Russian information security standards. Information security standards. Requirements for knowledge and skills

This section provides general information and texts of national standards of the Russian Federation in the field of information security GOST R.

Current list of modern GOSTs developed in recent years and planned for development.

Certification system for information security tools according to information security requirements No. ROSS RU.0001.01BI00 (FSTEC of Russia).

STATE STANDARD OF THE RUSSIAN FEDERATION. Data protection. PROCEDURE FOR CREATION OF AUTOMATED SYSTEMS IN SECURED EXECUTION. General provisions. Moscow.

STATE STANDARD OF THE RUSSIAN FEDERATION. Computer facilities. Protection against unauthorized access to information. General technical requirements. Date of introduction 1996-01-01.

National standard of the Russian Federation. Data protection. Basic terms and definitions (Protection of information. Basic terms and definitions). Date of introduction 2008-02-01.

STATE STANDARD OF THE RUSSIAN FEDERATION. DATA PROTECTION. SYSTEM OF STANDARDS. BASIC PROVISIONS (SAFETY OF INFORMATION. SYSTEM OF STANDARDS. BASIC PRINCIPLES).

STATE STANDARD OF THE RUSSIAN FEDERATION. Data protection. TESTING SOFTWARE FOR THE PRESENCE OF COMPUTER VIRUSES. Model manual (Information security. Software testing for the existence of computer viruses. The sample manual).

Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions.

Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.

Information technology. Methods and means of ensuring security. Guidance for developing protection profiles and security tasks.

Automatic identification. Biometric identification. Performance tests and test reports in biometrics. Part 3. Features of testing for various biometric modalities.

Information technology. Methods and means of ensuring security. Methodology for assessing information technology security.

GOST R ISO/IEC 15408-1-2008 Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model (Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model).

GOST R ISO/IEC 15408-2-2008 Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional security requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional requirements).

GOST R ISO/IEC 15408-3-2008 Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance requirements).

GOST R 53109-2008 System for ensuring information security of a public communication network. Information security passport of a communications organization (Information security of the public communications network providing system. Passport of the organization communications of information security). Effective date: 09/30/2009.

GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions (Protection of information. Information security provision in organizations. Basic terms and definitions). Effective date: 09/30/2009.

GOST R 53112-2008 Information protection. Complexes for measuring parameters of spurious electromagnetic radiation and interference. Technical requirements and test methods (Information protection. Facilities for measuring side electromagnetic radiation and pickup parameters. Technical requirements and test methods). Effective date: 09/30/2009.

GOST R 53115-2008 Information protection. Testing of technical means of information processing for compliance with the requirements of security from unauthorized access. Methods and means (Information protection. Conformance testing of technical information processing facilities to unauthorized access protection requirements. Methods and techniques). Effective date: 09/30/2009.

GOST R 53113.2-2009 Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels (Information technology. Protection of information technology and automated systems against security threats posed by use of covert channels. Part 2. Recommendations on protecting information, information technology and automated systems against covert channel attacks). Effective date: 12/01/2009.

GOST R ISO/IEC TO 19791-2008 Information technology. Methods and means of ensuring security. Security assessment of automated systems (Information technology. Security techniques. Security assessment of operational systems). Effective date: 09/30/2009.

GOST R 53131-2008 Information protection. Recommendations for disaster recovery services for information and telecommunications technology security functions and mechanisms. General provisions (Information protection. Guidelines for recovery services of information and communications technology security functions and mechanisms. General). Effective date: 09/30/2009.

GOST R 54581-2011 Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1. Overview and basics (Information technology. Security techniques. A framework for IT security assurance. Part 1. Overview and framework). Effective date: 07/01/2012.

GOST R ISO/IEC 27033-1-2011 Information technology. Methods and means of ensuring security. Network security. Part 1. Overview and concepts (Information technology. Security techniques. Network security. Part 1. Overview and concepts). Effective date: 01/01/2012.

GOST R ISO/IEC 27006-2008 Information technology. Methods and means of ensuring security. Requirements for bodies performing audit and certification of information security management systems (Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems). Effective date: 09/30/2009.

GOST R ISO/IEC 27004-2011 Information technology. Methods and means of ensuring security. Information security management. Measurements (Information technology. Security techniques. Information security management. Measurement). Effective date: 01/01/2012.

GOST R ISO/IEC 27005-2010 Information technology. Methods and means of ensuring security. Information security risk management (Information technology. Security techniques. Information security risk management). Effective date: 12/01/2011.

GOST R ISO/IEC 31010-2011 Risk management. Risk assessment methods (Risk management. Risk assessment methods). Effective date: 12/01/2012.

GOST R ISO 31000-2010 Risk management. Principles and guidelines (Risk management. Principles and guidelines). Effective date: 08/31/2011.

GOST 28147-89 Information processing systems. Cryptographic protection. Cryptographic conversion algorithm. Effective date: 06/30/1990.

GOST R ISO/IEC 27013-2014 “Information technology. Methods and means of ensuring security. Guidance on the combined use of ISO/IEC 27001 and ISO/IEC 20000-1”. Effective date: September 1, 2015.

GOST R ISO/IEC 27033-3-2014 “Network security. Part 3. Reference network scenarios. Threats, design methods and management issues”. Effective date: November 1, 2015.

GOST R ISO/IEC 27037-2014 “Information technology. Methods and means of ensuring security. Guidelines for the identification, collection, retrieval and retention of digital evidence”. Effective date: November 1, 2015.

GOST R ISO/IEC 27002-2012 Information technology. Methods and means of ensuring security. Set of norms and rules for information security management (Information technology. Security techniques. Code of practice for information security management). Effective date: 01/01/2014. OKS code 35.040.

GOST R 56939-2016 Information protection. Secure software development. General requirements (Information protection. Secure software development. General requirements). Effective date: 06/01/2017.

GOST R 51583-2014 Information protection. The procedure for creating automated systems in a secure design. General provisions (Information protection. Sequence of protected operational system formation. General). Effective date: 09/01/2014.

GOST R 7.0.97-2016 System of standards for information, library and publishing. Organizational and administrative documentation. Requirements for the preparation of documents (System of standards on information, librarianship and publishing. Organizational and administrative documentation. Requirements for presentation of documents). Effective date: 07/01/2017. OKS code 01.140.20.

GOST R 57580.1-2017 Security of financial (banking) transactions. Protection of information of financial organizations. The basic composition of organizational and technical measures (Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures).

GOST R ISO 22301-2014 Business continuity management systems. General requirements (Business continuity management systems. Requirements).

GOST R ISO 22313-2015 Business continuity management. Implementation guide (Business continuity management systems. Guidance for implementation).

GOST R ISO/IEC 27031-2012 Information technology. Methods and means of ensuring security. A guide to information and communications technology readiness for business continuity (Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity).

GOST R IEC 61508-1-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements). Date of introduction 2013-08-01.

GOST R IEC 61508-2-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. System requirements (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. Requirements for systems). Date of introduction 2013-08-01.

GOST R IEC 61508-3-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 3. Software requirements (IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements, IDT).

GOST R IEC 61508-4-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions). Date of introduction 2013-08-01.

GOST R IEC 61508-6-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 6. Guidelines for the use of GOST R IEC 61508-2 and GOST R IEC 61508-3 (IEC 61508-6:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3, IDT).

GOST R IEC 61508-7-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 7. Methods and means (Functional safety of electrical electronic programmable electronic safety-related systems. Part 7. Techniques and measures). Date of introduction 2013-08-01.

GOST R 53647.6-2012 Business continuity management. Requirements for a personal information management system to ensure data protection.

Name: Data protection. Ensuring information security in the organization.

Status: Valid

Text GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions

FEDERAL AGENCY FOR TECHNICAL REGULATION AND METROLOGY

NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Data protection

ENSURING INFORMATION SECURITY IN THE ORGANIZATION

Basic terms and definitions

Official publication


Standartinform

GOST R 53114-2008

Preface

The goals and principles of standardization in the Russian Federation are established by Federal Law No. 184-FZ of December 27, 2002 “On Technical Regulation”, and the rules for applying national standards of the Russian Federation are set out in GOST R 1.0-2004 “Standardization in the Russian Federation. Basic provisions”.

Standard information

1 DEVELOPED by the Federal State Institution “State Research Testing Institute for Problems of Technical Information Security of the Federal Service for Technical and Export Control” (FGU “GNIII PTZI FSTEC of Russia”) and the Limited Liability Company Research and Production Company “Kristall” (OOO NPF “Kristall”)

2 INTRODUCED by the Department of Technical Regulation and Standardization of the Federal Agency for Technical Regulation and Metrology

3 APPROVED AND ENTERED INTO EFFECT by order of the Federal Agency for Technical Regulation and Metrology dated December 18, 2008 No. 532-st

4 INTRODUCED FOR THE FIRST TIME

Information about changes to this standard is published in the annually published information index “National Standards” and the text of changes and amendments is published in the monthly published information index “National Standards”. In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the monthly published information index “National Standards”. Relevant information, notifications and texts are also posted in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet

© Standartinform, 2009

This standard cannot be fully or partially reproduced, replicated or distributed as an official publication without permission from the Federal Agency for Technical Regulation and Metrology


1 Scope

2 Normative references

3 Terms and definitions

3.1 General concepts

3.2 Terms related to the object of information protection

3.3 Terms related to information security threats

3.4 Terms related to organizational information security management

3.5 Terms related to the control and assessment of an organization's information security

3.6 Terms related to the organization's information security controls

Alphabetical index of terms

Appendix A (for reference) Terms and definitions of general technical concepts

Appendix B (for reference) Interrelation of basic concepts in the field of information security in an organization

Bibliography


Introduction

The terms established by this standard are arranged in a systematic order, reflecting the system of concepts in this field of knowledge.

There is one standardized term for each concept.

The presence of square brackets in a terminology article means that it includes two terms that have common term elements. These terms are listed separately in the alphabetical index.

The part of a term enclosed in parentheses may be omitted when using the term in standardization documents, while the part of the term not included in parentheses forms its short form. Following the standardized terms are their short forms, separated by semicolons, represented by abbreviations.

The given definitions can be changed, if necessary, by introducing derived characteristics into them, revealing the meanings of the terms used in them or indicating the objects included in the scope of the defined concept.

Changes must not affect the scope and content of the concepts defined in this standard.

Standardized terms are set in bold type; their short forms, including abbreviations, are set in light type both in the text and in the alphabetical index; synonyms are set in italics.

Terms and definitions of general technical concepts necessary for understanding the text of the main part of this standard are given in Appendix A.


NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Data protection

ENSURING INFORMATION SECURITY IN THE ORGANIZATION

Basic terms and definitions

Protection of information. Information security provision in organizations.

Basic terms and definitions

Date of introduction - 2009-10-01

1 Scope

This standard establishes the basic terms used when carrying out standardization work in the field of information security in an organization.

The terms established by this standard are recommended for use in regulatory documents, legal, technical and organizational and administrative documentation, scientific, educational and reference literature.

This standard is applied in conjunction with GOST 34.003, GOST 19781, GOST R 22.0.02, GOST R 51897, GOST R 50922, GOST R 51898, GOST R 52069.0, GOST R 51275, GOST R ISO 9000, GOST R ISO 9001, GOST R ISO 14001, GOST R ISO/IEC 27001, GOST R ISO/IEC 13335-1, [2].

The terms given in this standard comply with the provisions of the Federal Law of the Russian Federation of December 27, 2002 No. 184-FZ “On Technical Regulation” [3], the Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”, the Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ “On Personal Data”, and the Information Security Doctrine of the Russian Federation, approved by the President of the Russian Federation on September 9, 2000, Pr-1895.

2 Normative references

GOST R 22.0.02-94 Safety in emergency situations. Terms and definitions of basic concepts

GOST R ISO 9000-2001 Quality management systems. Fundamentals and Vocabulary

GOST R ISO 9001-2008 Quality management systems. Requirements

GOST R ISO 14001-2007 Environmental management systems. Requirements and instructions for use

GOST R ISO/IEC 13335-1-2006 Information technology. Methods and means of ensuring security. Part 1. Concept and models of security management of information and telecommunication technologies

GOST R ISO/IEC 27001-2006 Information technology. Methods and means of ensuring security. Information security management systems. Requirements

GOST R 50922-2006 Information protection. Basic terms and definitions

GOST R 51275-2006 Information protection. Information object. Factors influencing information. General provisions

GOST R 51897-2002 Risk management. Terms and Definitions


GOST R 51898-2003 Safety aspects. Rules for inclusion in standards

GOST R 52069.0-2003 Information protection. System of standards. Basic provisions

GOST 34.003-90 Information technology. Set of standards for automated systems. Automated systems. Terms and definitions

GOST 19781-90 Software for information processing systems. Terms and Definitions

Note - When using this standard, it is advisable to check the validity of the reference standards in the public information system, on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet, or according to the annually published information index “National Standards”, published as of January 1 of the current year, and the corresponding monthly information indexes published in the current year. If a reference standard has been replaced (amended), then when using this standard one should be guided by the replacing (amended) standard. If a reference standard has been cancelled without replacement, the provision that refers to it applies in the part that does not affect this reference.

3 Terms and definitions

3.1 General concepts

3.1.1 security of information [data]: The state of security of information [data], in which its [their] confidentiality, availability and integrity are ensured.

[GOST R 50922-2006, clause 2.4.5]

3.1.2 information technology security: The state of security of information technology which ensures the security of the information it is used to process and the information security of the information system in which it is implemented.

[R 50.1.056-2006, clause 2.4.5]

3.1.3 information sphere: The totality of information, information infrastructure, subjects carrying out the collection, formation, dissemination and use of information, as well as the systems regulating the social relations that arise in this process.

3.1.4 information infrastructure: A set of informatization objects that provides consumers with access to information resources.

3.1.5 informatization object: A set of information resources, tools and information processing systems used in accordance with a given information technology, as well as support facilities, premises or facilities (buildings, structures, technical means) in which these tools and systems are installed, or premises and facilities intended for conducting confidential negotiations.

[GOST R 51275-2006, clause 3.1]

3.1.6 assets of the organization: Everything that is of value to the organization in the interests of achieving its goals and is at its disposal.

Note - An organization's assets may include:

information assets, including various types of information circulating in the information system (service, management, analytical, business, etc.) at all stages of the life cycle (generation, storage, processing, transmission, destruction);

resources (financial, human, computing, information, telecommunications and others);

processes (technological, information, etc.);

manufactured products or services provided.


3.1.7 information processing system resource: An information processing system facility that can be allocated to the data processing process for a certain time interval.

Note - The main resources are processors, main memory areas, data sets, peripheral devices and programs.

[GOST 19781-90, clause 93]

3.1.8 information process: The process of creation, collection, processing, accumulation, storage, search, dissemination and use of information.

3.1.9 information technology; IT: Processes, methods of searching, collecting, storing, processing, providing and disseminating information and the ways of carrying out such processes and methods.

[Federal Law of the Russian Federation dated December 27, 2002 No. 184-FZ, article 2, paragraph 2]

3.1.10 technical support of the automated system; technical support of the AS: The totality of all technical means used in the operation of the AS.

[GOST 34.003-90, clause 2.5]

3.1.11 automated system software; AS software: A set of programs on storage media and program documents intended for debugging, operating and testing the functionality of the AS.

[GOST 34.003-90, clause 2.7]

3.1.12 information support of the automated system; information support of the AS: A set of document forms, classifiers, regulatory framework and implemented solutions on the volume, placement and forms of existence of information used in the AS during its operation.

[GOST 34.003-90, clause 2.8]

3.1.13 service: The result of the performer's activities to satisfy the consumer's needs.

Note - An organization, an individual or a process can act as the performer (consumer) of a service.

3.1.14 information technology services; IT services: The set of functional capabilities of information and, possibly, non-information technology provided to end users as a service.

Note - Examples of IT services include messaging, business applications, file and print services, network services, etc.

3.1.15 critical information infrastructure system; key information infrastructure system: An information management or information telecommunication system that manages or provides information to a critical object or process, or is used to officially inform society and citizens, the disruption or interruption of whose functioning (as a result of destructive information influences, as well as failures or malfunctions) can lead to an emergency with significant negative consequences.

3.1.16 critical object: An object or process, disruption of the continuity of whose operation could cause significant damage.


Note - Damage may be caused to the property of individuals or legal entities, to state or municipal property or to the environment, as well as harm to the life or health of citizens.

3.1.17 personal data information system: An information system that is a set of personal data contained in a database, as well as information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools.

3.1.18 personal data: Any information relating to an individual identified or identifiable on the basis of such information (the subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information.

3.1.19 automated system in a protected design; AS in a protected version: An automated system that implements information technology to perform established functions in accordance with the requirements of standards and/or regulatory documents on information protection.

3.2 Terms related to the object of information protection

3.2.1 information security of the organization; IS of the organization: The state of protection of the interests of the organization in the face of threats in the information sphere.

Note - Security is achieved by ensuring a set of information security properties - confidentiality, integrity, availability of information assets and the organization's infrastructure. The priority of information security properties is determined by the significance of information assets for the interests (goals) of the organization.

3.2.2 object of information protection: Information or information carrier, or information process, which must be protected in accordance with the purpose of protecting information.

[GOST R 50922-2006, clause 2.5.1]

3.2.3 protected process (information technology): A process used by information technology to process protected information with the required level of its security.

3.2.4 violation of the organization's information security; violation of the organization's IS: Accidental or intentional unlawful action of an individual (subject, object) in relation to the organization's assets, the consequence of which is a violation of the security of information when it is processed by technical means in information systems, causing negative consequences (damage/harm) for the organization.

3.2.5 emergency situation; emergency: A situation in a certain territory or water area that has developed as a result of an accident, a dangerous natural phenomenon, a catastrophe, a natural or other disaster, which may result in or has entailed human casualties, damage to human health or the environment, significant material losses and disruption of people's living conditions.

Note - Emergency situations are distinguished by the nature of the source (natural, man-made, biological-social and military) and by scale (local, municipal, territorial, regional, federal and transboundary).

[GOST R 22.0.02-94, clause 2.1.1]


3.2.6 hazardous situation: Circumstances in which people, property or the environment are at risk.

[GOST R 51898-2003, clause 3.6]

3.2.7 information security incident: Any unexpected or unwanted event that may disrupt operations or information security.

Note - Information security incidents include:

loss of services, equipment or devices;

system failures or overloads;

user errors;

violation of physical protection measures;

uncontrolled changes to systems;

software failures and hardware failures;

violation of access rules.

[GOST R ISO/IEC 27001-2006, clause 3.6]

3.2.8 event: The occurrence or presence of a certain set of circumstances.

Notes

1 The nature, likelihood and consequences of the event may not be fully known.

2 An event can occur one or more times.

3 The probability associated with an event can be estimated.

4 An event may consist of the non-occurrence of one or more circumstances.

5 An unpredictable event is sometimes called an "incident".

6 An event in which no losses occur is sometimes called a precursor to an incident (a near miss), a dangerous condition, a dangerous combination of circumstances, etc.

3.2.9 risk: The impact of uncertainties on the process of achieving goals.

Notes

1 Goals can have different aspects: financial, health, safety and environmental aspects, and can be set at different levels: at the strategic level, at the organizational level, at the project, product and process levels.

3 Risk is often expressed in terms of a combination of the consequences of an event or change in circumstances and their likelihood.

3.2.10 risk assessment: A process that combines risk identification, risk analysis and risk quantification.

[GOST R ISO/IEC 13335-1-2006, clause 2.21]

3.2.11 information security risk assessment (of the organization); information security risk assessment (organization): The overall process of identifying, analyzing and determining the acceptability of an organization's information security risk level.

3.2.12 risk identification: The process of detecting, recognizing and describing risks.

Notes

1 Risk identification includes the identification of risk sources, events and their causes, as well as their possible consequences.

2 Risk identification may make use of statistical data, theoretical analysis, informed views and expert opinions, and stakeholder needs.


3.2.13 risk analysis: The systematic use of information to identify sources of risk and quantify risk.

[GOST R ISO/IEC 27001-2006, clause 3.11]

3.2.14 risk acceptability determination: The process of comparing the results of a risk analysis with risk criteria to determine the acceptability or tolerability of the risk level.

Note - Determining the acceptability of the level of risk helps to make risk treatment decisions.

3.2.15 treatment of the organization's information security risk; treatment of the organization's IS risk: The process of developing and/or selecting and implementing measures to manage an organization's information security risks.

Notes

1 Risk treatment may include:

avoiding the risk by deciding not to initiate or continue activities that create conditions;

seeking an opportunity by deciding to initiate or continue activities that may create or increase the risk;

eliminating the source of risk;

changing the nature and magnitude of the risk;

changing the consequences;

sharing the risk with another party or parties;

retaining the risk, whether by a conscious decision or “by default”.

2 Risk treatments that address negative consequences are sometimes called risk mitigation, elimination, prevention, reduction, suppression and correction.

3.2.16 risk management: Coordinated actions to direct and control the organization's activities in relation to risks.

3.2.17 source of risk for the organization's information security; source of the organization's IS risk: An object or action that can cause (create) a risk.

Notes

1 There is no risk if there is no interaction between an object, person or organization with the source of risk.

2 The source of risk can be tangible or intangible.

3.2.18 information security policy (of the organization); information security policy (organization): A formal statement of the information security rules, procedures, practices, or guidelines that guide an organization's activities.

Note - A policy must contain:

the subject, main goals and objectives of the security policy;

the conditions for applying the security policy and possible restrictions;

a description of the position of the organization's management regarding the implementation of the security policy and the organization of the information security regime as a whole;

the rights and duties of employees, and the degree of their responsibility, for compliance with the organization's security policy;

emergency procedures in case of a security policy violation.

3.2.19 information security goal (of the organization); IS (organization) goal: A predetermined result of ensuring the information security of an organization in accordance with the established requirements in the IS (organization) policy.

Note - The result of ensuring information security may be the prevention of damage to the information owner due to possible information leakage and (or) unauthorized and unintentional impact on information.

3.2.20 system of documents on information security in the organization; system of information security documents in an organization: An ordered set of documents united by a common purpose, interconnected on the basis of origin, purpose, type, scope of activity and uniform requirements for their design, and regulating the organization's activities to ensure information security.


3.3 Terms related to information security threats

3.3.1 threat to the organization’s information security; information security threat to an organization: A set of factors and conditions that create a danger of a violation of an organization’s information security, causing or capable of causing negative consequences (damage/harm) for the organization.

Notes

1 The form of realization (manifestation) of an information security threat is the occurrence of one or more interrelated information security events and information security incidents, leading to violations of the information security properties of the organization's protected object(s).

2 A threat is characterized by the presence of an object of threat, a source of threat and a manifestation of the threat.

3.3.2 threat (information security): A set of conditions and factors that create a potential or actual danger of a violation of information security.

[GOST R 50922-2006, clause 2.6.1]

3.3.3 threat (information security) model: Physical, mathematical, descriptive representation of the properties or characteristics of information security threats.

Note - A special regulatory document can be one form of descriptive representation of the properties or characteristics of information security threats.

3.3.4 vulnerability (of an information system); breach: A property of an information system that makes it possible to realize threats to the security of the information processed in it.

Notes

1 A deficiency or weakness in the information system may be the condition that allows a threat to the security of the information processed in it to be realized.

2 If a vulnerability corresponds to a threat, then a risk exists.

[GOST R 50922-2006, clause 2.6.4]

3.3.5 violator of the organization’s information security; organization's information security violator: An individual or logical entity that accidentally or intentionally committed an action, the consequence of which is a violation of the organization's information security.

3.3.6 unauthorized access: Access to information or to the resources of an automated information system carried out in violation of established access rights and (or) rules.

Notes

1 Unauthorized access may be intentional or unintentional.

2 Rights and rules for access to information and information system resources are established for information processing, maintenance of the automated information system, changes to its software, technical and information resources, and obtaining information about them.

3.3.7 network attack: Actions using software and (or) hardware and using a network protocol, aimed at implementing threats of unauthorized access to information, influencing it or the resources of an automated information system.

Note - A network protocol is a set of semantic and syntactic rules that determine the interaction of network management programs located on one computer with programs of the same name located on another computer.

3.3.8 blocking access (to information): Termination or hindrance of access to information for persons entitled to it (legitimate users).

3.3.9 denial of service attack: Network attack leading to blocking of information processes in an automated system.

3.3.10 information leakage: Uncontrolled dissemination of protected information as a result of its disclosure, unauthorized access to information and receipt of protected information by foreign intelligence services.

3.3.11 disclosure of information: Unauthorized communication of protected information to persons not authorized to access this information.


3.3.12 interception (of information): Illegal receipt of information using a technical means that detects, receives and processes informative signals.

[R 50.1.053-2005, clause 3.2.5]

3.3.13 informative signal: A signal whose parameters can be used to determine the protected information.

[R 50.1.053-2005, clause 3.2.6]

3.3.14 undeclared capabilities: Functional capabilities of computer hardware and software that are not described in the documentation, or do not correspond to those described in it, and which may lead to a decrease in or violation of the security properties of information.

3.3.15 spurious electromagnetic radiation and interference: Electromagnetic radiation from technical information processing equipment, arising as a side effect and caused by electrical signals acting in their electrical and magnetic circuits, as well as electromagnetic interference of these signals on conductive lines, structures and power circuits.

3.4 Terms related to organizational information security management

3.4.1 information security management of the organization; organization's information security management: Coordinated actions to guide and manage the organization with regard to ensuring its information security under the changing conditions of its internal and external environment.

3.4.2 information security risk management of the organization; organization's information security risk management: Coordinated actions to guide and manage an organization in relation to information security risk in order to minimize it.

Note - The core processes of risk management are establishing the context, assessing the risk, treating and accepting the risk, and monitoring and reviewing the risk.

3.4.3 information security management system; ISMS: That part of the overall management system, based on a business risk assessment approach, intended for the establishment, implementation, operation, monitoring, review, maintenance and improvement of information security.

Note - A management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

[GOST R ISO/IEC 27001-2006, clause 3.7]

3.4.4 the role of information security in the organization; role of information security in an organization: A set of specific functions and tasks for ensuring the information security of an organization that establish acceptable interaction between a subject and an object in an organization.

Notes

1 Subjects include persons from among the organization's managers and its personnel, or processes initiated on their behalf to perform actions on objects.

2 Objects can be hardware, software, software and hardware, or an information resource on which actions are performed.

3.4.5 information security service of an organization: The organizational and technical structure of the information security management system of an organization that implements the solution of a specific task aimed at countering threats to the organization’s information security.

3.5 Terms related to monitoring and assessing an organization's information security

3.5.1 control over ensuring the information security of the organization; control of the organization's information security provision: Verification of the compliance of information security provision in the organization.


3.5.2 monitoring the organization’s information security; organization's information security monitoring: Constant monitoring of the information security process in the organization in order to establish its compliance with information security requirements.

3.5.3 audit of the organization's information security; organization's information security audit: A systematic, independent and documented process of obtaining evidence of the organization's activities to ensure information security and establishing the degree to which information security criteria are fulfilled in the organization, which also makes it possible to form a professional audit judgement about the state of the organization's information security.

3.5.4 evidence (proof) of an organization's information security audit; organization's information security audit evidence: Records, statements of fact or other information that are relevant to the organization's information security audit criteria and can be verified.

Note - Information security audit evidence can be qualitative or quantitative.

3.5.5 assessment of compliance of the organization’s information security with established requirements; assessment of an organization's information security compliance with established requirements: Activities involved in directly or indirectly determining compliance or non-compliance with established information security requirements in an organization.

3.5.6 criterion for auditing an organization's information security; organization's information security audit criterion: A set of principles, provisions, requirements and indicators of current regulatory documents related to the organization's activities in the field of information security.

Note - Information security audit criteria are the reference against which information security audit evidence is compared.

3.5.7 certification of an automated system in a secure design: The process of comprehensive verification that the specified functions of an automated system for processing protected information comply with the requirements of standards and/or regulatory documents in the field of information protection, and the preparation of documents confirming its compliance for performing the function of processing protected information at a specific informatization object.

3.5.8 criterion for ensuring the information security of the organization; organization's information security criterion: An indicator on the basis of which the degree of achievement of the organization's information security goal(s) is assessed.

3.5.9 effectiveness of information security; effectiveness of information security: The relationship between the achieved result and the resources used to ensure a given level of information security.

3.6 Terms related to an organization's information security controls

3.6.1 ensuring the information security of the organization; providing an organization's information security: Activities aimed at eliminating (neutralizing, countering) internal and external threats to an organization's information security or minimizing damage from the possible implementation of such threats.

3.6.2 security measure; security control: An established practice, procedure or mechanism for handling risk.

3.6.3 measures to ensure information security; information security measures: A set of actions aimed at the development and/or practical application of methods and means of ensuring information security.

3.6.4 organizational measures to ensure information security; organizational information security measures: Information security measures that establish time, territorial, spatial, legal, methodological and other restrictions on the conditions of use and operating modes of an informatization object.

3.6.5 technical means of ensuring information security; information security technical means: Equipment used to ensure the information security of an organization using non-cryptographic methods.

Note - Such equipment can be represented by hardware and software built into the protected object and/or operating autonomously (independent of the protected object).


3.6.6 intrusion detection tool; attack detection tool: A software or software-and-hardware tool that automates the process of monitoring events occurring in a computer system or network and also independently analyzes these events in search of signs of an information security incident.

3.6.7 means of protection against unauthorized access: Software, hardware or software and hardware designed to prevent or significantly hinder unauthorized access.


Alphabetical index of terms

organization assets 3.1.6

risk analysis 3.2.13

AS in a secure design 3.1.19

denial of service attack 3.3.9

network attack 3.3.7

certification of an automated system in a protected version 3.5.7

organization information security audit 3.5.3

organization IS audit 3.5.3

security (of information) 3.1.1

information security 3.1.1

information technology security 3.1.2

organization information security 3.2.1

blocking access (to information) 3.3.8

breach 3.3.4

undeclared capabilities 3.3.14

personal data 3.1.18

unauthorized access 3.3.6

organizational information security 3.2.1

risk identification 3.2.12

information infrastructure 3.1.4

information security incident 3.2.7

source of organizational information security risk 3.2.17

source of risk for the organization's information security 3.2.17

control of the organization's information security 3.5.1

control over the information security of the organization 3.5.1

criteria for ensuring the organization's information security 3.5.8

organizational IS audit criterion 3.5.6

organization information security audit criterion 3.5.6

criterion for ensuring information security of the organization 3.5.8

organization information security management 3.4.1

organization IS management 3.4.1

organization information security risk management 3.4.2

organization IS risk management 3.4.2

security measure 3.6.2

security control 3.6.2

information security measures 3.6.3

organizational information security measures 3.6.4

IS measures 3.6.3

organizational IS measures 3.6.4

threat model (information security) 3.3.3

organization information security monitoring 3.5.2

monitoring of organization information security 3.5.2

violation of the organization's information security 3.2.4

organization IS violation 3.2.4

organization information security violator 3.3.5

violator of an organization's information security 3.3.5

automated system information support 3.1.12

automated system software 3.1.11

technical support of the automated system 3.1.10

AS information support 3.1.12

AS software 3.1.11

AS technical support 3.1.10

ensuring the organization's information security 3.6.1

ensuring the information security of the organization 3.6.1

organization's information security risk treatment 3.2.15

handling the organization's IS risk 3.2.15

information protection object 3.2.2

informatization object 3.1.5

critical object 3.1.16

determination of acceptable level of risk 3.2.14

risk assessment 3.2.10

IS risk assessment (organization) 3.2.11

information security risk assessment (organization) 3.2.11

assessing the organization's IS compliance with established requirements 3.5.5

assessment of compliance of the organization's information security with established requirements 3.5.5

interception (information) 3.3.12

IS policy (organization) 3.2.18

information security policy (organization) 3.2.18

protected process (of information technology) 3.2.3

information process 3.1.8

disclosure of information 3.3.11

information processing system resource 3.1.7

role of information security in the organization 3.4.4

role of IS in the organization 3.4.4

evidence (proof) of an organization's IS audit 3.5.4

evidence (proof) of an organization's information security audit 3.5.4

service 3.1.13

informative signal 3.3.13

secure automated system 3.1.19

information security document system in the organization 3.2.20

system of documents on information security in the organization 3.2.20

key information infrastructure system 3.1.15

critical information infrastructure system 3.1.15

information security management system 3.4.3

personal data information system 3.1.17

unforeseen situation 3.2.5

dangerous situation 3.2.6

emergency situation 3.2.5

organization information security service 3.4.5

event 3.2.8

means of protection against unauthorized access 3.6.7

technical information security tool 3.6.5

technical IS means 3.6.5

attack detection tool 3.6.6

intrusion detection tool 3.6.6

information sphere 3.1.3

information technology 3.1.9

threat (information security) 3.3.2

threat to the organization's information security 3.3.1

organization IS threat 3.3.1

risk management 3.2.16

service 3.1.13

information technology services 3.1.14

IT services 3.1.14

information leak 3.3.10

vulnerability (information system) 3.3.4

IS goal (organization) 3.2.19

information security goal (organization) 3.2.19

spurious electromagnetic radiation and interference 3.3.15

IS efficiency 3.5.9

effectiveness of information security 3.5.9


Appendix A (reference)

Terms and definitions of general technical concepts

A.1 organization: A group of workers and necessary resources with the distribution of responsibilities, powers and relationships.

[GOST R ISO 9000-2001, clause 3.3.1]

Notes

1 Organizations include: company, corporation, firm, enterprise, institution, charitable organization, retail trade enterprise, association, as well as their subdivisions or a combination of them.

2 The distribution is usually ordered.

3 An organization can be public or private.

A.2 business: Economic activity that produces profit; any type of activity that generates income and is a source of enrichment.

A.3 business process: Processes used in the economic activities of an organization.

A.4 information: Information (messages, data) regardless of the form of its presentation.

A.5 assets: Everything that is of value to the organization.

[GOST R ISO/IEC 13335-1-2006, clause 2.2]

A.6 resources: Assets (of an organization) that are used or consumed during the execution of a process.

Notes

1 Resources can include such diverse items as personnel, equipment, fixed assets, tools, and utilities such as energy, water, fuel and communications network infrastructure.

2 Resources can be reusable, renewable or consumable.

A.7 danger: A property of an object that characterizes its ability to cause damage or harm to other objects.

A.8 emergency event: An event leading to an emergency situation.

A.9 damage: Physical damage or harm to human health or damage to property or the environment.

A.10 threat: A set of conditions and factors that can cause a violation of integrity, availability or confidentiality.

A.11 vulnerability: Internal properties of an object that create susceptibility to the effects of a risk source that can lead to some consequence.

A.12 attack: An attempt to overcome the security system of an information system.

Note - The degree of "success" of an attack depends on the vulnerability and the effectiveness of the security system.

A.13 management: Coordinated activities to direct and control the organization.

A.14 business (continuity) management: Coordinated activities to direct and control the organization's business processes.

A.15 role: A predetermined set of rules and procedures for the activities of an organization that establish acceptable interaction between the subject and object of the activity.

A.16 owner of information: A person who independently created information or received, on the basis of law or agreement, the right to permit or restrict access to information determined by any criteria.


A.17 infrastructure: The totality of buildings, equipment and support services necessary for the functioning of an organization.

[GOST R ISO 9000-2001, clause 3.3.3]

A.18 audit: A systematic, independent and documented process of obtaining audit evidence and evaluating it objectively to determine the extent to which agreed audit criteria have been met.

Notes

1 Internal audits, called first-party audits, are carried out for internal purposes by the organization itself or on its behalf by another organization. The results of an internal audit may serve as the basis for a declaration of conformity. In many cases, especially in small enterprises, the audit must be carried out by specialists who are not responsible for the activity being audited.

2 External audits include those called second-party audits and third-party audits. Second-party audits are carried out by parties having an interest in the enterprise's activities, for example consumers, or by other persons on their behalf. Third-party audits are carried out by external independent organizations. Such organizations carry out certification or registration of conformity with requirements, for example the requirements of GOST R ISO 9001 and GOST R ISO 14001.

3 An audit of quality management systems and environmental management systems carried out simultaneously is called a “comprehensive audit”.

4 If the audit of the audited organization is carried out simultaneously by several organizations, then such an audit is called a “joint audit”.

A.19 monitoring: Systematic or continuous monitoring of an object, ensuring control and/or measurement of its parameters, as well as conducting analysis to predict the variability of parameters and make decisions on the need and composition of corrective and preventive actions.

A.20 declaration of conformity: A form of confirmation of product compliance with the requirements of technical regulations.

A.21 technology: A system of interrelated methods, ways and techniques of purposeful activity.

A.22 document: Information recorded on a tangible medium with details that allow it to be identified.

[GOST R 52069.0-2003, clause 3.18]

A.23 information processing: A set of operations of collection, accumulation, input, output, reception, transmission, recording, storage, registration, destruction, transformation, display, carried out on information.


Appendix B (for reference)

The relationship of basic concepts in the field of information security in an organization

The relationship between the basic concepts is shown in Figure B.1.


Figure B.1 - relationship between basic concepts


Bibliography

[1] R 50.1.053-2005 Information technology. Basic terms and definitions in the field of technical information security

[2] R 50.1.056-2005 Technical information security. Basic terms and definitions

About technical regulation

About information, information technologies and information protection

About personal data

Information Security Doctrine of the Russian Federation

UDC 351.864.1:004:006.354 OKS 35.020 LLP

Key words: information, information security, information security in an organization, threats to information security, information security criteria

Technical editor V.N. Prusakova.

Sent for typesetting 11/06/2009. Signed for printing 12/01/2009. Format 60×84. Offset paper. Arial typeface. Offset printing. Printed sheets 2.32. Publisher's sheets 1.90. Circulation 373 copies. Order 626.

FSUE "STANDARTINFORM", 123995 Moscow, Granatny per., 4.

Typeset at FSUE "STANDARTINFORM" on a PC.

Printed at the branch of FSUE "STANDARTINFORM", "Moscow Printer" printing house, 105062 Moscow, Lyalin per., 6.

  • GOST 22731-77 Data transmission systems, data link control procedures in the main mode for half-duplex information exchange
  • GOST 26525-85 Data processing systems. Usage metrics
  • GOST 27771-88 Procedural characteristics at the interface between data terminal equipment and data channel termination equipment. General requirements and standards
  • GOST 28082-89 Information processing systems. Methods for detecting errors in serial data transmission
  • GOST 28270-89 Information processing systems. Data Description File Specification for Information Exchange
  • GOST R 43.2.11-2014 Information support for equipment and operator activities. Operator language. Structured presentation of text information in message formats
  • GOST R 43.2.8-2014 Information support for equipment and operator activities. Operator language. Message Formats for Technical Activities
  • GOST R 43.4.1-2011 Information support for equipment and operator activities. “Man-information” system
  • GOST R 53633.10-2015 Information technologies. Telecommunications control network. Extended Communications Organization Operational Framework (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Organizational risk management
  • GOST R 53633.11-2015 Information technologies. Telecommunications control network. Extended communication organization activity diagram (eTOM). Decomposition and process descriptions. eTOM Level 2 Processes. Organization management. Organizational Performance Management
  • GOST R 53633.4-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Service management and operation
  • GOST R 53633.7-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Development and resource management
  • GOST R 53633.9-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Planning strategy and development of the organization
  • GOST R 55767-2013 Information technology. European ICT Competence Framework 2.0. Part 1. Common European Competence Framework for ICT Professionals for all Industry Sectors
  • GOST R 55768-2013 Information technology. Model of an open Grid system. Basic provisions
  • GOST R 56093-2014 Information protection. Automated systems in a secure design. Means for detecting intentional force electromagnetic influences. General requirements
  • GOST R 56115-2014 Information protection. Automated systems in a secure design. Means of protection against intentional force electromagnetic influences. General requirements
  • GOST R 56545-2015 Information protection. Vulnerabilities of information systems. Rules for describing vulnerabilities
  • GOST R 56546-2015 Information protection. Vulnerabilities of information systems. Classification of information system vulnerabilities
  • GOST IEC 60950-21-2013 Information technology equipment. Safety requirements. Part 21. Remote power supply
  • GOST IEC 60950-22-2013 Information technology equipment. Safety requirements. Part 22. Equipment intended for installation outdoors
  • GOST R 51583-2014 Information protection. The procedure for creating automated systems in a secure design. General provisions
  • GOST R 55766-2013 Information technology. European ICT Competence Framework 2.0. Part 3. Creation of e-CF - combining methodological foundations and expert experience
  • GOST R 55248-2012 Electrical safety. Classification of interfaces for equipment connected to information and communication technology networks
  • GOST R 43.0.11-2014 Information support for equipment and operator activities. Databases in technical activities
  • GOST R 56174-2014 Information technologies. Architecture of services of an open Grid environment. Terms and Definitions
  • GOST IEC 61606-4-2014 Audio and audiovisual equipment. Components of digital audio equipment. Basic methods for measuring sound characteristics. Part 4. Personal computer
  • GOST R 43.2.5-2011 Information support for equipment and operator activities. Operator language. Grammar
  • GOST R 53633.5-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Marketing and product offering management
  • GOST R 53633.6-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Service development and management
  • GOST R 53633.8-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Supply chain development and management
  • GOST R 43.0.7-2011 Information support for equipment and operator activities. Hybrid-intellectualized human-information interaction. General provisions
  • GOST R 43.2.6-2011 Information support for equipment and operator activities. Operator language. Morphology
  • GOST R 53633.14-2016 Information technologies. Telecommunications management network is an extended communications organization operation framework (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Stakeholder and external relations management
  • GOST R 56938-2016 Information protection. Information protection when using virtualization technologies. General provisions
  • GOST R 56939-2016 Information protection. Secure software development. General requirements
  • GOST R ISO/IEC 17963-2016 Specification of web services for management (WS-management)
  • GOST R 43.0.6-2011 Information support for equipment and operator activities. Naturally intellectualized human-information interaction. General provisions
  • GOST R 54817-2011 Ignition of audio, video, information technology and communications equipment accidentally caused by a candle flame
  • GOST R IEC 60950-23-2011 Information technology equipment. Safety requirements. Part 23. Equipment for storing large volumes of data
  • GOST R IEC 62018-2011 Energy consumption of information technology equipment. Measurement methods
  • GOST R 53538-2009 Multi-pair cables with copper conductors for broadband access circuits. General technical requirements
  • GOST R 53633.0-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). General structure of business processes
  • GOST R 53633.1-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Managing relationships with suppliers and partners
  • GOST R 53633.2-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Resource Management and Operation
  • GOST R 53633.3-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Customer Relationship Management
  • GOST R ISO/IEC 20000-2-2010 Information technology. Service management. Part 2: Code of Practice
  • GOST R 43.0.3-2009 Information support for equipment and operator activities. Noon technology in technical activities. General provisions
  • GOST R 43.0.4-2009 Information support for equipment and operator activities. Information in technical activities. General provisions
  • GOST R 43.0.5-2009 Information support for equipment and operator activities. Information exchange processes in technical activities. General provisions
  • GOST R 43.2.1-2007 Information support for equipment and operator activities. Operator language. General provisions
  • GOST R 43.2.2-2009 Information support for equipment and operator activities. Operator language. General provisions for use
  • GOST R 43.2.3-2009 Information support for equipment and operator activities. Operator language. Types and properties of iconic components
  • GOST R 43.2.4-2009 Information support for equipment and operator activities. Operator language. Syntactics of sign components
  • GOST R 52919-2008 Information technology. Methods and means of physical protection. Classification and test methods for fire resistance. Data rooms and containers
  • GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions
  • GOST R 53245-2008 Information technologies. Structured cable systems. Installation of the main components of the system. Test methods
  • GOST R 53246-2008 Information technologies. Structured cable systems. Design of the main components of the system. General requirements
  • GOST R IEC 60990-2010 Methods for measuring touch current and protective conductor current
  • GOST 33707-2016 Information technologies. Dictionary
  • GOST R 57392-2017 Information technologies. Service management. Part 10. Basic concepts and terminology
  • GOST R 43.0.13-2017 Information support for equipment and operator activities. Directed training of specialists
  • GOST R 43.0.8-2017 Information support for equipment and operator activities. Artificially intellectualized human-information interaction. General provisions
  • GOST R 43.0.9-2017 Information support for equipment and operator activities. Informational resources
  • GOST R 43.2.7-2017 Information support for equipment and operator activities. Operator language. Syntax
  • GOST R ISO/IEC 38500-2017 Information technology. Strategic IT management in an organization
  • GOST R 43.0.10-2017 Information support for equipment and operator activities. Information objects, object-oriented design in the creation of technical information
  • GOST R 53633.21-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.1 - Support and Availability of SM&O Processes
  • GOST R 57875-2017 Telecommunications. Connection diagrams and grounding in telecommunication centers
  • GOST R 53633.22-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.2 - Configuring and activating services

International standards

  • BS 7799-1:2005 - British Standard BS 7799, first part. BS 7799 Part 1 - Code of Practice for Information Security Management - describes the 127 controls required to build an organization's information security management system (ISMS), determined on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS.
  • BS 7799-2:2005 - British Standard BS 7799, second part. BS 7799 Part 2 - Information Security Management - Specification for Information Security Management Systems - specifies the ISMS requirements. The second part of the standard is used as the criteria during the official certification procedure for an organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799, third part. A new standard in information security risk management.
  • ISO/IEC 17799:2005 - "Information technology - Security technologies - Information security management practice." International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001:2005 - "Information technology - Security techniques - Information security management systems - Requirements." International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Now: ISO/IEC 17799:2005. "Information technologies - Security technologies - Practical rules for information security management." Release date: 2007.
  • ISO/IEC 27005 - Now: BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical information security.
  • GOST R 51188-98 - Information protection. Testing software for computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional safety requirements.
  • GOST R ISO/IEC 15408-3-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - “General criteria for assessing the security of information technologies” (the Common Criteria) - a standard that defines tools and methods for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, allowing the consumer to make decisions about the security of products. The scope of application of the “General Criteria” is the protection of information from unauthorized access, modification or leakage, and other methods of protection implemented by hardware and software.
  • GOST R ISO/IEC 17799 - “Information technologies. Practical rules for information security management.” Direct application of the international standard with the addition of ISO/IEC 17799:2005.
  • GOST R ISO/IEC 27001 - “Information technologies. Security methods. Information security management system. Requirements". The direct application of the international standard is ISO/IEC 27001:2005.
  • GOST R 51898-2002: Safety aspects. Rules for inclusion in standards.

Guiding Documents

  • RD SVT. Protection against NSD (unauthorized access). Security indicators from NSD to information - contains a description of the security indicators of information systems and the requirements for security classes.

See also

  • Undeclared capabilities

External links

  • International Information Security Management Standards

Wikimedia Foundation. 2010.

The importance of ensuring information security is difficult to overestimate, since the need to store and transfer data is an integral part of running any business.

Various methods of information security depend on the form in which the information is stored; however, in order to systematize and streamline this area, it is necessary to establish information security standards, since standardization is an important determinant of quality in assessing the services provided.

Any provision of information security requires control and verification, which cannot be carried out only by individual assessment, without taking into account international and state standards.

The formation of information security standards occurs after a clear definition of its functions and boundaries. Information security is ensuring the confidentiality, integrity and availability of data.

To determine the state of information security, a qualitative assessment is most applicable: although the degree of security or vulnerability can be expressed as a percentage, such a figure does not give a complete and objective picture.

To assess and audit the security of information systems, you can apply a number of instructions and recommendations, which imply regulatory support.

State and international information security standards

Monitoring and assessment of the security state is carried out by checking compliance with state standards (GOST, ISO) and international standards (ISO, Common Criteria for IT Security).

The international set of standards developed by the International Organization for Standardization (ISO) is a set of practices and recommendations for the implementation of information security systems and equipment.

The ISO 27000 series is one of the most widely applied sets of assessment standards; it comprises more than 15 sequentially numbered documents.

According to the ISO 27000 standardization assessment criteria, information security is not only its integrity, confidentiality and availability, but also authenticity, reliability, fault tolerance and identifiability. Conventionally, this series of standards can be divided into 4 sections:

  • overview and introduction to terminology, description of terms used in the field of security;
  • mandatory requirements for an information security management system and a detailed description of methods and means of managing the system; this is the main standard of the group;
  • audit recommendations, security controls guidance;
  • standards that recommend practices for implementing, developing and improving an information security management system.

State information security standards include a number of regulations and documents consisting of more than 30 provisions (GOST).

The standards are not limited to establishing general assessment criteria (as GOST R ISO/IEC 15408 does, with its methodological guidelines for security assessment and its list of requirements for the management system); they can also be specific and contain practical guidance.


The interrelation and set of techniques lead to the development of general provisions and to the merging of international and state standardization. Thus, GOSTs of the Russian Federation contain additions and references to international ISO standards.

Such interaction helps to develop a unified system of control and evaluation, which, in turn, significantly increases the efficiency of applying these provisions in practice, objectively assessing work results and generally improving.

Comparison and analysis of national and international standardization systems

The number of European standards for ensuring and controlling information security significantly exceeds the number of legal standards established by the Russian Federation.

In national state standards, the prevailing provisions are on the protection of information from possible hacking, leakage and threats of loss. Foreign security systems specialize in developing standards for data access and authentication.

There are also differences in the provisions relating to the implementation of control and audit of systems. In addition, the practice of applying and implementing the information security management system of European standardization is manifested in almost all spheres of life, and the standards of the Russian Federation are mainly aimed at preserving material well-being.

However, constantly updated state standards contain the necessary minimum set of requirements to create a competent information security management system.

Information security standards for data transmission

Doing business involves storing, exchanging, and transmitting data via the Internet. In the modern world, currency transactions, commercial activities and transfers of funds often take place online, and it is possible to ensure the information security of this activity only by applying a competent and professional approach.

There are many standards on the Internet that ensure secure storage and transmission of data, well-known anti-virus protection programs, special protocols for financial transactions, and many others.

The speed of development of information technologies and systems is so great that it significantly outstrips the creation of protocols and uniform standards for their use.

One of the popular secure data transfer protocols is SSL (Secure Sockets Layer), developed by American specialists. It allows data to be protected using cryptography.

The advantage of this protocol is the possibility of verification and authentication, for example, immediately before data exchange. However, the use of such systems when transferring data is rather advisory, since the use of these standards is not mandatory for entrepreneurs.


To carry out secure transactions and operations, the SET (Secure Electronic Transaction) protocol was developed, which allows minimizing risks when conducting commercial and trading operations. This protocol is a standard for the Visa and MasterCard payment systems, allowing the use of the payment system's security mechanism.

Committees that standardize Internet resources are voluntary, therefore the activities they carry out are not legal and mandatory.

However, fraud on the Internet in the modern world is recognized as one of the global problems; therefore, it is simply impossible to ensure information security without the use of special technologies and their standardization.

Security Management Systems - Specification with guidance for use" (Systems - specifications with guidance for use). On its basis, the standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements" was developed, against which certification can be carried out.

In Russia, the standards GOST R ISO/IEC 17799-2005 "Information technology. Practical rules for information security management" (authentic translation of ISO/IEC 17799:2000) and GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements" (translation of ISO/IEC 27001:2005) are currently in force. Despite some internal discrepancies associated with the different versions and with translation features, the presence of these standards makes it possible to bring an information security management system into line with their requirements and, if necessary, to certify it.

GOST R ISO/IEC 17799:2005 "Information technology. Practical rules for information security management"

Let us now consider the contents of the standard. The introduction states that “information, the processes that support it, information systems and network infrastructure are essential assets of an organization. Confidentiality, integrity and availability of information can significantly contribute to the competitiveness, liquidity, profitability, compliance and business reputation of the organization.” Thus, we can say that this standard considers information security issues from the point of view of economic effect as well.

Three groups of factors are indicated that must be taken into account when developing requirements in the field of information security. These are:

  • the organization's risk assessment. Through risk assessment, threats to the organization's assets are identified, the vulnerability of the relevant assets and the likelihood of threats occurring are assessed, and the possible consequences are evaluated;
  • legal, statutory, regulatory and contractual requirements that must be met by the organization, its trading partners, contractors and service providers;
  • a specific set of principles, objectives and requirements developed by an organization regarding the processing of information.

Once the requirements have been determined, the stage of selecting and implementing measures that will reduce risk to an acceptable level begins. The selection of information security management measures should be based on the ratio between the cost of their implementation, the risk-reduction effect and the possible losses in the event of a security breach. Factors that cannot be expressed in monetary terms, such as loss of reputation, should also be taken into account. A possible list of measures is given in the standard, but it is noted that it can be supplemented or drawn up independently based on the needs of the organization.

Let us briefly list the sections of the standard and the information protection measures proposed in them. The first group concerns security policy. It is required that it be developed, approved by the management of the organization, published and brought to the attention of all employees. It should determine the procedure for working with the organization’s information resources, the duties and responsibilities of employees. The policy is reviewed periodically to reflect the current state of the system and identified risks.

The next section addresses organizational issues related to information security. The standard recommends creating management councils (with the participation of the company's senior management) to approve the security policy, appoint responsible persons, distribute responsibilities and coordinate the implementation of information security management measures in the organization. The process for obtaining permission to use information processing tools (including new software and hardware) in the organization should also be described so that their introduction does not lead to security problems. It is also necessary to define the procedure for interaction with other organizations on information security issues, for consultations with “external” specialists, and for independent verification (audit) of information security.

When providing access to information systems to specialists from third-party organizations, special attention must be paid to security issues. An assessment of the risks associated with different types of access (physical or logical, i.e. remote) of such specialists to various organizational resources must be carried out. The need to provide access must be justified, and contracts with third parties and organizations must include requirements regarding compliance with the security policy. It is proposed to do the same in the case of involving third-party organizations in information processing (outsourcing).

The next section of the standard is devoted to issues of classification and asset management. To ensure the information security of an organization, all key information assets must be accounted for and assigned to responsible owners. The standard suggests starting with an inventory. The following classification is given as an example:

  • information assets (databases and data files, system documentation etc.);
  • software assets (application software, system software, development tools and utilities);
  • physical assets (computer equipment, communications equipment, storage media, other technical equipment, furniture, premises);
  • services (computing and communication services, basic utilities).

Next, it is proposed to classify information in order to determine its priority, necessity and degree of protection. At the same time, the relevant information can be assessed taking into account how critical it is for the organization, for example, from the point of view of ensuring its integrity and availability. After this, it is proposed to develop and implement a labeling procedure when processing information. Labeling procedures should be defined for each classification level to accommodate the following types of information processing:

  • copying;
  • storage;
  • transmission by mail, fax and e-mail;
  • voice transmission, including mobile phone, voice mail, answering machines;
  • destruction.

The next section addresses security issues related to personnel. The standard determines that responsibilities for compliance with security requirements are assigned at the stage of personnel selection, included in employment contracts and monitored throughout the entire period of the employee's employment. In particular, when hiring a permanent employee, it is recommended to check the authenticity of the documents submitted by the applicant, the completeness and accuracy of the resume, and the references provided. It is recommended that employees sign a confidentiality agreement stating what information is confidential or sensitive. Disciplinary responsibility for employees who violate the organization's security policies and procedures must be defined. Where necessary, this responsibility should continue for a specified period after leaving employment.

Users need to be trained in security procedures and in the correct use of information processing tools to minimize possible risks. In addition, a procedure for reporting information security violations must be defined and communicated to staff. A similar procedure should be followed in cases of software failures. Such incidents need to be recorded and analyzed to identify recurring problems.

The next section of the standard addresses issues of physical and environmental protection. It is stated that “means for processing critical or important service information must be located in security zones designated by a certain security perimeter with appropriate protective barriers and intrusion controls. These areas must be physically protected from unauthorized access, damage and impact.” In addition to organizing access control to protected areas, the procedure for carrying out work in them and, if necessary, procedures for organizing visitor access must be determined. It is also necessary to ensure the safety of equipment (including equipment used outside the organization) to reduce the risk of unauthorized access to data and to protect it from loss or damage. This group of requirements also includes protection from power failures and protection of the cable network. A procedure for maintaining equipment that takes into account security requirements must also be defined, as well as procedures for the safe disposal or reuse of equipment. For example, it is recommended that disposable storage media containing sensitive information be physically destroyed or securely overwritten rather than erased with standard data deletion functions.

To minimize the risk of unauthorized access to or damage to paper documents, storage media and information processing media, it is recommended to implement a "clean desk" policy for paper documents and removable storage media, as well as a "clean screen" policy for information processing equipment. Equipment, information or software may be removed from the organization's premises only with appropriate permission.

The title of the next section of the standard is “Management of data transfer and operational activities”. It requires that the responsibilities and procedures associated with the operation of all information processing facilities be established. For example, configuration changes in information processing facilities and systems must be controlled. It is required to implement the principle of segregation of responsibilities in relation to management functions, performance of certain tasks and areas.

It is recommended to separate the development, testing and production environments of software. The rules for transferring software from the status of being developed to the status of accepted for operation must be defined and documented.

Additional risks arise when using third-party contractors to manage information processing facilities. Such risks must be identified in advance, and appropriate information security management measures must be agreed with the contractor and included in the contract.

To provide the necessary processing and storage capacity, it is necessary to analyze current performance requirements, as well as forecast future ones. These forecasts should take into account new functional and system requirements, as well as current and future plans for the development of information technology in the organization. Requirements and criteria for the adoption of new systems must be clearly defined, agreed upon, documented and tested.

Measures must be taken to prevent and detect the introduction of malicious software such as computer viruses, network worms, Trojan horses and logic bombs. It is noted that protection against malware should be based on an understanding of security requirements, appropriate systems access controls and proper change management.

The procedure for carrying out auxiliary operations must be defined; this includes backup of software and data (as an example, laboratory work No. 10 looks at organizing backups in Windows Server 2008), logging of events and errors and, where necessary, monitoring of hardware status. Backup (redundancy) arrangements for each individual system should be tested regularly to ensure that they meet the requirements of business continuity plans.

To ensure the security of information on networks and to protect the supporting infrastructure, security controls must be introduced and connected services protected from unauthorized access.

Particular attention is paid to the security of various types of storage media: documents, computer storage media (tapes, disks, cassettes), input/output data and system documentation from damage. It is recommended to establish a procedure for using removable computer storage media (procedure for content control, storage, destruction, etc.). As noted above, storage media should be disposed of securely and safely after use.

In order to protect information from unauthorized disclosure or misuse, procedures for processing and storing information must be established. These procedures should be designed with the information classification in mind and should apply to documents, computing systems, networks, laptop computers, mobile communications, mail, voice mail, voice communications in general, multimedia devices, fax use and any other important objects, such as forms, checks and bills. System documentation may contain certain important information and therefore must also be protected.

The process of exchanging information and software between organizations must be controlled and comply with current legislation. In particular, the security of storage media during transmission must be ensured, and a usage policy for e-mail and electronic office systems must be defined. Care should be taken to protect the integrity of information published electronically, such as information on a Web site. An appropriate formalized authorization process is also required before such information is made publicly available.

The next section of the standard is devoted to access control issues.

It is required that the access control rules and rights of each user or group of users are clearly defined by the security policy. Users and service providers must be made aware of the need to comply with these requirements.

When password authentication is used, control over user passwords must be exercised. In particular, users must sign a document agreeing to maintain complete confidentiality of passwords. The security of the process of issuing a password to a user must be ensured and, where applicable, of users' management of their own passwords (forced password change after the first login, etc.).

Access to both internal and external network services must be controlled. Users should be provided with direct access only to those services for which they have been authorized. Particular attention must be paid to authenticating remote users. Based on the risk assessment, it is important to determine the required level of protection in order to select the appropriate authentication method. The security of using network services must also be monitored.

Many network and computing devices have built-in remote diagnostics and management capabilities. Security measures must also apply to these facilities.

When networks are shared by multiple organizations, the access control policy requirements must be defined with this in mind. It may also be necessary to introduce additional information security management measures to limit users' ability to connect.

At the operating system level, information security measures should be used to restrict access to computer resources (an example of organizing access control to files and folders in Windows Server 2008 is discussed in laboratory work No. 9). This refers to identification and authentication of terminals and users. It is recommended that all users have unique identifiers, which should not contain any indication of the user's privilege level. Password management systems must provide effective interactive capabilities to support the required password quality (an example of password quality management in Windows operating systems is discussed in laboratory work No. 3). The use of system utilities should be limited and carefully controlled.

It is advisable to provide an alarm for the case where a user may become a target of violence (if such an event is assessed as probable). An example of this would be “duress” login passwords: if the user enters such a password, the system displays the user's normal login process and then simulates a failure to prevent attackers from gaining access to the data. Responsibilities and procedures for responding to such an alarm must be defined.
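As an added illustration (not code from the page or from the standard's text), the following Python sketch shows how a login service can handle a duress password as described above, and it also applies the minimal password quality rule at registration that the previous paragraph calls for. It assumes an in-memory user store, PBKDF2 for password hashing and an in-process list standing in for the real alarm channel; all names and sample credentials are hypothetical.

```python
"""Duress-password login flow (added illustration, not the standard's own text)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed parameters: tune the iteration count for the target hardware.
PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LENGTH = 12
# The same text is shown for every unsuccessful outcome, so an observer cannot
# tell a duress login from an ordinary mistyped password.
GENERIC_FAILURE = "Login failed"
DUMMY_SALT = b"\x00" * 16


def derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length key; plaintext passwords are never stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    normal_key: bytes
    duress_key: bytes


@dataclass
class LoginService:
    users: dict[str, UserRecord] = field(default_factory=dict)
    alarms: list[tuple[float, str, str]] = field(default_factory=list)  # silent alarms
    audit: list[tuple[float, str, str]] = field(default_factory=list)   # ordinary trail

    def register(self, username: str, password: str, duress_password: str) -> None:
        """Enrol a user; enforce a minimal quality rule and a distinct duress password."""
        for candidate in (password, duress_password):
            if len(candidate) < MIN_PASSWORD_LENGTH:
                raise ValueError(f"passwords must be at least {MIN_PASSWORD_LENGTH} characters")
        if password == duress_password:
            raise ValueError("duress password must differ from the normal password")
        salt = secrets.token_bytes(16)
        self.users[username] = UserRecord(
            salt=salt,
            normal_key=derive(password, salt),
            duress_key=derive(duress_password, salt),
        )

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Return (session_granted, message_for_user)."""
        now = time.time()
        record = self.users.get(username)
        if record is None:
            # Unknown account: still pay for a derivation so response time does not
            # reveal whether the username exists.
            derive(password, DUMMY_SALT)
            self.audit.append((now, username, "failed"))
            return False, GENERIC_FAILURE
        candidate = derive(password, record.salt)
        # Evaluate both comparisons before branching so the two paths cost the same.
        is_normal = hmac.compare_digest(candidate, record.normal_key)
        is_duress = hmac.compare_digest(candidate, record.duress_key)
        if is_duress:
            # Raise the silent alarm, then present the ordinary failure: the user
            # appears to go through a normal login attempt that simply fails.
            self.alarms.append((now, username, "duress password used"))
            self.audit.append((now, username, "failed"))
            return False, GENERIC_FAILURE
        if is_normal:
            self.audit.append((now, username, "granted"))
            return True, "Welcome"
        self.audit.append((now, username, "failed"))
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    # Constructed sample credentials for the demonstration only.
    svc.register("alice", "correct horse battery", "staple chair window")
    print(svc.login("alice", "correct horse battery"))   # (True, 'Welcome')
    print(svc.login("alice", "staple chair window"))     # (False, 'Login failed')
    print(svc.alarms)                                     # one duress alarm for alice
```

The audit trail records the duress attempt as a plain failure; only the separate alarm list, which responders consume, distinguishes it.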

Terminals serving high-risk systems, when located in easily accessible locations, should be switched off after a certain period of inactivity to prevent access by unauthorized persons. A restriction on the period of time during which terminals are allowed to connect to computer services may also be introduced.

Information security measures also need to be applied at the application level. In particular, this may be a restriction of access for certain categories of users. Systems that process important information must be provided with a dedicated (isolated) computing environment.

Monitoring of the system is necessary to detect deviations from the access control policy requirements and to provide evidence in the event of an information security incident. Monitoring results should be reviewed regularly. The audit log can be used to investigate incidents, so correct setting (synchronization) of the computer clocks is important.
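The terminal time-out, connection-window and audit-log monitoring recommendations of the two paragraphs above can be checked mechanically against a log. The following is an added Python example, not part of the standard; the log line format, the host names, the permitted window, the idle limit and the list of high-risk terminals are all constructed for illustration. It also shows why clock synchronization matters: a host whose timestamps run backwards cannot be relied on as evidence.

```python
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed sample audit log (not real data). One event per line.
SAMPLE_LOG = """\
2024-03-11T08:02:10 host=ws-07 user=ivanov event=login
2024-03-11T08:05:30 host=ws-07 user=ivanov event=activity
2024-03-11T08:40:12 host=ws-07 user=ivanov event=activity
2024-03-11T21:15:00 host=ws-11 user=petrov event=login
2024-03-11T21:16:00 host=ws-11 user=petrov event=logout
2024-03-11T09:00:00 host=srv-01 user=sidorov event=login
2024-03-11T08:59:30 host=srv-01 user=sidorov event=activity
2024-03-11T09:20:00 host=srv-01 user=sidorov event=logout
"""

# Policy values (assumed for the example).
HIGH_RISK_HOSTS = {"ws-07"}                  # terminals in easily accessible locations
IDLE_LIMIT = timedelta(minutes=15)           # such terminals must switch off after this
ALLOWED_WINDOW = (time(8, 0), time(20, 0))   # period during which connections may start


def parse_line(line: str) -> Dict[str, object]:
    """Turn 'TIMESTAMP key=value ...' into a record with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review_log(text: str) -> List[str]:
    """Return one finding per deviation from the access control policy."""
    findings: List[str] = []
    last_ts_by_host: Dict[str, datetime] = {}
    last_activity: Dict[tuple, datetime] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts, host, user, event = rec["ts"], rec["host"], rec["user"], rec["event"]

        # 1. Clock check: a single host's timestamps must never run backwards.
        prev = last_ts_by_host.get(host)
        if prev is not None and ts < prev:
            findings.append(f"{host}: timestamp {ts.isoformat()} precedes "
                            f"{prev.isoformat()} (clock not synchronized?)")
        last_ts_by_host[host] = ts

        # 2. Connections may only start inside the permitted window.
        if event == "login" and not (ALLOWED_WINDOW[0] <= ts.time() <= ALLOWED_WINDOW[1]):
            findings.append(f"{host}: {user} logged in at {ts.time()} outside the permitted window")

        # 3. On high-risk terminals a session must not stay idle beyond the limit.
        key = (host, user)
        if host in HIGH_RISK_HOSTS and event in ("activity", "logout"):
            gap = ts - last_activity.get(key, ts)
            if gap > IDLE_LIMIT:
                findings.append(f"{host}: session of {user} idle for {gap} exceeds "
                                f"{IDLE_LIMIT}; terminal should have been switched off")
        if event == "logout":
            last_activity.pop(key, None)
        else:
            last_activity[key] = ts
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the review reports three deviations: a login on ws-11 outside the permitted hours, a 34-minute idle gap on the high-risk terminal ws-07, and an out-of-order timestamp on srv-01 that points to an unsynchronized clock.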

When using portable devices, such as laptops, it is necessary to take special measures to counteract the compromise of proprietary information. Formalized policies should be adopted that address the risks associated with working with portable devices, particularly in unsecured environments.

The next section of the standard is called “Development and maintenance of systems.” Already at the information system development stage, it is necessary to ensure that security requirements are taken into account. During operation of the system, it is necessary to prevent loss, modification or misuse of user data. For this purpose, it is recommended that application systems provide validation of data input and output, control of data processing within the system, message authentication, and logging of user actions.

Cryptographic security measures may be used to ensure confidentiality, integrity and authentication of data.
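As an added example of the application-level measures listed above (input validation, message authentication, logging of actions) and of the cryptographic means just mentioned, the following Python code is not part of the standard; the record format, the field rules, the shared key and the sequence-number replay check are assumptions. It authenticates each record with an HMAC over a canonical encoding, verifies the tag before any field is trusted, and then validates the fields before processing.

```python
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List, Optional


def canonical(record: Dict[str, Any]) -> bytes:
    """Deterministic encoding so sender and receiver compute the MAC over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def validate_record(record: Dict[str, Any]) -> Optional[str]:
    """Input validation: describe the first problem found, or None if acceptable."""
    required = {"account": str, "amount": int, "seq": int}
    for field, typ in required.items():
        if field not in record:
            return f"missing field {field}"
        if type(record[field]) is not typ:        # 'is not' also rejects bool for int
            return f"field {field} has wrong type"
    if not re.fullmatch(r"[0-9]{20}", record["account"]):
        return "account must be 20 digits"
    if not 0 < record["amount"] <= 10_000_000:
        return "amount out of range"
    return None


def sign_record(key: bytes, record: Dict[str, Any]) -> Dict[str, Any]:
    """Sender side: attach an HMAC-SHA256 tag to the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"body": record, "tag": tag}


class Receiver:
    """Receiving component: authenticate, validate, reject replays, log every decision."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.audit: List[str] = []      # log of accepted and rejected actions

    def accept(self, message: Dict[str, Any]) -> bool:
        body = message.get("body")
        if not isinstance(body, dict):
            self.audit.append("rejected: malformed message")
            return False
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison of the tag; check authenticity before trusting fields.
        if not hmac.compare_digest(expected, str(message.get("tag", ""))):
            self.audit.append("rejected: authentication failed")
            return False
        problem = validate_record(body)
        if problem:
            self.audit.append(f"rejected: {problem}")
            return False
        if body["seq"] <= self.last_seq:
            self.audit.append(f"rejected: replayed seq {body['seq']}")
            return False
        self.last_seq = body["seq"]
        self.audit.append(f"accepted seq {body['seq']} account {body['account']} amount {body['amount']}")
        return True
```

An HMAC gives integrity and origin authentication but not confidentiality; where the standard's confidentiality requirement applies, the authenticated record would additionally be encrypted, and the key management for both must meet the legal requirements discussed in the compliance section below.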

Ensuring software integrity plays an important role in information security. To minimize damage to information systems, the implementation of changes must be strictly controlled. From time to time it becomes necessary to make changes to operating systems; in these cases, application systems must be analyzed and tested to ensure there is no adverse impact on their functionality and security. As far as possible, it is recommended to use ready-made software packages without modification.

A related issue is countering Trojan horses and the use of covert leakage channels. Countermeasures include using software obtained from trusted vendors and monitoring system integrity.
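The change control and system integrity monitoring described in the two paragraphs above are commonly implemented as a file integrity baseline. The following Python code is an added example, not from the standard; the directory layout, file names and sealing key are constructed for illustration. It records a SHA-256 digest of every file in an installation, seals the baseline with an HMAC so that the baseline itself cannot be silently edited, and later reports files that were modified, added or removed outside the controlled change process.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map of relative path -> digest for every regular file under root."""
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def seal_baseline(key: bytes, baseline: Dict[str, str]) -> str:
    """HMAC over the canonical baseline; verify it before trusting the baseline file."""
    data = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with the baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def self_check() -> Dict[str, List[str]]:
    """Build a constructed installation in a temporary directory, baseline it,
    apply uncontrolled changes and return what verify() reports."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"release build v1")
        with open(os.path.join(root, "app.ini"), "wb") as f:
            f.write(b"debug=0")
        baseline = build_baseline(root)
        key = b"baseline-sealing-key"   # assumed key; in practice kept off the monitored host
        seal = seal_baseline(key, baseline)
        assert verify(root, baseline) == {"modified": [], "added": [], "removed": []}
        # Simulate an uncontrolled change: patched binary, dropped-in library, deleted config.
        with open(os.path.join(root, "bin", "app.exe"), "wb") as f:
            f.write(b"release build v1 + unexpected patch")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"unknown code")
        os.remove(os.path.join(root, "app.ini"))
        # The sealed baseline is still authentic, so its verdict can be trusted.
        assert hmac.compare_digest(seal, seal_baseline(key, baseline))
        return verify(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(self_check())
```

A baseline is only as trustworthy as its storage: it and the sealing key belong outside the monitored tree (read-only media or a separate host), and every approved change is followed by a new baseline so that the report shows only unapproved differences.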

In cases where a third-party organization is involved in software development, it is necessary to provide measures to control the quality and correctness of the work performed.

The next section of the standard is devoted to business continuity management. At the initial stage, it is supposed to identify events that may cause interruption of business processes (equipment failure, fire, etc.). In this case, it is necessary to assess the consequences, and then develop recovery plans. The adequacy of the plans must be confirmed by testing, and they themselves must be periodically revised to take into account changes occurring in the system.

The final section of the standard addresses compliance issues. First of all, this concerns compliance of the system and the procedure for its operation with legal requirements. This includes compliance with copyright (including for software), protection of personal data (of employees and clients), and prevention of misuse of information processing facilities. Where cryptographic means of information protection are used, they must comply with current legislation. The procedure for collecting evidence in the event of litigation related to information system security incidents should also be worked out thoroughly.

The information systems themselves must comply with the organization's security policy and the standards in use. The security of information systems must be regularly analyzed and assessed. At the same time, security measures must be observed when conducting a security audit so that the audit itself does not lead to undesirable consequences (for example, the failure of a critical server caused by the audit).

To summarize, it can be noted that the standard addresses a wide range of issues related to ensuring the security of information systems. Practical recommendations are given in a number of areas.