Information security standards. Information protection ensuring information security in an organization, basic terms and definitions

International standards

  • BS 7799-1:2005 - British Standard BS 7799, first part. BS 7799 Part 1, "Code of Practice for Information Security Management", describes the 127 controls required to build an organization's information security management system (ISMS), selected on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS.
  • BS 7799-2:2005 - British Standard BS 7799, second part. BS 7799 Part 2, "Information Security Management - Specification for Information Security Management Systems", specifies the requirements for an ISMS. The second part of the standard is used as the criteria during the official certification procedure for an organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799, third part. A new standard on information security risk management.
  • ISO/IEC 17799:2005 - "Information technology - Security technologies - Information security management practice." International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001 - "Information technology - Security techniques - Information security management systems - Requirements." International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Now: ISO/IEC 17799:2005. "Information technologies - Security technologies - Practical rules for information security management." Release date: 2007.
  • ISO/IEC 27005 - Now: BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical information security.
  • GOST R 51188-98 - Information protection. Testing software for computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2012 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional security requirements.
  • GOST R ISO/IEC 15408-3-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - "General criteria for assessing the security of information technologies" - a standard that defines tools and methods for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, allowing the consumer to make decisions about the security of products. The scope of application of the "General Criteria" is the protection of information from unauthorized access, modification or leakage, and other methods of protection implemented in hardware and software.
  • GOST R ISO/IEC 17799 - "Information technologies. Practical rules for information security management." Direct application of the international standard with the addition of ISO/IEC 17799:2005.
  • GOST R ISO/IEC 27001 - "Information technologies. Security methods. Information security management system. Requirements." Direct application of the international standard ISO/IEC 27001:2005.
  • GOST R 51898-2002 - Safety aspects. Rules for inclusion in standards.

The importance of ensuring information security is difficult to overestimate, since the need to store and transfer data is an integral part of running any business.

The methods of protecting information depend on the form in which it is stored; to systematize and streamline this area, information security standards must be established, since standardization is an important determinant of quality when assessing the services provided.

Any provision of information security requires control and verification, which cannot be carried out by individual assessment alone, without taking international and state standards into account.

The formation of information security standards occurs after a clear definition of its functions and boundaries. Information security is ensuring the confidentiality, integrity and availability of data.

To determine the state of information security, a qualitative assessment is most applicable: the degree of security or vulnerability can be expressed as a percentage, but such a figure does not give a complete and objective picture.

To assess and audit the security of information systems, you can apply a number of instructions and recommendations, which imply regulatory support.

State and international information security standards

Monitoring and assessment of the security state are carried out by checking compliance with state standards (GOST, ISO) and international standards (ISO, Common Criteria for IT security).

The international set of standards developed by the International Organization for Standardization (ISO) is a set of practices and recommendations for the implementation of information security systems and equipment.

ISO 27000 is one of the most widely applied assessment standards; the series includes more than 15 documents, numbered sequentially.

According to the ISO 27000 standardization assessment criteria, information security is not only its integrity, confidentiality and availability, but also authenticity, reliability, fault tolerance and identifiability. Conventionally, this series of standards can be divided into 4 sections:

  • overview and introduction to terminology, description of terms used in the field of security;
  • mandatory requirements for an information security management system, with a detailed description of methods and means of managing the system; this is the main standard of the group;
  • audit recommendations, security controls guidance;
  • standards that recommend practices for implementing, developing and improving an information security management system.

State information security standards include a number of regulations and documents consisting of more than 30 provisions (GOST).

Various standards are aimed not only at establishing general assessment criteria, such as GOST R ISO/IEC 15408, which contains methodological guidelines for security assessment and a list of requirements for the management system; they can also be specific and contain practical guidance.


The interrelation and set of techniques lead to the development of general provisions and to the merging of international and state standardization. Thus, GOSTs of the Russian Federation contain additions and references to international ISO standards.

Such interaction helps to develop a unified system of monitoring and evaluation, which, in turn, significantly increases the efficiency of applying these provisions in practice, objectively assessing work results and generally improving.

Comparison and analysis of national and international standardization systems

The number of European standards for ensuring and controlling information security significantly exceeds the number of legal standards established by the Russian Federation.

In national state standards, the prevailing provisions are on the protection of information from possible hacking, leakage and threats of loss. Foreign security systems specialize in developing standards for data access and authentication.

There are also differences in the provisions relating to the implementation of control and audit of systems. In addition, the practice of applying and implementing the information security management system of European standardization is manifested in almost all spheres of life, and the standards of the Russian Federation are mainly aimed at preserving material well-being.

However, constantly updated state standards contain the necessary minimum set of requirements to create a competent information security management system.

Information security standards for data transmission

Doing business involves storing, exchanging, and transmitting data via the Internet. In the modern world, currency transactions, commercial activities and transfers of funds often take place online, and it is possible to ensure the information security of this activity only by applying a competent and professional approach.

There are many standards on the Internet that ensure secure storage and transmission of data, well-known anti-virus protection programs, special protocols for financial transactions, and many others.

The speed of development of information technologies and systems is so great that it significantly outstrips the creation of protocols and uniform standards for their use.

One of the popular secure data transfer protocols is SSL (Secure Socket Layer), developed by American specialists. It allows you to protect data using cryptography.

The advantage of this protocol is the possibility of verification and authentication, for example, immediately before data exchange. However, the use of such systems when transferring data is rather advisory, since the use of these standards is not mandatory for entrepreneurs.


To carry out secure transactions and operations, the SET (Secure Electronic Transaction) protocol was developed, which allows minimizing risks when conducting commercial and trading operations. This protocol is a standard for the Visa and MasterCard payment systems, allowing the use of the payment system's security mechanism.

Committees that standardize Internet resources are voluntary, therefore the activities they carry out are not legal and mandatory.

However, fraud on the Internet in the modern world is recognized as one of the global problems; therefore, it is simply impossible to ensure information security without the use of special technologies and their standardization.

Security Management Systems - Specification with guidance for use" (Systems - specifications with guidance for use). On its basis, the ISO/IEC 27001:2005 standard "Information technology. Security techniques. Information security management systems. Requirements" was developed, against which certification can be carried out.

In Russia, the standards GOST R ISO/IEC 17799-2005 "Information technology. Practical rules for information security management" (authentic translation of ISO/IEC 17799:2000) and GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements" (translation of ISO/IEC 27001:2005) are currently in force. Despite some internal discrepancies associated with the different versions and translation features, the existence of these standards makes it possible to bring an information security management system into conformity with their requirements and, if necessary, to certify it.

GOST R ISO/IEC 17799:2005 "Information technology. Practical rules for information security management"

Let us now consider the contents of the standard. The introduction states that "information, the processes that support it, information systems and network infrastructure are essential assets of an organization. Confidentiality, integrity and availability of information can significantly contribute to the competitiveness, liquidity, profitability, compliance and business reputation of the organization." Thus, we can say that this standard considers information security issues from the point of view of economic effect as well.

Three groups of factors are indicated that must be taken into account when developing information security requirements. These are:

  • the organization's risk assessment. Through risk assessment, threats to the organization's assets are identified, the vulnerability of the relevant assets and the likelihood of threats occurring are assessed, and possible consequences are estimated;
  • legal, statutory, regulatory and contractual requirements that must be met by the organization, its trading partners, contractors and service providers;
  • a specific set of principles, objectives and requirements developed by an organization regarding the processing of information.

Once the requirements have been determined, the stage of selecting and implementing controls that reduce risk to an acceptable level begins. Selection of information security controls should be based on the ratio of the cost of their implementation to the effect of reducing risks and the possible losses in the event of a security breach. Factors that cannot be expressed in monetary terms, such as loss of reputation, should also be taken into account. A possible list of controls is given in the standard, but it is noted that it can be supplemented or formed independently based on the needs of the organization.

Let us briefly list the sections of the standard and the information protection measures proposed in them. The first group concerns security policy. It is required that it be developed, approved by the management of the organization, published and brought to the attention of all employees. It should determine the procedure for working with the organization’s information resources, the duties and responsibilities of employees. The policy is reviewed periodically to reflect the current state of the system and identified risks.

The next section addresses organizational issues related to information security. The standard recommends creating management councils (with the participation of the company's senior management) to approve the security policy, appoint responsible persons, distribute responsibilities and coordinate the implementation of information security management activities in the organization. The process for obtaining permission to use information processing tools (including new software and hardware) in the organization should also be described so that their use does not lead to security problems. It is also necessary to define the procedure for interaction with other organizations on information security issues, consultations with "external" specialists, and independent verification (audit) of information security.

When providing access to information systems to specialists from third-party organizations, special attention must be paid to security issues. An assessment of the risks associated with different types of access (physical or logical, i.e. remote) of such specialists to various organizational resources must be carried out. The need to provide access must be justified, and contracts with third parties and organizations must include requirements regarding compliance with the security policy. It is proposed to do the same in the case of involving third-party organizations in information processing (outsourcing).

The next section of the standard is devoted to issues of classification and asset management. To ensure the information security of an organization, it is necessary that all key information assets are accounted for and assigned to responsible owners. It is proposed to start with an inventory. The following classification is given as an example:

  • information assets (databases and data files, system documentation etc.);
  • software assets (application software, system software, development tools and utilities);
  • physical assets (computer equipment, communications equipment, storage media, other technical equipment, furniture, premises);
  • services (computing and communication services, basic utilities).

Next, it is proposed to classify information in order to determine its priority, necessity and degree of protection. At the same time, the relevant information can be assessed taking into account how critical it is for the organization, for example, from the point of view of ensuring its integrity and availability. After this, it is proposed to develop and implement a labeling procedure when processing information. Labeling procedures should be defined for each classification level to accommodate the following types of information processing:

  • copying;
  • storage;
  • transmission by mail, fax and e-mail;
  • voice transmission, including mobile phone, voice mail, answering machines;
  • destruction.

The next section addresses security issues related to personnel. The standard determines that responsibilities for compliance with security requirements are allocated at the stage of personnel selection, included in employment contracts and monitored throughout the entire period of employment. In particular, when hiring a permanent employee, it is recommended to check the authenticity of the documents submitted by the applicant, the completeness and accuracy of the resume, and the references provided. It is recommended that employees sign a confidentiality agreement stating what information is confidential or sensitive. Disciplinary responsibility for employees who violate the organization's security policies and procedures must be defined. Where necessary, this responsibility should continue for a specified period after leaving employment.

Users need to be trained in security procedures and in the correct use of information processing tools to minimize possible risks. In addition, a procedure for reporting information security violations must be defined, and staff must be familiarized with it. A similar procedure should be followed in the case of software failures. Such incidents need to be recorded and analyzed to identify recurring problems.

The next section of the standard addresses issues of physical and environmental protection. It is stated that "means for processing critical or important service information must be located in security zones designated by a certain security perimeter with appropriate protective barriers and intrusion controls. These areas must be physically protected from unauthorized access, damage and impact." In addition to organizing access control to protected areas, the procedure for carrying out work in them and, if necessary, procedures for organizing visitor access must be defined. It is also necessary to ensure the safety of equipment (including equipment used outside the organization) to reduce the risk of unauthorized access to data and to protect it from loss or damage. This group of requirements also includes protection from power failures and protection of the cable network. Equipment maintenance procedures that take security requirements into account must also be defined, as well as procedures for the safe disposal or reuse of equipment. For example, it is recommended that disposable storage media containing sensitive information be physically destroyed or securely overwritten rather than erased with standard data deletion functions.

To minimize the risk of unauthorized access to or damage to paper documents, storage media and information processing media, it is recommended to implement a "clean desk" policy for paper documents and removable storage media, as well as a "clean screen" policy for information processing equipment. Equipment, information or software may be removed from the organization's premises only with appropriate permission.

The title of the next section of the standard is “Management of data transfer and operational activities.” It requires that the responsibilities and procedures associated with the operation of all information processing facilities be established. For example, configuration changes in information processing facilities and systems must be controlled. It is required to implement the principle of segregation of responsibilities in relation to management functions, performance of certain tasks and areas.

It is recommended to separate the development, testing and production environments of software. The rules for transferring software from the status of being developed to the status of accepted for operation must be defined and documented.

Additional risks arise when third-party contractors are used to manage information processing facilities. Such risks must be identified in advance, and appropriate information security controls must be agreed with the contractor and included in the contract.

To provide the necessary processing and storage capacity, it is necessary to analyze current performance requirements, as well as forecast future ones. These forecasts should take into account new functional and system requirements, as well as current and future plans for the development of information technology in the organization. Requirements and criteria for the adoption of new systems must be clearly defined, agreed upon, documented and tested.

Measures must be taken to prevent and detect the introduction of malicious software such as computer viruses, network worms, Trojan horses and logic bombs. It is noted that protection against malware should be based on an understanding of security requirements, appropriate systems access controls and proper change management.

The procedure for carrying out auxiliary operations must be defined; this includes backup of software and data (as an example, lab #10 looks at organizing backups in Windows Server 2008), logging of events and errors and, where necessary, monitoring of hardware status. Redundancy arrangements for each individual system should be tested regularly to ensure that they meet the requirements of business continuity plans.

To ensure the security of information on networks and protect the supporting infrastructure, security controls must be introduced and connected services must be protected from unauthorized access.

Particular attention is paid to protecting various types of storage media (documents, computer storage media such as tapes, disks and cassettes, input/output data and system documentation) from damage. It is recommended to establish a procedure for using removable computer storage media (procedures for content control, storage, destruction, etc.). As noted above, storage media should be disposed of securely and safely after use.

In order to protect information from unauthorized disclosure or misuse, it is necessary to establish procedures for processing and storing information. These procedures should be designed taking the information classification into account and should apply to documents, computing systems, networks, laptop computers, mobile communications, mail, voice mail, voice communications in general, multimedia devices, fax use and any other important objects, such as forms, checks and bills. System documentation may contain important information and therefore must also be protected.

The process of exchanging information and software between organizations must be controlled and comply with current legislation. In particular, the security of information carriers during transmission must be ensured, and a usage policy for email and electronic office systems must be defined. Care should be taken to protect the integrity of information published electronically, such as information on a Web site. An appropriate formalized authorization process is also required before such information is made publicly available.

The next section of the standard is devoted to access control issues.

It is required that the access control rules and rights of each user or group of users are clearly defined by the security policy. Users and service providers must be made aware of the need to comply with these requirements.

When password authentication is used, it is necessary to exercise control over user passwords. In particular, users must sign a document agreeing to maintain complete confidentiality of passwords. The process of issuing a password to a user must be secure, as must the mechanisms, if used, by which users manage their own passwords (forced password change after the first login, etc.).

Access to both internal and external network services must be controlled. Users should be provided with direct access only to those services for which they have been authorized. Particular attention must be paid to authenticating remote users. Based on the risk assessment, it is important to determine the required level of protection in order to select the appropriate authentication method. The security of using network services must also be monitored.

Many network and computing devices have built-in remote diagnostics and management capabilities. Security measures must also apply to these facilities.

When networks are shared by multiple organizations, access control policy requirements must be defined to take this into account. It may also be necessary to introduce additional information security controls to limit users' ability to connect.

At the operating system level, information security measures should be used to restrict access to computer resources (an example of organizing access control to files and folders in Windows Server 2008 is discussed in laboratory work No. 9). This concerns the identification and authentication of terminals and users. It is recommended that all users have unique identifiers, which should not contain any indication of the user's privilege level. Password management systems must provide effective interactive capabilities to support the required password quality (an example of password quality management in Windows operating systems is discussed in laboratory work No. 3). The use of system utilities should be limited and carefully controlled.

It is advisable to provide an alarm for the case where the user may become a target of violence (if such an event is assessed as probable). An example of this would be "duress" login passwords: if the user enters such a password, the system displays the user's normal login process and then simulates a failure to prevent attackers from gaining access to the data. Responsibilities and procedures for responding to such an alarm must be defined.
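As an added illustration of the duress-password control described above (example code written for this page, not part of the standard or the original text; the names `UserRecord`, `DuressLoginService` and the user "alice" are hypothetical), the login routine below hashes both the normal and the duress password, checks both in constant time so the response looks identical, returns the same generic failure a wrong password would, and queues a silent alarm for the security staff:

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical parameters chosen for this example; a real deployment
# would follow its own password-storage policy.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    """Stored credentials: one salt, one normal hash, one duress hash."""
    username: str
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes

    @classmethod
    def create(cls, username: str, normal_password: str, duress_password: str) -> "UserRecord":
        if normal_password == duress_password:
            raise ValueError("duress password must differ from the normal password")
        salt = os.urandom(16)
        return cls(
            username=username,
            salt=salt,
            normal_hash=hash_password(normal_password, salt),
            duress_hash=hash_password(duress_password, salt),
        )


@dataclass
class DuressLoginService:
    """Login front end that recognises a duress password without revealing that it did."""
    users: dict
    # Silent alarm queue; in a real system this would be forwarded to the
    # responders named in the organisation's alarm-response procedure.
    alarms: list = field(default_factory=list)

    def login(self, username: str, password: str) -> tuple:
        """Return ("ok", session_token) on success, otherwise ("failed", None).

        A duress password yields exactly the same ("failed", None) result as a
        wrong password, so an attacker watching the screen learns nothing, while
        an alarm record is queued for the security staff.
        """
        user = self.users.get(username)
        if user is None:
            # Hash anyway so that timing does not reveal whether the user exists
            # (constructed dummy salt).
            hash_password(password, b"\x00" * 16)
            return ("failed", None)

        candidate = hash_password(password, user.salt)
        # Evaluate both comparisons unconditionally so the code path taken for a
        # duress password is indistinguishable in timing from a normal login.
        is_normal = hmac.compare_digest(candidate, user.normal_hash)
        is_duress = hmac.compare_digest(candidate, user.duress_hash)

        if is_duress:
            self.alarms.append({"user": username, "event": "duress_login"})
            return ("failed", None)   # simulated failure, as the standard describes
        if is_normal:
            return ("ok", secrets.token_hex(16))
        return ("failed", None)


def build_demo_service() -> DuressLoginService:
    """Construct a service with one sample user (constructed demo data)."""
    alice = UserRecord.create("alice", "correct horse", "battery staple")
    return DuressLoginService(users={"alice": alice})


if __name__ == "__main__":
    svc = build_demo_service()
    print(svc.login("alice", "correct horse")[0])   # ok
    print(svc.login("alice", "battery staple"))     # ('failed', None), alarm queued
    print(svc.alarms)
```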

Terminals serving high-risk systems, when located in easily accessible locations, should be switched off after a certain period of inactivity to prevent access by unauthorized persons. A restriction on the period of time during which terminals are allowed to connect to computer services may also be introduced.

Information security measures also need to be applied at the application level. In particular, this may be a restriction of access for certain categories of users. Systems that process important information must be provided with a dedicated (isolated) computing environment.

Monitoring of the system is necessary to detect deviations from access control policy requirements and provide evidence in the event of an information security incident. Monitoring results should be reviewed regularly. The audit log can be used to investigate incidents, so proper setting (synchronization) of the computer clock is quite important.

When using portable devices, such as laptops, it is necessary to take special measures to counteract the compromise of proprietary information. Formalized policies should be adopted that address the risks associated with working with portable devices, particularly in unsecured environments.

The next section of the standard is called "Development and maintenance of systems". Already at the information systems development stage it is necessary to ensure that security requirements are taken into account, and during operation of the system it is necessary to prevent loss, modification or misuse of user data. For this purpose, it is recommended that application systems provide validation of input and output data, control of data processing within the system, message authentication and logging of user actions.

Cryptographic security measures may be used to ensure confidentiality, integrity and data authentication.

Ensuring software integrity plays an important role in the process of information security. To minimize damage to information systems, the implementation of changes should be strictly controlled. From time to time there is a need to make changes to operating systems. In these cases, it is necessary to analyze and test the application systems to ensure that there is no adverse impact on their functionality and security. As far as possible, it is recommended to use ready-made software packages without modification.

A related issue is countering Trojan horses and the use of covert leakage channels. One countermeasure is to use software obtained from trusted vendors and monitor system integrity.

In cases where a third-party organization is involved in software development, it is necessary to provide measures to control the quality and correctness of the work performed.

The next section of the standard is devoted to business continuity management. At the initial stage, it is supposed to identify events that may cause interruption of business processes (equipment failure, fire, etc.). In this case, it is necessary to assess the consequences, and then develop recovery plans. The adequacy of the plans must be confirmed by testing, and they themselves must be periodically revised to take into account changes occurring in the system.

The final section of the standard addresses compliance issues. First of all, this concerns the compliance of the system and the procedure for its operation with legal requirements. This includes issues of compliance with copyright (including software), protection of personal information (of employees and clients), and prevention of misuse of information processing tools. Where cryptographic means of information protection are used, they must comply with current legislation. The procedure for collecting evidence in case of litigation related to information system security incidents should also be thoroughly worked out.

The information systems themselves must comply with the organization's security policy and the standards used. The security of information systems must be regularly analyzed and assessed. At the same time, it is necessary to observe security measures when conducting a security audit so that the audit does not lead to undesirable consequences (for example, the failure of a critical server due to the audit).

To summarize, it can be noted that the standard addresses a wide range of issues related to ensuring the security of information systems. Practical recommendations are given in a number of areas.


It doesn't happen very often that I lose sight of some Russian information security regulation. But then it happened ;-( The only justification is that what was omitted is advisory in nature - we are talking about GOSTs on information protection. Among the new GOSTs that I had not encountered before, the following were discovered:

  • GOST R 53110-2008. System for ensuring information security of a public communication network. General provisions
  • GOST R 53111-2008. Stability of the functioning of the public communication network. Requirements and verification methods
  • GOST R 53109-2008. System for ensuring information security of a public communication network. Information security communications organization passport
  • GOST R 53114-2008. Data protection. Ensuring information security in the organization. Basic terms and definitions
  • GOST R 53113.1-2008. Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions
  • GOST R 53112-2008. Data protection. Complexes for measuring parameters of spurious electromagnetic radiation and interference. Technical requirements and test methods
  • GOST R 53115-2008. Data protection. Testing of technical means of information processing for compliance with the requirements of security from unauthorized access. Methods and means
  • GOST R 53113.2-2009. Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels
  • GOST R ISO/IEC TO 19791-2008. Information technology. Methods and means of ensuring security. Security assessment of automated systems
  • GOST R ISO/IEC 21827-2010. Information technology. Methods and means of ensuring security. Design of security systems. Process Maturity Model
  • GOST R 53131-2008. Data protection. Recommendations for disaster recovery services for information and telecommunications technology security functions and mechanisms. General provisions.
  • GOST R 54581-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1: Overview and Basics
  • GOST R 54583-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in information technology security. Part 3. Analysis of trust methods
  • GOST R 54582-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in information technology security. Part 2. Methods of trust.
Almost all of these GOSTs are available on the Rostekhregulirovanie website in the public domain.
Also, several standards for biometrics were developed and adopted (some are still in development), as well as the previously mentioned GOSTs 18028 on network security management, 27006 on requirements for ISMS auditors, 27004 on ISMS measurements, 27005 on information security risk assessment and 27033-1 on network security.

Plans for 2013 include the development of very interesting and worthy GOST standards (some of the work has already begun):

  • "Vulnerabilities of information systems. Classification of vulnerabilities of information systems",
    "Vulnerabilities of information systems. Rules for describing vulnerabilities",
  • "Vulnerabilities of information systems. Contents and procedure for performing work to identify and assess vulnerabilities of information systems",
  • "Procedure for creating automated systems in a secure design. General provisions" (instead of the current version of GOST 51583-2000),
  • "Documentation on technical protection of information at an informatization facility. General provisions",
  • "Information systems and information objects. Threats to information security. General provisions",
  • "Information security technology. Nomenclature of quality indicators" (instead of the current GOST R 52447-2005)",
  • "Basic terms and definitions" (instead of the current version of GOST R 50922-2006),
  • "Requirements for information protection in information systems built using virtualization technology. General provisions",
  • "Requirements for the protection of information processed using cloud computing technologies. General provisions",
  • "Requirements for information protection in information systems built using supercomputer and grid technologies"
  • and a number of standards for information warfare.
It is also planned to develop/adapt/harmonize GOST R ISO/IEC 27007 "Information technology. Methods and means of ensuring security. Guidelines for auditing the information security management system."

The plans are very ambitious and worthy. FSTEC is reorienting itself a little - from the development of purely internal regulatory documents towards a national methodological base. This approach can only be welcomed.

This section provides general information about, and the texts of, the national standards of the Russian Federation (GOST R) in the field of information security.

Current list of modern GOSTs developed in recent years and planned for development.

Certification system for information security tools according to information security requirements No. ROSS RU.0001.01BI00 (FSTEC of Russia).

  • State Standard of the Russian Federation. Data protection. Procedure for creation of automated systems in secured execution. General provisions. Moscow.
  • State Standard of the Russian Federation. Computer facilities. Protection against unauthorized access to information. General technical requirements. Date of introduction 1996-01-01.
  • National standard of the Russian Federation. Data protection. Basic terms and definitions (Protection of information. Basic terms and definitions). Date of introduction 2008-02-01.
  • State Standard of the Russian Federation. Data protection. System of standards. Basic provisions (Safety of information. System of standards. Basic principles).
  • State Standard of the Russian Federation. Data protection. Testing software for the presence of computer viruses. Model manual (Information security. Software testing for the existence of computer viruses. The sample manual).
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions.
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.
  • Information technology. Methods and means of ensuring security. Guidance for developing security profiles and security tasks.
  • Automatic identification. Biometric identification. Performance tests and test reports in biometrics. Part 3. Features of testing for various biometric modalities.
  • Information technology. Methods and means of ensuring security. Methodology for assessing information technology security.
  • GOST R ISO/IEC 15408-1-2008. Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model (Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model).
  • GOST R ISO/IEC 15408-2-2008. Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Functional security requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional requirements).
  • GOST R ISO/IEC 15408-3-2008. Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance requirements).
  • GOST R 53109-2008. System for ensuring information security of a public communication network. Information security communications organization passport (Information security of the public communications network providing system. Passport of the organization communications of information security). Effective date: 09/30/2009.
  • GOST R 53114-2008. Information protection. Ensuring information security in the organization. Basic terms and definitions (Protection of information. Information security provision in organizations. Basic terms and definitions). Effective date: 09/30/2009.
  • GOST R 53112-2008. Information protection. Complexes for measuring parameters of spurious electromagnetic radiation and interference. Technical requirements and test methods (Information protection. Facilities for measuring side electromagnetic radiation and pickup parameters. Technical requirements and test methods). Effective date: 09/30/2009.
  • GOST R 53115-2008. Information protection. Testing of technical means of information processing for compliance with the requirements of security from unauthorized access. Methods and means (Information protection. Conformance testing of technical information processing facilities to unauthorized access protection requirements. Methods and techniques). Effective date: 09/30/2009.
  • GOST R 53113.2-2009. Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels (Information technology. Protection of information technology and automated systems against security threats posed by use of covert channels. Part 2. Recommendations on protecting information, information technology and automated systems against covert channel attacks). Effective date: 12/01/2009.
  • GOST R ISO/IEC TO 19791-2008. Information technology. Methods and means of ensuring security. Security assessment of automated systems (Information technology. Security techniques. Security assessment of operational systems). Effective date: 09/30/2009.
  • GOST R 53131-2008. Information protection. Recommendations for disaster recovery services for information and telecommunications technology security functions and mechanisms. General provisions (Information protection. Guidelines for recovery services of information and communications technology security functions and mechanisms. General). Effective date: 09/30/2009.
  • GOST R 54581-2011. Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1: Overview and Basics (Information technology. Security techniques. A framework for IT security assurance. Part 1. Overview and framework). Effective date: 07/01/2012.
  • GOST R ISO/IEC 27033-1-2011. Information technology. Methods and means of ensuring security. Network security. Part 1: Overview and Concepts (Information technology. Security techniques. Network security. Part 1. Overview and concepts). Effective date: 01/01/2012.
  • GOST R ISO/IEC 27006-2008. Information technology. Methods and means of ensuring security. Requirements for bodies performing audit and certification of information security management systems (Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems). Effective date: 09/30/2009.
  • GOST R ISO/IEC 27004-2011. Information technology. Methods and means of ensuring security. Information security management. Measurements (Information technology. Security techniques. Information security management. Measurement). Effective date: 01/01/2012.
  • GOST R ISO/IEC 27005-2010. Information technology. Methods and means of ensuring security. Information security risk management (Information technology. Security techniques. Information security risk management). Effective date: 12/01/2011.
  • GOST R ISO/IEC 31010-2011. Risk management. Risk assessment methods (Risk management. Risk assessment methods). Effective date: 12/01/2012.
  • GOST R ISO 31000-2010. Risk management. Principles and guidelines. Effective date: 08/31/2011.
  • GOST 28147-89. Information processing systems. Cryptographic protection. Cryptographic conversion algorithm. Effective date: 06/30/1990.
  • GOST R ISO/IEC 27013-2014. "Information technology. Methods and means of ensuring security. Guidance on the combined use of ISO/IEC 27001 and ISO/IEC 20000-1". Effective September 1, 2015.
  • GOST R ISO/IEC 27033-3-2014. "Network security. Part 3. Reference network scenarios. Threats, design methods and management issues". Comes into force November 1, 2015.
  • GOST R ISO/IEC 27037-2014. "Information technology. Methods and means of ensuring security. Guidelines for the identification, collection, retrieval and retention of digital evidence". Effective November 1, 2015.
  • GOST R ISO/IEC 27002-2012. Information technology. Methods and means of ensuring security. Set of norms and rules for information security management (Information technology. Security techniques. Code of practice for information security management). Effective date: 01/01/2014. OKS code 35.040.
  • GOST R 56939-2016. Information protection. Secure software development. General requirements (Information protection. Secure Software Development. General requirements). Effective date: 06/01/2017.
  • GOST R 51583-2014. Information protection. The procedure for creating automated systems in a secure design. General provisions (Information protection. Sequence of protected operational system formation. General). Effective date: 09/01/2014.
  • GOST R 7.0.97-2016. System of standards for information, library and publishing. Organizational and administrative documentation. Requirements for the preparation of documents (System of standards on information, librarianship and publishing. Organizational and administrative documentation. Requirements for presentation of documents). Effective date: 07/01/2017. OKS code 01.140.20.
  • GOST R 57580.1-2017. Security of financial (banking) transactions. Protection of information of financial organizations. The basic composition of organizational and technical measures (Security of Financial (banking) Operations. Information Protection of Financial Organizations. Basic Set of Organizational and Technical Measures).
  • GOST R ISO 22301-2014. Business continuity management systems. General requirements (Business continuity management systems. Requirements).
  • GOST R ISO 22313-2015. Business continuity management. Implementation Guide (Business continuity management systems. Guidance for implementation).
  • GOST R ISO/IEC 27031-2012. Information technology. Methods and means of ensuring security. A guide to information and communications technology readiness for business continuity (Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity).
  • GOST R IEC 61508-1-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements. Date of introduction 2013-08-01.
  • GOST R IEC 61508-2-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. System requirements (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. Requirements for systems). Date of introduction 2013-08-01.
  • GOST R IEC 61508-3-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Software requirements (IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements, IDT).
  • GOST R IEC 61508-4-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions). Date of introduction 2013-08-01.
  • GOST R IEC 61508-6-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 6. Guidelines for the use of GOST R IEC 61508-2 and GOST R IEC 61508-3 (IEC 61508-6:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3, IDT).
  • GOST R IEC 61508-7-2012. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 7. Methods and means (Functional safety of electrical electronic programmable electronic safety-related systems. Part 7. Techniques and measures). Date of introduction 2013-08-01.
  • GOST R 53647.6-2012. Business continuity management. Requirements for a personal information management system to ensure data protection.