Information systems security classes
Information security systems are classed by the degree of protection they give to the data they hold. Establishing the actual security class of a system determines for what purposes, and for information of what sensitivity, it may be used. International standards describe these security classes and so provide a security model on which most government and corporate information systems (IS) can be built.
What is contained in the standard
A governing document that sets requirements for the information systems of enterprises and organizations and for their security classes can be called a standard only if it defines:
- a common conceptual apparatus understood by specialists at all levels;
- a unified scale for measuring information security classes;
- a technology for assessing the security level that is shared by the whole community of specialists: developers, users and regulators;
- the degree of compatibility required of the software and hardware that implement the current information security model;
- not only recommendations but also norms that are binding on all market participants.
The standards of the Russian FSTEC are largely based on international ones. The difference between the Russian model of information security and, for example, the American one is that in the United States the standards that determine the degree of protection of private business systems are advisory, whereas for Russian business entities that are operators of personal data they are mandatory.
Information security standards that establish protection classes solve the following tasks:
- for manufacturers, they define sets of requirements, help improve the quality of software, and make it possible to obtain current data on the protection of confidential information;
- for consumers, they help build an IS of guaranteed quality by specifying the requirements for its software and hardware.
In defining the classes of information security, standards set requirements for:
- security auditing of confidential data, including access auditing, auditing of information security incidents, and auditing of infrastructure health;
- security models, including the risk model and the model of the IS infrastructure;
- methods and means of building the information security architecture;
- the means of cryptographic protection used;
- protection models for internetworking protocols;
- the logic of managing the information security architecture.
Security classes of information systems are established by standards that govern the construction of the IS as a whole, for example the requirements for state information systems (GIS) that process information not classified as a state secret.
International standards in the field of description of types of information security
The classes of information security systems are defined in several international standards issued by various public and state organizations. They are often based on the model proposed in the US Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Among security specialists, TCSEC is commonly referred to as the "Orange Book".
In this standard, systems are divided into four divisions. Division D (minimal protection) is the lowest and division A the highest, while divisions B and C are subdivided into classes by degree of protection, so the American model has the classes C1, C2, B1, B2, B3 and A1.
The higher the division, the stricter the requirements on the system by each criterion. The first of these criteria is the access control mechanism. Division C is described as discretionary protection: its basic mechanism is the separation of access rights between users and files.
For class C1, the following basic requirements must be met:
- a discretionary model separating user access rights at the file level is implemented, and the access control mechanism is protected from interference, including erroneous actions of system administrators;
- the IS identifies users before granting them access;
- the authentication mechanism excludes unauthorized access;
- the programs that manage computing resources run in their own protected domain, shielded from external interference;
- the IS monitors the health of its infrastructure;
- the protection mechanisms have been tested to confirm that there is no obvious way to bypass or defeat the protection of the trusted computing base (TCB);
- organizational documents have been prepared that describe the operating criteria of the IS and the rules for user actions.
For class C2, requirements are added that make each user accountable for incorrect or unauthorized actions:
- access rights are specified for each user and granted on the principle of least privilege, and access is controlled for every object;
- user actions on objects are recorded in the audit logs of the operating system;
- every user is individually identified, so that the audit trail attributes each operation on a file, database or account to a specific person;
- testing confirms the absence of obvious flaws in the mechanisms that isolate resources and protect the audit records.
This protection model is adequate for systems processing information of up to medium confidentiality.
Division B requires a more advanced access control architecture. For class B1, the following requirements must be met:
- a mandatory access control model assigns sensitivity labels to subjects (users) and objects (files, resources); access is granted only when the comparison of the subject's clearance with the object's label permits it under the policy (for example, a read is allowed only when the clearance dominates the object's label);
- access of all subjects to all objects is controlled;
- the most important processes are isolated in separate address spaces;
- the IS architecture, source code and current state of program files are regularly checked to reveal unauthorized changes;
- a security policy model (informal or formal at this class) is documented and reflected in the system architecture.
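To make the class C2 (individual accountability, audit) and class B1 (labels, mandatory control) requirements above concrete, here is an added example in Python; it is not code from the original page and not part of TCSEC itself. It is a minimal reference monitor that combines a per-user ACL with default deny (discretionary control, class C), a label comparison in the Bell-LaPadula style on which the Orange Book's mandatory control is modelled (class B1: a read is allowed only when the subject's clearance dominates the object's label, a write only when it cannot leak information downward), and an audit record that attributes every decision to an identified user (class C2). The level names, user names, file names and policy are constructed for illustration; `Label`, `ReferenceMonitor` and the helper functions are hypothetical names.

```python
"""Minimal reference monitor: DAC (class C), labels/MAC (class B1), audit (class C2).

Added example; the level names, users, objects and policy are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Ordered sensitivity levels, lowest first (constructed for the example).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a set of compartments (need-to-know)."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high as `other` in the lattice:
        the level is not lower and the compartments are a superset."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


@dataclass
class ReferenceMonitor:
    acl: Dict[str, Dict[str, Set[str]]]      # object -> user -> permitted actions (DAC)
    clearances: Dict[str, Label]             # subject -> clearance label
    classifications: Dict[str, Label]        # object -> classification label
    audit_log: List[dict] = field(default_factory=list)

    def check(self, user: str, obj: str, action: str) -> bool:
        """Decide one request and record the decision together with the user's
        identity, so every operation can be attributed to a person (C2)."""
        allowed, reason = self._decide(user, obj, action)
        self.audit_log.append({"user": user, "object": obj, "action": action,
                               "allowed": allowed, "reason": reason})
        return allowed

    def _decide(self, user: str, obj: str, action: str) -> Tuple[bool, str]:
        if user not in self.clearances or obj not in self.classifications:
            return False, "unknown subject or object"
        # Discretionary check: an absent ACL entry means no right (default deny).
        if action not in self.acl.get(obj, {}).get(user, set()):
            return False, "denied by ACL"
        subject, objl = self.clearances[user], self.classifications[obj]
        # Mandatory check, Bell-LaPadula style: the ACL cannot override it.
        if action == "read" and not subject.dominates(objl):
            return False, "MAC: clearance does not dominate object label (no read up)"
        if action == "write" and not objl.dominates(subject):
            return False, "MAC: object label does not dominate clearance (no write down)"
        return True, "allowed by ACL and MAC"


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed policy: two users, three objects, per-object ACLs."""
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    return ReferenceMonitor(
        acl={
            "payroll.db": {"alice": {"read", "write"}, "bob": {"read", "write"}},
            "keys.txt": {"alice": {"read"}, "bob": {"read"}},
            "public.txt": {"alice": {"read", "write"}, "bob": {"read", "write"}},
        },
        clearances={"alice": secret_crypto, "bob": Label("CONFIDENTIAL")},
        classifications={
            "payroll.db": Label("CONFIDENTIAL"),
            "keys.txt": secret_crypto,
            "public.txt": Label("UNCLASSIFIED"),
        },
    )


DEMO_REQUESTS = [
    ("alice", "payroll.db", "read"),    # ACL ok, SECRET dominates CONFIDENTIAL: allowed
    ("alice", "payroll.db", "write"),   # ACL ok, but it is a write down: MAC denies
    ("bob", "keys.txt", "read"),        # ACL ok, but it is a read up: MAC denies
    ("bob", "payroll.db", "write"),     # equal labels, ACL ok: allowed
    ("alice", "keys.txt", "write"),     # no write right in the ACL: DAC denies
    ("mallory", "public.txt", "read"),  # unidentified subject: denied
    ("alice", "public.txt", "read"),    # read down: allowed
]


def run_demo() -> ReferenceMonitor:
    """Evaluate the constructed requests; the decisions end up in the audit log."""
    monitor = build_demo_monitor()
    for req in DEMO_REQUESTS:
        monitor.check(*req)
    return monitor


def who_touched(monitor: ReferenceMonitor, obj: str) -> List[Tuple[str, str, bool]]:
    """Answer the C2 question 'who did what to this object?' from the audit trail."""
    return [(e["user"], e["action"], e["allowed"])
            for e in monitor.audit_log if e["object"] == obj]


if __name__ == "__main__":
    m = run_demo()
    for entry in m.audit_log:
        print(entry)
    print(who_touched(m, "payroll.db"))
```

The third request is the one worth noticing: bob's ACL entry would let him read `keys.txt`, but the label check denies it, which is exactly the difference between a class C system (the owner's ACL is the last word) and a class B1 system (labels are enforced regardless of the ACL).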
Class B2 adds further tasks:
- all IS resources receive sensitivity labels;
- a trusted path exists for identification and authentication, so the administrator who configures these functions, and users who rely on them, communicate directly with the components that perform them;
- all security-relevant events are logged, and access to the log archives is restricted;
- the database is structured: it is divided into independent modules that store data of different degrees of confidentiality or different subject areas;
- the developer responsible for the IS architecture systematically searches for covert channels through shared memory and storage and estimates the maximum bandwidth of each channel found;
- an internal or external audit has tested the database for resistance to penetration and confirmed its effectiveness;
- the formal security policy model is fully reflected in the system architecture;
- a configuration management process controls changes to files, infrastructure, source code, the working version of the object code, test data and documentation;
- tests confirm that confidential information is transmitted over protected channels.
Implementing these requirements yields a highly protected infrastructure that preserves its own integrity and prevents data leaks. Class B3 adds still more demanding requirements:
- access control lists are documented;
- a mechanism monitors security-relevant events, immediately notifies a trusted employee of them, records them and analyzes the data;
- the IS architecture is designed so that the protection mechanisms are as small and simple as possible;
- recovery after a failure takes place in the shortest possible time;
- the system has a trusted security administrator role, and other IT staff cannot gain access to the protected resources;
- the resistance of the system to penetration attempts has been demonstrated to the regulator.
Meeting these requirements makes it possible to use the infrastructure to protect highly confidential information.
For division A, a verified design is implemented: in addition to the requirements of class B3, the following apply:
- the audit has shown that the architecture of the information infrastructure corresponds to its formal top-level specification;
- modern methods of system verification are applied; in Russian conditions this means the use of certified solutions;
- the system is managed and monitored at all stages of its life cycle.
These requirements correspond to those applied to the protection of state information systems.
Other international and national standards
The US Department of Defense certification rules do not always match the systems being built in other states, where large companies or governments would like to see more robust protection. The Information Technology Security Evaluation Criteria (ITSEC), issued in 1991, are still referenced and formally meet the requirements for information systems; in some respects they overlap with the requirements of the Orange Book, although in practice both have largely been superseded by the Common Criteria (ISO/IEC 15408).
In Russia the standards are set by FSTEC. Order No. 17 establishes the security classes of state information systems (GIS). A system is attested for the class defined in the appendix to the order, and only then is it put into operation.
The class is determined by the quality of the system's preparation in the following areas:
- identification and authentication of users and information resources;
- management of differentiated user access;
- restriction of the software environment, including running important processes in separate address spaces;
- protection of storage media, removable and fixed drives;
- logging of security events;
- anti-virus protection;
- detection of intrusions and their suppression and prevention;
- security auditing of data;
- integrity of the IS and its information;
- availability of information;
- protection of the virtualization environment;
- protection of the IS, of the software and hardware means of information protection, and of communication and data transmission systems.
Each component of the system's protection is also rated by its degree of protection; in a system of a given class it is unacceptable to use software or hardware certified below the class of the system itself. There are three classes of protection in total, and the class is determined by the scale of the information system (federal, regional, object-level) and by the significance level of the protected information. This classification standardizes the requirements for developers and customers alike.