Hello, Habr! On September 13, the Ministry of Justice registered a document amending Order 17, the one on the protection of information in state information systems (hereinafter GIS). There are quite a few changes, and some of them are significant. There is at least one very pleasant thing in there for GIS operators. Details under the cut.
The good news
Let's start with this and then go through everything else. The best part for operators is that the GIS certificate is now open-ended. In clause 17.4, where it previously said that the certificate is issued for 5 years, it now says "The certificate of conformity is issued for the entire life of the information system." Of course, this does not remove the need to keep the information protection system in compliance with the certificate, as the same clause 17.4 states.
About cloud data centers
In our experience, more and more GIS operators conclude that maintaining their own server infrastructure is not worth it and migrate to the capacity of a cloud provider. The previous edition of Order 17 devoted a couple of lines to such situations; now they are described in more detail. In particular, the following requirements are specified:
- The class of a GIS that moves to a cloud data center must not be higher than the class of the data center itself, which means the data center itself must go through classification (new paragraph in clause 14.2 of Order 17);
- When modeling threats for an information system that has moved to a third-party data center, the threats relevant to the data center itself must be taken into account. This directly implies that two separate threat models are developed: one for the data center and one for the GIS (new paragraph in clause 14.4);
- If the data center implements information protection measures, the design documentation for the GIS's own information security system may reference them wherever relevant and necessary (new paragraph in clause 15.1);
- Information security tools in the GIS must be compatible with each other (what a twist!) and with the security tools used in the data center. Logical enough: otherwise nothing will work (new paragraph in clause 16.1);
- The data center to which the GIS moves must be certified under Order 17. This was already obvious to many, but some resisted (amended clause 17.6);
- If the measures taken in the data center block all security threats to the GIS, then no additional information protection measures are required in the GIS (new clause 22.1).
Other small changes
In clause 17, where it already said that the design of the protection system and its certification must be carried out by different officials, "employees" was added in brackets after "officials". It is good that they added this clarity, because the debate about what "officials" means was a serious one.
Clause 17.2 was supplemented with a paragraph stating that acceptance tests of the GIS itself and certification tests of its information security system may be combined. In practice this is how it has usually been done anyway.
Information security during the operation of the information system
Clause 18 was extended with new mandatory measures to be carried out during the operation of a certified GIS. To the management of the information protection system, incident detection and response, configuration management and control over the level of information security, the following were added: "planning of information protection measures", "analysis of security threats" and "informing and training the information system's personnel". The last of these has definitely been missing from Order 17 for a long time.
Further on, all these stages are described in more detail in Order 17, and since "planning of measures" became the first item in the list and "analysis of security threats" the second, the numbering of the sub-clauses has changed.
As part of planning (new clause 18.1) we must:
- Identify those responsible for planning and monitoring information protection measures. Previously there was no requirement to appoint such persons, so, strictly speaking, a new order appointing them should be issued in every GIS;
- Identify those responsible for detecting and responding to incidents. This item adds nothing new: in our internal documentation guide we have already described the purpose of the information security incident response team, so it already exists;
- Develop and approve a plan of information protection measures. Nothing new here either; such a plan has long been part of the standard set of documents;
- Define the procedure for monitoring the implementation of the measures. This can be handled in the same way.
On threat analysis (new clause 18.2) the order is quite concise: it is necessary to identify and eliminate vulnerabilities, analyze changes in security threats and assess the possible consequences of threats being realized.
We are often asked how frequently vulnerabilities must be searched for and information security threats analyzed. In the same clause the regulator says that the frequency is determined by the operator.
The item on managing the information security system (formerly 18.1, now 18.3) has also changed. "Informing users about security threats ..." was removed from it, apparently because there is now a separate section for that, and "identification of persons responsible for managing the information security system" was added. There is nothing particularly new in the added item, though: this is our dearly respected security administrator. The rest remained in place, slightly rephrased but essentially the same.
The item on managing the configuration of the information system (old 18.3, new 18.4) is somewhat rephrased but has not changed in substance. The same can be said of the incident response item (old 18.2, new 18.5).
Clause 18.6 on staff training is new, so we will dwell on it in more detail. Here is what we must teach and inform personnel about:
- new and current threats to information security;
- the rules for safe operation of the information system;
- the requirements for the protection of information (regulatory and internal documents);
- the rules for operating individual information protection tools;
- conduct practical exercises on blocking information security threats and responding to incidents;
- monitor staff awareness of all of the above.
The frequency of training is set in the operator's internal documents, but must be at least once every two years.
The appearance of staff training is a good start, but unfortunately, once again neither the form nor the hours of training are specified, nor whether such training must follow programs approved by FSTEC or whether an internal briefing is sufficient. We suspect that many will continue to approach the issue formally, with entries in the log book such as "briefing given by" and "briefing received by" without actually holding any classes.
In the item on control over the level of information security, the frequency of such control has been added: for class 1 GIS, at least once a year; for class 2 and class 3 GIS, at least once every two years. A licensee can be engaged for such checks, but the operator may also conduct them itself.
About levels of trust in information security tools
In clause 26, alongside the concept of "class of protection tool", the concept of "level of trust" is introduced. A class 1 GIS requires level of trust 4 or higher, a class 2 GIS level of trust 5 or higher, and a class 3 GIS level of trust 6 or higher. FSTEC has issued an
information message about these levels of trust; they should not be confused with the evaluation assurance level under GOST R ISO/IEC 15408-3 (there, by the way, the 5th level of trust is the highest and the 1st is the lowest).
This is the only change that does not take effect immediately but from June 1, 2020. We are waiting for updated certificates of conformity for information protection tools by that date. Whether protection tools whose certificates are not renewed will turn into a pumpkin is still unknown. Closer to date X, FSTEC may release some kind of information message, as it did with firewalls in 2016.
About certified routers
Finally, we are finished off by the introduction of clause 26.1:
“When designing newly created or modernized information systems with access to the Internet telecommunications network, routers should be selected that are certified to meet information security requirements (in terms of the security functions implemented in them).”
In fact, the purpose of this clause is not very clear. Firstly, all protection tools must be certified anyway. Secondly, as a rule, when connecting to the Internet a GIS uses certified firewalls, including ones that also act as routers. There are no separate protection profiles for routers (by analogy with those for firewalls), and possibly the introduction of clause 26.1 hints that such protection profiles will appear in the near future.