The main requirements for GIS. On the requirements of the FSTEC of Russia and the FSB of Russia for GIS, ISPDn, ASUP and ASUTP. Requirements for marking, packaging, transportation and storage of GIS software and information


ON THE APPROVAL OF REQUIREMENTS FOR THE PROTECTION OF INFORMATION CONTAINED IN STATE INFORMATION SYSTEMS

List of amending documents

(as amended by the Order of the FSTEC of Russia dated February 15, 2017 N 27)

In accordance with Part 5 of Article 16 of the Federal Law of July 27, 2006 N 149-FZ "On Information, Information Technologies and Information Protection" (Sobraniye Zakonodatelstva Rossiyskoy Federatsii, 2006, N 31, Art. 3448; 2010, N 31, Art. 4196; 2011, N 15, item 2038; N 30, item 4600; 2012, N 31, item 4328) and the Regulations on the Federal Service for Technical and Export Control, approved by the Decree of the President of the Russian Federation of August 16, 2004 No. 1085 (Collected Legislation of the Russian Federation, 2004, No. 34, Art. 3541; 2006, No. 49, Art. 5192; 2008, No. 43, Art. 4921; No. 47, Art. 5431; 2012, No. 7, Art. 818), I ORDER:

1. Approve the attached Requirements for the protection of information not constituting a state secret contained in state information systems.

2. Establish that the Requirements specified in paragraph 1 of this order are applied to protect information in state information systems from September 1, 2013.

Director of the Federal Service for Technical and Export Control

APPROVED

by order of the FSTEC of Russia

REQUIREMENTS

ON THE PROTECTION OF INFORMATION THAT IS NOT A STATE SECRET CONTAINED IN STATE INFORMATION SYSTEMS

I. General provisions

1. These Requirements have been developed in accordance with the Federal Law of July 27, 2006 N 149-FZ "On Information, Information Technologies and Information Protection" (Sobraniye Zakonodatelstva Rossiyskoy Federatsii, 2006, N 31, Art. 3448; 2010, N 31, article 4196; 2011, N 15, article 2038; N 30, article 4600; 2012, N 31, article 4328), as well as taking into account the national standards of the Russian Federation in the field of information security and in the field of creating automated systems (hereinafter - national standards).

2. The document establishes requirements for ensuring the protection of restricted-access information that does not contain information constituting a state secret (hereinafter referred to as information) from leakage through technical channels, unauthorized access, and special impacts on such information (information carriers) aimed at obtaining it, destroying it, distorting it or blocking access to it (hereinafter referred to as information protection) when this information is processed in state information systems.

These Requirements may be applied to protect publicly available information contained in state information systems in order to achieve the goals specified in paragraphs 1 and 3 of part 1 of Article 16 of the Federal Law of July 27, 2006 N 149-FZ "On Information, Information Technologies and Information Protection".

The document does not address information security requirements related to the use of cryptographic information security methods and encryption (cryptographic) information security tools.

3. These Requirements are mandatory when processing information in state information systems operating on the territory of the Russian Federation, as well as in municipal information systems, unless otherwise provided by the legislation of the Russian Federation on local self-government.

These Requirements do not apply to state information systems of the Administration of the President of the Russian Federation, the Security Council of the Russian Federation, the Federal Assembly of the Russian Federation, the Government of the Russian Federation, the Constitutional Court of the Russian Federation, the Supreme Court of the Russian Federation and the Federal Security Service of the Russian Federation.

4. These Requirements are intended for information owners, customers who have entered into a state contract for the creation of a state information system (hereinafter referred to as customers) and operators of state information systems (hereinafter referred to as operators).

A person processing information that is a state information resource, on behalf of the information owner (customer) or operator and (or) providing them with computing resources (capacities) for processing information on the basis of a concluded agreement (hereinafter referred to as the authorized person), ensures the protection of information in accordance with the legislation of the Russian Federation on information, information technologies and information protection. The contract must provide for the obligation of the authorized person to ensure the protection of information that is a state information resource in accordance with these Requirements.

5. When processing information containing personal data in the state information system, these Requirements apply along with the requirements for the protection of personal data during its processing in personal data information systems, approved by Decree of the Government of the Russian Federation dated November 1, 2012 N 1119 (Collected Legislation of the Russian Federation, 2012, N 45, Art. 6257).

6. By decision of the information owner (customer) or operator, these Requirements may be applied to protect information contained in non-state information systems.

7. The protection of information contained in the state information system (hereinafter referred to as the information system) is ensured by fulfilling the requirements for the organization of the protection of information contained in the information system and the requirements for measures to protect information contained in the information system.

II. Requirements for the organization of protection of information contained in the information system

8. In the information system, the objects of protection are the information contained in the information system, technical means (including computer equipment, machine storage media, means and systems of communication and data transmission, technical means for processing alphanumeric, graphic, video and speech information), system-wide, applied, special software, information technology, as well as information security tools.

9. To ensure the protection of information contained in the information system, the operator shall appoint a structural unit or an official (employee) responsible for information protection.

10. To carry out work on the protection of information during the creation and operation of an information system, the information owner (customer) and the operator, in accordance with the legislation of the Russian Federation and where necessary, involve organizations that hold a license for the technical protection of confidential information in accordance with the Federal Law of May 4, 2011 N 99-FZ "On Licensing Certain Types of Activities" (Collected Legislation of the Russian Federation, 2011, N 19, Art. 2716; N 30, Art. 4590; N 43, Art. 5971; N 48, Art. 6728; 2012, N 26, item 3446; N 31, item 4322; 2013, N 9, item 874).

11. To ensure the protection of information contained in the information system, information security tools are used that have passed conformity assessment in the form of mandatory certification for compliance with information security requirements in accordance with Article 5 of the Federal Law of December 27, 2002 N 184-FZ “On Technical Regulation” (Sobraniye zakonodatelstva Rossiyskoy Federatsii, 2002, N 52, item 5140; 2007, N 19, item 2293; N 49, item 6070; 2008, N 30, item 3616; 2009, N 29, item 3626; N 48, item 5711; 2010, N 1, item 6; 2011, N 30, item 4603; N 49, item 7025; N 50, item 7351; 2012, N 31, item 4322; 2012, N 50, item 6959).

12. The protection of information contained in the information system is an integral part of the creation and operation of the information system and is ensured at all stages (phases) of its creation, during operation and during decommissioning, by taking organizational and technical measures to protect information aimed at blocking (neutralizing) threats to information security in the information system, within the framework of the information protection system (subsystem) of the information system (hereinafter referred to as the information protection system of the information system).

Organizational and technical information protection measures implemented within the framework of the information system information protection system, depending on the information contained in the information system, the goals of creating the information system and the tasks solved by this information system, should be aimed at eliminating:

illegal access, copying, provision or distribution of information (ensuring the confidentiality of information);

illegal destruction or modification of information (ensuring the integrity of information);

unlawful blocking of information (ensuring the availability of information).

13. To ensure the protection of information contained in the information system, the following activities are carried out:

formation of requirements for the protection of information contained in the information system;

development of the information security system of the information system;

implementation of the information security system of the information system;

certification of the information system according to the requirements of information security (hereinafter referred to as certification of the information system) and putting it into operation;

ensuring the protection of information during the operation of a certified information system;

ensuring the protection of information during the decommissioning of a certified information system or after a decision has been made to complete the processing of information.

Formation of requirements for the protection of information contained in the information system

14. The formation of requirements for the protection of information contained in the information system is carried out by the owner of the information (customer).

The formation of requirements for the protection of information contained in the information system is carried out taking into account GOST R 51583 “Information security. The order of creation of automated systems in protected execution. General Provisions” (hereinafter referred to as GOST R 51583) and GOST R 51624 “Information Protection. Automated systems in a secure design. General requirements” (hereinafter referred to as GOST R 51624) and includes:

making a decision on the need to protect information contained in the information system;

classification of the information system according to the requirements of information protection (hereinafter referred to as the classification of the information system);

identification of information security threats, the implementation of which can lead to a violation of information security in the information system, and the development of an information security threat model based on them;

determination of requirements for the information security system of the information system.

14.1. When deciding on the need to protect the information contained in the information system, the following is carried out:

analysis of the goals of creating an information system and the tasks solved by this information system;

determination of information to be processed in the information system;

analysis of regulatory legal acts, methodological documents and national standards that the information system must comply with;

making a decision on the need to create an information security system of the information system, as well as determining the goals and objectives of protecting information in the information system, the main stages of creating the information security system of the information system, and the functions of the information owner (customer), operator and authorized persons in ensuring the protection of information contained in the information system.

14.2. The classification of an information system is carried out depending on the significance of the information processed in it and the scale of the information system (federal, regional, object).

Three security classes of the information system are established, which determine the levels of security of the information contained in it. The lowest class is the third, the highest is the first. The information system security class is determined in accordance with Appendix No. 1 to these Requirements.

The security class is determined for the information system as a whole and, if necessary, for its individual segments (components). The requirement for the security class is included in the terms of reference for the creation of an information system and (or) the terms of reference (private terms of reference) for the creation of an information security system of an information system, developed taking into account GOST 34.602 “Information technology. Set of standards for automated systems. Terms of reference for the creation of an automated system” (hereinafter - GOST 34.602), GOST R 51583 and GOST R 51624.

The security class of an information system is subject to revision when the scale of the information system or the significance of the information processed in it changes.

The results of the classification of the information system are documented by the act of classification.

14.3. Information security threats are determined based on the results of assessing the capabilities (potential) of external and internal violators, analyzing possible vulnerabilities of the information system, possible ways to implement information security threats and the consequences of violating information security properties (confidentiality, integrity, availability).

As the initial data for determining information security threats, the information security threat database (bdu.site) is used, which is maintained by the FSTEC of Russia in accordance with subparagraph 21 of paragraph 8 of the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation dated 16 August 2004 N 1085 (Sobranie Zakonodatelstva Rossiyskoy Federatsii, 2004, N 34, Art. 3541; 2006, N 49, Art. 5192; 2008, N 43, Art. 4921; N 47, Art. 5431; 2012, N 7, item 818; 2013, N 26, item 3314; N 53, item 7137; 2014, N 36, item 4833; N 44, item 6041; 2015, N 4, item 641; 2016, N 1, art. 211) (hereinafter referred to as the information security threat database of the FSTEC of Russia), as well as other sources containing information about vulnerabilities and threats to information security.

When determining information security threats, the structural and functional characteristics of the information system are taken into account, including the structure and composition of the information system, physical, logical, functional and technological relationships between information system segments, with other information systems and information and telecommunication networks, information processing modes in the information system and in its individual segments, as well as other characteristics of the information system, the information technologies used and the features of its functioning.

Based on the results of determining information security threats, if necessary, recommendations are developed for adjusting the structural and functional characteristics of the information system, aimed at blocking (neutralizing) individual information security threats.

The information security threat model should contain a description of the information system and its structural and functional characteristics, as well as a description of information security threats, including a description of the capabilities of violators (violator model), possible vulnerabilities of the information system, methods for implementing information security threats and the consequences of violating information security properties.

To determine information security threats and develop an information security threat model, methodological documents developed and approved by the FSTEC of Russia are used in accordance with subparagraph 4 of paragraph 8 of the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation of August 16, 2004 N 1085 (Sobraniye Zakonodatelstva Rossiyskoy Federatsii, 2004, N 34, Art. 3541; 2006, N 49, Art. 5192; 2008, N 43, Art. 4921; N 47, Art. 5431; 2012, N 7, Art. 818).

14.4. The requirements for the information security system of the information system are determined depending on the security class of the information system and the information security threats included in the information security threat model.

Requirements for the information security system of an information system are included in the terms of reference for the creation of an information system and (or) the terms of reference (private terms of reference) for the creation of an information security system of an information system, developed taking into account GOST 34.602, GOST R 51583 and GOST R 51624, and must contain, among other things:

the purpose and objectives of ensuring the protection of information in the information system;

information system security class;

a list of regulatory legal acts, methodological documents and national standards that the information system must comply with;

list of information system protection objects;

requirements for measures and means of protecting information used in the information system;

stages (phases of work) of creating an information system protection system;

requirements for the supplied technical means, software, information security tools;

functions of the customer and operator to ensure the protection of information in the information system;

requirements for the protection of means and systems that ensure the functioning of the information system (supporting infrastructure);

requirements for information protection during information interaction with other information systems and information and telecommunication networks, including with information systems of an authorized person, as well as when using computing resources (capacities) provided by an authorized person for information processing.

When determining the requirements for the information security system of the information system, the provisions of the information security policies of the information owner (customer), as well as the information security policies of the operator and the authorized person in the part that does not contradict the policies of the information owner (customer) are taken into account.

Development of an information security system of an information system

15. The development of the information security system of the information system is organized by the owner of the information (customer).

The development of an information security system for an information system is carried out in accordance with the terms of reference for the creation of an information system and (or) the terms of reference (private terms of reference) for the creation of an information security system for an information system, taking into account GOST 34.601 “Information technology. Set of standards for automated systems. Automated systems. Stages of creation" (hereinafter referred to as GOST 34.601), GOST R 51583 and GOST R 51624, including:

designing the information security system of the information system;

development of operational documentation for the information security system of the information system;

prototyping and testing of the information security system of the information system (if necessary).

The information security system of an information system should not interfere with the achievement of the goals of creating an information system and its functioning.

When developing an information security system for an information system, its information interaction with other information systems and information and telecommunication networks, including information systems of an authorized person, as well as the use of computing resources (capacities) provided by an authorized person for information processing, are taken into account.

15.1. When designing an information security system of an information system:

types of access subjects (users, processes and other access subjects) and access objects that are objects of protection (devices, file system objects, launchable and executable modules, database management system objects, objects created by application software, other access objects) are defined;

access control methods are defined (discretionary, mandatory, role-based or other methods), access types (read, write, execute or other types of access) and rules for restricting access of access subjects to access objects (based on lists, security labels, roles and other rules) to be implemented in the information system;

information protection measures to be implemented in the information protection system of the information system are selected;

the kinds and types of information security tools that ensure the implementation of technical measures to protect information are determined;

the structure of the information security system of the information system is determined, including the composition (quantity) and location of its elements;

the selection of information security tools certified for compliance with information security requirements is carried out, taking into account their cost, compatibility with information technologies and technical means, the security functions of these tools and the features of their implementation, as well as the security class of the information system;

requirements for software settings are determined, including software for information protection tools that ensure the implementation of information protection measures, as well as the elimination of possible information system vulnerabilities that lead to information security threats;

information protection measures are determined during information interaction with other information systems and information and telecommunication networks, including with information systems of an authorized person, as well as when using computing resources (capacities) provided by an authorized person for information processing.

The results of the design of the information security system of the information system are reflected in the design documentation (draft (technical) project and (or) working documentation) for the information system (information security system of the information system), developed taking into account GOST 34.201 “Information technology. Set of standards for automated systems. Types, completeness and designation of documents when creating automated systems” (hereinafter - GOST 34.201).

The design documentation for an information system and (or) its information security system is subject to agreement with the operator of the information system if the operator has been designated as such in accordance with the legislation of the Russian Federation by the time the design of the information security system of the information system is completed and is not the customer of this information system.

In the absence of the necessary information security tools certified for compliance with information security requirements, either the development (improvement) of information security tools and their certification in accordance with the legislation of the Russian Federation is organized, or the design decisions on the information system and (or) its information security system are adjusted taking into account the functionality of the available certified information security tools.

15.2. The development of operational documentation for the information security system of the information system is carried out in accordance with the terms of reference for the creation of the information system and (or) the terms of reference (private terms of reference) for the creation of the information security system of the information system.

The operational documentation for the information security system of the information system is developed taking into account GOST 34.601, GOST 34.201 and GOST R 51624 and should also contain a description of:

structure of the information security system of the information system;

composition, installation locations, parameters and procedure for setting up information security tools, software and hardware;

rules for operating the information security system of the information system.

15.3. When prototyping and testing the information security system of an information system, the following are carried out, among other things:

checking the operability and compatibility of the selected information security tools with information technologies and technical means;

verification of the fulfillment by the selected information security tools of the requirements for the information security system of the information system;

adjustment of design solutions developed during the creation of an information system and (or) an information security system of an information system.

Prototyping and testing of the information security system of an information system can be carried out, among other things, using tools and methods for modeling information systems and virtualization technologies.

Implementation of the information security system of the information system

16. The implementation of the information security system of the information system is organized by the owner of the information (customer).

The implementation of the information security system of the information system is carried out in accordance with the design and operational documentation for the information security system of the information system, and includes:

installation and configuration of information security tools in the information system;

development of documents defining the rules and procedures implemented by the operator to ensure the protection of information in the information system during its operation (hereinafter referred to as organizational and administrative documents for information protection);

implementation of organizational measures to protect information;

preliminary tests of the information security system of the information system;

trial operation of the information security system of the information system;

analysis of information system vulnerabilities and taking information protection measures to eliminate them;

acceptance tests of the information security system of the information system.

The information system operator is involved in the implementation of the information security system of the information system if it has been designated as such in accordance with the legislation of the Russian Federation by the time the information security system of the information system is implemented and is not the customer of this information system.

16.1. Installation and configuration of information security tools in the information system should be carried out in accordance with the operational documentation for the information security system of the information system and the documentation for information security tools.

16.2. The developed organizational and administrative documents on information protection should define the rules and procedures:

management (administration) of the information security system of the information system;

identifying incidents (one event or a group of events) that can lead to failures or disruption of the information system and (or) threats to information security (hereinafter referred to as incidents), and responding to them;

managing the configuration of the certified information system and the information security system of the information system;

control (monitoring) over ensuring the level of security of information contained in the information system;

protection of information during the decommissioning of the information system or after a decision has been made to complete the processing of information.

16.3. When implementing organizational measures to protect information, the following are carried out:

implementation of access control rules that regulate the access rights of access subjects to access objects, and the introduction of restrictions on user actions, as well as on changes in operating conditions, composition and configuration of hardware and software;

verification of the completeness and detail of the description in the organizational and administrative documents for information protection of the actions of users and administrators of the information system to implement organizational measures for information protection;

working out the actions of officials and departments responsible for the implementation of information protection measures.

16.4. Preliminary tests of the information security system of the information system are carried out taking into account GOST 34.603 “Information technology. Types of tests of automated systems” (hereinafter referred to as GOST 34.603) and include checking the operability of the information security system of the information system, as well as making a decision on whether trial operation of the information security system of the information system is possible.

16.5. Trial operation of the information security system of the information system is carried out taking into account GOST 34.603 and includes checking the functioning of the information security system of the information system, including the implemented information protection measures, as well as the readiness of users and administrators to operate the information security system of the information system.

16.6. Analysis of information system vulnerabilities is carried out in order to assess whether a violator can overcome the information security system of the information system, and to prevent the implementation of threats to information security.

Analysis of information system vulnerabilities includes analysis of vulnerabilities of information security tools, hardware and software of the information system.

When analyzing the vulnerabilities of the information system, the absence of known vulnerabilities of information security tools, hardware and software is checked, including taking into account the information available to developers and obtained from other public sources, the correct installation and configuration of information security tools, hardware and software, as well as the correct operation of information security tools when they interact with hardware and software.

If information system vulnerabilities are identified that lead to additional threats to information security, the model of information security threats is refined and, if necessary, additional information protection measures are taken to eliminate the identified vulnerabilities or exclude the possibility of using the identified vulnerabilities by the violator.

Based on the results of the vulnerability analysis, it must be confirmed that the information system does not contain vulnerabilities listed in the information security threat database of the FSTEC of Russia, as well as in other sources, or that their use (exploitation) by the violator is impossible.

16.7. Acceptance tests of the information security system of the information system are carried out taking into account GOST 34.603 and include verification of the fulfillment of the requirements for the information security system of the information system in accordance with the terms of reference for the creation of the information system and (or) the terms of reference (private terms of reference) for the creation of the information security system of the information system.

Certification of the information system and its commissioning

17. Certification of the information system is organized by the information owner (customer) or operator and includes a set of organizational and technical measures (certification tests), as a result of which the compliance of the information system information protection system with these Requirements is confirmed.

Certification tests of the information system may not be conducted by officials involved in the design and (or) implementation of the information security system of the information system.

17.1. The following are used as the initial data necessary for the certification of the information system: the model of information security threats, the act of classifying the information system, the terms of reference for the creation of the information system and (or) the terms of reference (private terms of reference) for the creation of an information security system of the information system, design and operational documentation for the information security system of the information system, organizational and administrative documents for information security, the results of the information system vulnerability analysis, materials of preliminary and acceptance tests of the information security system of the information system, as well as other documents developed in accordance with these Requirements.

17.2. The certification of the information system is carried out in accordance with the program and methods of certification tests prior to the processing of information to be protected in the information system. To carry out the certification of the information system, national standards are applied, as well as methodological documents developed and approved by the FSTEC of Russia in accordance with subparagraph 4 of paragraph 8 of the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation of August 16, 2004 N 1085.

Based on the results of the certification tests, certification test protocols and a conclusion on the compliance of the information system with information protection requirements are drawn up, as well as a certificate of conformity if the results of the certification tests are positive.

When conducting certification tests, the following methods of inspections (tests) should be used:

an expert-documentary method that provides for checking the compliance of the information security system of the information system with the established requirements for information security, based on the assessment of operational documentation, organizational and administrative documents for information security, as well as the operating conditions of the information system;

analysis of information system vulnerabilities, including those caused by incorrect setup (configuration) of software and information security tools;

testing the information security system by attempting unauthorized access (impact) to the information system bypassing its information security system.

17.3. It is allowed to certify an information system based on the results of certification tests of a selected set of information system segments that implement a complete information processing technology.

In this case, the certificate of conformity is extended to other segments of the information system provided that they correspond to the segments of the information system that have passed certification tests.

A segment is considered to correspond to the segment of the information system for which certification tests were carried out if the same security classes and threats to information security are established for these segments and the same design solutions for the information system and its information security system are implemented in them.

Compliance of the segment to which the certificate of conformity is extended with the segment of the information system for which certification tests were carried out is confirmed during the acceptance tests of the information system or segments of the information system.

In the segments of the information system to which the certificate of conformity applies, the operator ensures compliance with the operational documentation for the information security system of the information system and organizational and administrative documents for information security.

Features of certification of an information system based on the results of certification tests of a selected set of its segments, as well as the conditions and procedure for extending the certificate of conformity to other segments of the information system are determined in the program and methods of certification tests, the conclusion and the certificate of conformity.

17.4. Re-certification of the information system is carried out upon expiration of the validity of the certificate of conformity, which cannot exceed 5 years, or an increase in the security class of the information system. With an increase in the composition of threats to information security or changes in design solutions implemented when creating an information security system of an information system, additional certification tests are carried out within the framework of the current certificate of conformity.

17.5. The commissioning of the information system is carried out in accordance with the legislation of the Russian Federation on information, information technologies and information protection, taking into account GOST 34.601 and in the presence of a certificate of conformity.

17.6. Information systems operating on the basis of a common infrastructure (computer equipment, telecommunications equipment servers) as applied services are subject to certification as part of this infrastructure.

If an information system is created on the basis of a data processing center of an authorized person, such a data processing center must be certified for a security class not lower than the security class established for the information system being created.

When certifying the information system, the results of the certification of the common infrastructure of the information system operator should be used.

Ensuring the protection of information during the operation of a certified information system

18. Ensuring the protection of information during the operation of a certified information system is carried out by the operator in accordance with the operational documentation for the information protection system and organizational and administrative documents for information protection, including:

management (administration) of the information security system of the information system;

identifying incidents and responding to them;

configuration management of the certified information system and its information security system;

control (monitoring) over ensuring the level of security of information contained in the information system.

18.1. In the course of management (administration) of the information security system of the information system, the following are carried out:

creation and deletion of user accounts, management of information system user permissions and maintenance of access control rules in the information system;

management of information security tools in the information system, including software settings, including information security software, user account management, restoration of information security tools, generation, change and recovery of passwords;

installation of software updates, including software for information security tools, released by developers (manufacturers) of information security tools or on their behalf;

centralized management of the information security system of the information system (if necessary);

registration and analysis of events in the information system related to the protection of information (hereinafter referred to as security events);

informing users about threats to information security, about the rules for operating the information security system of the information system and individual information security tools, as well as training them;

support for the functioning of the information security system of the information system during its operation, including the adjustment of operational documentation for it and organizational and administrative documents for information security.

18.2. In the course of identifying incidents and responding to them, the following is carried out:

identification of persons responsible for identifying incidents and responding to them;

detection and identification of incidents, including denials of service, failures (reboots) in the operation of hardware, software and information security tools, violations of access control rules, illegal actions to collect information, introduction of malicious computer programs (viruses) and other events leading to incidents;

timely notification, by users and administrators, of the persons responsible for detecting incidents and responding to them about the occurrence of incidents in the information system;

analysis of incidents, including determining the sources and causes of incidents, as well as assessing their consequences;

planning and taking measures to eliminate incidents, including restoring an information system and its segments in the event of a denial of service or after failures, eliminating the consequences of violations of access control rules, illegal actions to collect information, the introduction of malicious computer programs (viruses) and other events leading to incidents;

planning and taking measures to prevent the recurrence of incidents.

18.3. In the course of managing the configuration of a certified information system and its information security system, the following is carried out:

maintaining the configuration of the information system and its information security system (the structure of the information security system of the information system, the composition, installation locations and settings of information security tools, software and hardware) in accordance with the operational documentation for the information security system (maintaining the basic configuration of the information system and its information security system);

determination of persons who are allowed to take actions to make changes to the basic configuration of the information system and its information security system;

managing changes to the basic configuration of the information system and its information security system, including determining the types of possible changes to the basic configuration of the information system and its information security system, authorizing changes to the basic configuration of the information system and its information security system, documenting actions to make changes to the basic configuration of the information system and its information security system, saving data on changes to the basic configuration of the information system and its information security system, control of actions to make changes to the basic configuration of the information system and its information security system;

analysis of the potential impact of planned changes in the basic configuration of the information system and its information security system on ensuring the protection of information, the emergence of additional threats to information security and the performance of the information system;

determination of software settings, including information security software, composition and configuration of hardware and software prior to making changes to the basic configuration of the information system and its information security system;

entering information (data) about changes in the basic configuration of the information system and its information security system into the operational documentation for the information security system of the information system;

making a decision based on the results of configuration management to re-certify the information system or conduct additional certification tests.

18.4. In the course of control (monitoring) of ensuring the level of security of information contained in the information system, the following is carried out:

control over security events and user actions in the information system;

control (analysis) of the security of information contained in the information system;

analysis and evaluation of the functioning of the information security system of the information system, including the identification, analysis and elimination of shortcomings in the functioning of the information security system of the information system;

periodic analysis of changes in information security threats in the information system that arise during its operation, and the adoption of information protection measures in the event of new information security threats;

documentation of procedures and results of control (monitoring) for ensuring the level of security of information contained in the information system;

making a decision based on the results of control (monitoring) for ensuring the level of information security on finalizing (upgrading) the information security system of the information system, re-certifying the information system or conducting additional certification tests.

Ensuring the protection of information during the decommissioning of a certified information system or after a decision has been made to complete the processing of information

19. Ensuring the protection of information during the decommissioning of a certified information system or after a decision is made to complete the processing of information is carried out by the operator in accordance with the operational documentation for the information protection system of the information system and organizational and administrative documents for information protection, and includes:

archiving information contained in the information system;

destruction (erasing) of data and residual information from machine storage media and (or) destruction of machine media.

19.1. Archiving of the information contained in the information system should be carried out if it is necessary to further use the information in the activities of the operator.

19.2. Destruction (erasing) of data and residual information from machine data carriers is carried out if it is necessary to transfer the machine data carrier to another user of the information system or to third-party organizations for repair, maintenance or further destruction.

During the decommissioning of machine storage media on which information was stored and processed, the physical destruction of these machine media is carried out.

III. Requirements for measures to protect information contained in the information system

20. Organizational and technical information security measures implemented in the information system within its information security system, depending on the information security threats, the information technologies used and the structural and functional characteristics of the information system, should provide:

identification and authentication of access subjects and access objects;

access control of access subjects to access objects;

limitation of the software environment;

protection of machine storage media;

registration of security events;

anti-virus protection;

detection (prevention) of intrusions;

control (analysis) of information security;

integrity of the information system and information;

availability of information;

protection of the virtualization environment;

protection of technical means;

protection of the information system, its means, communication and data transmission systems.

The composition of information protection measures and their basic sets for the corresponding security classes of information systems are given in Appendix No. 2 to these Requirements.

20.1. Measures for the identification and authentication of access subjects and access objects should ensure the assignment of a unique attribute (identifier) to access subjects and objects, comparison of the identifier presented by the access subject (object) with the list of assigned identifiers, as well as verification that the presented identifier belongs to the access subject (object) (confirmation of authenticity).

20.2. Measures for managing access of access subjects to access objects should ensure the management of the rights and privileges of access subjects, access differentiation of access subjects to access objects based on a set of access control rules established in the information system, and also ensure compliance with these rules.

20.3. Measures to restrict the software environment must ensure the installation and (or) launch of only software permitted for use in the information system or exclude the possibility of installing and (or) launching software prohibited for use in the information system.

20.4. Measures to protect machine media (means of processing (storage) of information, removable machine media) should exclude the possibility of unauthorized access to machine media and information stored on them, as well as unauthorized use of removable machine media.

20.5. Measures for recording security events should ensure the collection, recording, storage and protection of information about security events in the information system, as well as the ability to view and analyze information about such events and respond to them.

20.6. Anti-virus protection measures should ensure the detection in the information system of computer programs or other computer information intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of information security tools, as well as response to the detection of these programs and information.

20.7. Measures to detect (prevent) intrusions should ensure the detection of actions in the information system aimed at deliberate unauthorized access to information, special effects on the information system and (or) information in order to obtain, destroy, distort and block access to information, as well as response to these actions.

20.8. Measures to control (analyze) the security of information should ensure control of the level of security of information contained in the information system by carrying out measures to analyze the security of the information system and test its information security system.

20.9. Measures to ensure the integrity of the information system and information should ensure the detection of unauthorized violations of the integrity of the information system and the information contained in it, as well as the possibility of restoring the information system and the information contained in it.

20.10. Measures to ensure the availability of information should ensure authorized access of users who have the rights for such access to the information contained in the information system in the normal mode of operation of the information system.

20.11. Measures to protect the virtualization environment should exclude unauthorized access to information processed in the virtual infrastructure and virtual infrastructure components, as well as impact on information and components, including virtual infrastructure management tools, virtual machine monitor (hypervisor), data storage system (including a virtual infrastructure image storage system), data transmission networks through elements of a virtual or physical infrastructure, guest operating systems, virtual machines (containers), a replication system and network, terminal and virtual devices, as well as a backup system and copies created by it.

20.12. Measures for the protection of technical means should exclude unauthorized access to stationary technical means that process information, means that ensure the functioning of the information system (hereinafter referred to as the means of ensuring the functioning), and to the premises in which they are permanently located, protection of technical means from external influences, as well as protection of information presented in the form of informative electrical signals and physical fields.

20.13. Measures to protect the information system, its means, communication and data transmission systems should ensure the protection of information when the information system or its individual segments interact with other information systems and information and telecommunication networks, through the use of an information system architecture and design solutions for its information security system that are aimed at ensuring the protection of information.

21. The choice of information security measures for their implementation in the information system within its information security system includes:

determination of the basic set of information protection measures for the established security class of the information system in accordance with the basic sets of information protection measures given in Appendix No. 2 to these Requirements;

adaptation of the basic set of information protection measures in relation to the structural and functional characteristics of the information system, information technologies, features of the functioning of the information system (including the exclusion from the basic set of information protection measures of measures directly related to information technologies that are not used in the information system, or to structural and functional characteristics that are not characteristic of the information system);

clarification of the adapted basic set of information protection measures, taking into account the information protection measures not previously selected, given in Appendix No. 2 to these Requirements, as a result of which information protection measures are determined that ensure the blocking (neutralization) of all information security threats included in the information security threat model;

supplementing the revised and adapted basic set of information protection measures with measures that ensure the fulfillment of information protection requirements established by other regulatory legal acts in the field of information protection, including in the field of personal data protection.

To select information security measures for the appropriate security class of the information system, methodological documents developed and approved by the FSTEC of Russia are used in accordance with subparagraph 4 of paragraph 8 of the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation of August 16, 2004 N 1085.

22. In the information system of the appropriate security class, as part of its information security system, information security measures selected in accordance with clause 21 of these Requirements and ensuring blocking (neutralization) of all information security threats must be implemented.

At the same time, the information system must at least implement an adapted basic set of information protection measures corresponding to the established information system security class.

23. If, at the stages of adapting the basic set of information protection measures or refining the adapted basic set of information protection measures, it is impossible to implement certain selected information protection measures in the information system within the framework of its information protection system, other (compensating) information protection measures may be developed that provide adequate blocking (neutralization) of information security threats.

In this case, during the development of the information security system of the information system, the use of compensatory information security measures should be justified, and during certification tests, the sufficiency and adequacy of these compensatory measures to block (neutralize) information security threats should be assessed.

24. Information protection measures are selected and implemented in the information system within its information protection system, taking into account information security threats in relation to all objects and subjects of access at the hardware, system, application and network levels, including in a virtualization and cloud computing environment.

25. Organizational measures and means of protecting information used in the information system should ensure:

in information systems of the 1st class of security - protection against threats to the security of information associated with the actions of violators with high potential;

in information systems of the 2nd class of security - protection against threats to the security of information associated with the actions of violators with a potential not lower than enhanced basic;

in information systems of the 3rd class of security - protection against threats to the security of information associated with the actions of violators with a potential not lower than the basic one.

The potential of violators is determined during the assessment of their capabilities, carried out when determining threats to information security in accordance with clause 14.3 of these Requirements.

The operator may decide to apply, in an information system of the corresponding security class, information protection measures that provide protection against information security threats implemented by violators with a higher potential.

26. Technical information protection measures are implemented through the use of information protection tools, including software (software and hardware) tools in which they are implemented, having the necessary security functions. In this case:

in information systems of the 1st security class, information security tools of at least class 4 are used, as well as computer equipment of at least class 5;

in information systems of the 2nd security class, information security tools of at least class 5 are used, as well as computer equipment of at least class 5;

in information systems of the 3rd security class, information security tools of the 6th class are used, as well as computer equipment of at least the 5th class.

In information systems of the 1st and 2nd security classes, information protection tools are used that have been tested at least at the 4th level of control for the absence of undeclared capabilities.

Protection classes are determined in accordance with the regulatory legal acts of the FSTEC of Russia, issued in accordance with subparagraph 13.1 of paragraph 8 of the Regulations on the Federal Service for Technical and Export Control, approved by Decree of the President of the Russian Federation of August 16, 2004 N 1085.

In information systems, information security tools are used that are certified for compliance with the mandatory information security requirements established by the FSTEC of Russia, or for compliance with the requirements specified in the technical specifications (security tasks). At the same time, the security functions of such facilities must ensure the implementation of these Requirements.

27. If information containing personal data is processed in the information system, the information protection measures implemented in accordance with paragraphs 21 and 22 of these Requirements:

for an information system of the 1st security class, provide levels 1, 2, 3 and 4 of personal data security [1];

for an information system of the 2nd security class, provide levels 2, 3 and 4 of personal data security [1];

for an information system of the 3rd security class, provide levels 3 and 4 of personal data security [1].

28. When using new information technologies in information systems and identifying additional information security threats for which information protection measures are not defined, compensatory measures must be developed in accordance with paragraph 23 of these Requirements.

___________________________________

[1] Established in accordance with the Requirements for the protection of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119.

Appendix No. 1

not constituting a state secret,

information systems

Determination of the information system security class

1. The security class of the information system (the first class (K1), the second class (K2), the third class (K3)) is determined depending on the level of significance of information (UZ) processed in this information system and the scale of the information system (federal, regional, object).

Security class (K) = [information significance level; system scale].

2. The level of significance of information is determined by the degree of possible damage to the information owner (customer) and (or) operator from a violation of confidentiality (illegal access, copying, provision or distribution), integrity (illegal destruction or modification) or availability (illegal blocking) of information.

UZ = [(confidentiality, damage) (integrity, damage) (availability, damage)],

where the degree of possible damage is determined by the owner of the information (customer) and (or) the operator independently by expert or other methods and can be:

high, if as a result of a violation of one of the properties of information security (confidentiality, integrity, availability), significant negative consequences are possible in the social, political, international, economic, financial or other areas of activity and (or) the information system and (or) the operator (information owner) cannot perform the functions assigned to them;

medium, if as a result of a violation of one of the properties of information security (confidentiality, integrity, availability), moderate negative consequences are possible in the social, political, international, economic, financial or other areas of activity and (or) the information system and (or) the operator (information owner) cannot perform at least one of the functions assigned to them;

low, if as a result of a violation of one of the properties of information security (confidentiality, integrity, availability), minor negative consequences are possible in the social, political, international, economic, financial or other areas of activity and (or) the information system and (or) the operator (information owner) can perform the functions assigned to them with insufficient efficiency or the performance of functions is possible only with the involvement of additional forces and means.

Information has a high level of significance (UZ 1) if at least one of the information security properties (confidentiality, integrity, availability) has a high degree of damage. Information has a medium level of significance (UZ 2) if at least one of the information security properties (confidentiality, integrity, availability) has a medium degree of damage and there is not a single property for which a high degree of damage has been determined. Information has a low level of significance (UZ 3) if all information security properties (confidentiality, integrity, availability) are defined as having a low degree of damage.

When two or more types of information are processed in the information system (official secret, tax secret and other types of restricted access information established by the legislation of the Russian Federation), the level of significance of information (UZ) is determined separately for each type of information. The final level of significance of the information processed in the information system is set according to the highest values of the degree of possible damage determined for the confidentiality, integrity and availability of each type of information.

3. An information system has a federal scale if it operates on the territory of the Russian Federation (within the federal district) and has segments in the constituent entities of the Russian Federation, municipalities and (or) organizations.

An information system has a regional scale if it operates on the territory of a constituent entity of the Russian Federation and has segments in one or more municipalities and (or) subordinate and other organizations.

An information system has an object scale if it operates at the facilities of one federal government body, government body of a constituent entity of the Russian Federation, municipality and (or) organization and does not have segments in territorial bodies, representative offices, branches, subordinate and other organizations.

4. The security class of the information system is determined in accordance with the table:

Appendix No. 2 to the Requirements on the Protection of Information That Is Not a State Secret Contained in State Information Systems

The composition of information protection measures and their basic sets for the corresponding security class of the information system

Symbol and measure number; Information protection measures in information systems; Security classes of the information system

I. Identification and authentication of access subjects and access objects (AAF)

Identification and authentication of users who are employees of the operator

Identification and authentication of devices, including stationary, mobile and portable

Identifier management, including creation, assignment, destruction of identifiers

Management of authentication tools, including storage, issuance, initialization, blocking of authentication tools and taking action in case of loss and (or) compromise of authentication tools

Feedback protection when entering authentication information

Identification and authentication of users who are not employees of the operator (external users)

Identification and authentication of file system objects, startup and executable modules, objects of database management systems, objects created by application and special software, other access objects

II. Access control of access subjects to access objects (UAD)

Management (establishment, activation, blocking and destruction) of user accounts, including external users

Implementation of the required methods (discretionary, mandatory, role-based or other method), types (read, write, execute or other type) and access control rules

Management (filtering, routing, connection control, unidirectional transmission and other methods of management) of information flows between devices, segments of an information system, as well as between information systems

Separation of powers (roles) of users, administrators and persons ensuring the functioning of the information system

Assigning the minimum necessary rights and privileges to users, administrators and persons ensuring the functioning of the information system

Limitation of unsuccessful attempts to enter the information system (access to the information system)

Warning the user when he enters the information system that the information system has implemented information protection measures, and about the need to comply with the information processing rules established by the operator

Notifying the user after a successful login to the information system about his previous login to the information system

Limiting the number of parallel access sessions for each user account of the information system

Blocking an access session to the information system after a set time of user inactivity or at the user's request

Permission (prohibition) of user actions allowed before identification and authentication

Support and preservation of security attributes (security labels) associated with information during its storage and processing

Implementation of secure remote access of subjects of access to objects of access through external information and telecommunication networks

Regulation and control of the use of wireless access technologies in the information system

Regulation and control of the use of mobile technical means in the information system

Management of interaction with information systems of third parties (external information systems)

Ensuring trusted loading of computer equipment

III. Software Environment Restriction (SPE)

Management of the launch (requests) of software components, including the definition of launched components, setting the launch parameters of components, control over the launch of software components

Management of the installation of software components, including determining the components to be installed, setting the parameters for installing components, monitoring the installation of software components

Installation of only authorized software and (or) its components

Temporary file management, including prohibiting, permitting, redirecting writes to and deleting temporary files

IV. Protection of machine storage media (ZNI)

Accounting for machine storage media

Management of access to machine storage media

Control of the movement of machine storage media outside the controlled area

Elimination of the possibility of unauthorized acquaintance with the content of information stored on machine media, and (or) use of information media in other information systems

Control of the use of interfaces for input (output) of information on machine storage media

Control of input (output) of information on machine storage media

Monitoring the connection of machine storage media

Destruction (erasing) of information on machine media during their transfer between users, to third-party organizations for repair or disposal, as well as control of destruction (erasure)

V. Security Event Logging (SEL)

Determining the security events to be logged and their retention periods

Determination of the composition and content of information about security events subject to registration

Collection, recording and storage of information about security events during the specified storage time

Responding to failures in the registration of security events, including hardware and software errors, failures in the mechanisms for collecting information and reaching the limit or overflow of the amount (capacity) of memory

Monitoring (viewing, analyzing) the results of registering security events and responding to them

Generation of timestamps and (or) synchronization of system time in the information system

Protecting information about security events

Providing the ability to view and analyze information about the actions of individual users in the information system

VI. Antivirus protection (AVZ)

Implementation of anti-virus protection

Updating the database of signs of malicious computer programs (viruses)

VII. Intrusion Detection (IDS)

Intrusion detection

Decision Rule Base Update

VIII. Control (analysis) of information security (ANZ)

Identification, analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities

Controlling the installation of software updates, including information security software updates

Monitoring the health, settings and correct functioning of software and information security tools

Control of the composition of hardware, software and information security tools

Control of the rules for generating and changing user passwords, establishing and deleting user accounts, implementing access control rules, user permissions in the information system

IX. Ensuring the integrity of the information system and information (OSI)

Software integrity control, including information security software

Control of the integrity of information contained in the databases of the information system

Ensuring the possibility of restoring software, including software of information security tools, in case of emergency situations

Detection and response to the receipt of unsolicited electronic messages (letters, documents) and other information not related to the functioning of the information system (spam protection) in the information system

Restriction of the rights of users to enter information into the information system

Control of accuracy, completeness and correctness of data entered into the information system

Control of erroneous actions of users on input and (or) transmission of information and warning of users about erroneous actions

X. Information Accessibility (CCA)

Use of fail-safe technical means

Redundancy of technical means, software, information transmission channels, means of ensuring the functioning of the information system

Monitoring the failure-free functioning of technical means, detection and localization of failures in functioning, taking measures to restore failed means and testing them

Periodic backup of information on backup machine storage media

Ensuring the possibility of restoring information from backup machine storage media (backup copies) within a specified time interval

Clustering an information system and (or) its segments

Monitoring the status and quality of the provision of computing resources (capacities) by an authorized person, including information transfer

XI. Virtualization Environment Protection (SEP)

Identification and authentication of access subjects and access objects in a virtual infrastructure, including virtualization management administrators

Access control of access subjects to access objects in a virtual infrastructure, including inside virtual machines

Logging Security Events in a Virtual Infrastructure

Management (filtering, routing, connection control, unidirectional transfer) of information flows between the components of the virtual infrastructure, as well as along the perimeter of the virtual infrastructure

Management of movement of virtual machines (containers) and data processed on them

Monitoring the integrity of the virtual infrastructure and its configurations

Data backup, redundancy of hardware, virtual infrastructure software, as well as communication channels within the virtual infrastructure

Implementation and management of anti-virus protection in a virtual infrastructure

Partitioning a virtual infrastructure into segments (segmentation of a virtual infrastructure) for processing information by an individual user and (or) a group of users

XII. Protection of technical means (ZTS)

Protection of information processed by technical means from its leakage through technical channels

Organization of a controlled zone, within which stationary technical means processing information, and means of protecting information, as well as means of ensuring the functioning

Control and management of physical access to technical means, means of information protection, means of ensuring the functioning, as well as to the premises and structures in which they are installed, excluding unauthorized physical access to means of processing information, means of protecting information and means of ensuring the functioning of the information system and premises and buildings in which they are installed.

Placement of information output (display) devices, excluding its unauthorized viewing

Protection against external influences (environmental influences, instability of power supply, air conditioning and other external factors)

XIII. Protection of the information system, its means, communication and data transmission systems (VMS)

Separation in the information system of functions for management (administration) of the information system, management (administration) of the information security system, functions for processing information and other functions of the information system

Prevent high priority processes from being delayed or interrupted by low priority processes

Ensuring the protection of information from disclosure, modification and imposition (input of false information) during its transmission (preparation for transmission) via communication channels that go beyond the controlled zone, including wireless communication channels

Providing a trusted channel, route between the administrator, user and information protection tools (security functions of information protection tools)

Prohibition of unauthorized remote activation of cameras, microphones and other peripheral devices that can be activated remotely, and notification of users about the activation of such devices

Transmission and integrity control of security attributes (security labels) associated with information when exchanging information with other information systems

Control of authorized and exclusion of unauthorized use of mobile code technologies, including registration of events related to the use of mobile code technologies, their analysis and response to violations related to the use of mobile code technologies

Control of authorized and exclusion of unauthorized use of speech transmission technologies, including registration of events associated with the use of speech transmission technologies, their analysis and response to violations associated with the use of speech transmission technologies

Control of authorized and exclusion of unauthorized transmission of video information, including registration of events related to the transmission of video information, their analysis and response to violations associated with the transmission of video information

Confirmation of the origin of information obtained in the process of determining network addresses from network names or determining network names from network addresses

Ensuring the authenticity of network connections (interaction sessions), including protection against spoofing of network devices and services

Elimination of the possibility of the user denying the fact of sending information to another user

Excluding the possibility of the user denying the fact of receiving information from another user

Use of terminal access devices for information processing

Protection of archive files, settings of information protection tools and software, and other data that cannot be changed during information processing

Identification, analysis and blocking in the information system of covert channels of information transmission bypassing the implemented information protection measures or within allowed network protocols

Splitting the information system into segments (segmentation of the information system) and ensuring the protection of the perimeters of the segments of the information system

Ensuring the loading and execution of software from read-only machine storage media and monitoring the integrity of this software

Process isolation (execution of programs) in a dedicated memory area

Protection of wireless connections used in the information system

Exclusion of user access to information resulting from the actions of the previous user through registries, RAM, external storage devices and other information system resources common to users

Protection of the information system from information security threats aimed at denial of service of the information system

Protection of the perimeter (physical and (or) logical boundaries) of the information system when it interacts with other information systems and information and telecommunication networks

Termination of network connections upon their completion or after the expiration of a time interval specified by the operator of inactivity of the network connection

Use in an information system or its segments of various types of system-wide, applied and special software (creation of a heterogeneous environment)

Use of application and special software capable of functioning in environments of various operating systems

Creation (emulation) of false information systems or their components designed to detect, register and analyze the actions of violators in the process of implementing information security threats

Reproduction of false and (or) concealment of true individual information technologies and (or) structural and functional characteristics of the information system or its segments, ensuring the imposition of a false idea on the offender about the true information technologies and (or) structural and functional characteristics of the information system

Transfer of an information system or its devices (components) into a predetermined configuration that ensures information protection in the event of failures in the information protection system of the information system

Protection of mobile technical means used in the information system

"+" - the information security measure is included in the basic set of measures for the corresponding security class of the information system.

Information protection measures not marked with a “+” sign are used when adapting the basic set of measures and refining the adapted basic set of measures, as well as when developing compensatory information protection measures in the information system of the corresponding security class.


58. Federal, regional and municipal gis. Requirements for software and information support of GIS.

FGIS, MGIS and RGIS are designed to solve operational and computational tasks associated with the processing of spatial GIS data in management, planning, inventory monitoring, analysis and forecasting. The spatial data used in GIS should cover:

1. For FGIS: all territories of the Russian Federation, including coastal waters and border areas.

2. For RGIS: territories of large natural and ecological regions of the subjects of the Russian Federation and federal districts, including areas of protected areas and areas of crisis situations.

3. For MGIS: territories of cities, urban areas and suburban areas.

Requirements for software and information support (IO) for GIS

The following are required to form the databases (DB) of FGIS, RGIS and MGIS:

1) a basic digital terrain model (for FGIS - ctc m - 1:1000000; for RGIS ctc scale 1:50000 - 1:200000 and ctg scale 1:500 - 1:1000 for MGIS tstg scale 1:500 - 1:10000);
2) digital thematic specificity of the map;
3) aerial and satellite images in digital format;
4) thematic data;
5) attribute data;
6) metadata;
7) regulatory information.

The terms of reference for a specific GIS establish requirements for information support (IO) in terms of:

1. Composition, structure, methods of organizing these systems.
2. Data quality (completeness, reliability, relevance).
3. Availability of a certificate of conformity.
4. Compatibility of essential and created components.
5. DBMS application.
6. Organization of information exchange with other bases.
7. Processes for collecting, processing and transferring information.
8. Controlling, storing and updating recovery for.
9. Provides documentation management
10. The procedure for giving legal means to GIS software should include the following:
- operating system;
- text and graphic editors;
- composition of special software;
- software library, a set of application programs.

The software supports the main GIS subsystems.

Collection, data entry; - storage.

59. The main stages of creating gis - projects. Data sources for the formation of graphic and attributive (non-graphic) information.

Main stages:

1. Development and approval of a business plan (financial and economic aspects, expected result, sources of financing, terms and costs are stipulated here).

2. Conclusion of the contract (here is the protocol for agreeing the contract price).

3. Development of the terms of reference, a document that contains the requirements that must be implemented.

4. Approval.

5. Technical design (finding a technical solution):
- Statement of tasks (input and output of information).
- Development of a conceptual model (drawing the information model of each task).
- Technical solutions (algorithm).

5. Development of working documentation:
- Operational documentation on how to use the system.
- Network diagram.
- DB projects.

Development of programs and methods of preliminary tests.

7. Three stages of testing the system:

1. Preliminary testing: checking the operability of the system; carried out on the basis of development. The developer must state in the conclusion whether the system works or not, and whether the system can be transferred to the next stage or not.

2. Experimental operation: determining the quantitative characteristics of the system; lasts at least 6 months. To carry out trial operation, a special program is compiled, carried out on the basis of a problem book. Trial operation is carried out as a pilot project: production work in which production results are obtained, but which is performed within restrictions on territory and functions. Daily records are kept in the log: which tasks were solved, failures, whether the program worked or not. At this stage, corrections are made along the way. At the end, an act of reconciliation is written, based on the log, on whether the stage was completed. Conclusion: whether to consider trial operation completed, and whether the system can be transferred to the next stage.

3. Acceptance testing is carried out by the customer; the commission is usually taken from outside. Purpose: to check compliance with the TOR; the system may correspond to the TOR only partially. After these stages, an act of acceptance of the system into permanent operation is drawn up. Conclusion: whether the system as a whole corresponds to the TOR; if it does, the system can be transferred to permanent operation.

After starting, the system enters the operating phase. There are 3 main processes here:
- Performing administrative work to ensure the system.
- Introduction of the database.
- Solving spatial problems by the end user.

Data sources:
- topographic and geodetic data;
- point coordinates; measurement results; CMM;
- cartographic materials (paper maps, aerial photographs, space photographs);
- attributive information (characteristics of objects, cadastral data).

Introduction

A geographic information system (GIS) is an information system that collects, stores, processes, analyzes and displays spatial and related non-spatial data, and derives information and knowledge about geographic space from them. It is believed that geographic or spatial data make up more than half of the volume of all circulating information used by organizations engaged in various activities that need to take into account the spatial distribution of objects. GIS is focused on enabling optimal management decisions based on the analysis of spatial data. The key words in the definition of GIS are spatial data analysis or spatial analysis.

In this work, we will consider:

  • - GIS in railway transport management;
  • - Requirements for geographic information systems;
  • - Characteristics, scope and main features of the GIS application.

Theoretical side of the issue

GIS requirements

At present, GIS is a complex information system that includes a powerful operating system, user interface, systems for introducing databases (DB), and displaying graphic information.

The development of geoinformatics, as a science of automated processing of spatially coordinated information, has led to the intensive promotion of geographic information systems and GIS technologies in all areas of human activity.

At present, GIS should not be treated as geographic information systems, which geographers urge us to do. The value of GIS in technical applications, as information and control systems, is much more promising.

Ideas about geographic information systems and their role in science and technology largely coincide, which, of course, is reflected in the formulation of the basic concepts and definitions of geographic information systems of railway transport.

Railway transport GIS is an information and control automated system designed to provide a solution to the problems of inventory, design and management of railway transport facilities. The main purpose of creating a GIS for railway transport is to provide all areas of its activity with complex spatially coordinated information.

Powerful GIS tool shells allow you to integrate any database and existing automated inventory, design and management systems. In turn, the information obtained as a result of the work of the GIS is successfully used in automated systems for inventory (certification), design (CAD) and management (ACS).

Along with GIS, the organization of problem-oriented databases designed for mapping natural and socio-economic phenomena has become widespread. Such databases are called cartographic data banks (CDBs).

The most important function of the CDB is the automated mapping performed by an automated cartographic system, which is also an integral part of the GIS.

In recent years, when creating information systems (IS) in geography, increased attention is paid to the construction of expert systems (ES). ES is understood as an inference system based on facts (knowledge) and heuristics (rules of thumb) of data processing.

The main components of the ES: knowledge base - organized sets of facts, a mechanism for logical solution of the task.

The emergence in recent years of mass interest in the construction of GIS requires the development of principles for evaluating the created information systems, their classification, and determination of potential opportunities.

To a certain extent, this is possible when developing requirements for an ideal GIS:

  1. The ability to process arrays of component-wise heterogeneous, spatially coordinated information;
  2. The ability to maintain databases for a wide class of geographical objects;
  3. The possibility of an interactive mode of operation for the user;
  4. Flexible system configuration, with the ability to quickly configure the system to solve a variety of tasks;
  5. The ability to "perceive" and process the spatial features of geoecological situations.

The information technology of creating and operating a GIS includes the following stages: collection of primary data, data entry and storage, data analysis, scenario analysis and decision making. These stages are the most general ones and are repeated in the creation of any specific GIS, differing only in details related to the goals and objectives of the GIS and the technical capabilities of the system. The sources of information, the procedure for obtaining it and the methods of analysis should therefore be considered as stages of a single technological process, united by the common goals and objectives of building and operating a GIS. This means that the design and creation of a GIS should be based on a single methodology.

Since a GIS can be regarded as a means of machine representation of the data and knowledge of the complex of Earth sciences, the methodological basis of GIS should be their construction as a tool for understanding the patterns of structure and organization of geosystems using computer science tools, including mathematical modeling and computer graphics.

On the requirements of the FSTEC of Russia and the FSB of Russia for GIS, ISPD, APCS P and APCS

In the course of consultations with Customers, Eisnet LLC, as well as during the direct performance of work, one has to deal with the initial definition or formation of requirements for a future (created) state information system (GIS), a personal data information system (ISPD), or an automated control system for production (APCS P) and technological processes (APCS).

Sometimes it is difficult to say immediately which requirements should be implemented in a particular system. For this purpose, it is proposed to use a comparative table of requirements for state information systems, personal data information systems and automated control systems for production and technological processes, which clearly shows (for discussion) all the necessary requirements.

To understand the issue, consider what main regulatory documents of regulators in the field of information security apply to these information systems.

State information systems

  • "Requirements for the protection of information that is not a state secret contained in state information systems", Order of the FSTEC of Russia dated February 11, 2013 N 17 (Registered in the Ministry of Justice of Russia on May 31, 2013 N 28608);
  • "Methodical document. Measures for protecting information in state information systems", Order of the FSTEC of Russia dated February 11, 2014.

Personal data information systems

  • "Basic model of personal data security threats during their processing in personal data information systems", Approved by the FSTEC of Russia, February 15, 2008;
  • "Methodology for determining actual threats to the security of personal data during their processing in personal data information systems", Approved by the FSTEC of Russia, February 14, 2008;
  • "Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems", Order of the FSTEC of Russia dated February 18, 2013 N 21 (Registered in the Ministry of Justice of Russia on May 14, 2013 N 28375). Note: Order No. 21 canceled the "Regulations on methods and means of protecting information in information systems of personal data", order of the FSTEC of Russia dated February 5, 2010 N 58 (registered by the Ministry of Justice of Russia on February 19, 2010, registration N 16456);
  • "Guidelines for ensuring the security of personal data with the help of cryptomeans during their processing in personal data information systems using automation tools", Approved by the Federal Security Service of Russia on February 21, 2008 No. 149/54-144;
  • "Standard requirements for the organization and operation of encryption (cryptographic) tools designed to protect information that does not contain information constituting a state secret if they are used to ensure the security of personal data when they are processed in personal data information systems", Approved by the Federal Security Service of Russia on February 21, 2008 No. 149/6/6-622;
  • "Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems using cryptographic information protection tools necessary to fulfill the requirements established by the Government of the Russian Federation for the protection of personal data for each of the levels of security", Order of the FSB of Russia dated June 10, 2014 N 378 (registered with the Ministry of Justice of Russia on August 18, 2014 N 33620).

Control systems for production and technological processes

  • "Requirements for ensuring the protection of information in automated control systems for production and technological processes at critically important facilities, potentially hazardous facilities, as well as facilities that pose an increased danger to human life and health and to the environment", Order of the FSTEC of Russia dated March 14, 2014 N 31 (Registered in the Ministry of Justice of Russia on June 30, 2014 N 32919).

Regulatory documents common to IS, ISPD and ACS, including public information systems (ISOP)

  • "Special requirements and recommendations for the technical protection of confidential information" (STR-K), Approved by order of the State Technical Commission of Russia dated August 30, 2002 No. 282;
  • "Automated systems. Protection against unauthorized access to information. Classification of automated systems and information protection requirements", decision of the Chairman of the State Technical Commission of Russia dated March 30, 1992;
  • "On the electronic signature used by executive authorities and local governments in the organization of electronic interaction between themselves, on the procedure for its use, as well as on the establishment of requirements for ensuring the compatibility of electronic signature means" (together with the “Rules for the use of enhanced qualified electronic signature by executive authorities and local governments when organizing electronic interaction between themselves”, “Requirements for ensuring the compatibility of electronic signature means when organizing electronic interaction between executive authorities and local governments among themselves”), Decree of the Government of the Russian Federation No. 111 of February 9, 2012;
  • "On the types of electronic signature, the use of which is allowed when applying for state municipal services", Decree of the Government of the Russian Federation No. 634 dated June 25, 2012;
  • "Regulations on the development, production, implementation and operation of encryption (cryptographic) information security tools (Regulations PKZ-2005)", Order of the FSB of Russia dated February 9, 2005 No. 66;
  • "Instructions on organizing and ensuring the security of storage, processing and transmission through communication channels using cryptographic protection of information with limited access that does not contain information constituting a state secret", Order of the FAPSI under the President of the Russian Federation of June 13, 2001 No. 152;
  • "Requirements for electronic signature tools and requirements for certification center tools", Order of the FSB of Russia No. 796 dated December 27, 2011;
  • "On accreditation of certification centers", Order of the Ministry of Telecom and Mass Communications of the Russian Federation No. 203 dated August 21, 2012;
  • GOST R 51583-2000. "Protection of information. The procedure for creating automated systems in a protected design. General Provisions";
  • GOST R 51624-2000. "Protection of information. Automated systems in a secure design. General requirements";
  • GOST RO 0043-003-2012. "Protection of information. Certification of informatization objects. General Provisions";
  • GOST RO 0043-004-2013. "Protection of information. Certification of informatization objects. Program and methods of attestation tests";
  • GOST 51275-2006. "Information security. Informatization object. Factors affecting information. General Provisions";
  • RD 50-34.698-90. "Methodological instructions. Information technology. Automated systems. Requirements for the content of documents".

Features of the requirements for various systems

Note: The documents of the FSTEC of Russia and the FSB of Russia on systems do not address the issues of ensuring the security of protected data classified in the prescribed manner as information constituting a state secret.

Features of the requirements for personal data information systems (ISPD)

  • The requirements apply to the processing of personal data carried out by federal government authorities, government authorities of the constituent entities of the Russian Federation, other government authorities, local governments, other municipal authorities, legal entities and individuals using automation tools, including in information and telecommunication networks, or without the use of such means, if the processing of personal data without the use of such means corresponds to the nature of the actions (operations) performed with personal data using automation tools, that is, it allows, in accordance with a given algorithm, to search for personal data recorded on a material carrier and contained in file cabinets or other systematized collections of personal data, and (or) access to such personal data.
  • Personal data - any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data).
  • Personal data information system (ISPD) - a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Four levels of personal data security are established. The lowest level is the fourth, the highest is the first.

Features of the requirements for state information systems

  • A GIS has a federal scale if it operates on the territory of the Russian Federation (within the federal district) and has segments in the constituent entities of the Russian Federation, municipalities and (or) organizations.
  • A GIS has a regional scale if it operates on the territory of a constituent entity of the Russian Federation and has segments in one or more municipalities and (or) subordinate and other organizations.
  • A GIS has an object scale if it operates at the facilities of one federal government body, government body of a constituent entity of the Russian Federation, municipality and (or) organization and does not have segments in territorial bodies, representative offices, branches, subordinate and other organizations.
  • The requirements for GIS are mandatory when processing information in state information systems operating on the territory of the Russian Federation, as well as in municipal information systems, unless otherwise provided by the legislation of the Russian Federation on local self-government. The requirements do not apply to state information systems of the Administration of the President of the Russian Federation, the Security Council of the Russian Federation, the Federal Assembly of the Russian Federation, the Government of the Russian Federation, the Constitutional Court of the Russian Federation, the Supreme Court of the Russian Federation, the Supreme Arbitration Court of the Russian Federation and the Federal Security Service of the Russian Federation.
  • When processing information containing personal data in the state information system, the Requirements for GIS are applied along with the requirements for the protection of personal data when they are processed in personal data information systems approved by Decree of the Government of the Russian Federation of November 1, 2012 N 1119.
  • By decision of the information owner (customer) or operator, the Requirements for GIS can be applied to protect information contained in non-state information systems.

Four security classes of the state information system are established, which determine the levels of security of the information contained in it. The lowest class is the fourth, the highest is the first.

Features of the requirements for control systems for production and technological processes

  • The requirements are aimed at ensuring that the automated control system functions in normal mode, keeping the values of the parameters for performing its target functions within design limits under the influence of threats to information security, and at reducing the risks of illegal interference in the functioning of automated control systems of critically important facilities, potentially hazardous facilities, and facilities posing an increased danger to human life and health and to the natural environment, including hazardous production facilities whose safety is ensured in accordance with the legislation of the Russian Federation on the safety of fuel and energy complex facilities, on transport safety, on the use of atomic energy, on the industrial safety of hazardous production facilities, on the safety of hydraulic structures, and other legislative acts of the Russian Federation.
  • They apply to automated control systems that provide control and management of technological and (or) production equipment (executive devices) and technological and (or) production processes implemented on it (including supervisory control systems, data collection (transmission) systems, systems built on the basis of programmable logic controllers, distributed control systems, control systems for machine tools with numerical control).
  • ACS, as a rule, have a multi-level structure:
    • operator (dispatch) control level (upper level);
    • level of automatic control (middle level);
    • level of input (output) of data of executive devices (lower (field) level).
  • The automated control system may include:
    • at the level of operator (dispatch) control: operator (dispatch), engineering workstations, industrial servers (SCADA servers) with general system and application software installed on them, telecommunications equipment (switches, routers, firewalls, other equipment), and also communication channels;
    • at the level of automatic control: programmable logic controllers and other technical means with installed software that receive data from the lower (field) level, transmit data to the upper level for decisions on the control of the object and (or) process, and form control commands (control (command) information) for actuating devices, as well as an industrial data transmission network;
    • at the input (output) level of data (executive devices): sensors, actuators, other hardware devices with firmware and machine controllers installed in them.

In ACS, the objects of protection are:

  • information (data) about the parameters (state) of a managed (controlled) object or process (input (output) information, control (command) information, control and measurement information, other critical (technological) information);
  • including workstations, industrial servers, telecommunications equipment, communication channels, programmable logic controllers, executive devices), software (including firmware, system-wide, applied), as well as information security tools.

Three security classes of the automated control system are established, which determine the levels of security of the automated control system. The lowest class is the third, the highest is the first.

For all the above systems, to ensure the protection of information, the following typical measures are taken:

  • formation of requirements for the protection of information contained in the GIS (ISPD, ACS);
  • development of a GIS information security system (ISPD, ACS);
  • implementation of a GIS information security system (ISPD, ACS);
  • GIS certification (ISPD, ACS) and putting it into operation;
  • ensuring the protection of information during the operation of a certified GIS (ISPD, ACS);
  • ensuring the protection of information during the decommissioning of a certified GIS (ISPD, ACS) or after a decision is made to complete the processing of information.

For all systems (GIS, ISPD, ACS), basic sets of information security measures and requirements for their implementation are defined. They must be selected depending on the class or level of system security, which in turn must be determined taking into account the threat model (including the violator model) of information security.

Thus, having considered the features and differences of the three systems (GIS, ISPD, ACS) and using the Comparative Table of Requirements of the FSTEC of Russia, it will not be difficult to explain to a Customer or a department official who is not familiar with the differences between the systems what needs to be implemented in a particular system.

Draft

Ministry of Telecom and Mass Communications of the Republic of Bashkortostan

TECHNICAL TASK

TO THE GEOINFORMATION SYSTEM

"Minkomsvyaz RB"

1. General information

1.1. The full name of the system and its symbol

1.2. The legal status of the document

1.3. List of source documents

1.4. Order of financing and terms of work

1.5. The order of registration and presentation of the results of work to the Customer

1.6. Document structure

2. Purpose and goals of creating a GIS

2.1. Purpose of GIS

2.2. Goals of creating a GIS

3. Characteristics of automation objects

3.1. The current state of the automated activity

3.2. Operating conditions and environment

4. Requirements for GIS

4.1. Requirements for GIS in general

4.2. Requirements for GIS functions

4.3. Requirements for types of support

5. Composition and content of work on the creation (development) of the system

5.1. GIS implementation stages

6. The order of control and acceptance of GIS

6.1. General requirements

6.2. Guiding documents

6.3. GIS verification procedure

7. Composition and content of the preparatory work

7.1. Information preparation

7.2. Technical preparation of the automation object

7.3. Organizational events

8. Requirements for documentation

8.1. General requirements for documentation

8.2. List of documents to be developed

9. Development sources

1. General information

1.1. Full name of the system and its symbol

Geoinformation system of the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan. The abbreviation within this document is GIS.

1.2. Legal status of the document

Order of the Minister of Communications and Mass Media of the Republic of Bashkortostan XX-OD dated XX.03.2011 "On approval of the action plan for the creation of the GIS system of the OGV of the Republic of Bashkortostan"

1.3. List of source documents

The development of the Terms of Reference was carried out taking into account the requirements of the following documents:

1) GOST 24.105-85. Automated control systems. General requirements.

2) GOST 34.201-89. Types, completeness and designation of documents when creating automated systems.

3) GOST 34.601-90. Automated systems. Creation stages.

4) GOST 34.602-89. Terms of reference for the creation of an automated system.

5) State Technical Commission of Russia. Guidance document. Computer facilities. Protection against unauthorized access to information. Indicators of security from unauthorized access to information. 1992

6) Decree of "XX" XX 2011 No. p of the Government of the Republic of Bashkortostan on the Concept of the geographic information system of the executive authorities of the Republic of Bashkortostan.

1.4. Financing procedure and terms of work

The order of financing and terms of work on the creation of GIS are determined by the contract between the Customer and the Contractor.

1.5. The procedure for registration and presentation of the results of work to the Customer

The results of the work are:

1) GIS deployed at the Customer, having passed acceptance tests and been accepted for trial operation at the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan (Minkomsvyaz RB).

2) A set of documents developed at the stages of the System Design and Commissioning.

1.6. Document structure

The document consists of the following sections:

1. General information. Reference information about the developed system, description of the limits of applicability of the document.

2. Purpose and goals of creating a GIS. Description of the purpose of the GIS, automated activities of the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan, the goals of developing the GIS.

3. Characteristics of automation objects. Description of tasks and functions of GIS.

4. Requirements for GIS. Enumeration of requirements, both for the GIS itself and its individual subsystems, types of support, various aspects of the GIS functioning.

5. Composition and content of works on creation of GIS. The list of stages of creating a GIS, the main work that must be performed at each stage.

6. Order of control and acceptance of GIS. General requirements for the organization of GIS acceptance, enumeration of guidance documents on the basis of which GIS acceptance will be carried out.

7. Composition and content of the preparatory work. The work that needs to be done to put the GIS into operation.

8. Documentation requirements. General requirements for the design of project documentation.

9. Development sources. The list of documents on the basis of which this document is being developed.

1.7. Limits of applicability of the document

The terms of reference describe the requirements for the GIS and are the first and main document in the GIS documentation set. All other documents developed during the creation of the GIS must be consistent with this document.

2. Purpose and goals of creating a GIS

2.1. Purpose of GIS

2.1.1. Type of automated activity

GIS is designed to automate the storage and processing of spatial information used by the leadership of the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan (hereinafter referred to as Minkomsvyaz RB) and its structural divisions to implement, within their competence, state policy and regulation in the field of communications, informatization and development of telecommunication networks.

2.1.2. List of automation objects

The object of automation is the activity of the central office of the Ministry of Communications of the Republic of Bashkortostan, which, to perform its tasks, uses information about communication facilities and equipment located on the territory of the republic, as well as about telecom operators providing communication services on the territory of the republic:

management of the Ministry of Communications of the Republic of Bashkortostan;

department of information and analytical work in the field of information and communication technologies.

2.2. Goals of creating a GIS

The purpose of creating a GIS is to prepare and present information to support decision-making on the organization of effective work in the field of communications, informatization and the development of telecommunication networks, by automating the processing of cartographic data about communication objects located on the territory of the Republic of Bashkortostan, based on modern GIS technologies, systems for processing space and aerial images, and GLONASS/GPS technologies.

The goals of creating a GIS are:

1) reliable and timely provision of information, of varying degrees of detail, about communication facilities located on the territory of the Republic of Bashkortostan; ensuring its completeness, freedom from errors, relevance and necessary confidentiality;

2) ensuring the possibility of sharing heterogeneous data received from various sources (communication operators, citizens) about communication objects located on the territory of the Republic of Bashkortostan;

3) clarification and addition of information about communication objects located on the territory of the Republic of Bashkortostan, based on space and aerial images and GLONASS/GPS technologies;

4) development of standard solutions for the purpose of their subsequent replication in the GIS OGV RB;

5) creation of an information basis for the subsequent solution of analytical problems of specialists of the Ministry of Communications of the Republic of Bashkortostan.

3. Characteristics of automation objects

3.1. The current state of the automated activity

In the Ministry of Communications of the Republic of Bashkortostan and its structural divisions, a number of information systems operate, with which the created GIS should interact:

1) Information and analytical system Web-codes - designed to automate the collection, consolidation and analysis of arbitrary reporting.

2) The "Informatization Passport" system is an automated system for collecting and processing information characterizing the state of work on the use and development of information technologies at the regional and municipal level.

The analysis of the systems existing in the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan showed:

1) Most of the information needed to support the procedures for planning, forecasting, monitoring and analyzing the implementation of communications, and to form statistical data characterizing the state of the communications industry on the territory of the Republic of Bashkortostan, describes geographically distributed objects. However, the Ministry of Communications of the Republic of Bashkortostan does not have systems for processing spatially distributed information.

2) The automated systems currently existing in the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan do not provide a solution to the entire range of functional tasks of the specialists of the Ministry.

3.2. Operating conditions and environment

The operating conditions and the environment of the automation object do not affect the development of the GIS and its operation, therefore, the requirements for this paragraph are not imposed on the GIS.

4. Requirements for GIS

4.1. GIS requirements in general

4.1.1. General requirements

1) GIS is a coordinated set of information, software and hardware tools and services that provide information support for the activities of system users.

The GIS structure should have a service-oriented architecture, which will provide an opportunity for an unlimited number of users to access the GIS on a single software and hardware platform, as well as the subsequent enhancement of the GIS functionality.

2) GIS is an integral part of the GIS OGV RB and should ensure the unity of approaches to the storage, transmission and processing of information, architecture, nomenclature of technical means and general system software.

To ensure compatibility of GIS with existing and newly developed automated information systems in the Ministry of Telecom and Mass Communications of the Republic of Bashkortostan, unified systems of protocols for multilevel interaction should be applied.

3) GIS should provide data storage in one of the industrial DBMS (Oracle, MS SQL Server, etc.).

4) The GIS should provide users with data of the following types:

spatial (vector and raster) data;

attribute data;

files of arbitrary format.

5) GIS should provide integration with the information systems that exist or are being developed in the Ministry of Communications of the Republic of Bashkortostan.

6) GIS should provide integration of information of different types and different degrees of confidentiality.

4.1.2. Requirements for the development and modernization of GIS

GIS should provide the ability to:

1) a phased increase in functionality when changing the composition of the tasks of GIS users;

2) development and modernization of the GIS without a fundamental change in the elements previously developed and introduced into the configuration of the GIS.

4.1.3. Structure and function requirements

General requirements for the GIS structure

The logical structure of a GIS is shown in Figure 1.

General requirements

1) The information support of the GIS should be sufficient to perform all the functions of the GIS.

2) The totality of information arrays of the system should be organized in the form of databases.

Requirements for the composition, structure and methods of organizing data in a GIS

The composition and structure of the data must correspond to the information model developed in the system project.

Requirements for control, storage and updating of data

1) The system must periodically check the integrity of the state of the GIS databases by built-in software.

2) Data structures should be modified so that real data previously loaded into the databases is brought into line with the changed data structure.

3) Any change in database structures should not lead to the loss of information existing in the GIS.

Requirements for the language of interaction with GIS users

1) The linguistic support of the GIS should be reflected in the documentation (instructions, descriptions) of the organizational support of the GIS in the form of rules for the user to communicate with the GIS in all modes of its operation.

2) The user's communication interface with the GIS should be in Russian (except for specialized terms and commands).

4.3.3. Software Requirements

General requirements

1) GIS software should be sufficient to perform all GIS functions, as well as have the means of organizing all the required data processing processes, allowing timely performance of all GIS functions in all regulated modes of GIS operation.

2) GIS software should have the following properties:

functional sufficiency;

reliability (including recoverability, availability of error detection tools);

adaptability;

modifiability;

ease of use.

3) GIS software should be built in such a way that the absence of individual data does not affect the performance of GIS functions, in the implementation of which these data are not used.

4) In the GIS software, measures must be implemented to protect against errors during the input and processing of information to perform the functions of the GIS.

5) The software must consist of general software and special software.

6) The general and special software should be built on the basis of licensed software products.

General Software Requirements

1) OPO GIS should be unified and ensure the creation and support of a single information environment for solving information, reference and search tasks of users.

2) OPO should support the creation of workstations of GIS users, database servers, application servers, as well as provide connection of individual technical means for various purposes.

3) OPO must include:

· operating systems for workstations and servers for various purposes;

· means of local and remote exchange of information using a unified interface for access to the services of information exchange subsystems;

· means of administration, management and audit of the GIS hardware and software environment;

· means of testing, diagnostics and anti-virus protection;

· means of processing textual, tabular and graphic information;

· means of protecting information from unauthorized access.

The following software must be installed on dedicated computers (servers):

· operating system of the Windows Server family (with the IIS component on the web server).

The following software must be installed on client workstations:

· Russian-language operating system;

· Flash-enabled web browser.

At the administrator's workplace, an operating system of at least Windows XP SP 2 must be installed.

Note 4: The list of OPO products can be updated in the process of GIS development, as well as when more promising products appear.

5) The local network must provide data exchange based on TCP/IP protocols.

6) During the formation of the software, the issues of organizing interaction with existing databases should be worked out.

Requirements for special software

1) SPO should provide a solution to functional and special technological problems, including manipulation of cartographic databases.

2) SPO must include:

· on the ArcGIS Server server, standard and specialized services that implement the functions of the user's workstation, and one of the industrial DBMS (Oracle, MS SQL Server, etc.);

· ArcGIS Desktop on the administrator workstation (ArcInfo with extension modules);

· special software for working with GIS is not installed on client workstations.

4.3.5. Requirements for technical support

1) GIS hardware should be sufficient to perform all GIS functions.

2) The GIS hardware must comply with the requirements of the GIS software.

3) GIS hardware should provide the required reliability of GIS operation and data availability.

4) In the complex of technical means of GIS, technical means of mass production should be mainly used. If necessary, the use of technical means of single production is allowed.

5) GIS technical means must be placed in compliance with the requirements contained in the technical, including operational, documentation for them, and so that it is convenient to use them during the operation of the GIS and perform maintenance.

6) The placement of technical means used by GIS personnel in the performance of their duties must comply with ergonomic requirements: for production equipment in accordance with GOST 12.049-80, for visual information presentation means in accordance with GOST.

7) Any of the GIS hardware should allow its replacement by a tool of similar functionality, without any structural changes or adjustments in the rest of the GIS hardware.

8) For each of the technical means of the system, the operating conditions specified in the operational documentation must be provided, if necessary, systems of power supply, power supply, air conditioning, etc. should be deployed.

9) Technical means of GIS may be used only under the conditions specified in the operational documentation for them.

10) The power supply of the server equipment must provide a regular shutdown of the server with data saving. The normal shutdown time is determined in the operational documentation for the software and hardware of the server equipment.

11) GIS hardware should contain backup tools to ensure prompt recovery of information.

4.3.6. Requirements for organizational support

General requirements

1) The organizational support of the GIS should be sufficient for the effective performance by the GIS personnel of the duties assigned to them when performing the functions of the GIS.

2) The organizational support of the GIS should be fixed in the relevant instructions for the organizational support of the GIS.

Requirements for the content of instructions for the organizational support of GIS

Instructions for the organizational support of GIS should:

1) Describe all modes of GIS operation.

2) Determine the actions of the GIS personnel necessary to perform each function in all modes of operation of the GIS, taking into account the specified requirements for the accuracy and speed of the implementation by the GIS personnel of their functional duties.

3) Describe the methods by which the GIS service personnel diagnose actual and predicted violations of GIS performance.

Requirements for documenting GIS organizational support instructions

Instructions for the organizational support of the GIS should be documented.

4.3.7. Metrological support

There are no special requirements for metrological support.

5. Composition and content of work on the creation (development) of the system

5.1. GIS implementation stages

When creating a GIS, the following stages must be implemented.

5.1.1. Stage "Terms of Reference"

Table 5.1 shows the work that needs to be done at the "Terms of Reference" stage.

Table 5.1. Works at the stage of "Terms of Reference"

| Job Title | Responsible | Result |
|---|---|---|
| Determination and analysis by the Contractor of the Customer's requirements for GIS | Executor | |
| Development by the contractor with the participation of the Customer of the Terms of Reference for GIS | Executor | Technical task |
| Coordination of terms of reference | Customer | Notes to the terms of reference |
| Making changes to the terms of reference | Executor | Terms of Reference agreed by the Customer |
| Terms of reference approval | Customer | Terms of Reference approved by the Customer |

Implementation period - 1 month.

5.1.2. Stage "System project"

Table 5.2 shows the work to be done at the "System project" stage.

Table 5.2. Works of the "System project" stage

| Job Title | Responsible | Result |
|---|---|---|
| Development of design solutions for GIS | Executor | Functional model and information model of GIS data |
| GIS database development | Executor | Logical and physical models of the GIS database. |
| Development of design solutions for GIS in general and by types of support, registration of a system project | Executor | System project |

Implementation period - 2 months.

5.1.3. Stage "GIS Development"

Table 5.3 shows the work that needs to be done at the "Detailed Design" stage.

Table 5.3. Works of the stage "Development of GIS"

Job Title

Responsible

Result

Implementation of design solutions for the creation of GIS

Executor

GIS prototype

Development and testing on the hardware of the Prototype GIS Executor

Executor

GIS prototype

Customer

Deployment of GIS on customer's hardware

Executor

GIS installed on the Customer's hardware

Development of working documentation for the first stage of GIS

Executor

Working documentation listed in paragraphs 1-4 of clause 8.2.3.

Development by the executor of the Program and methodology for testing GIS (hereinafter in this section "Program")

Executor

The program and methodology for testing the first stage of GIS

Program approval

Customer

Program Notes

Making changes to the program

Executor

Program agreed with the Customer

Program Approval

Customer

Program approved by the Customer

Implementation period - 5.5 months.

5.1.4. Stage "Commissioning into trial operation"

Table 5.4 shows the work to be performed at the stage "Commissioning into trial operation".

Table 5.4. Works of the stage "Commissioning into trial operation"

Job Title

Responsible

Result

Preparation of GIS for the start of trial operation

Contractor (together with the Customer)

Executor

Conducting GIS tests

Customer (together with the contractor)

GIS prototype

Acceptance of GIS for trial operation

Customer

Implementation period - 1.5 months.

6. Procedure for control and acceptance of GIS

6.1. General requirements

1) Acceptance of GIS for trial operation should be carried out at the Customer's facilities.

2) Acceptance of GIS for trial operation should be carried out in accordance with the guidelines listed in the next section.

6.2. Guidance Documents

The following documents should be developed:

1) The program and methodology for testing GIS.

2) Draft pilot operation program, which should indicate:

· conditions and procedure for the functioning of the system;

· regulations for the maintenance by the contractor of the register of comments and proposals of the Customer related to the functioning of the GIS in the process of trial operation;

· regulations for the elimination of deficiencies identified in the course of trial operation;

· requirements for the Customer's hardware required for testing and trial operation.

6.3. GIS verification procedure

6.3.1. Acceptance of GIS for trial operation

1) According to the results of GIS tests carried out in accordance with the program and test methodology, a preliminary test report is drawn up, which records the compliance of the implemented system functions with the requirements of the TOR.

2) If the protocol reflects the possibility of accepting the system for trial operation, the acceptance committee draws up an acceptance certificate for trial operation, on the basis of which the GIS is accepted for trial operation.

6.3.2. Trial operation

1) In the process of trial operation, the Customer must keep a log of comments and suggestions (the form of the log of comments and suggestions and the rules for working with it are developed by the contractor). The customer should separate comments and suggestions to the declared functions of the GIS and all other comments.

2) Comments and suggestions to the declared functions of the GIS must be eliminated by the Contractor within the time period agreed with the Customer.

3) After the contractor eliminates the comments on the declared functions of the GIS, a joint act on the completion of trial operation and the commissioning of the GIS into commercial operation should be prepared.

7. Composition and content of preparatory work

The section contains a list of the main activities and their performers that must be performed when preparing the automation object and putting the GIS into trial operation. All activities are grouped into three main areas, arranged in the form of subsections of this section.

7.1. Information preparation

Table 7.1 shows the work on preparing information for uploading to the GIS.

Table 7.1. Activities for the preparation of information

Name of the event

Responsible

Note

Creation of a cartographic and attributive GIS database.

Executor

· FOCL connection nodes;

Base stations

coverage areas of cellular operators;

WI-FI connection nodes.

2. thematic linking of FOCL technological schemes to map objects, etc.

Refinement of the cartographic and attributive base of GIS.

Executor

Includes:

1. Clarification of the location and characteristics of objects on maps:

base stations;

TV and radio transmitters, etc.

2. Correction of the cartographic database according to the specified coordinates of objects.

Organization of interaction between GIS and information and reference systems of the Ministry of Communications of the Republic of Belarus

Executor

Filling the GIS database with attributive information and connecting to information and reference systems used in the Ministry of Communications of the Republic of Belarus.

7.2. Technical preparation of the automation object

Table 7.2 shows the work to ensure the technical readiness of the automation object.

Table 7.2. Measures to ensure the technical readiness of the automation object

| Name of the event | Responsible | Note |
|---|---|---|
| Providing the Contractor with hardware and software for GIS deployment | Customer | |
| Ensuring the technical readiness of hardware and software for GIS deployment | Customer | |
| Installing system-wide software | Customer | |
| Acquisition and installation of application software necessary for the functioning of the GIS | Customer | Together with the Executor |
| GIS deployment | Executor | Together with the customer |

7.3. Organizational events

Table 7.3 shows the organizational measures required to put the GIS into trial operation.

Table 7.3. Organizational events

| Name of the event | Responsible | Note |
|---|---|---|
| Training of the Customer's personnel to work with GIS | Executor | |

8. Documentation requirements

8.1. General Documentation Requirements

1) Documents must be submitted by the contractor to the customer on paper in one copy (original) and on magnetic media in one copy (copy). The source texts of the programs must be submitted only on magnetic media (original). It is possible to provide a set of documentation and program texts on CDs.

2) Text documents must comply with the internal standard of the Contractor for paperwork.

3) It is allowed to issue documents using development automation tools (CASE-tools) agreed with the Customer.

4) All documents must be issued in Russian. Individual documents, including those issued using CASE tools, may contain entries in Latin letters (database field names, program text, etc.).

5) The composition of documents for the general software supplied as part of the GIS must correspond to the set of the manufacturer.

8.2. List of documents to be developed

8.2.1. Stage "Terms of Reference"

Technical task

8.2.2. Stage "System project"

System project consisting of:

1) functional model;

2) information model;

3) GIS database structures;

4) requirements for GIS.

8.2.3. Stage "GIS Development"

1) Source texts of programs with comments.

2) User manual.

3) Administrator's guide.

4) Instructions for setting up and installing (may be part of the administrator's guide).

5) The program and methodology for testing GIS.

Note 5 : Documentation for GIS components may be included as separate sections in the GIS documentation as a whole.

9. Development sources

1) Vernikov G. Technological evolution of corporate information systems. Center for Information Technology, http://www. *****/cfin/articles/kis_xml. shtml, 2001

2) Information technology. A set of standards and guidelines for automated systems (GOST 34.201-89, GOST 34.602-89, RD, RD, GOST 34.601-90, GOST 34.401-90, RD 50-34.698-90, GOST 34.03-90, R 50-34.119- 90). – M.: Ed. Standards, 1989.

5) GIS is the basis of modern information support in the management of geographically distributed systems. // Scientific problems of the fuel and energy complex of the Republic of Belarus: - Ufa, 1997.

6) Creation of spatial data infrastructure of the Republic of Bashkortostan based on geoinformation technologies // , / Ufa: UGNTU, 20p.

7) Citywide GIS. / // ArcReview, "Municipal GIS", No. 3(46), +, 2008. - P.1-3.

8) The use of geoinformation technologies to create a spatial data infrastructure of the Republic of Bashkortostan // , / Geoinformation technologies in the design and creation of corporate information systems // Interuniversity scientific collection. Ufa: UGATU, 2008. - P.56-c.

9) Multi-user processing of distributed-stored spatial information in the scientific and educational GIS of the Republic of Belarus / , // Bulletin of the USATU: scientific. magazine Ufimsk. state aviation tech. university Series "Management, Computer Engineering and Informatics". 2009. Vol. 12, No. 1(30). pp. 3–8.

10) Instructions for topographic surveys at scales of 1:5000, 1:1000, 1:500. GKINP. Moscow, Nedra, 1982

11) "Instructions for the development of survey justification and survey of the situation and relief using global navigation satellite systems", GLONASS and GPS, Moscow, TsNIIGAiK, 2002.

12) Shekhar, Sh. Fundamentals of spatial databases / Sh. Shekhar, S. Chaula; per. from English. .- M. : KUDITS-OBRAZ, 2004 .- 336 p.

13) Seiler, M. Modeling Our World: An ESRI Geodatabase Design Guide / M. Seiler: ESRI Press, .- 254 p.

14), Tikunov. – M.: Academy, 2005. – 480 p.

15), Tsvetkov. – M.: MAX PRESS, 2001.

16) ArcGIS 9. Geoprocessing in ArcGIS: GIS by ESRI.- M.: Date+, 2004 .- 358 p.

17) Tomlinson, Roger F. Thinking about GIS. Geographic Information Systems Planning: A Guide for Managers. Per. from English. - M. Date +, 2004. - 325 p.

18) Data protection of geoinformation systems. Publisher: Gelios ARV, 2010, 336 p.

19) Geoinformation systems. Publisher: KUDITs-Press, 2009, 272 p.

20) Kang-Tsung Chang. Introduction to Geographic Information Systems. McGraw-Hill Higher Education, 2006. - 450 p.

21) Peters D. Building a GIS: system architecture design strategies for managers / ESRI Press, 2008, 292 p.
