
State information systems (GIS): practical issues of information security. List of information systems Federal Register of Information Systems of the Russian Federation

The register of federal state information systems (GIS), maintained by Roskomnadzor, in which government agencies are required to register their more or less serious (but not secret) information systems, is quite small. For a long time I wanted to dig deeper into it and take a closer look at what the systems are and how they work, making the life of an ordinary citizen even easier and happier every day.

The register is hosted on the Roskomnadzor portal, which tries to keep up with the transparency trend, so it has a section with open data sets - great! Download the latest archive of the Register, dated 02/16/2016, and inside there is an XML dump from September 2015... Nice try, citizen. We will have to supplement the “open data” with fresh information directly from the site, where everything has been done to make it difficult for enemies to parse the Registry. As a result, as of March 8, 2016, we got a list of 339 federal state information systems, and some interesting infographics about them are presented below.

For each GIS in the Registry, several supported OSes and DBMSes can be listed at once, so it is impossible to tell exactly which software it really runs on. Therefore, in the next three diagrams such systems were counted in several categories at once.

1. Distribution by supported server OS

Of the domestic developments, only the mysterious Zircon operating system (based on Solaris), Alt Linux and MSVS are mentioned.

2. Distribution by supported client OS

What exactly several applicants mean by “Mobile operating system” is not clear.

3. DBMS used


Of the DBMSs, only Red Database (based on Firebird), IRBIS64 and LINTER-VS can be considered domestic developments.

4. Data storage formats

The font size corresponds to the prevalence of support.


Using this diagram, you can play an exciting game called “Find in the picture the office document formats approved by GOST R ISO/IEC 26300-2010, and then fail to find their support in the GIS.” These are the formats that, back in 2011, before the era of import substitution, should have become the single standard for government document flow. But it seems that something went wrong again. 3 years ago I already wrote about how, to put it mildly, Open Document was slowly being implemented on the websites of government agencies. Nothing has moved since. Support for the GOST formats is mentioned for only 10 GIS.

5. Using office software

Those GISs that contained other software (not an office suite) or no data at all were not taken into account.

In general, some members of the Registry have a rather strange understanding of the term Free Software (there is such a column in the Registry), counting Internet Explorer, Delphi and even CCleaner among its ranks.

6. Distribution of GIS by date of commissioning


What is noteworthy is that, apparently in order not to be late as always, the unhurried Russian Post has set the commissioning date for its State Information System of Housing and Communal Services as July 2016. This is the only GIS from the future.

7. Distribution by departments

The larger the area of the rectangle, the greater the number of GIS owned by this department.

8. Amount of funds spent on development, modernization and operation

The Register contains the field “Information on sources of financing for the creation, operation, modernization of FSIS,” which contains information in free form about the cost of the system for the taxpayer. The obligation and frequency of entering this information into the Register is not clear, but it gives an approximate idea of the amount of costs.

Only 7 information systems account for half of all funds spent (amounts are indicated in thousand rubles):


The first and second places, with a minimal gap between them, are occupied by the State Automated Systems “Elections” and “Justice”. An honorable 3rd place goes to the automated system of the Ministry of Internal Affairs with the self-explanatory name IBD-F. This mighty troika of GIS accounts for more than a quarter of all expenses indicated in the Register - 61 billion rubles.

Tag cloud

We present to your attention (with minimal abbreviations) the text published by user Akr0n on habrahabr.ru. The author analyzes the Register of Federal State Information Systems in order to show the ratio of imported and domestic system-wide software used in state information systems.

The register of federal state information systems (GIS), which is maintained by everyone’s beloved Roskomnadzor, and in which government agencies are required to register their more or less serious (but not secret) information systems, is small. For a long time I wanted to dig deeper into it and take a closer look at what the systems are and how they work, making the life of an ordinary citizen even easier and happier every day. Especially when every day the federal media happily report on the successes of import substitution in all sectors of the national economy, including the IT sector, and large Western vendors begin to turn away from Russian government customers.

The register is posted on the Roskomnadzor website, where there is a section with open data sets - great! Download the latest archive of the Register dated February 16, 2016, and inside there is an XML dump from September 2015... Nice try, citizen. We will have to supplement the “open data” with fresh information directly from the site, where everything has been done to make it difficult for enemies to parse the Registry. As a result, as of March 8, 2016, we got a list of 339 federal state information systems, and some interesting infographics about them are presented here.

For each GIS in the Registry, several supported OSes and DBMSes can be listed at once, so it is impossible to tell which software it actually runs on. Therefore, in the next three diagrams such systems were counted in several categories at once.

1. Distribution by supported server OS

Of the domestic developments, only the mysterious Zircon operating system (based on Solaris), Alt Linux and MSVS are mentioned.

2. Distribution by supported client OS

What exactly several applicants mean by “Mobile operating system” is unclear.

3. DBMS used

Of the DBMSs, only Red Database (based on Firebird), IRBIS64 and LINTER-VS can be considered domestic developments (in the comments to the publication a reader objects to the author that “1C: Database” can also be considered a domestic DBMS - ed.).

4. Data storage formats (font size corresponds to the prevalence of the format)

Using this diagram, you can play an exciting game called “Find in the picture the office document formats approved by GOST R ISO/IEC 26300-2010, and then fail to find their support in the GIS.” These are the formats that back in 2011, before the era of import substitution, should have become the unified standard for government document flow. But it seems that something went wrong again. Support for the GOST formats is mentioned for only 10 GIS.

5. Use of office software (those GIS for which other software (not an office package) was specified, or for which there was no data at all, were not taken into account)

Some Registry members have a strange understanding of the term “Free Software” (there is such a column in the Registry), counting Internet Explorer, Delphi and even CCleaner among its ranks.

6. Distribution of GIS by date of commissioning

Apparently, in order not to be late, as always, Russian Post set the commissioning date for its GIS for housing and communal services as early as July 2016. This is the only GIS from the future.

7. Distribution by department (the larger the area of the rectangle, the more GIS are owned by this department)

8. Amount of funds spent on development, modernization and operation

The Register contains the field “Information on sources of financing for the creation, operation, modernization of FSIS”, in which the cost of the system for the taxpayer is reported in free form. The obligation and frequency of entering this information into the Register is unclear, but it gives an approximate idea of the amount of costs. Seven information systems account for half of all funds spent (amounts are indicated in thousands of rubles):

The sad irony is that the lion's share of the money was spent on some mythical things - the first and second places with a minimal gap are occupied by the State Automated Information System "Elections" and "Justice". An honorable third place goes to the automated system of the Ministry of Internal Affairs with the self-explanatory name IBD-F. This mighty troika of GIS accounts for more than a quarter of all expenses indicated in the Register - 61 billion rubles.

Concept

In December 2011, the Concept of accounting for state information systems was approved.

According to the concept, by the end of April 2012, the accounting system was to be created and put into trial operation.

As of June 2012, a software registry for federal government agencies actually exists; information about 239 systems is included in it. Among the departments that submitted data are the Ministry of Agriculture, the Accounts Chamber, Rosreestr, the Ministry of Foreign Affairs, Rosstat and a number of others.

In the current version of the information disclosure portal, one could see the name of the person responsible for the operation of the notorious alcohol accounting system (USAIS) in Rosalkogolregulirovanie, brief descriptions of the required equipment and databases, and development and operation costs for 2010. There are no amounts for 2011 yet.

Government Decree

In June 2012, Prime Minister Dmitry Medvedev signed a decree on accounting for information systems created in the interests of federal departments and extra-budgetary funds.

In the document, the government gives two groups of instructions: to the project coordinator, the Ministry of Telecom and Mass Communications, and to the federal government agencies themselves, which must enter information into the accounting system.

The Ministry of Telecom and Mass Communications must, by the end of August 2012, give instructions on the accounting and classification of software and infrastructure components, develop forms of electronic passports and rules for compiling unique identifiers for software and equipment. In addition, the ministry must write rules for submitting data to the accounting system and a methodology for assessing the effectiveness of work.

Federal departments are given a month more time - until the end of September. Before this deadline, they must select a person responsible for releasing the data and formally describe how such disclosure will take place. The status of the person responsible for filling the accounting system, as in the case of interdepartmental interaction, should not be lower than the deputy head. After this, within a month, i.e. at the latest by the end of November, all data on the software running in the department should be in the accounting system.

You will eventually be able to read information about the working software, its costs and the effectiveness of projects on the website 365.minsvyaz.ru, as well as on the unified budget system portal budget.gov.ru (currently only a test page is available).

The annex to the current government decree determines the set of published data and the frequency of updating the unified database. The deadline for putting the accounting information system into commercial operation was defined in the concept - the end of 2012.

There are about 100 state information systems in the Russian Federation, they are divided into federal and regional. An organization operating any of these systems is required to comply with security requirements for the data processed within it. Depending on the classification, different information systems are subject to different requirements, for non-compliance with which sanctions are applied - from a fine to more serious measures.

The operation of all information systems in the Russian Federation is governed by Federal Law No. 149-FZ of July 27, 2006 (as amended on July 21, 2014) “On information, information technologies and information protection”. Article 14 of this law gives a detailed description of GIS. Operators of state information systems in which restricted access information is processed (not containing information constituting a state secret) are subject to the requirements set out in Order No. 17 of the FSTEC of Russia dated February 11, 2013 “On approval of requirements for the protection of information that does not constitute a state secret contained in state information systems.”

Let us recall that an operator is a citizen or legal entity engaged in the operation of an information system, including the processing of information contained in its databases.

If an organization is connected to a state information system, then FSTEC Order No. 17 obliges the system to be certified, and only certified information security tools (with valid FSTEC or FSB certificates) must be used to protect information.

There are often cases when the operator of an information system mistakenly classifies it as a GIS, when it is not one. As a result, excessive security measures are applied to the system. For example, if by mistake the operator of a personal data information system classified it as state-owned, he will have to comply with more stringent requirements for the security of the information being processed than required by law. Meanwhile, the requirements for the protection of personal data information systems, which are regulated by FSTEC Order No. 21, are less stringent and do not require certification of the system.

In practice, it is not always clear whether the system to which you need to connect is state-owned, and, therefore, what measures to build information security need to be taken. Nevertheless, the plan of inspections by regulatory authorities is growing, and fines are systematically increasing.

How to distinguish GIS from non-GIS

A state information system is created when it is necessary to ensure:

  • implementation of powers of government agencies;
  • information exchange between government agencies;
  • achieving other goals established by federal laws.

You can determine whether an information system is a state one using the following algorithm:

  1. Find out if there is a legislative act requiring the creation of an information system.
  2. Check the availability of the system in the Register of Federal State Information Systems. Similar registers exist at the level of the constituent entities of the Federation.
  3. Pay attention to the purpose of the system. An indirect sign of classifying a system as a GIS will be a description of the powers that it implements. For example, each administration of the Republic of Bashkortostan has its own charter, which also describes the powers of local government bodies. The IS “Registration of citizens in need of residential premises on the territory of the Republic of Bashkortostan” was created to implement such powers of administrations as “adopting and organizing the implementation of plans and programs for the comprehensive socio-economic development of the municipal region”, and is a GIS.

If the system involves the exchange of information between government agencies, it is also highly likely to be state-owned (for example, an interdepartmental electronic document management system).

This is GIS. What to do?

FSTEC Order 17 prescribes the following measures to protect information for GIS operators:

  • developing requirements for the protection of information contained in the information system;
  • development of an information security system for an information system;
  • implementation of the information security system of the information system;
  • certification of the information system according to information security requirements (hereinafter referred to as ISPD certification) and its commissioning;
  • ensuring the protection of information during the operation of a certified information system;
  • ensuring the protection of information during decommissioning of a certified information system or after a decision is made to terminate information processing.

Organizations that are connected to government information systems must perform the following actions:

1. Classify the IS and identify security threats.

IS classification is carried out in accordance with clause 14.2 of FSTEC Order No. 17.

Threats to information security are determined based on the results of:

  • assessing the capabilities of violators;
  • analysis of possible information system vulnerabilities;
  • analysis (or modeling) of possible ways to implement threats to information security;
  • assessing the consequences of violating information security properties (confidentiality, integrity, availability).

2. Formulate requirements for the information security system.

System requirements must contain:

  • the purpose and objectives of ensuring information security in the information system;
  • information system security class;
  • a list of regulatory legal acts, methodological documents and national standards that the information system must comply with;
  • list of information system protection objects;
  • requirements for measures and means of information protection used in the information system.

3. Develop an information security system for the information system.

This includes:

  • designing an information security system for an information system;
  • development of operational documentation for the information security system of the information system;
  • prototyping and testing of the information security system of the information system.

4. Implement the information security system of the information system, namely:

  • installation and configuration of information security tools in the information system;
  • development of documents defining the rules and procedures implemented by the operator to ensure the protection of information in the information system during its operation (hereinafter referred to as organizational and administrative documents on information protection);
  • implementation of organizational measures to protect information;
  • preliminary testing of the information security system of the information system;
  • trial operation of the information security system;
  • checking the constructed information security system for vulnerability;
  • acceptance tests of the information security system of the information system.

5. Certify the ISPDn:

  • conduct certification tests;
  • receive a certificate of conformity.

There is a widespread belief that in order to pass an inspection by regulatory authorities, it is enough to have organizational and administrative documents, so GIS operators often neglect to implement security measures. Indeed, Roskomnadzor pays close attention to documents and the implementation of organizational and administrative measures to protect personal data in the organization. However, if questions arise, specialists from FSTEC and the FSB may be involved in the inspection. At the same time, FSTEC looks very carefully at the composition of technical information protection and checks the correctness of the threat model, and the FSB checks the implementation of requirements regarding the use of cryptographic information protection means.

Oleg Necheukhin, information systems protection expert, Kontur-Security