Decree No. 453 / 2011 Coll.
Decree amending Decree No. 523 / 2005 Coll., on the security of information and communication systems and other electronic devices handling classified information and on the certification of shielding chambers
Valid
Order
Effective from 01.01.2012
Text versions:
01.01.2012
29.12.2011
453
DECLARATION
of 21 December 2011
amending Decree No 523 / 2005 Coll., on the security of information and communication systems and other electronic equipment handling classified information and on the certification of the shielding chambers
The National Security Authority shall establish pursuant to § 33 (e), § 34 (6), § 35 (6), § 36 (4) and § 53 (a), (b), (c), (d), (g), (h), (i) and (j) of Act No. 412 / 2005 Coll., on the protection of classified information and on security competence, as amended by Act No. 255 / 2011 Coll.:
Decree No. 523 / 2005 Coll., on the safety of information and communication systems and other electronic equipment handling classified information and on the certification of the shielding chambers, is amended as follows:
1. In Section 1, the words "copying equipment, imaging equipment and typewriter with memory 'are replaced by the words" electronic form in equipment not part of the information or communication system'.
2. in § 1, § 2 (x), § 30 (2) and (3), § 31 (1), (2) and (4), § 32, § 38 (1) (d), § 38 (2) and Annex 2, the word "electromagnetic" shall be deleted;
3. In Article 2, at the end of point (x), the dot is replaced by a comma and the following points (y) and (z) are added:
"(y) the undeniable ability to prove a retroactive action or event so that the action or event cannot subsequently be denied,
(z) the authenticity of the information guarantees that the information is authentic and from reliable sources. ';
4. In Article 3 (1) (c), the word "electromagnetic 'is deleted.
5. In Article 5 (1), the words ", availability of information system services" shall be inserted after the words "classified information," and the last sentence shall be: "Where the function of the information system so requires, the means of ensuring the authenticity of information and non-deniability shall also be laid down."
6. in Article 5, the following paragraph 2 is inserted after paragraph 1:
"(2) The principles of security policy shall be developed in the design of the security of the information system and in the operational security documentation of the information system. ';
Paragraph 2 shall become paragraph 3.
7. In Paragraph 8 (1), the word "or 'shall be deleted at the end of point (b) and the following point (c) shall be inserted after point (b):
"(c) a high-level safety operational mode with formal control of access to information; or"
Point (c) shall be renumbered (d).
8. In Paragraph 8, the following paragraph 4 is inserted after paragraph 3:
"(4) The highest level security operational mode with formal access control is an environment that corresponds to the highest level security operating mode, but where the formal access management also envisages formal central access control management. ';
Paragraphs 4 to 8 shall be renumbered paragraphs 5 to 9.
9. Paragraph 9 (4) reads as follows:
"(4) The transmission of classified information through a communication channel maintained within a secure area or object may be secured, on the basis of a risk analysis, only by means of physical security measures for all components of the communication channel, while the transmitted classified information is not protected by cryptographic protection or is protected by cryptographic protection at a lower level than required for the classification level of the transmitted classified information. The Office shall approve such secure transmission of classified information as part of the certification of the information system. ';
10.Paragraph 9 (6) reads as follows:
"(6) The transmission of classified information by a communication channel conducted outside the object shall be secured by a certified cryptographic device certified for at least the same classification level as the classified information transmitted. ';
11. in Article 9, the following paragraph 7 is added:
"(7) During the certification of the information system, the Authority may, on the basis of a risk analysis submitted, adopt specific security measures to detect the security of the communication channel and to reduce the consequences of the attack, approve a different system of security for the information system than referred to in paragraphs 4 and 6. ';
12. The following Section 9a is inserted after Section 9, including the title:
Secure interconnection of information systems
(1) For the purposes of this Decree, the interconnection of information systems shall mean the direct interconnection of two or more information systems or information systems and an information system for the management of non-classified information with a view to sharing data and other information sources, either unilateral or multidirectional. Interconnection of the information system with another information system or with the information system for the handling of non-classified information may only be made in case of necessary operational needs.
(2) A certified information system may be linked to another certified information system, provided that it has been approved on the basis of a risk analysis in the context of certification of such information systems, the security interfaces between them and are certified for the management of classified information
(a) the same classification level; or
(b) a different classification level, provided that the measures referred to in paragraph 3 are applied.
(3) The interconnection of information systems certified for the handling of classified information of a different level of secrecy shall be carried out in such a way as to prevent the transmission of classified information of a higher level than that for which the information system is certified.
(4) A certified information system must not be linked to a public communication network, except where installed for this purpose has an appropriate security interface between it and a public communication network, approved on the basis of a risk analysis in the context of its certification, so as to prevent penetration into the certified information system and to allow only a controlled data transmission which does not undermine the confidentiality, integrity and availability of classified information and the availability of the services of the certified information system.
(5) A certified information system handling classified information of a classified classification level of Top Secret, or of classified information requiring a special treatment regime marked "ATOMAL," shall not be directly or progressively linked to a public communications network.
(6) Where the public communications network is used exclusively for the transmission of data between information systems or information system locations and the information transmitted is protected by a certified cryptographic device, such connection shall not be considered as a link. An appropriate security interface shall be implemented between the information system and the public communications network to prevent penetration into the information system. The connection shall be subject to risk analysis and shall be approved as part of the certification of the information system. ';
13. In Article 11, the words "and the residual risks and their level shall be determined at the end of the text of paragraph 5, ensuring that only the functions, equipment and services necessary to fulfil the purpose for which the information system is established are implemented 'shall be added.
14. Paragraph 14, including the title, reads:
Requirements for protection against compromising radiation
(1) The components of the information system which handle classified information classified in a confidential or higher level and a security area or object in which classified information is processed in an information system of a confidential or higher level must be secured in such a way that compromising radiation does not cause the release of classified information.
(2) The security requirements against compromising radiation depend on the classification level of classified information handled by the information system and are set out in a safety standard.
(3) The installation of an information system handling classified information of a confidential or higher level, in terms of its security against compromising radiation, must be carried out in accordance with the requirements of the safety standard. The record of installation of the information system components is inserted into the information system security documentation. The content and form of the alert are set out in the safety standard. ';
15. in Article 15 (4), "life" is replaced by "life cycle."
16. in Article 15 (5) and (6):
"(5) The classification level of the classified classified information medium of the classified information level may be reduced, the classification level Confidential may be reduced or cancelled only if the deletion of classified information from it has been carried out in the manner referred to in paragraph 6 or it has been demonstrated that only classified information of a lower level or non-classified information has been stored on it during its current life cycle, or that the classification level of classified information stored on it has been cancelled or reduced. The classification level of the classified information medium of the classified information level Reserved may be cancelled only if the deletion of the classified information has been carried out in the manner referred to in paragraph 6 or it is demonstrated that only non-classified information has been stored on it during its current life cycle or it is established that the classification level of classified information stored on it during its current life cycle has been deleted.
(6) The erasure of classified information from the medium of classified information which allows the reduction or cancellation of its classification level shall be carried out in such a way that the classified information stored on the medium during its current life cycle is difficult to detect even using laboratory methods. The conditions and procedures for safe erasure shall be laid down by the Authority in the safety standard, the procedure shall be indicated in the operational safety documentation of the certified information system and approved as part of its certification. ';
17. In Article 15, the following paragraph 8 is added:
"(8) When using large-capacity interchangeable information media, the management of user access to input and output devices shall be determined in the security policy. ';
18. In Article 16 (2), the words "to hold a natural person's certificate 'are replaced by the words" to meet the conditions for access to classified information by a natural person'.
19. In Paragraph 16, the following paragraphs 3 to 5 are inserted after paragraph 2:
"(3) An information system administrator who performs the function of administrator with full system management rights and a security administrator of the entire information system shall comply with the conditions for access by a natural person to classified information at a level above the highest level of classified information that the information system may dispose of. This does not apply to an information system which is intended for processing classified information of a classified classification level of Top Secret. In the case of an information system administrator that performs the function of administrator with full system management rights and with the security administrator of the entire information system of a small scale or with a low proportion of the processing of classified information of the highest level for processing, or where there is no accumulation of classified information or where only tactical classified information is processed, the Office may, taking into account identified risks, recognise as sufficient compliance with the conditions for access by a natural person to classified information at a level consistent with the highest level of classified information that the information system can handle.
(4) The administrator of an information system that performs the function of administrator with limited system management rights, in particular server management, application management or local administration, and the security administrator of the information system providing a sub-security area, in particular certain security technology or local administration, must comply with the conditions for access to classified information by a natural person to a level identical to the highest level of classified information that the information system can handle.
(5) In the event that the responsible person or the authorised person approves the information system into service for the handling of classified information at a level below that which the classified information may be handled by the information system, the level of classified information for which the information system is approved shall be determined in order to determine the level of conditions for access to classified information by a natural person. ';
Paragraphs 3 and 4 shall be renumbered paragraphs 6 and 7.
20. In Article 17, the following paragraph 3 is added:
"(3) Where this is required by the action for which the information system is set up, the information system shall ensure the undeniability of the actions or events established. If the file service functionality is required in the information system in electronic format 6), the software to which it is implemented must be evaluated during the certification of the information system.
6) Act No. 499 / 2004 Coll., on archiving and file services and amending certain laws, as amended. '
21. In Article 20, paragraphs 5 and 6 are added:
"(5) The minimum security level of the security area for the location of part of the information system in which classified information may be stored shall be determined in accordance with the tables of the points of the lowest physical security security security level set out in Annex 1 to Decree No 528 / 2005 Coll., on physical security and certification of technical means, as amended.
(6) Point assessment of the physical safety of the information system is set out in Annex 3 to this Regulation. "
22. In Article 23, the following paragraph 3 is inserted after paragraph 2:
"(3) The information entering the information system shall be authenticated in an operational information system. ';
Paragraphs 3 to 10 shall be renumbered paragraphs 4 to 11.
23. In Article 23, the following paragraph 9 is inserted after paragraph 8:
"(9) In a secure area in which the components of the classified information management information system classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified classified in the public or business authority at the request of the State authority or entrepreneur, a check shall be carried out to detect the unauthorised use of technical means of information. This check shall be carried out before the first processing of classified information and, as a general rule, at a two-year interval. ';
Paragraphs 9 to 11 shall be renumbered paragraphs 10 to 12.
24. in Article 24 (1) (a) (1) and (2), the words "if allocated" shall be inserted after the words "identification number."
25. in Article 24 (1) (a) (2), the words "permanent residence" shall be replaced by "permanent residence or similar residence for a stranger."
26. In Article 24 (1), the words "or a copy of a valid business statement 'shall be added at the end of the text of point (f).
27. in Article 27, the following paragraph 1 is inserted:
"(1) The Communication System Security Project shall include the following elements:
(a) the security policy of the communication system;
(b) organisational and operational procedures for the operation of the communication system;
(c) operational directives for the security management of the communication system; and
(d) operational guidelines for the user of the communication system. ';
Paragraphs 1 to 4 shall be renumbered paragraphs 2 to 5.
28. in § 28 (2) (c), § 33 (1) (c), § 37 (b), the words "to be familiar with classified information" shall be replaced by the words "or a copy of a valid business statement."
29. in Paragraph 28 (2), the words "or a copy of a valid business statement" shall be added at the end of the text of point (f).
30. in Paragraph 28 (3), "27 (2)" is replaced by "27 (3)."
31. in Paragraph 29 (1), "27 (2)" is replaced by "27 (3)," 27 (3) "is replaced by" 27 (4) "and" 27 (4) "is replaced by" 27 (5). "
32. In the title of Part Four, the word "ELECTROMAGNETIC 'is deleted.
33. In Part Four, the following Section 29a is inserted at the beginning of Title I:
Compromise radiation is the radiation of electrical and electronic devices that could cause the leak of classified classified classified classified classified classified classified classified classified, classified or confidential. "
34. In Paragraph 30 (1) of the Introductory Part of the provision, the words "to protect against leakage of information by compromising radiation 'are inserted after the word" object'.
35. in Paragraph 32, the following paragraph 1 is added:
"(1) The shield chamber is a closed shielded space to prevent the spread of electromagnetic, optical and acoustic radiation outside that space. ';
The current text becomes paragraph 2.
36. In Article 38 (1), the words "the operation of a copying device, imaging device or typewriter with a memory that is not part of an information or communication system 'are replaced by the words" the processing of classified information in electronic form in a device that is not part of an information or communication system, in particular in a typewriter with a memory and in a device enabling the copying, recording or displaying of classified information or its transfer to another data format'.
37. in Paragraph 38 (2), the words "Copying equipment, imaging equipment and typewriter with memories used for the processing of classified information of a confidential or higher level shall be replaced by" the equipment referred to in paragraph 1 which is used for the processing of classified information of a confidential or higher level shall be secured. "
38. In Article 38 (3), the words "Copying equipment, imaging equipment and typewriter with memory must be placed 'are replaced by the words" Equipment referred to in paragraph 1 must be placed'.
39. in Paragraph 38 (4), the words "Copying equipment, imaging equipment and typewriters with memory must be physically protected" shall be replaced by the words "The equipment referred to in paragraph 1 must be physically protected."
40. In Paragraph 38 (5), the words "copying equipment, imaging equipment and typewriter with memory 'are replaced by the words" equipment referred to in paragraph 1'.
41. in Paragraph 38 (6), the words "With copying equipment and imaging equipment" shall be replaced by the words "With equipment referred to in paragraph 1" and the words "with components and memories" shall be replaced by "with components."
42. In Article 38 (7), the words "copying equipment, imaging equipment and typewriters with memory 'are replaced by the words" equipment referred to in paragraph 1'; the word "memory 'is replaced by the words" components'; at the end of the text the words "pursuant to paragraph 15, otherwise it must not be subject to service activity ';
43. The following Annex 3 is added, including the title:
"Annex No 3 to Decree No 523 / 2005 Coll.
PHYSICAL SECURITY OF INFORMATION SYSTEMS (IS)
1.1. DATA PROCESSING
1.1.1. A given part of the information system may only display and process or transmit classified information:
SS1 = 4 points
If one or more parts of the information system are located in the secure area, the lowest of the values of the SS1 parameter related to each part of the information system shall be used.
1.2. CLAIMING THE SECRET INFORMATION ON COMPUTER MEDIES (ALL NON-RELATED MEMORY MEDIA)
The premises in which information systems are used to store classified classified information of a level reserved and higher shall be established as secure areas.
1.2.1. The stored data is encrypted with a certified cryptographic device
SS1 = 4 points
In addition to the SS1 parameter that applies to stored encrypted data, it is also necessary to work with the S1 cryptographic device parameter.
1.2.2. The stored data is not encrypted
SS1 = 1 point
1.3.1. Identification by name and authentication of an item with encrypted content and transmission:
SS2 = 4 points
The cryptographic mechanisms of the article used for authentication shall be certified by the Office.
This method of authentication is the security equivalent of the lock of the storage object type 4.
1.3.2. Identification by name and authentication of an item with encrypted content:
SS2 = 3 points
The cryptographic mechanisms of the article used for authentication shall be certified by the Office.
This method of authentication is the security equivalent of a type 3 storage facility lock.
1.3.3. Identification by name and authentication by object
SS2 = 2 points
The object used for authentication shall be approved by the Authority in the context of the certification of the information system.
This method of authentication is the security equivalent of the lock of the type 2 storage object.
1.3.4. Identification by name and password authentication
SS2 = 1 point
The minimum length and method of creating the password shall be approved by the Office in the context of the certification of the information system.
This method of authentication is the security equivalent of the lock of the type 1 storage object.
From points SS1 and SS2 obtained in accordance with points 1.1 or 1.2 and point 1.3 of this Annex, the S1 shall be calculated:
(S1) = SS1 x SS2
The value of SS1 and SS2 may be used in the table of point values of the lowest security level of the secured area or negotiating area. ';
Efficacy
This Decree shall take effect on 1 January 2012.
Director:
Ing.
Sign in for notes, favorites and notifications
Regulation Information
| Citation | Decree No. 453 / 2011 Coll., amending Decree No. 523 / 2005 Coll., on the safety of information and communication systems and other electronic devices handling classified information and on the certification of shielding chambers |
|---|---|
| Regulation Type | Order |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 29.12.2011 |
|---|---|
| Effective from | 01.01.2012 |
| Effective until | - |
| Status | Valid |
The regulation text is for informational purposes only.
Comments 0