicant about recognition or the need to carry out certification tests. If recognized, the applicant is issued a certificate of the established form.

5. State control and supervision, and inspection control over compliance with the rules of mandatory certification and over certified information security means. These types of control are carried out by the FSTEC of Russia; their scope, content, procedure and frequency, and the rules for organizing and conducting control over specific types of certified protective equipment, are established by the regulatory and methodological documentation in force in the information security certification system. Inspection control of certified information security means is carried out by the certification body that certified them. Based on the results of control, the FSTEC of Russia may suspend or cancel the validity of the certificate and accreditation certificate, and the certification body may petition for this. A decision to revoke a certificate is made only if the immediate measures taken cannot restore compliance of the information security means with the established requirements, for the following reasons:

changes in regulatory and methodological documents on information security means or test and control methods;

failure to comply with the requirements of manufacturing technology, control, and testing of information security equipment;

the applicant’s refusal to admit (receive) persons authorized to carry out state control and supervision, inspection control over certification and certified information security means.

Information about the suspension (cancellation) of a certificate or accreditation certificate is immediately brought to the attention of manufacturers, consumers of information security products, certification bodies and testing centers (laboratories).

6. Information about certification of information security tools. This process is one of the important functions of the FSTEC of Russia. It provides certification participants with the necessary information on the activities of the certification system, including:

a list of information security tools (their certified parameters) for which certificates have been issued;

a list of information security tools (their certified parameters) for which the certificates have been revoked;

a list of certification bodies for specific types of information security tools;

a list of testing centers (laboratories);

a list of regulatory documents for compliance with the requirements of which certification of information security means is carried out, and methodological documents for conducting certification tests.

7. Consideration of appeals. The appeal is submitted to the certification body, the central body of the certification system or the appeal board of the FSTEC of Russia on issues related to the activities of testing centers (laboratories) and certification bodies, and is considered within a month with the involvement of interested parties. The appellant is notified of the decision taken.

Certification is a procedure by which it is confirmed that certain products meet all requirements. Certification of information security means, in turn, is an activity associated with confirming that these means comply with national standards, as well as with the requirements prescribed in technical regulations and other regulatory documents. FSTEC of the Russian Federation represents a certification system, the existence of which is aimed at achieving security in the field of informatization. The information security certification system deals with the formation of policy in the field of information technology and also ensures its implementation. At the same time, its main tasks include promoting the creation of a market in which everyone, as well as all kinds of security means, are completely protected from theft or other negative influences.

This system additionally regulates and controls the development of information security tools and their subsequent production. The system's objectives include helping consumers who lack the necessary knowledge to make the right choice of information security tools. In addition, it is with the help of the system that all consumers receive reliable, constant and effective protection from unscrupulous sellers and creators of information security tools. The system ensures the certification of these products, so all companies that specialize in the production or sale of information protection equipment must undergo mandatory certification with this state body.

What products are subject to mandatory certification?

All companies or entrepreneurs whose activities are related to information security means should be aware of which means must be certified. These include primarily technical and software tools, as well as software and hardware. This also includes means of monitoring the reliability of protection and means in which the information security system is implemented.

Therefore, every company or entrepreneur must certify these means.

Features of obtaining a certificate

A certificate is valid for only three years; however, there are situations in which its validity period is increased, but it cannot exceed five years.

Firms or entrepreneurs have the opportunity to renew a certificate received three years ago without undergoing re-certification, but only if they meet certain conditions. The number of the company's products that are subject to certification must remain the same. The requirements that apply to these products during the certification procedure must not have changed. The specifications and design of these products must also not have changed in any way over the three years. If all these conditions are met, the company can renew the certificate. However, if even one condition is not met, the organization's products must again go through the primary certification procedure.

Certification of information security tools is a significant procedure that allows consumers to receive only high-quality products that meet all necessary standards and requirements.
