GOVERNMENT OF THE KYRGYZ REPUBLIC
REGULATION
dated November 21, 2017 No. 762
On approval of Requirements for the protection of information contained in databases of state information systems
(As amended by the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744, and the Resolution of the Cabinet of Ministers of the Kyrgyz Republic dated January 31, 2022 No. 45)
In accordance with Article 19 of the Law of the Kyrgyz Republic "On Electronic Management" and Articles 10 and 17 of the Constitutional Law of the Kyrgyz Republic "On the Government of the Kyrgyz Republic", the Government of the Kyrgyz Republic
DECIDES:
1. To approve the Requirements for the protection of information contained in databases of state information systems (hereinafter - Requirements).
2. The State Committee for Information Technologies and Communications of the Kyrgyz Republic, together with the State Committee for National Security of the Kyrgyz Republic, shall submit proposals to the Government of the Kyrgyz Republic by April 1, 2018 on the organization of the fulfillment of the Requirements approved by this resolution.
3. Ministries, state committees, administrative departments, other state bodies (as agreed), local self-government bodies (as agreed), state and municipal enterprises, organizations and institutions financed from the republican and/or local budgets, and owners and/or operators of state/municipal information systems shall, by July 1, 2018, take the measures arising from the Requirements approved by this resolution.
4. To establish that the State Committee for Information Technologies and Communications of the Kyrgyz Republic jointly with the State Committee for National Security of the Kyrgyz Republic exercises control over compliance with the Requirements.
(As amended by the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
5. Recommend that local self-government bodies that create and operate information systems subject to inclusion in the Register of State e-Government Infrastructure, from July 1, 2018, annually submit relevant information on the fulfillment of the Requirements approved by this resolution to the Ministry of Digital Development of the Kyrgyz Republic.
(As amended by Resolution No. 45 of the Cabinet of Ministers of the Kyrgyz Republic dated January 31, 2022)
6. To assign control over the execution of this resolution to the Department of Construction, Transport and Communications of the Apparatus of the Government of the Kyrgyz Republic.
7. This resolution comes into force after fifteen days from the date of official publication.
Prime Minister S. Isakov
Annex
Requirements
for the protection of information contained in databases of state information systems
(As amended by the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
Chapter 1. General provisions
1. The requirements for the protection of information contained in the databases of state information systems (hereinafter referred to as the Requirements) have been developed in accordance with the Law of the Kyrgyz Republic "On Electronic Management" and define information protection measures, as well as requirements for the use of information technologies in state information systems and ensuring the security of information contained in their databases.
2. The provisions of these Requirements are mandatory for application by state bodies, local self-government bodies, state and municipal enterprises, organizations and institutions financed from the republican and/or local budgets, owners and/or operators of state/municipal information systems.
3. The provisions of these Requirements do not apply to state information systems whose databases contain information classified as state secrets in accordance with the legislation of the Kyrgyz Republic on state secrets, to special-purpose telecommunication networks and/or government, classified, encrypted and coded communications, or to information systems that are not part of the state infrastructure of electronic management.
4. The following definitions are used in these Requirements:
critical information infrastructure - a set of critical information infrastructure facilities of the Kyrgyz Republic operating in the public administration and public electronic services sector, in the fields of healthcare, transport, telecommunications and communications, the credit and financial sector, the defense sector, the fuel industry, the generation and distribution of electricity, the food industry and the mining industry;
coded communication - secure communication using documents and coding techniques;
local network of the internal circuit - the local network of a state body (or of its territorial subdivision exercising the powers of the owner and/or operator of the information system) assigned to the internal circuit of the telecommunication network of the state body and connected to the unified transport environment of state bodies;
local network of the external circuit - the local network of a state body (or of its territorial subdivision exercising the powers of the owner and/or operator of the information system) assigned to the external circuit of the telecommunication network of the state body and having an Internet connection; Internet access is provided to the state body by telecom operators only through a single Internet access gateway;
marking of an asset associated with information processing means - the application of conventional signs, letters, numbers, graphic symbols or inscriptions to an asset for the purpose of its subsequent identification (recognition) and indication of its properties and characteristics;
scalability - the ability of an element of the state e-government infrastructure to increase its performance as the volume of information processed and/or the number of simultaneously working users increases;
multi-factor authentication - a method of verifying user authentication using a combination of various parameters, including the generation and entry of passwords or authentication attributes (digital certificates, tokens, smart cards, one-time password generators, biometric identification tools);
information infrastructure objects - information centers, subsystems, banks and/or databases of data and knowledge, communication systems, control centers, hardware, software and technologies for collecting, storing, processing and transmitting information;
application software - a software package for solving an applied task of a certain class in a subject area;
workstation - a stationary or portable computer, as part of a local network, designed to solve applied tasks;
server room - a room intended for the placement of servers, active and passive network (telecommunication) equipment and equipment of structured cabling systems;
system software - a set of software that ensures the operation of computing equipment;
means of cryptographic protection of information - a software or hardware-software complex that implements algorithms for cryptographic transformations and for the generation, formation, distribution or management of encryption keys;
Tunduk electronic interdepartmental interaction system - a software and hardware solution and organizational environment that provides secure electronic data exchange between information systems and databases of state bodies and local self-government bodies in the provision of electronic state and municipal services and the performance of state and municipal functions;
technical documentation on cybersecurity - documentation establishing the policies, rules and protective measures related to the processes of ensuring the integrity (including authenticity and fault tolerance), availability and confidentiality of information contained in databases of state information systems;
terminal system - a thin or zero client for working with applications in a terminal environment, or thin-client programs in a client-server architecture;
encrypted communication - secure communication using manual ciphers, encryption machines, line encryption equipment and special computer equipment.
Other terms and definitions are used in the meanings given in the laws of the Kyrgyz Republic "On Electronic Management", "On Electronic Signature", "On the Protection of State Secrets".
Chapter 2. Requirements for the use of information technologies in state bodies, local self-government bodies and organizations
5. The use of information technologies in state bodies, local self-government bodies and organizations is carried out in accordance with the Law of the Kyrgyz Republic "On Electronic Management", taking into account the requirements for feasibility studies, terms of reference and technical specifications for the purchase (modernization) of information systems and information technologies for state and municipal bodies, enterprises and institutions, as well as the List of technologies, set out in international standards, for state information systems using encryption systems and means of cryptographic protection of information (with the exception of information classified as state secrets), given in Annex 2 to these Requirements.
Requirements for feasibility studies, terms of reference and technical specifications for the purchase (modernization) of information systems and information technologies for state bodies, local governments and organizations are approved by the authorized state body in the field of information technology and electronic management (hereinafter - the authorized state body).
6. The implementation of tasks in the field of electronic management in accordance with the Law of the Kyrgyz Republic "On Electronic Management", in a state body, a local government body, an organization is provided by an appropriate unit competent in information technology issues, carrying out:
- accounting and analysis of information and communication technology assets;
- coordination of work on the creation, maintenance and development of elements of the state e-government infrastructure;
- registration of the information system in the Register of the state infrastructure of electronic management;
- control over the safety of reference copies of software, source program codes (if any), a set of settings of licensed software, electronic copies of technical documentation of elements of the state infrastructure of electronic management;
- interaction with the authorized state body, information system operators, other state bodies, local self-government bodies, organizations, regarding the implementation of projects in the field of electronic management.
7. The workplace of an employee of a state body, local self-government body, organization is equipped taking into account his functional responsibilities and includes:
- a workstation, a unified workplace or a terminal system connected to the local network of the internal circuit of the state body, local government body or organization (if necessary, the workplace may be equipped with an additional monitor);
- a set of multimedia equipment (headphones, microphone and webcam), if necessary;
- a telephone communication or IP telephony device.
8. To ensure the cybersecurity of state information systems:
1) the technical documentation on cybersecurity defines:
- ways of placing workstations of employees of a state body or local government body, organization;
- ways to protect workstations from failures in the power supply system and other violations caused by failures in the work of utilities;
- procedures and frequency of maintenance of workstations to ensure continuous availability and integrity;
- ways to protect mobile users' workstations located outside a state or local government body, organization, taking into account various external risks;
- methods of guaranteed destruction of information during reuse of workstations or decommissioning of data carriers;
- rules for the removal of workstations outside the workplace;
2) on a regular basis, the accounting of workstations is carried out by a unit competent in information technology issues, with configuration verification;
3) installation and use of remote control software or hardware on workstations from outside the local network of the internal circuit is excluded. Remote control within the local network of the internal circuit is allowed in cases directly provided for by a departmental act of the state body, local government body or organization (order, directive, instruction) defining the conditions and procedure for providing such remote access;
4) unused I/O ports of workstations and mobile computers of employees of a state body, local government body, organization are disabled or blocked, with the exception of workstations of employees of the cybersecurity unit.
9. Input/output operations using external electronic data carriers at the workstations of employees of a state body, local government body or organization are regulated by the departmental cybersecurity policy adopted by that state body, local government body or organization.
10. In order to optimize the placement of equipment at the workplace of an employee of a state body, a local government body, an organization, it is allowed to use specialized equipment that ensures the use of one monitor unit, a manual manipulator (mouse) and a keyboard for several workstations, without the use of network interfaces.
11. To use the services of the Tunduk electronic interdepartmental interaction system, a workstation connected to the local network of the internal circuit of a state body, local government body, organization is provided with a network connection to the infrastructure of the Tunduk electronic interdepartmental interaction system.
12. Processing and storage of information for official use of a state body, local self-government body, organization are carried out at workstations connected to the local network of the internal circuit of a state body or local self-government body, organization and not connected to the Internet.
13. Access to the Internet to employees of a state body, local government body, organization is provided from workstations connected to the local network of the external circuit of a state body, local government body, organization located outside the security premises determined in accordance with the regulatory act on ensuring secrecy in ministries, administrative departments, enterprises, in institutions and organizations of the Kyrgyz Republic.
14. Telephone communication of the state body, local self-government body, organization:
1) is implemented both on the basis of public digital telephone networks and with the use of IP telephony technology;
2) provides connection of the user with subscribers of telephone networks via the following channels:
- use of subscriber connections through the existing local area network of internal and external circuits and departmental data transmission network;
- use of communication services of a public telephone operator along the E1 stream;
- use of mobile operators;
- use of long-distance and international communication services.
15. For conferences, presentations, meetings, teleconferences, the premises (conference hall) of a state body, local government body, organization are equipped with:
- a conference system of sound amplification, including the placement of a microphone, a loudspeaker and a light indicator of the participant's request and speech at the participant's place;
- information input/output device.
To organize a "teleconference" with geographically distributed participants located in other cities or countries, the conference system is supplemented, if necessary, by an audio and video conferencing system.
16. Organization of the printing of documents in a state body and/or a local government body, organization:
1) is implemented by printing, copying and scanning equipment connected to the local network of the internal circuit of the state body, local government body or organization, using a network interface or a direct connection to a print server;
2) is provided by software that implements:
- centralized management of users and devices;
- accounting of printed documents, as well as copies, faxes sent by e-mail and scans by user identification numbers, with the possibility of distributing costs between departments and users;
- a system of reports graphically illustrating the activity of printing, copying and scanning;
- identification of the user before using the print service;
- authorization of an employee of a state body on a printing device by the methods regulated in the technical documentation on cybersecurity;
- the formation of a print queue, through which printing is carried out, with the possibility of obtaining printed documents.
Chapter 3. Requirements for the organization of cybersecurity in a state body, a local government body, an organization
17. In order to differentiate responsibilities and functions in the field of cybersecurity, the cybersecurity unit, which is a structural subdivision of a state body or local government body, organization, carries out:
- control of compliance with the requirements of technical documentation on cybersecurity;
- control over the documentation of cybersecurity;
- control over asset management in terms of cybersecurity;
- control of the legality of the use of the software;
- control over risk management in the field of information and communication technologies;
- control over the registration of cybersecurity events;
- conducting an internal audit of cybersecurity;
- control over the organization of an external cybersecurity audit;
- monitoring compliance with cybersecurity requirements in personnel management;
- control of the state of cybersecurity of an element of the state infrastructure of electronic management.
18. It is allowed to involve competent third-party bodies/organizations to ensure cybersecurity in a state body and/or a local government body, an organization on the basis of agreements with the owner of the information system, which establish working conditions, access or use of facilities, as well as liability for violations.
19. Technical documentation on cybersecurity is created in the form of a four-level system of documented rules, procedures, practical techniques or guidelines that guide a state body, a local government body, an organization in its activities.
Technical documentation on cybersecurity is approved by the decision of the state body, local government body, organization and is brought to the attention of all employees of the state body, local government body, employees of the organization.
Technical documentation on cybersecurity is reviewed for the purpose of analyzing and updating the information contained therein at least once every two years.
20. The departmental cybersecurity policy of a state body, a local government body, an organization defines goals, objectives, guidelines and practical techniques in the field of cybersecurity.
21. The list of documents in the field of cybersecurity includes documents detailing the requirements of the departmental cybersecurity policy of a state body, local government body, organization, work forms, journals, applications, protocols and other documents, including electronic ones, used for registration and confirmation of completed procedures and works, including:
- methodology for assessing cybersecurity risks;
- rules for identification, classification and labeling of assets related to information processing facilities;
- rules for ensuring the continuous operation of assets related to information processing facilities;
- rules of inventory and certification of computer equipment, telecommunication equipment and software;
- rules for conducting an internal audit of cybersecurity;
- rules for the use of cryptographic protection of information;
- rules of differentiation of access rights to information resources;
- rules for the use of the Internet and e-mail;
- rules for the organization of the authentication procedure;
- rules for the organization of anti-virus control;
- rules for the use of mobile devices and media;
- rules for the organization of physical protection of information processing facilities and a safe environment for the operation of information resources;
- catalogue (list) of cybersecurity threats (risks);
- cybersecurity threat (risk) processing plan;
- regulations for backup and recovery of information;
- a plan of measures to ensure continuous operation and restore the operability of assets related to information processing facilities;
- the administrator's guide to the maintenance of the state infrastructure of electronic management/information infrastructure;
- instructions on the procedure for users to respond to cybersecurity incidents and in emergency (crisis) situations;
- cybersecurity incident log;
- journal of emergency situations;
- log of server room visits;
- report on the vulnerability assessment of network resources;
- log of registration and elimination of software vulnerabilities;
- log of cable connections;
- backup accounting log;
- log of testing backups;
- log of equipment configuration changes;
- log of testing and accounting of changes in system software and application software of the information system;
- log of testing of diesel generator sets and uninterruptible power supplies for the server room;
- log of testing of microclimate systems, video surveillance, fire extinguishing of server rooms.
22. In order to ensure the protection of information assets, the unit competent in information technology issues carries out:
- inventory of assets;
- classification and marking of assets in accordance with the classification system adopted by the state body, local government body, organization;
- securing assets for officials and determining the measure of their responsibility for the implementation of measures for the management of cybersecurity assets;
- regulation, in the technical documentation on cybersecurity, of the procedure for:
  use and return of assets;
  identification, classification and labeling of assets.
23. In order to manage risks/threats in the field of cybersecurity in a state body, local government body or organization, the following are carried out:
1) determination of the list of cybersecurity threats in information systems when the state body, local government body or organization carries out its relevant activities;
2) identification of risks in relation to the list of identified and classified assets, including:
- identification of cybersecurity threats and their sources;
- identification of vulnerabilities that may lead to the implementation of threats;
- identification of information leakage channels;
- formation of the intruder model;
3) selection of criteria for accepting identified risks;
4) formation of a catalogue of threats (risks) to cybersecurity, including assessment (reassessment) of threats (risks), determination of potential damage;
5) development and approval of measures to neutralize or reduce threats (risks) to cybersecurity.
24. In order to control the events of cybersecurity violations in a state body, a local government body, an organization:
1) events related to cybersecurity violations are monitored and the results of monitoring are analyzed;
2) events related to the state of cybersecurity are recorded and violations are detected by analyzing event logs, including:
- operating system event logs;
- event logs of database management systems;
- anti-virus protection event logs;
- application software event logs;
- event logs of telecommunication equipment;
- event logs of attack detection and prevention systems;
- event logs of the content management system;
3) synchronization of the time of the event logs with the time source infrastructure is provided;
4) event logs are stored for the period specified in the technical documentation on cybersecurity, but not less than three years, and are in operational access for at least three months;
5) event logs of the created software are kept in accordance with the formats and types of records defined in the Rules for Monitoring Cybersecurity, Protection and Safe Functioning of Elements of the State Infrastructure of Electronic Management approved by the authorized state body;
6) event logs are protected from interference and unauthorized access. It is not allowed for system administrators to have the authority to change, delete and disable logs. Confidential information systems require the creation and maintenance of a backup log store;
7) implementation of a formalized procedure for reporting cybersecurity incidents and responding to cybersecurity incidents is ensured.
25. In order to protect critical processes in the state information systems of state bodies, local self-government bodies, organizations from internal and external threats:
- an action plan is developed, tested and implemented to ensure continuous operation and restore the operability of assets associated with information processing facilities;
- the Instruction on the procedure for users' actions to respond to cybersecurity incidents and in emergency (crisis) situations approved by a departmental act of a state body, local government body, organization is brought to the attention of employees of state bodies, local self-government bodies, organizations.
The action plan for ensuring continuous operation and restoring the operability of assets related to information processing facilities is subject to regular updating.
26. Functional responsibilities for ensuring cybersecurity and obligations to comply with the requirements of technical documentation on cybersecurity of employees of state bodies, local self-government bodies, employees of the organization are included in job descriptions and/ or the terms of the employment contract.
The technical documentation on cybersecurity also defines the content of procedures for the dismissal of employees of state bodies, local governments, employees of organizations with obligations in the field of cybersecurity.
In case of dismissal or amendment of the terms of an employment contract, the right of access of an employee of a state body, local government body or organization to information and means of information processing:
- includes physical and logical access, access identifiers, signatures and documentation that identifies him as an active employee of the state body, local government body or organization;
- is cancelled after the termination of his employment contract, or changed when changes are made to the terms of the employment contract.
27. In order to ensure cybersecurity during the operation of electronic management facilities, requirements are established for:
- identification methods;
- the means of cryptographic protection of information used;
- ways to ensure availability and fault tolerance;
- monitoring of cybersecurity, protection and safe operation;
- the use of cybersecurity tools and systems;
- registration certificates of certification centers.
28. In order to protect information for official use, confidential information, special categories of personal data contained in databases of information systems, cryptographic information protection tools (software or hardware) with parameters according to the Technical Requirements for cryptographic information protection tools corresponding to the security level set out in Annex 1 to these Requirements are used.
29. To ensure availability and fault tolerance, the owners of information systems provide:
- availability of a backup own or rented server room;
- redundancy of hardware and software for data processing, data storage systems, components of data storage networks and data transmission channels.
30. State bodies, local self-government bodies and organizations carry out monitoring:
- actions of users and staff;
- the use of information processing tools.
31. In state bodies, local self-government bodies, organizations within the framework of monitoring the actions of users and staff:
- if abnormal activity or malicious actions of users are detected, these actions are registered and blocked, and the head of the cybersecurity unit of the state body, local government body or organization is promptly notified;
- the actions of the service personnel are recorded and monitored by the cybersecurity unit.
32. Cybersecurity events identified, based on the results of cybersecurity event monitoring analysis and event log analysis, as critical for confidentiality, availability and integrity:
- are defined as cybersecurity incidents;
- are taken into account in the list of cybersecurity threats;
- are registered in the service (division) of responding to computer incidents of the authorized state body in the field of information technology and electronic management and (or) the authorized state body in the field of national security.
33. At the stage of pilot and industrial operation of elements of the state infrastructure of electronic management, tools and systems are used for:
- detection and prevention of malicious code;
- cybersecurity incident and event management;
- intrusion detection and prevention;
- monitoring and management of the electronic management information infrastructure.
Chapter 4. Requirements for information systems of state bodies, local self-government bodies, organizations
34. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
35. Creation, development and operation of the state infrastructure of electronic management are carried out taking into account the requirements provided for by the laws of the Kyrgyz Republic "On Public Procurement" and "On Electronic Management".
36. The creation, operation and support of websites of state bodies, local self-government bodies, organizations on the Internet are carried out in accordance with the requirements for the creation and support of websites of state bodies and local self-government bodies established by the Government of the Kyrgyz Republic.
37. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
38. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
39. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
40. (Expired in accordance with the Decree of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
41. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
42. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
43. Provision of the developed software, source code (if available) and the set of settings of the licensed software of the information system of a state body, local self-government body or organization to the authorized state body for accounting and storage is mandatory and is carried out in accordance with the procedure determined by the authorized state body.
44. Modification, disclosure and (or) use of source code, software products and software are carried out with the permission of their owner.
45. During industrial operation of the information system of a state body, local self-government body or organization, monitoring of the cybersecurity events of that information system is provided, and its results are transmitted to the cybersecurity monitoring system of the computer incident response service (unit) of the authorized state body in the field of information technology and electronic management and (or) of the authorized state body in the field of cybersecurity.
(As amended by the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
46. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
47. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
48. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
49. (Expired in accordance with the Resolution of the Government of the Kyrgyz Republic dated December 31, 2019 No. 744)
50. To ensure the cybersecurity of state information systems:
1) at the stages of acceptance testing and trial operation, the following are carried out:
- testing of information system software based on developed test suites configured for specific classes of programs;
- full-scale testing of programs under extreme loads with simulation of the effects of active defects (stress testing);
- testing of the information system software in order to identify possible defects;
- bench tests of the information system software to identify unintended software design errors, identify potential performance problems;
- identification and elimination of software and hardware vulnerabilities;
- development of means of protection against unauthorized impact;
2) before putting the information system into trial operation, it is required to provide:
- control of the adverse impact of the new information system on functioning information systems and elements of the state infrastructure of electronic management, including during maximum loads;
- analysis of the impact of the new information system on the state of cybersecurity of the state e-government infrastructure;
- organization of personnel training for the operation of the new information system;
3) the environments of experimental or industrial operation of the information system are separated from the environments of development, testing or bench testing. At the same time, the following requirements are implemented:
- the transfer of the information system from the development phase to the testing phase, from the testing phase to the trial operation phase, from the trial operation phase to the industrial operation phase is recorded and documented;
- the development tools and the tested software of the information system are located in different domains;
- compilers, editors and other development tools are not placed in the operational environment or are not available for use from the operational environment;
- the testing environment of the information system corresponds to the operating environment in terms of hardware and software and architecture;
- for the tested information systems, it is not allowed to use real user accounts of systems in commercial operation;
- data from information systems in commercial operation cannot be copied into the test environment;
4) upon decommissioning of the information system, the following are provided:
- archiving of information contained in the information system;
- destruction (erasure) of data and residual information from machine media and (or) destruction of machine media. When decommissioning machine media on which information was stored and processed, the physical destruction of these machine media is carried out with the execution of the relevant act.
Chapter 5. Requirements for application software developed or acquired by a state body, local government body, organization
51. The requirements for the application software of the information system being developed or purchased are determined by a state body, local government body or organization in the terms of reference, drawn up in accordance with the requirements for feasibility studies, terms of reference and technical specifications for the purchase (modernization) of information systems and technologies for state and municipal bodies, enterprises and institutions, developed by the authorized state body.
52. Ready-made application software that is developed or purchased must meet the following requirements:
- provides a user interface, input, processing and output of data in the state, official and/or other languages, if necessary, with the possibility for the user to choose the interface language;
- takes into account the requirements of reliability, maintainability, usability, efficiency, versatility, functionality and cross-platform support;
- provides full-featured virtualization technology support;
- supports clustering;
- provided with technical documentation on operation in the state and official languages.
53. Creation (development) or acquisition of software is provided with technical support and maintenance. Planning, implementation and documentation of technical support and maintenance of software is carried out in accordance with the specifications of the manufacturer, supplier or the requirements of technical documentation of cybersecurity.
54. The process of creating (developing) application software should:
1) provide for:
- creation of an information base of algorithms, source texts and software tools;
- testing and trials of software modules;
- typification of algorithms, programs and cybersecurity tools that ensure information, technological and software compatibility;
- use of licensed development tools;
2) include procedures for acceptance of application software, providing:
- transfer by the developer of the source texts of programs and other objects necessary for the creation of the application software to the owner and (or) holder;
- control compilation of the transmitted source texts with the creation of a fully functional version of the application software;
- execution of a control example on this version of the software.
55. Control over authorized changes to the software and access rights to it is carried out with the participation of employees of the information technology division of the state body, local government body, organization.
56. Application software development requires:
- taking into account the features provided for by the rules for the implementation of the service model of the state e-government infrastructure;
- regulation of cybersecurity issues in software development agreements;
- risk management in the process of application software development.
57. In order to ensure the cybersecurity of state information systems, the following are provided:
1) the requirements for the application software being developed or purchased provide for the use of tools for:
- identification and authentication of users, if necessary by electronic signature, and registration certificates;
- access control;
- integrity control;
- logging user actions affecting cybersecurity;
- protection of online transactions;
- cryptographic protection of information using means of cryptographic protection of information of the appropriate level during storage and processing;
- logging of critical software events;
2) the technical documentation on cybersecurity defines and applies during operation:
- rules for installing, updating and removing software on servers and workstations;
- procedures for change management and for analysis of the application software when the system software changes;
3) the licensed software is used and purchased only if a license is available.
58. Measures to control the legality of the use of software are defined in the technical documentation on cybersecurity, carried out by the cybersecurity unit of a state body, a local government body, an organization at least once a year and include:
- determination of the software actually used;
- determination of rights to use the software;
- comparison of the software actually used and the available licenses.
Chapter 6. Requirements for a technological platform for information systems of state bodies, local self-government bodies, organizations
59. The choice of the technological platform is carried out by the department competent in information technology issues, taking into account the priority of the equipment implementing virtualization technology.
60. When choosing equipment implementing virtualization technology, the need to provide the following functionality is taken into account:
1) decomposition:
- computing resources are distributed between virtual machines;
- multiple applications and operating systems coexist in one physical computing system;
2) isolation:
- virtual machines are completely isolated from each other, and an emergency failure of one of them does not affect the rest;
- data is not transferred between virtual machines and applications, except when using shared network connections or resources;
3) compatibility:
- applications and operating systems are provided with computing resources of equipment implementing virtualization technology.
61. The information systems included in the Register of the state infrastructure of electronic management are placed on the equipment located in the server center of the state body.
The state e-governance infrastructure provides:
- automated provision of electronic services with a single entry point for their management;
- virtualization of computing resources of server equipment using various technologies;
- uninterrupted and fault-tolerant functioning of the electronic services provided, with an availability rate of at least 98.7 percent;
- elimination of a single point of failure at the logical and physical levels by means of used equipment, telecommunications and software;
- separation of computing resources at the hardware and software levels.
The reliability of the virtual infrastructure is provided by the built-in software of virtualization technology and virtual environment management.
62. To ensure cybersecurity when using virtualization technology, the following are implemented:
1) identity management, requiring:
- authentication of users of electronic services;
- identification of users within the same technology platform;
- retention of authentication information after the user identifier is deleted;
- application of controls for procedures for assigning user authority profiles;
2) access control requiring:
- separation of powers of the information system administrator and the virtualization environment administrator;
- restrictions on the access rights of the virtualization environment administrator to the data of the electronic service user. Access rights are limited to specific procedures defined in the technical documentation on cybersecurity and the service agreement on maintenance, and are subject to regular updating;
- application of multi-factor authentication for privileged and critical operations;
- restrictions on the use of roles with all permissions. The settings of the information system administrator profile exclude access to the components of the virtualization environment;
- definition of minimum privileges and implementation of the role-based access control model;
- remote access via a secure gateway or a list of allowed network addresses of senders;
3) encryption key management, requiring:
- control of restriction of access to data on encryption keys of cryptographic protection of information;
- control over the organization of the root directory and key signing;
- blocking compromised keys and their safe destruction;
4) conducting an audit of cybersecurity events, requiring:
- mandatory and regular procedures defined in the technical documentation on cybersecurity;
- conducting audit procedures for all operating systems, client virtual machines, network component infrastructure;
- logging events and storing them in a storage system inaccessible to the administrator;
- checking the correctness of the operation of the event logging system;
- determining the duration of storing event logs in the technical documentation on cybersecurity;
5) registration of cybersecurity events requiring:
- logging of administrators' actions;
- application of a cybersecurity incident and event monitoring system;
- alerts based on automatic recognition of a critical event or cybersecurity incident;
6) cybersecurity incident management, requiring:
- definition of the formal process of detection, identification, evaluation and response to cybersecurity incidents with updating once every six months;
- preparation of reports with the frequency specified in the technical documentation on cybersecurity, based on the results of detection, identification, assessment and response to cybersecurity incidents;
- notifications of responsible persons of a state body, local government body, organization about cybersecurity incidents;
- registration of cybersecurity incidents with the computer incident response service (unit) of the authorized state body in the field of information technology and electronic management and (or) the authorized state body in the field of security;
7) application of protective measures for the hardware and software components of the virtualization environment infrastructure, which provide:
- physical disconnection or blocking of unused physical devices (removable drives, network interfaces);
- disabling unused virtual devices and services;
- monitoring of interaction between guest operating systems;
- control of the mapping of virtual devices to physical devices;
- use of hypervisors;
- physical separation of operational environments from development and testing environments;
- definition of change management procedures for informatization objects in the technical documentation on cybersecurity;
8) definition in the technical documentation on cybersecurity of procedures for recovery after faults and failures of hardware and software;
9) execution of network and system administration procedures requiring:
- ensuring the security of virtual machine images, and monitoring the integrity of the operating system, applications, network configuration, software and data of a state body, local government body or organization, including checking for malicious signatures;
- separation of the hardware platform from the operating system of the virtual machine in order to exclude access by external users to the hardware;
- logical isolation between different functional areas of the virtualization environment infrastructure;
- physical isolation between the virtualization environments of the information system according to the level of cybersecurity.
Chapter 7. Requirements for the hardware and software complex of information systems of state bodies, local self-government bodies, organizations
63. The requirements for the configuration of server equipment of the hardware and software complex are determined by the department competent in information technology issues in the terms of reference for the creation, purchase (modernization) of information systems and technologies for state bodies, local governments, organizations.
64. The choice of a typical configuration of server hardware and software complex is carried out taking into account the priority of servers:
- with multiprocessor architecture;
- allowing resources to be scaled and performance to be increased;
- supporting virtualization technology;
- including tools for management, modification and reallocation of resources;
- compatible with the information and communication infrastructure used.
65. The following built-in facilities are used to ensure high availability of the server:
- hot swapping of backup fans, power supplies, disks and I/O adapters;
- dynamic scrubbing and reallocation of memory pages;
- dynamic redistribution of processors;
- alerts about critical events;
- support for continuous monitoring of the condition of critical components and measurement of controlled indicators.
66. The purchased server equipment is provided with technical support from the manufacturer. Server equipment that is being discontinued is not subject to purchase.
67. In order to ensure cybersecurity, an inventory of server equipment is carried out on a regular basis, as defined in the technical documentation on cybersecurity, with verification of its configuration.
68. To ensure the safety and quality of service, the server equipment of the hardware and software complex of the state infrastructure of electronic management is placed only in the server center of the state body, local government body, organization in accordance with the requirements for server premises established in these Requirements.
69. The requirements for data storage systems are determined by the department competent in information technology issues in the terms of reference for the creation, purchase (modernization) of information systems and technologies for state bodies, local governments, organizations and (or) technical specifications for the purchase of goods, works and services in the field of electronic management.
70. The data storage system provides support:
- unified means for data replication;
- scalability in terms of data storage.
71. For highly loaded information systems requiring high availability, the following are used:
- data storage networks;
- data storage systems that support virtualization and (or) tiered data storage.
72. To ensure high availability, data storage systems include the following built-in facilities:
- hot replacement of backup fans and power supplies;
- hot swapping of disks and I/O adapters;
- alerts about critical events;
- active controllers (in the number of at least two);
- storage network interfaces (in the amount of at least two ports per controller);
- support for continuous monitoring of the condition of critical components and measurement of controlled indicators.
73. The data storage system is provided with a backup system.
74. To ensure cybersecurity, reliable storage and data recovery capability:
- means of cryptographic protection of information are used for stored service information, confidential information, special categories of personal data contained in the databases of the information system;
- a dedicated server is used for secure storage of encryption keys at a security level not lower than the security level of the cryptographic information protection tools used, established for cryptographic keys in the Requirements for cryptographic information protection tools;
- recording and testing of backups is provided in accordance with the backup regulations defined in the technical documentation on cybersecurity.
75. When decommissioning information carriers used in an information system containing confidential information in databases, special categories of personal data, software and hardware are used to ensure the destruction of information.
76. When choosing system software for server equipment and workstations, the following factors are taken into account:
- requirements set forth in the terms of reference for the development (modernization) of the application software of the information system or the task for the design of a service software product;
- compliance with the type of operating systems (client or server);
- compatibility with the application software used;
- support of network services operating in the telecommunications network;
- multitasking support;
- availability of means to obtain and install critical updates and security updates issued by the operating system manufacturer;
- availability of diagnostic tools, auditing and event logging;
- support for virtualization technologies.
77. The acquisition of system software is carried out taking into account the priority:
- licensing model that provides a reduction in the cost of purchase, as well as the total cost of the license for the period of operation;
- software provided with technical support and maintenance.
78. In order to ensure cybersecurity, system software should provide the ability to:
1) access control with the use of:
- identification, authentication and password management of users;
- registration of successful and failed accesses;
- registration of the use of system privileges;
- connection time limits, if necessary, and session blocking for exceeding the time limit;
2) exclusion of users from, and restriction of administrators in, the use of system utilities that can bypass operating system controls.
79. System software is purchased by a state body, a local government body, an organization in accordance with the legislation of the Kyrgyz Republic in the field of public procurement or downloaded free of charge in compliance with the requirements of the legislation of the Kyrgyz Republic on copyright, as well as the terms of licenses for downloadable system software.
(As amended by Resolution No. 45 of the Cabinet of Ministers of the Kyrgyz Republic dated January 31, 2022)
80. The system software is provided with open source code.
(Expired in accordance with the Resolution of the Cabinet of Ministers of the Kyrgyz Republic dated January 31, 2022 No. 45)
81. The system software used in a state body, local government body or organization is refined to support the information interaction formats of the Tunduk electronic interdepartmental interaction system.
82. To ensure the cybersecurity of state information systems when using system software:
- system software supported by the community (association) of developers of system software or that has passed the examination and (or) certification of the program code is allowed to be used;
- the versions of the system software in use are retained.
Chapter 8. Requirements for telecommunications networks of state bodies, local self-government bodies, organizations
83. Departmental (corporate) telecommunications networks are organized by combining local networks through dedicated own or leased communication channels.
Dedicated communication channels intended for combining local networks are organized using channel and network layer protocols.
84. When organizing a departmental (corporate) network by combining several local networks, a radial or radial-node network topology is used. At the nodal points, the dedicated channels are connected to a single border gateway. Cascading (serial) connection of local networks is not used.
85. When designing, a documented scheme of a departmental (corporate) telecommunications network is created and maintained up-to-date during operation.
86. Physical access to equipment for the organization of communication channels is provided by personnel serving a dedicated communication channel.
The equipment is managed by an operator providing a dedicated channel.
Unused ports are blocked in the hardware settings.
87. For the purposes of cybersecurity of communication channels:
1) when organizing a dedicated communication channel connecting local networks, software and technical means of information protection, including encryption using cryptographic information protection means, are used;
2) a dedicated communication channel is connected to the local network via an edge gateway with prescribed routing rules and cybersecurity policy. The edge gateway provides the following minimal set of functions:
- centralized authorization of network nodes;
- configuration of administrator privilege levels;
- logging of administrators' actions;
- static translation of network addresses;
- protection against network attacks;
- monitoring the status of physical and logical ports;
- filtering of incoming and outgoing packets on each interface;
- cryptographic protection of transmitted traffic using cryptographic information protection tools;
3) when interconnecting a departmental (corporate) telecommunications network and the local networks of a state body, local government body or organization, the following are used:
- means of separation and isolation of information flows;
- equipment with components that ensure cybersecurity and secure management;
- dedicated firewalls, or firewalls integrated with the access equipment, installed at each connection point in order to protect the perimeter of the state body, local government body or organization.
When a server is connected to the state electronic management infrastructure or to the local network of a state body, local government body or organization, cybersecurity is ensured through firewalls and separate access gateways installed at the junction of the information system of the state body, local government body or organization with the local network;
4) when connecting a departmental (corporate) telecommunications network and the local networks of a state body, local government body or organization, the services of the telecom operator that provided the Internet connection are used;
5) employees of a state body, a local self-government body, employees of organizations, as well as owners of strategic facilities, critical information infrastructure facilities, for the implementation of operational information exchange (official correspondence) in electronic form, when performing their official duties, use only departmental:
- email;
- instant messaging system and other services.
Departmental e-mail of a state body or local government body is placed in the gov.kg domain zone.
88. In a state body, a local self-government body, an organization, it is allowed to use devices for organizing wireless access only to publicly accessible state information resources in places permitted for visitors to a state body, a local self-government body, an organization.
89. It is not allowed to connect devices for organizing remote access through wireless networks, wireless access points, modems, radio modems, cellular operator network modems and other wireless network devices to the local network of a state body, local government body or organization, or to technical means that are part of that local network.
90. The authorized state body/operator of the state infrastructure of electronic management, at the request of a state body, a local government body, an organization, performs:
- distribution, registration and re-registration of IP addresses of the local networks of a state body, local government body or organization connected to the state infrastructure of electronic management, at the request of a state body, local government body or organization;
- registration of domain names in the gov.kg Internet domain zone at the request of a state body, a local government body, an organization;
- registration of domain names in the network of the state infrastructure of electronic management at the request of a state body, a local government body, an organization;
- provision of DNS service in the network of the state infrastructure of electronic management.
91. State bodies, local self-government bodies, organizations annually:
- request from the authorized state body/operator of the state infrastructure of electronic management a list of categories of Internet resources used on the equipment of the state infrastructure of electronic management;
- select categories of Internet resources from the above list, access to which is restricted for employees of state bodies, local self-government bodies, employees of organizations, and make a list of them;
- send to the authorized state body/operator of the state e-government infrastructure the above list and lists of network addresses of information and communication networks of state bodies, local governments, organizations that have access to the Internet for use on the equipment of the state e-government infrastructure.
92. The authorized state body/operator of the state infrastructure of electronic management carries out delegation (maintenance) of the gov.kg domain zone with the provision of service on the Internet.
93. The requirements for the created or developed local network are defined in the technical specification for the purchase of goods, works and services in the field of electronic management.
94. When designing, a unit competent in information technology issues creates a documented local network diagram, which is kept up-to-date during operation.
95. All elements of the cable system are subject to marking. All cable connections are recorded in the cable connection log.
96. The active equipment of local networks is provided with power supply from uninterruptible power supplies.
97. The following measures are provided for the cybersecurity of the network:
1) unused ports of the LAN cable system are physically disconnected from the active equipment;
2) technical documentation on cybersecurity is being developed and approved, including the rules:
- use of networks and network services;
- connections to international (territorial) data transmission networks;
- connections to the Internet and (or) telecommunications networks, communication networks with access to international (territorial) data transmission networks;
- use of wireless access to network resources;
3) information marked "For official use", information of confidential information systems, state information systems containing special categories of personal data, biometric data, is not transmitted via unsecured wired communication channels and radio channels that are not equipped with appropriate means of cryptographic protection of information. The transfer of information marked "For official use" is carried out in compliance with special requirements for the protection of such information in accordance with regulatory legal acts in this area;
4) means are applied:
- identification, authentication and user access control;
- identification of equipment;
- protection of diagnostic and configuration ports;
- physical segmentation of the local network;
- logical segmentation of the local network;
- network connection management;
- firewalling (inter-network screening);
- hiding the internal address space of the local network;
- monitoring the integrity of data, messages and configurations;
- cryptographic protection of information;
- physical protection of data transmission channels and network equipment;
- registration of cybersecurity events;
- monitoring and analysis of network traffic;
- network management;
5) the interaction of local networks of a state body, a local government body, an organization with each other is carried out only through the Tunduk electronic interdepartmental interaction system, with the exception of special-purpose telecommunications networks and/or government, classified, encrypted and coded communications;
6) the interaction of local networks of a state body, a local government body, an organization with each other is carried out only through the state infrastructure of electronic management, with the exception of special-purpose telecommunications networks and/or government, classified, encrypted and coded communications;
7) interconnection of the local network of the internal circuit with the local network of the external circuit of a state body, local government body or organization is excluded;
8) connection of the local network of the internal circuit of a state body, local government body or organization to the Internet is excluded;
9) connection of the local network of the external circuit of a state body, local government body or organization to the Internet is carried out only through the Tunduk electronic interdepartmental interaction system. Internet connection in any other way is not allowed, except for special and law enforcement state agencies for operational purposes;
10) the top-level exact time infrastructure servers are synchronized with a time and frequency reference reproducing the national Coordinated Universal Time scale UTC (kg).
The exact time infrastructure servers are synchronized with the top-level exact time infrastructure server. The servers of the exact time infrastructure provide access to clients for time synchronization.
Chapter 9. Requirements for systems of uninterrupted functioning of technical means of server equipment and for the server room of a state body, local self-government body, organization
98. The server equipment of the hardware and software complex and data storage systems are located in the server room.
99. The server room is located in separate, non-transit rooms without window openings. If there are window openings, they are closed or sealed with non-flammable materials.
Materials that do not emit or accumulate dust are used for the surface of walls, ceilings and floors. Materials with antistatic properties are used for the floor covering. The server room is protected from the penetration of pollutants.
The walls, doors, ceiling, floor and partitions of the server room ensure that the room is sealed. The doors of the server room are at least 1.2 meters wide and 2.2 meters high and open outward or slide apart. The door frame has no threshold and no central mullion.
100. The server room is equipped with a raised floor and (or) a raised ceiling to accommodate cable systems and engineering communications.
101. No transit utilities pass through the server room. Routes of domestic and fire water supply, heating and sewerage are run outside the server room and are not placed above the server room on upper floors.
102. Building power and low-current cable networks are laid in separate or partitioned cable trays, ducts or pipes, spaced apart from each other. Low-current and power cabinets are installed separately and kept locked.
Cables pass through ceilings, walls and partitions in sections of fireproof pipe sealed with non-combustible materials.
103. The server room is reliably protected from external electromagnetic radiation.
104. When placing equipment in the server room:
- the rules for technical operation of consumer electrical installations approved by the authorized body in the field of energy are observed;
- the installation (mounting) requirements of the equipment suppliers and (or) manufacturer are met, including the load on floors and raised floors given the weight of the equipment and cabling;
- free service aisles for equipment maintenance are available;
- the organization of air flows of the microclimate system is taken into account;
- the organization of the raised floor and raised ceiling system is taken into account.
105. During technical support of the equipment installed in the server room, the department responsible for information technology documents:
- equipment maintenance;
- elimination of problems arising during operation of the hardware and software;
- failures and malfunctions, together with the results of restoration work;
- post-warranty maintenance of critical equipment after the warranty service period.
The form and method of documentation are determined independently by a state body or a local government body, an organization.
106. Maintenance of critical equipment is performed by certified technical personnel.
107. In the immediate vicinity of the server room, a spare-parts store for critical equipment is set up, holding a stock of components and equipment for prompt replacement during repair and restoration work.
108. Intervention in the operation of equipment in service is allowed only with the permission of the head of the information technology department or the person acting for him.
109. The main and backup server rooms are located at a safe distance in buildings that are remote from each other. The requirements for the backup server rooms are identical to the requirements for the main server rooms.
110. To ensure cybersecurity, fault tolerance and reliability of operation:
1) in the server room, methods of equipment arrangement are used to reduce the risks of threats, hazards and opportunities for unauthorized access;
2) the list of persons authorized to carry out maintenance of critical information infrastructure facilities installed in the server room is kept up-to-date;
3) the server room is equipped with systems:
- access control and management;
- providing microclimate;
- security alarm system;
- video surveillance;
- fire alarm system;
- fire extinguishing;
- guaranteed power supply;
- grounding;
4) the fault tolerance of the server room infrastructure should be at least 99.7 percent.
111. The access control and management system provides authorized entry to the server room and authorized exit from it. The locking devices and the design of the entrance door prevent access identifiers from being passed back through the door vestibule in the opposite direction.
The central controller of the access control and management system is installed in separate office premises protected from access by unauthorized persons, including at the security post.
Security personnel have no access to the software of the access control and management system that affects its operating modes.
The access control and management system is powered from a spare circuit of the emergency (on-duty) lighting panel and is provided with a backup power supply.
112. The microclimate system should include air conditioning, ventilation and microclimate monitoring systems. The microclimate systems of the server room should not be combined with other microclimate systems installed in the building.
The temperature in the server room is maintained in the range from 20 °C to 25 °C with a relative humidity of 45 to 55 percent.
The capacity of the air conditioning system must exceed the total heat output of all equipment and systems. The air conditioning system is redundant. The server room air conditioners are powered from the guaranteed power supply system or an uninterruptible power supply system.
The ventilation system supplies fresh air, filtered and, in winter, heated. Positive pressure is maintained in the server room to prevent polluted air from entering from neighboring rooms. Protective dampers controlled by the fire extinguishing system are installed on the supply and exhaust ventilation ducts. The air conditioning and ventilation systems are switched off automatically on a fire alarm signal.
The microclimate monitoring system monitors the climatic parameters in server cabinets and telecommunication racks:
- air temperature;
- air humidity;
- dustiness of the air;
- air flow rate;
- smoke in the air;
- opening (closing) of cabinet doors.
113. The security alarm system of the server room is implemented separately from the security systems of the building. Alarm signals are displayed on a separate console in the round-the-clock security room. All entrances and exits of the server room, as well as its internal volume, are subject to monitoring and protection. The alarm system has its own redundant power supply.
114. The locations of the video surveillance cameras are chosen so as to cover all entrances and exits of the server room and the space and aisles near the equipment. The viewing angle and resolution of the cameras must allow face recognition. The camera images are displayed on a separate console in the round-the-clock security room.
115. The fire alarm system of the server room is implemented separately from the fire alarm system of the building. Two types of sensors are installed in the server room: temperature and smoke.
The sensors monitor the entire space of the server room and the volumes formed by the raised floor and (or) raised ceiling. The fire alarm signals are output to the console in the round-the-clock security room.
116. The server room is equipped with an automatic fire extinguishing system independent of the fire extinguishing system of the building.
The fire extinguishing system is placed directly in the server room or next to it in a cabinet specially equipped for this purpose. It is triggered by early fire detection sensors that respond to the appearance of smoke, and by manual call points located at the exit of the room. The delay before release of the extinguishing agent is no more than 30 seconds. Notification that the fire extinguishing system has been activated is shown on display boards placed inside and outside the room.
The fire extinguishing system issues commands to close the protective dampers of the ventilation system and to switch off the power supply of the equipment. A server room equipped with a fire extinguishing system is also equipped with exhaust ventilation.
117. The guaranteed power supply system provides two power inputs from different external power sources at ~400/230 V, 50 Hz, and an autonomous generator. All power sources are connected to the automatic transfer switch, which switches to the backup input automatically when power at the main input is lost or interrupted. The parameters of the power supply lines and the cross-section of the conductors are determined from the planned total power consumption of the equipment and subsystems of the server room. The power supply lines use a five-wire scheme.
The guaranteed power supply system powers the equipment and systems of the server room through uninterruptible power supplies. The capacity and configuration of the uninterruptible power supplies are calculated for all the equipment being powered, with a reserve for future growth. The battery runtime of the uninterruptible power supplies is calculated from the actual need, the time required to switch to backup lines and the time to bring the generator to operating mode.
118. The grounding system of the server room is implemented separately from the protective grounding of the building. All metal parts and structures of the server room are grounded to a common grounding bus. Each cabinet (rack) with equipment is grounded by a separate conductor connected to the common grounding bus. The exposed conductive parts of the information processing equipment must be connected to the main grounding terminal of the electrical installation. The grounding conductors connecting the surge protection devices to the main grounding bus must be as short and straight as possible (without bends).
Appendix 1
to the Requirements for the protection
of information
contained in databases
of state information systems
TECHNICAL REQUIREMENTS
for means of cryptographic protection of information
Chapter 1. General provisions
1. These Requirements establish general technical requirements for cryptographic information protection tools as technologically complete hardware, software or hardware-software tools, regardless of the country of manufacture and/or cryptographic transformation algorithms implemented in cryptographic information protection tools, with the exception of cryptographic information protection tools designed to protect information constituting state secrets of the Kyrgyz Republic.
2. These Requirements are applied for the purposes of assessing the compliance of cryptographic information security tools in accordance with the procedure established by these Requirements.
3. The means of cryptographic protection of information are intended for:
- maintaining data confidentiality with the help of cryptographic information protection technologies;
- authentication, including data integrity control, using an extension and (or) an electronic signature;
- generation, formation, distribution of keys and (or) key management.
4. The following terms are used in these Requirements:
cryptographic transformation algorithm - a set of a finite number of simple and unambiguously defined rules, depending on a variable parameter (key), that specify the sequence of operations for solving the cryptographic transformation problem;
asymmetric cryptographic transformation algorithm - a cryptographic transformation algorithm in which the forward and reverse transformations use a public key and a secret key, interrelated in such a way that it is computationally difficult to determine the secret key from the public key;
authentication - verification of the authenticity of one or more aspects of an information exchange: the communication session, its time, the communicating parties, the transmitted messages, the data source, the data creation time, the data content;
availability of information - a property of information security whereby access subjects who have the right of access can freely exercise it;
extension (imitation insert) - a fixed-length bit string obtained from data and a key by a defined rule and appended to the data to provide imitation protection;
imitation protection - protection of the communication system against the imposition of false messages;
information - information (messages, data) regardless of the form of its presentation;
key of a means of cryptographic protection of information - a specific secret or (where explicitly stated) public state of some parameters of the cryptographic data transformation algorithm, which selects one transformation from the set of transformations possible for this algorithm;
confidentiality of information - a property of information security whereby access to the information is obtained only by access subjects who have the right to it;
cryptographic strength of a means of cryptographic protection of information - the computational complexity of the best known method (algorithm) for breaking the cryptographic protection of that means;
cryptographic transformation - data transformation by means of encryption, generation (verification) of an extension, or formation (verification) of an electronic signature;
pre-encryption - encryption technically implemented separately from the transmission of the encrypted data over communication channels;
symmetric cryptographic transformation algorithm - a cryptographic transformation algorithm in which the forward and reverse transformations use the same key, or two keys each of which is easily computed from the other;
means of cryptographic protection of information - a software or hardware-software complex that implements algorithms for cryptographic transformations and for the generation, formation, distribution or management of encryption keys;
electronic signature - information in electronic form that is attached to, and (or) logically associated with, other information in electronic form and is used to identify the person on whose behalf the information is signed;
integrity of information - a property of information security whereby the information is either not changed, or is changed only by access subjects who have the right to do so.
Chapter 2. Security levels of cryptographic information protection tools
5. Depending on cryptographic strength, four security levels are established for means of cryptographic protection of information:
first: means of cryptographic protection of information of the first security level are designed to protect information whose disclosure, or a breach of the confidentiality, integrity or availability of which (or of other information protected using the same means of cryptographic protection of information), causes no harm (entails no negative consequences in the social, political, international, economic, financial or other fields of activity) (coefficient 0);
second: means of cryptographic protection of information of the second security level are designed to protect information for which the harm from a breach of confidentiality, integrity or availability (of that information or of other information protected using the same means of cryptographic protection of information) is insignificant - less than 1000 calculated indicators (entails insignificant negative consequences in the social, political, international, economic, financial or other fields of activity) and is easily compensated by the operator of the information system and/or the owner of the information, who can still perform the functions assigned to them, though with reduced efficiency or only with the involvement of additional forces and means (coefficient 1);
third: means of cryptographic protection of information of the third security level are designed to protect information for which the harm from a breach of confidentiality, integrity or availability (of that information or of other information protected using the same means of cryptographic protection of information) is significant - from 1000 to 5000 calculated indicators (entails moderate negative consequences in the social, political, international, economic, financial or other fields of activity) and can be compensated by the operator of the information system and/or the owner of the information, who can perform at least one of the functions assigned to them (coefficient 2);
fourth: means of cryptographic protection of information of the fourth security level are designed to protect information for which the harm from a breach of confidentiality, integrity or availability (of that information or of other information protected using the same means of cryptographic protection of information) is critical - more than 5000 calculated indicators (entails significant negative consequences in the social, political, international, economic, financial or other fields of activity) and cannot be compensated by the operator of the information system and/or the owner of the information, who cannot perform the functions assigned to them (coefficient 3).
6. Means of cryptographic protection of information cannot be recognized as meeting the first, second, third or fourth security level if the computational complexity of existing algorithms for breaking the cryptographic protection they provide is less than 2^50, 2^80, 2^120 or 2^160 combinations to be tried by brute force, respectively.
Chapter 3. General technical requirements for cryptographic protection of information by security levels
7. Generated keys of means of cryptographic protection of information (except public keys) must be sequences of random numbers generated using physical noise generators (for example thermal, diode, radiation or pulse generators) or sequences of pseudo-random numbers generated from random events (for example computer system parameters, mouse movements, keystrokes, timer state).
8. Cryptographic information security tools using the distribution of keys over unsecured communication channels must provide cryptographic protection of keys in order to prevent the disclosure and unauthorized modification of these keys (except for the disclosure of public keys), as well as the imposition of false keys.
9. Any key used for cryptographic protection of information must be used only by one cryptographic transformation algorithm, for example, only for encryption or only for the formation of an electronic signature.
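Item 9 is a key-separation rule: the same key material must never serve two algorithms. The following is an added example of how a product can enforce that rule in software; it is not code from the regulation or from any certified means of cryptographic protection. Per-purpose keys are derived from one master key with HKDF (RFC 5869) over HMAC-SHA256, with the purpose label as the HKDF "info" input, and a registry refuses to bind key material that already serves another purpose. The master key, context string, purpose labels and the `KeyRegistry` class are constructed for this example.

```python
"""
Key-separation layer illustrating item 9 of Appendix 1: one key, one
cryptographic transformation algorithm. Added example; the master key,
context string and purpose labels below are constructed.
"""
import hashlib
import hmac
from typing import Dict


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Extract followed by HKDF-Expand, with HMAC-SHA256."""
    if not salt:
        salt = b"\x00" * hashlib.sha256().digest_size   # RFC 5869 default salt
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyRegistry:
    """Binds every key to exactly one purpose (an encryption algorithm, a MAC
    algorithm, a signature algorithm). Keys derived from the master key differ
    per purpose because the purpose label is the HKDF 'info' input; keys loaded
    from outside go through bind() so that reuse for a second purpose is refused."""

    def __init__(self, master_key: bytes, context: bytes) -> None:
        self._master = master_key
        self._context = context            # HKDF salt; separates deployments
        self._purpose_by_fp: Dict[bytes, str] = {}

    @staticmethod
    def _fingerprint(key: bytes) -> bytes:
        # Handle for the key; the registry never stores the key itself.
        return hashlib.sha256(key).digest()[:8]

    def bind(self, key: bytes, purpose: str) -> bytes:
        """Record that `key` serves `purpose`; refuse it if it already serves another."""
        owner = self._purpose_by_fp.setdefault(self._fingerprint(key), purpose)
        if owner != purpose:
            raise ValueError(f"key already bound to purpose {owner!r}, refused for {purpose!r}")
        return key

    def key_for(self, purpose: str, length: int = 32) -> bytes:
        """Derive (deterministically) the key for one purpose from the master key."""
        key = hkdf_sha256(self._master, self._context, purpose.encode("utf-8"), length)
        return self.bind(key, purpose)


if __name__ == "__main__":
    reg = KeyRegistry(master_key=b"\x11" * 32, context=b"example-deployment")
    enc = reg.key_for("encryption/aes-256-gcm")
    mac = reg.key_for("imitation-insert/hmac-sha256")
    print("separate keys per purpose:", enc != mac)
    try:
        reg.bind(enc, "signature")   # same material offered for a second purpose
    except ValueError as err:
        print("rejected:", err)
```

The purpose label is part of the derivation, so an encryption key and a MAC key derived from the same master never coincide, and `bind()` gives a single place to catch an operator loading one externally supplied key into two algorithms. The same labelled derivation is also the natural building block for the hierarchical key protection items 10 of levels 3 and 4 ask for.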
10. Protection must be provided against unauthorized modification of cryptographic information security tools, including modification or substitution of their elements and modules, in order to exclude the impact on the cryptographic strength of cryptographic information security tools.
11. Technical documentation (design, technological and software documentation, depending on the type of cryptographic information protection tools) must contain a complete description of the algorithms of cryptographic transformations, generation, formation, distribution and key management implemented in cryptographic information protection tools.
12. If cryptographic information protection tools implement algorithms of cryptographic transformations defined by state and interstate standards or other documents in force or applied in the Kyrgyz Republic in accordance with the established procedure, then in the technical documentation, instead of their full description, it is allowed to make references to these documents.
13. The means of cryptographic protection of information must implement algorithms of cryptographic transformations in exact accordance with their description given in the technical documentation.
14. Each set of cryptographic information protection tools should include operational documentation that fully and adequately describes all possible modes of their use and contains a list of all organizational and technical measures necessary to ensure the security of the processed information, including the order and frequency of key changes, the procedure for maintenance of cryptographic information protection tools and actions to be taken to eliminate operator errors and other abnormal situations possible during operation, as well as their consequences.
15. Requirements for means of cryptographic protection of information of the first security level:
1) the key length of the symmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 60 bits;
2) the key length of the asymmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 120 bits;
3) the key length of the implemented asymmetric cryptographic transformation algorithms whose cryptographic strength is based on the computational complexity of factoring a composite number or of the discrete logarithm problem in a finite field must be at least 500 bits;
4) the length of the hash code computed by the means of cryptographic protection of information must be at least 120 bits;
5) the length of the electronic signature generated by the means of cryptographic protection of information must be at least 120 bits;
6) the key generation principle implemented in the means of cryptographic protection of information must ensure that each bit of the key takes the value 1 with a probability in the interval (0.50 ± 0.03).
16. Requirements for means of cryptographic protection of information of the second security level:
1) the key length of the symmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 100 bits;
2) the key length of the asymmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 160 bits;
3) the key length of the implemented asymmetric cryptographic transformation algorithms whose cryptographic strength is based on the computational complexity of factoring a composite number or of the discrete logarithm problem in a finite field must be at least 1500 bits;
4) the length of the hash code computed by the means of cryptographic protection of information must be at least 160 bits;
5) the length of the electronic signature generated by the means of cryptographic protection of information must be at least 200 bits;
6) the key generation principle implemented in the means of cryptographic protection of information must ensure that each bit of the key takes the value 1 with a probability in the interval (0.50 ± 0.01);
7) the means of cryptographic protection of information must implement procedures for computing and verifying control information about keys, in order to prevent the use of keys accidentally distorted at the distribution and loading stage, with a probability of at least 0.9999;
8) for pre-encryption, the means of cryptographic protection of information must implement procedures for computing and verifying control information about the encrypted data, in order to detect accidentally distorted encrypted data with a probability of at least 0.9999;
9) the means of cryptographic protection of information must inform the operator when the encryption mode is established or reset, and when it cannot be established.
17. Requirements for means of cryptographic protection of information of the third security level:
1) the key length of the symmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 150 bits;
2) the key length of the asymmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 250 bits;
3) the key length of the implemented asymmetric cryptographic transformation algorithms whose cryptographic strength is based on the computational complexity of factoring a composite number or of the discrete logarithm problem in a finite field must be at least 4000 bits;
4) the length of the hash code computed by the means of cryptographic protection of information must be at least 250 bits;
5) the length of the electronic signature generated by the means of cryptographic protection of information must be at least 300 bits;
6) the key generation principle implemented in the means of cryptographic protection of information must ensure that each bit of the key takes the value 1 with a probability in the interval (0.500 ± 0.003); the keys must be sequences of random numbers formed using physical noise generators;
7) the means of cryptographic protection of information must implement procedures for forming and verifying extensions (imitation inserts) or electronic signatures for keys, in order to prevent the use of keys accidentally or intentionally distorted at the distribution and loading stage, with a probability of at least 0.999999;
8) for pre-encryption, the means of cryptographic protection of information must implement procedures for forming and verifying extensions or electronic signatures for encrypted data, in order to detect accidentally or intentionally distorted encrypted data with a probability of at least 0.999999;
9) the means of cryptographic protection of information must inform the operator when the encryption mode is established or reset, when it cannot be established, and of other abnormal situations;
10) the means of cryptographic protection of information must provide hierarchical cryptographic protection of keys at the stage of their distribution and management, in order to prevent disclosure and unauthorized modification of these keys (except disclosure of public keys) and the imposition of false keys, or the operational documentation of the means of cryptographic protection of information must contain organizational and technical measures ensuring protection against these threats;
11) the implemented regular procedures for removal (destruction) of keys of the means of cryptographic protection of information must ensure that the keys cannot be recovered.
18. Requirements for means of cryptographic protection of information of the fourth security level:
1) the key length of the symmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 200 bits;
2) the key length of the asymmetric cryptographic transformation algorithms implemented in the means of cryptographic protection of information must be at least 400 bits;
3) the key length of the implemented asymmetric cryptographic transformation algorithms whose cryptographic strength is based on the computational complexity of factoring a composite number or of the discrete logarithm problem in a finite field must be at least 8000 bits;
4) the length of the hash code computed by the means of cryptographic protection of information must be at least 400 bits;
5) the length of the electronic signature generated by the means of cryptographic protection of information must be at least 400 bits;
6) the key generation principle implemented in the means of cryptographic protection of information must ensure that each bit of the key takes the value 1 with a probability in the interval (0.500 ± 0.001); the keys must be sequences of random numbers formed using physical noise generators;
7) the means of cryptographic protection of information must implement procedures for forming and verifying extensions (imitation inserts) or electronic signatures for keys, in order to prevent the use of keys accidentally or intentionally distorted at the distribution and loading stage, with a probability of at least 0.999999999;
8) the means of cryptographic protection of information must implement procedures for forming and verifying extensions or electronic signatures for encrypted data, in order to detect accidentally or intentionally distorted encrypted data with a probability of at least 0.999999999;
9) the means of cryptographic protection of information must inform the operator when the encryption mode is established or reset, when it cannot be established, and of other abnormal situations, and must not pass open (unencrypted) data through themselves into the storage, distribution and subsequent processing of encrypted data;
10) the means of cryptographic protection of information must provide hierarchical cryptographic protection of keys at the stage of their distribution and management, in order to prevent disclosure and unauthorized modification of these keys (except disclosure of public keys) and the imposition of false keys;
11) the implemented regular procedures for removal (destruction) of keys of the means of cryptographic protection of information must ensure that the keys cannot be recovered. If the means of cryptographic protection of information do not implement these procedures, guaranteed deletion (destruction) of keys (except public keys) must be implemented by technical means supplied together with the means of cryptographic protection of information.
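Two of the numeric requirements that recur in items 15 to 18 can be turned directly into checks an evaluator runs against a product: the per-bit probability tolerance on generated keys (item 6 of each level, together with the random-source requirement of item 7 in Chapter 3) and the probability with which control information about a key must catch a distorted key (item 7 of levels 2 to 4). The following is an added example of both checks; it is not code from the regulation or from any certified means of cryptographic protection. The per-level numbers are copied from the text. The key check value is built as a truncated HMAC-SHA256 under a separate key-check key, which is an assumed construction, and the sample keys are derived from a counter with SHA-256 so that the example is reproducible; that counter-based source is only a stand-in and is not a key generator item 7 would accept.

```python
"""
Checks on generated keys and on key control information for items 15-18 of
Appendix 1. Added example; LEVELS holds the numbers from the text, the
HMAC-based key check value and the counter-derived sample keys are constructed.
"""
import hashlib
import hmac
import math
from typing import Dict, List, Optional

# Per-level parameters from Chapter 3 of Appendix 1.
LEVELS: Dict[int, Dict[str, Optional[float]]] = {
    1: {"bias_tol": 0.03,  "detect_p": None},         # item 15.6; no key-check item
    2: {"bias_tol": 0.01,  "detect_p": 0.9999},       # items 16.6, 16.7
    3: {"bias_tol": 0.003, "detect_p": 0.999999},     # items 17.6, 17.7
    4: {"bias_tol": 0.001, "detect_p": 0.999999999},  # items 18.6, 18.7
}


def bit_ones_frequency(keys: List[bytes]) -> List[float]:
    """Fraction of keys in which each bit position is 1 (bit 0 = MSB of byte 0)."""
    n_bits = len(keys[0]) * 8
    ones = [0] * n_bits
    for key in keys:
        if len(key) * 8 != n_bits:
            raise ValueError("all keys must have the same length")
        for i, byte in enumerate(key):
            for j in range(8):
                ones[i * 8 + j] += (byte >> (7 - j)) & 1
    return [c / len(keys) for c in ones]


def bias_within_level(keys: List[bytes], level: int) -> bool:
    """True when every bit position's frequency of 1 lies in 0.50 +/- tolerance.
    Assumption: the probability the Requirements speak of is estimated by the
    observed frequency over the sample, so the sample must be large enough that
    the sampling error sqrt(0.25 / N) is well below the tolerance."""
    tol = LEVELS[level]["bias_tol"]
    return all(abs(f - 0.5) <= tol for f in bit_ones_frequency(keys))


def min_check_bits(detect_p: float) -> int:
    """Smallest tag length t with 2**-t <= 1 - detect_p: a uniformly random
    wrong key then passes the check with probability at most 1 - detect_p."""
    return math.ceil(-math.log2(1.0 - detect_p))


def key_check_value(kck: bytes, key: bytes, level: int) -> bytes:
    """Control information for a key: HMAC-SHA256 under the key-check key,
    truncated to the whole bytes that cover min_check_bits() for the level.
    A keyed MAC also covers the intentional distortion named at levels 3 and 4."""
    detect_p = LEVELS[level]["detect_p"]
    if detect_p is None:
        raise ValueError("level 1 states no key-check requirement")
    n_bytes = (min_check_bits(detect_p) + 7) // 8
    return hmac.new(kck, key, hashlib.sha256).digest()[:n_bytes]


def verify_key_check_value(kck: bytes, key: bytes, kcv: bytes, level: int) -> bool:
    """Constant-time comparison; a wrong length is simply a failed check."""
    return hmac.compare_digest(key_check_value(kck, key, level), kcv)


def sample_keys(n: int, n_bytes: int, clear_msb: bool = False) -> List[bytes]:
    """Constructed sample: keys derived from a counter with SHA-256 (reproducible
    stand-in, not an acceptable generator). With clear_msb=True the top bit of
    every byte is forced to 0, imitating a generator that only emits 7-bit
    values, a bias the check must catch."""
    keys = []
    for i in range(n):
        k = hashlib.sha256(i.to_bytes(4, "big")).digest()[:n_bytes]
        if clear_msb:
            k = bytes(b & 0x7F for b in k)
        keys.append(k)
    return keys


if __name__ == "__main__":
    good = sample_keys(10000, 16)
    bad = sample_keys(10000, 16, clear_msb=True)
    print("unbiased sample meets level 1:", bias_within_level(good, 1))
    print("7-bit sample meets level 1:   ", bias_within_level(bad, 1))
    print("tag bits per level:", {lvl: min_check_bits(p["detect_p"])
                                  for lvl, p in LEVELS.items() if p["detect_p"]})
    kck = b"\x22" * 32                       # constructed key-check key
    kcv = key_check_value(kck, good[0], 4)
    damaged = bytes([good[0][0] ^ 0x01]) + good[0][1:]
    print("genuine key accepted:", verify_key_check_value(kck, good[0], kcv, 4))
    print("damaged key rejected:", not verify_key_check_value(kck, damaged, kcv, 4))
```

The detection probabilities translate into tag lengths of 14, 20 and 30 bits for levels 2, 3 and 4. The bias check is only as good as its sample: with 10000 keys the sampling error per bit is about 0.005, enough for the 0.03 tolerance of level 1 but not for level 4, where the 0.001 tolerance calls for several million sample keys before a pass or fail means anything.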
Appendix 2
to the Requirements for the protection
of information contained in databases
of state information systems
LIST
of technologies set out in international standards for state information systems using encryption systems and cryptographic protection of information, with the exception of information classified as state secrets
1) GOST 28147-89 "Information processing systems. Cryptographic protection. Cryptographic conversion algorithm";
2) GOST R 34.10-2012 "Information technology. Cryptographic protection of information. Processes of formation and verification of EDS";
3) GOST R 34.11-2012 "Information technology. Cryptographic protection of information. Hashing function";
4) GOST R 34.12-2015 "Information technology. Cryptographic protection of information. Block ciphers";
5) GOST R 34.13-2015 "Information technology. Cryptographic protection of information. Modes of operation of block ciphers";
6) GOST 34.310-2004 "Information technology. Cryptographic protection of information. Procedures for the development and verification of an electronic digital signature based on an asymmetric cryptographic algorithm";
7) GOST 34.311-2004 "Information technology. Cryptographic protection of information. Hashing function";
8) RFC 3647 Certificate Policy and Certification Practices Framework (IETF series of international standards);
9) RFC 5280 from the IETF series of international standards (regulating the requirements for the structure of registration certificates and the list of revoked registration certificates);
10) RFC 3280 from the IETF series of international standards (Certificate and Certificate Revocation List (CRL) Profile);
11) RFC 1422 from the IETF series of international standards;
12) RFC 3029 Data Validation and Certification Server Protocols of the IETF series of international standards;
13) ITU-T X.500 series of Standards version 3 (ITU-T X.509, ITU-T X.501);
14) RFC 3161 - Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP);
15) RFC 5816 - update of RFC 3161;
16) RFC 6960 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP;
17) RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2;
18) RFC 4346 - The Transport Layer Security (TLS) Protocol Version 1.1;
19) (RFC 4033, RFC 4034, RFC 4035) DNSSEC;
20) Associated Signature Containers (ASiC) (ETSI EN 319 162-1 V1.1.1 (2016-04));
21) XML Advanced Electronic Signatures ETSI EN 319 132-1 V1.1.0;
22) RFC 4253 SSH;
23) RFC 3447 - (PKCS) #1: RSA Cryptography Specifications Version 2.1;
24) ISO/IEC 18033-3:2005 for AES;
25) ISO/IEC 10118-3 for SHA-1, SHA-256, SHA-384, SHA-512;
26) HMAC RFC 2104 (for imitation inserts);
27) ISO/IEC 9797-1 SMAC, CBC-MAC (for imitation inserts);
28) ISO/IEC 14888-3:2016.