Basic international information security (IS) standards in various countries. Information protection and information security: international and Russian standards

One of the most important problems and needs of modern society is the protection of human rights under conditions where people are drawn into processes of information interaction, including the right to the protection of personal information during automated information processing.

I. N. Malanych, 6th year student at VSU

The institution of personal data protection is today no longer a category that can be regulated by national law alone. The most important feature of modern automated information systems is the "supranational" character of many of them: they extend beyond state borders, publicly accessible global information networks such as the Internet keep developing, and a single information space is forming within the framework of such international structures.

Today the Russian Federation faces the problem not only of introducing into its legal field the institution of personal data protection within automated information processes, but also of correlating it with the international legal standards that already exist in this area.

There are three main trends in the international legal regulation of the institution of personal data protection as it relates to automated information processing.

1) Declaration of the right to the protection of personal data, as an integral part of fundamental human rights, in acts of a general humanitarian nature adopted within international organizations.

2) Consolidation and regulation of the right to protect personal information in regulatory acts of the European Union, the Council of Europe, partly the Commonwealth of Independent States and some regional international organizations. This class of norms is the most universal and directly concerns the rights to the protection of personal data in automated information processing processes.

3) Inclusion of rules on the protection of confidential information (including personal information) into international treaties.

The first method historically appeared earlier than the others. In the modern world, information rights and freedoms are an integral part of fundamental human rights.

The Universal Declaration of Human Rights of 1948 declares: “No one shall be subjected to arbitrary interference with his privacy or family, or to arbitrary attacks on ... the privacy of his correspondence” and further: “Everyone has the right to the protection of the law against such interference or attacks.” The International Covenant on Civil and Political Rights of 1966 repeats the declaration in this part. The 1950 European Convention details this right: “Everyone has the right to freedom of expression. This right includes freedom to hold opinions and to receive and impart information and ideas without interference from public authorities and regardless of frontiers.”

These international documents establish human information rights.

Currently, a stable system of views on human information rights has formed at the international level. In general terms, it comprises the right to receive information, the right to privacy in terms of protecting information about the person, and the right to protect information both from the standpoint of state security and from the standpoint of business security, including financial activities.

The second way, more detailed regulation of the right to the protection of personal information, is associated with the ever-increasing intensity with which personal information has been processed in recent years using automated computer information systems. In recent decades, a number of international organizations have adopted documents that develop basic information rights in connection with the intensification of cross-border information exchange and the use of modern information technologies. Among such documents are the following:

In 1980 the Council of Europe developed the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which came into force in 1985. The Convention defines the procedure for collecting and processing personal data, the principles of storage of and access to this data, and methods of physical protection of data. It guarantees respect for human rights in the collection and processing of personal data and prohibits the processing of data on race, political opinions, health and religion without appropriate legal grounds. Russia acceded to the European Convention in November 2001.

In the European Union, issues of personal data protection are regulated by a whole range of documents. In 1979 the European Parliament adopted the Resolution "On the protection of individual rights in connection with the progress of informatization", which invited the Council and the Commission of the European Communities to develop and adopt legal acts on the protection of personal data in connection with technical progress in the field of computer science. In 1980 the Recommendations of the Organization for Cooperation of Member States of the European Union "On guidelines for the protection of privacy during interstate exchange of personal data" were adopted. Currently, issues of personal data protection are regulated in detail by directives of the European Parliament and the Council of the European Union: Directives No. 95/46/EC and No. 2002/58/EC of the European Parliament and of the Council of 24 October 1995 on the protection of the rights of individuals with regard to the processing of personal data and on the free movement of such data, Directive No. 97/66/EC of the European Parliament and of the Council of the European Union of 15 December 1997 concerning the use of personal data and the protection of privacy in telecommunications, and other documents.

The acts of the European Union are characterized by a detailed elaboration of the principles and criteria for automated data processing, the rights and obligations of subjects and holders of personal data, issues of their cross-border transfer, as well as liability and sanctions for damage. In accordance with Directive No. 95/46/EC, the European Union has established a Working Group on the protection of individuals with regard to the processing of their personal data. It has the status of an advisory body and acts as an independent structure. The working group consists of a representative of the body established by each Member State for the purpose of supervising compliance on its territory with the provisions of the Directive, a representative of the body or bodies established for the Community institutions and structures, and a representative of the European Commission.

The Organization for Economic Cooperation and Development (OECD) has a Framework for the Protection of Privacy and the International Exchange of Personal Data, adopted on September 23, 1980. Its preamble states: "...OECD member countries have considered it necessary to develop Frameworks that could help harmonize national privacy laws and, while respecting relevant human rights, would not allow blocking of international data exchanges...". These provisions apply in both the public and private sectors to personal data which, either because of the manner in which it is processed or because of its nature or the context in which it is used, poses a risk of violating privacy and individual freedoms. The document defines the need to provide personal data with adequate protection mechanisms against the risks of loss, destruction, modification, disclosure and unauthorized access. Russia, unfortunately, does not participate in this organization.

On October 16, 1999 the Interparliamentary Assembly of the CIS Member States adopted the Model Law "On Personal Data".

According to the law, "personal data" is information (recorded on a tangible medium) about a specific person, with whom it is identified or can be identified. Personal data includes biographical and identification data, personal characteristics, information about family, social status, education, profession, professional and financial status, health status, and other data. The law also lists the principles of legal regulation of personal data, the forms of state regulation of operations with personal data, and the rights and obligations of subjects and holders of personal data.

The second method of regulating the protection of personal data in international legal acts appears to be the most interesting for analysis. Norms of this class not only directly regulate public relations in this area, but also help bring the legislation of the member countries into line with international standards, thereby ensuring the effectiveness of these norms on their territory. In this way, the guarantee of information rights enshrined in the Universal Declaration of Human Rights is secured in the sense of the "right to the protection of the law from ... interference or ... encroachment" declared in Article 12 of the Declaration.

The third way to consolidate the rules on the protection of personal data is to secure their legal protection in international treaties.

Articles on the exchange of information are included in international treaties on legal assistance, on the avoidance of double taxation, and on cooperation in certain public and cultural spheres.

According to Art. 25 of the Treaty between the Russian Federation and the United States for the avoidance of double taxation and the prevention of tax evasion with respect to taxes on income and capital, states are required to provide information that constitutes a professional secret. The Treaty between the Russian Federation and the Republic of India on Mutual Legal Assistance in Criminal Matters contains Article 15 “Confidentiality”: the requested party may require that the information transmitted be kept confidential. The practice of concluding international treaties shows the desire of contracting states to comply with international standards for the protection of personal data.

The most effective mechanism for regulating this institution at the international legal level appears to be the publication of special regulatory documents within the framework of international organizations. This mechanism not only promotes appropriate internal regulation of the pressing issues of personal information protection within the organizations mentioned at the beginning of the article, but also has a beneficial effect on the national legislation of the participating countries.

Lecture outline

1. Prerequisites for the creation of international information security (IS) standards

1.1. Purpose and goals of international standardization

1.2. International Organization for Standardization, ISO

1.3. Basic international information security standards

2. Criteria for assessing trusted computer systems ("Orange Book")

2.1. Basic information

2.2. Basic requirements and tools

3. Basic concepts

4. Security implementation mechanisms

5. Sections and security classes

5.1. Security sections

5.2. Security classes

6. Brief classification

International criteria for assessing the security of information technologies in foreign countries

Lecture outline

1. Harmonized criteria of European countries

2. German standard BSI

3. British standard BS 7799

4. International standard ISO/IEC 15408 "Criteria for assessing the security of information technologies" ("General Criteria")

Prerequisites for the creation of international information security standards

1.1. General issues

Abroad, the development of standards is carried out continuously; drafts and versions of standards are consistently published at different stages of coordination and approval. Some standards are gradually deepened and detailed in the form of a set of groups of standards interconnected in concepts and structure.

It is generally accepted that an integral part of the general process of information technology (IT) standardization is the development of standards related to IT security, a problem that has become increasingly relevant due to the trend toward greater integration of applied tasks and their construction on the basis of distributed data processing, telecommunications systems and electronic data exchange technologies.

The development of standards for open systems, including standards in the field of IT security, is carried out by a number of specialized international organizations and consortia, such as ISO, IEC, ITU-T, IEEE, IAB, WOS, ECMA, X/Open, OSF and OMG.

Significant work on standardization of IT security issues is carried out by specialized organizations and at the national level. All this has made it possible to date to form a fairly extensive methodological base, in the form of international, national and industry standards, as well as regulatory and guidance materials regulating activities in the field of IT security.

1.2. State of the international regulatory and methodological framework

In order to systematize the analysis of the current state of the international regulatory and methodological framework in the field of IT security, some classification of standardization areas is needed.

In general, the following directions can be distinguished:

1. General principles of information security management.

2. IT security models.

3. IT security methods and mechanisms (such as, for example: authentication methods, key management, etc.).

4. Cryptographic algorithms.

5. Methods for assessing the security of information systems.

6. Security of EDI technologies.

7. Security of internetwork interactions (firewalls).

8. Certification and attestation of standardization objects.

Purpose and goals of international standardization

A standard is a document that establishes the characteristics of products, their operation, storage, transportation, sale and disposal, the performance of work or the provision of services. A standard may also contain requirements for terminology, symbols, packaging, markings or labels and rules for their application.

An international standard is a standard adopted by an international organization. In practice, the term also often covers regional standards and standards developed by scientific and technical societies and adopted as norms by various countries around the world.

International standardization is standardization in which the relevant authorities of all countries are free to participate.

The main purpose of international standards is to create at the international level a unified methodological basis for the development of new and the improvement of existing quality systems and their certification.

Scientific and technical cooperation in the field of standardization is aimed at harmonizing the national standardization system with international, regional and progressive national standardization systems.

Both industrialized countries and developing countries creating their own national economies are interested in the development of international standardization.

International standards are not mandatory for all participating countries; any country in the world has the right to apply them or not. Whether to apply an ISO international standard is decided mainly on the basis of the country's degree of participation in the international division of labor and the state of its foreign trade. ISO is the leading international organization in the field of standardization.

1.4. International Organization for Standardization, ISO

The International Organization for Standardization (ISO) is an international organization that produces standards.

ISO began to function on February 23, 1947 as a voluntary, non-governmental organization. It was established on the basis of agreements reached at a meeting in London in 1946 between representatives of 25 industrialized countries on the creation of an organization with the authority to coordinate the development of various industrial standards at the international level and to carry out the procedure for their adoption as international standards.

When creating the organization and choosing its name, the need for the abbreviation to sound the same in all languages was taken into account. For this it was decided to use the Greek word isos, "equal", which is why in all languages of the world the International Organization for Standardization has the short name ISO.

ISO's field of activity covers standardization in all areas except electrical engineering and electronics, which fall within the competence of the International Electrotechnical Commission (IEC). Some types of work are carried out jointly by these organizations. In addition to standardization, ISO also deals with certification issues.

The purpose of ISO is to promote the development of standardization on a global scale in order to facilitate international trade and mutual assistance, and to expand cooperation in intellectual, scientific, technical and economic activities.

Georgy Garbuzov,
CISSP, MCSE:Security, Information Security Directorate, URALSIB Insurance Group

THE HISTORY of standardization, as a process of establishing uniform requirements suitable for repeated use, goes back several thousand years: even during the construction of the pyramids in Ancient Egypt, blocks of a standard size were used, and special people controlled compliance with this ancient standard. Today, standardization occupies a firm place in almost all sectors of human activity.

Standardization in the field of information security

Standardization in the field of information security (IS) is beneficial to both professionals and consumers of IS products and services, as it allows one to establish an optimal level of streamlining and unification, ensure the interchangeability of IS products, as well as the measurability and repeatability of results obtained in different countries and organizations. For professionals, this means saving time in searching for effective and proven solutions, and for consumers, it is a guarantee of obtaining a result of the expected quality.

The object of standardization can be any information security product or service: an assessment method, the functionality of security features and their settings, compatibility properties, a development and production process, management systems, etc.

Depending on the composition of participants, standardization can be international, regional or national; international standardization (alongside official standardization bodies such as ISO) includes the standardization of consortia (for example, IEEE or SAE), and national standardization can be state or industry standardization.

Let us dwell in more detail on some of the foreign standards in demand today, which in one way or another affect information security issues.

International standards in the field of information security - foreign experience

Standardization in the field of information security abroad has been developing for decades, and some countries, for example the UK, have extensive experience in developing standards - many British national standards, such as BS7799-1/2, have acquired international status over time. Let's start with them.

International standards ISO 27002 and ISO 27001

Perhaps these are the most popular standards in the field of information security today.

ISO 27002 (formerly ISO 17799) contains a set of recommendations for the effective organization of information security management systems in an enterprise, covering all key areas, in particular:

  • formation of information security policy;
  • personnel-related security;
  • security of communications;
  • physical security;
  • access control;
  • incident handling;
  • ensuring compliance with legal requirements.

The ISO 27001 standard is a collection of criteria for management system certification; on the basis of the certification results, an accredited certification body issues an international certificate of conformity, which is entered in the register.

According to the register, there are currently about a dozen companies registered in Russia that hold such a certificate, while the total number of certifications worldwide exceeds 5,000. Preparation for certification can be carried out either by the organization itself or by consulting companies, and practice shows that it is much easier to obtain an ISO 27001 certificate for companies that already have a certified management system (for example, a quality management system).

The ISO 27001/27002 standards belong to a new series of standards whose final formation has not yet been completed: standards 27000 (basic principles and terminology), 27003 (guidelines for the implementation of an information security management system), 27004 (measuring the effectiveness of an information security management system) and others are in development; in total, more than 30 standards are expected in the 27000 series. More information about the composition of the series and the current state of its development can be found on the official ISO website (

International standards ISO13335 and ISO15408

The ISO 13335 standard is a family of information technology security standards covering IT security management, offering specific protective measures and techniques. Currently, the 13335 series is being gradually replaced by the newer 27000 series. The ISO 15408 standard contains uniform criteria for assessing the security of IT systems at the software and hardware level (similar to the famous Orange Book, which is also known as TCSEC assessment criteria, or European ITSEC criteria), which allow comparison of results obtained in different countries.

In general, these standards, although they contain only a technological part, can be used both independently and when building information security management systems as part of, for example, preparation for certification for compliance with ISO 27001.


CobiT is a set of approximately 40 international standards and guidelines in the areas of IT governance, auditing and security, and contains descriptions of the related processes and metrics. The main goal of CobiT is to find a common language between the business, which has specific goals, and IT, which contributes to achieving them, making it possible to create adequate plans for developing the organization's information technology.

CobiT is used to audit and control an organization's IT management system and contains detailed descriptions of goals, principles and objects of management, possible IT processes and security management processes. Its completeness, clear descriptions of specific actions and tools, and business focus make CobiT a good choice when creating an information infrastructure and its management system.

In the next part of the article we will look at some interesting national and industry-specific foreign standards, such as NIST SP 800, BS, BSI, PCI DSS, ISF, ITU and others.

Expert commentary

Alexey Pleshkov,
Head of Information Technology Protection Department, Gazprombank (Open Joint Stock Company)

In addition to the above review of international standards, I would like to draw attention to another regulatory document on information security, which is not widespread in the Russian Federation. One of these standards is a document from the EBIOS family of methods.

The EBIOS project for the development of methods and tools for information security management in information systems is supported by the French government and promoted by the DCSSI Commission under the Prime Minister of France to the pan-European level. The purpose of this project is to help improve the security of information systems of public or private organizations (

The text of a set of documentation for the product for automating information security assessment tasks, "Methodological tools for achieving the security of information systems EBIOS (definition of needs and identification of security goals)", was published in 2004 on the official website of the French government dedicated to the information security of automated systems.

The EBIOS method, proposed by the General Secretariat of the French Ministry of National Defense and called "Definition of needs and identification of security objectives" (EBIOS), was developed taking into account international standards aimed at ensuring information security. It formalizes the approach to assessing and treating risks in the field of information system security and is used to assess the level of information security in systems under development and in existing systems.

The purpose of the method is to allow any government-controlled organization to determine the list of security actions that need to be taken first. The method can be implemented by the administrators of an organization's security department and can be applied at all levels of the structure of an information system under development or in operation (subsystems, application programs).

The EBIOS approach takes into account three main properties of information security: confidentiality, integrity and availability of both information and systems, as well as the environment in which they are located. In certain cases, it is suggested that care be taken to ensure non-repudiation, authorization and authentication needs.

International standards

  • BS 7799-1:2005 - British Standard BS 7799, Part 1. BS 7799 Part 1, Code of Practice for Information Security Management, describes the 127 controls required to build an organization's information security management system (ISMS), determined on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS.
  • BS 7799-2:2005 - British Standard BS 7799, Part 2. BS 7799 Part 2, Information Security Management - Specification for Information Security Management Systems, specifies the ISMS. The second part of the standard is used as the criteria during the official certification procedure for an organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799, Part 3. A new standard in information security risk management.
  • ISO/IEC 17799:2005 - "Information technology - Security technologies - Practical rules for information security management." International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001 - "Information technology - Security techniques - Information security management systems - Requirements." International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Currently: ISO/IEC 17799:2005. "Information technologies - Security technologies - Practical rules for information security management." Release date: 2007.
  • ISO/IEC 27005 - Currently: BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical information security.
  • GOST R 51188-98 - Information protection. Testing software for the presence of computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2012 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional safety requirements.
  • GOST R ISO/IEC 15408-3-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - "General criteria for assessing the security of information technologies" - a standard that defines the tools and methodology for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, allowing the consumer to make decisions about the security of products. The scope of application of the "General Criteria" is the protection of information from unauthorized access, modification or leakage, and other methods of protection implemented in hardware and software.
  • GOST R ISO/IEC 17799 - “Information technologies. Practical rules for information security management." Direct application of the international standard with the addition of ISO/IEC 17799:2005.
  • GOST R ISO/IEC 27001 - “Information technologies. Security methods. Information security management system. Requirements". The direct application of the international standard is ISO/IEC 27001:2005.
  • GOST R 51898-2002: Safety aspects. Rules for inclusion in standards.

Ensuring the security of information systems is currently impossible without the competent, high-quality design of information security systems. This has driven the work of the world community to systematize and streamline the basic requirements and characteristics of such systems in terms of information security.

One of the main results of this activity is a system of international and national information security standards, which comprises more than a hundred different documents.

This is especially true for the so-called open systems for commercial use, which process restricted information that does not contain state secrets and are developing rapidly in our country.

Open systems are understood as the collection of all kinds of computing and telecommunications equipment from different manufacturers whose joint operation is ensured by compliance with the requirements of standards, primarily international ones.

The term "open" also implies that if a computing system complies with the standards, it will be open to interconnection with any other system that meets the same standards. This applies in particular to mechanisms for cryptographic information protection and for protection against unauthorized access (NSD) to information.

For information security (IS) specialists today, it is almost impossible to do without knowledge of the relevant standards.

Firstly, standards and specifications are one of the forms of knowledge accumulation, primarily about the procedural and software/hardware levels of information security. They document proven, high-quality solutions and methodologies developed by the most qualified specialists.

Secondly, both are the principal means of ensuring the mutual compatibility of hardware and software systems and their components, and in the Internet community this approach really works and is very effective.

Recently, a new generation of standards in the field of information security has appeared in different countries, dedicated to the practical issues of managing a company's information security. These are, first of all, the international and national information security management standards ISO 15408, ISO 17799 (BS 7799) and BSI, and the information systems and information security audit standards COBIT, SAC, COSO and some others similar to them.

Of particular importance are the international standards ISO 15408 and ISO 17799, which serve as the basis for any work in the field of information security, including auditing.

ISO 15408 defines detailed requirements for software and hardware information security tools.

ISO 17799 focuses on the organization and management of security.

Use of international and national information security standards helps to solve the following five tasks:

- firstly, defining the goals of ensuring the information security of computer systems;

- secondly, creating an effective information security management system;

- thirdly, calculating a set of detailed indicators, not only qualitative but also quantitative, to assess the compliance of information security with the stated goals;

- fourthly, applying information security tools and assessing their current state;

- fifthly, using security management techniques with a well-founded system of metrics and measures to support information system developers, allowing them to objectively assess the security of information assets and manage the company's information security.

The focus is on the international standard ISO/IEC 15408 and its Russian analogue GOST R ISO/IEC 15408-2002 "Criteria for assessing the security of information technologies", and on the specifications of the Internet community.

An information security audit is based on numerous recommendations, which are set out mainly in international information security standards.

Starting from the early 1980s, dozens of international and national standards in the field of information security have been created, which to a certain extent complement each other.

The lecture discusses, in the chronological order of their creation, the most important standards, knowledge of which is necessary for developers and evaluators of security products, system administrators, heads of information security services and users, including:

  • the criteria for assessing the trustworthiness of computer systems, the "Orange Book" (USA);
  • the harmonized criteria of European countries;
  • the German standard BSI;
  • the British standard BS 7799;
  • the "General Criteria" standard ISO 15408;
  • the ISO 17799 standard;
  • the COBIT standard.

These standards can be divided into two different types:

  • evaluation standards, aimed at classifying information systems and means of protection according to security requirements;
  • technical specifications, regulating various aspects of the implementation of protective tools.

It is important to note that there is no impenetrable wall between these types of regulatory documents; on the contrary, there is a logical relationship between them.

Evaluation standards highlight the most important aspects of information systems from the information security point of view, playing the role of architectural specifications.

Technical specifications determine how to build an information system of the prescribed architecture. The features of these standards are described below.

2. Criteria for assessing trusted computer systems ("Orange Book")
