National Security Office Decree No. 56 / 1999 Coll.

Ordinance of the National Security Office on the security of classified information systems, their certification and certification requirements

Status: Valid. Effective from 30.03.1999
Text versions: 30.03.1999
56
DECREE
of the National Security Office
of 19 March 1999
on the security of information systems handling classified information, the performance of their certification and the requirements of the certificate
The National Security Office (hereinafter referred to as "the Office") provides, pursuant to Sections 51 (3) and 53 (3) of Act No. 148 / 1998 Coll., on the protection of classified information and on the amendment of certain acts (hereinafter referred to as "the Act"):
§ 1
Subject matter
This Decree sets out the security requirements for information systems handling classified information (hereinafter referred to as the "information system"), the minimum requirements in the field of computer security, the procedure and method of certification of information systems, and the particulars of the certificate.
§ 2
Definition of terms
For the purposes of this Decree, the following terms mean:
(a) an asset of the information system: the hardware, the software, the classified information (hereinafter referred to as "classified information") stored in the information system and the documentation of the information system;
(b) an information system object (hereinafter referred to as "object"): a passive element of the information system which contains or receives information;
(c) an information system entity (hereinafter referred to as "entity"): an active element of the information system which causes information to flow between objects or changes the state of the system;
(d) risk analysis: the process in which the assets of the information system, the threats to those assets, the vulnerabilities of the information system, the likelihood of a threat being realised and an estimate of its consequences are determined;
(e) an audit record: a record of events which may affect the security of the information system;
(f) authentication of an entity: the process of verifying its identity to the required level of assurance;
(g) authorisation of an entity: the granting of specified rights to carry out designated activities;
(h) a security mechanism: the means by which a security function is implemented;
(i) security operational mode: the environment in which the information system operates, characterised by the classification level of the classified information and the authorisation levels of the users;
(j) confidentiality of classified information: its property which prevents classified information from being disclosed to an unauthorised entity;
(k) physical security of the information system: the measures used to ensure the physical protection of the assets of the information system against accidental or intentional threats;
(l) integrity of an asset of the information system: its property which allows it to be changed only in a specified manner and only by an authorised entity;
(m) communication security: the measures used to ensure the protection of classified information when it is transmitted over telecommunications channels;
(n) computer security: the security of the information system provided by its hardware and software;
(o) mandatory access management: the means of restricting access by entities to objects on the basis of a comparison of the classification level of the information contained in the object with the level of authorisation of the entity for access to classified information, and of ensuring the correct flow of information between objects of different classification levels, independently of the choice made by the user;
(p) risk to the information system: the likelihood that a threat exploits a vulnerability of the information system;
(r) a role: the set of designated activities and the authorisations required for them that are assigned to a user in the information system;
(s) access management: the means of restricting access by entities to objects so that only an authorised user or process obtains access to them;
(t) optional (discretionary) access management: the means of restricting access by entities to objects on the basis of a check of the entity's access rights to the object, whereby a user holding certain access rights to an object may choose which other entities to pass those access rights to, and may thus influence the flow of information between objects.
Safety requirements for information systems
§ 3
Security of information systems
(1) The security of the information system consists of a system of measures from the area of:
(a) computer and communication security;
(b) administrative security and organisational measures;
(c) personnel security;
(d) physical security of the information system.
(2) The system of measures referred to in paragraph 1 is specified in the security documentation of the information system.
§ 4
Information system security documentation
(1) The security documentation of the information system consists of:
(a) project security documentation of the information system;
(b) the operational security documentation of the information system.
(2) The information system project security documentation shall include:
(a) the security policy of the information system and the risk analysis assessment;
(b) draft security measures for the different phases of the information system proposal;
(c) documentation for the safety tests of the information system.
(3) The operational security documentation of the information system shall include:
(a) the information system security directive describing the activities of the security administrator in the relevant information system;
(b) security directives for individual types of users of the information system.
(4) The security documentation referred to in paragraphs 2 and 3 (a) shall be classified and identified by a classification level identical to the highest classification level of classified information handled by the information system.
§ 5
Access requirements for classified information in the information system
(1) Access to classified information in the information system may only be granted to a designated person authorised for such access. Authorization is based on a unique user identifier within the information system.
(2) Access to classified information in the information system may be granted only to those persons who necessarily need such access to carry out their activities. Such persons shall be authorised only to the extent necessary to carry out their designated activities in the information system.
§ 6
Requirement of responsibility for activities in the information system
(1) Users of the information system are responsible for complying with their obligations to ensure the security of the information system. These obligations shall be laid down in the operational security documentation of the information system, including the determination of responsibility for the protection of the individual assets of the information system.
(2) In the information system, the role of the security administrator of the information system is introduced separately from that of the information system administrator.
(3) The role of the security administrator of the information system includes the performance of the security management of the information system, consisting in particular of the allocation of access rights, the management of authentication and authorisation information, the evaluation of audit records, the updating of security directives, the preparation of security incident reports and other activities set out in the operational security documentation of the information system.
(4) Information on the activity of entities in the information system shall be recorded in such a way that breaches, or attempted breaches, of the security of the information system can be attributed to a specific user in each of his roles in the information system. Records shall be kept for the period specified in the security policy of the information system.
§ 7
Request for classification marking information
Classified information output from the information system in any form shall be marked with the appropriate classification level in such a way that the specified level of confidentiality is respected in any subsequent handling of that information.
§ 8
Information system security policy
(1) For each information system, the security policy of the information system must already be developed at the initial stage of its development. The security policy of the information system shall consist of a set of standards, rules and procedures which define how confidentiality, integrity and availability of classified information and the responsibility of the user for his activities in the information system are to be ensured. Security policy principles are developed in the information system's project and operational security documentation.
(2) The security policy of the information system must be processed in accordance with the legislation and international treaties by which the Czech Republic is bound and with the security policy of the superior body, if it has been processed.
(3) International standardised security specifications 1)
§ 9
Information system security policy formulation requirements
The security policy of the information system shall be formulated on the basis of:
(a) minimum security requirements in the field of computer security;
(b) system-dependent security requirements, user requirements and the results of the risk analysis;
(c) the security requirements of the security policy of the superior authority, if any.
§ 10
Minimum security requirements in the field of computer security
(1) The information system handling classified information of the "Confidential" level or higher shall include the following minimum security functions:
(a) unambiguous identification and authentication of the user, which must precede all other user activity in the information system and must ensure the confidentiality and integrity of authentication information;
(b) optional (discretionary) management of access to objects, based on the distinction and management of user access rights and on the identity of the user or his membership of a group of users;
(c) continuous recording, in audit records, of events which may affect the security of the information system, and protection of the audit records from unauthorised access, in particular from modification or destruction. In particular, the use of identification and authentication information, attempts to exercise access rights, the creation or deletion of an object, and activity of authorised users affecting the security of the information system shall be recorded;
(d) the possibility of examining audit records and determining the responsibility of the individual user of the information system;
(e) the treatment of memory objects before their reuse, in particular before their allocation to another entity, in a manner which makes it impossible to determine their previous content;
(f) the protection of the confidentiality of data during network transmission, so that classified information is protected in an appropriate manner while in transit between source and destination.
(2) In order to provide the minimum security functions referred to in paragraph 1, identifiable hardware and software mechanisms are implemented in the information system. Their implementation and operational settings shall be documented in such a way that they can be independently checked and their adequacy assessed.
(3) The security mechanisms applying the security policy of the information system must be protected from disturbances or unauthorised changes throughout the entire life cycle of the information system.
(4) In an information system handling only classified information of the "Reserved" level, the user's responsibility for his activities in the information system shall be ensured and access to classified information may be permitted on the basis of the principle of need for access to the information. The security functions referred to in paragraph 1, as well as measures relating to personnel, administrative and physical security of information systems, shall be applied in an appropriate manner.
§ 11
System-dependent security requirements derived from the security operational mode
(1) Information systems may only be operated in one of the following security operational modes:
(a) dedicated security operational mode;
(b) system-high security operational mode;
(c) multi-level security operational mode.
(2) The dedicated security operational mode is an environment in which the information system is intended exclusively for the processing of one specific type of classified information, all users being cleared for access to classified information of the highest level contained in the information system and, at the same time, authorised to work with all classified information contained in the information system. The security of an information system operated in the dedicated security operational mode shall be ensured by compliance with the minimum security requirements in the field of computer security referred to in Section 10 (1) (a), (c), (d) and (f), as well as by measures in the field of administrative, personnel and physical security of information systems. The level of the measures applied from those areas and of the measures ensuring the confidentiality of data during transmission shall correspond to the level required for the highest level of classified information handled by the information system.
(3) The system-high security operational mode is an environment which allows the simultaneous processing of classified information of different classification levels, in which all users must be cleared for access to classified information of the highest level contained in the information system, while not all users need be authorised to work with all classified information. The security of an information system operated in the system-high security operational mode shall be ensured by compliance with the minimum security requirements in the field of computer security referred to in Section 10, as well as by measures in the field of administrative, personnel and physical security of information systems. The level of the measures applied from those areas and of the measures ensuring the confidentiality of data during transmission shall correspond to the level required for the highest level of classified information handled by the information system.
(4) The multi-level security operational mode is an environment which allows the simultaneous processing of classified information of different classification levels in one information system, in which not all users are cleared to work with classified information of the highest level contained in the information system, and not all users need be authorised to work with all classified information. The security of an information system operated in the multi-level security operational mode shall be ensured by the measures referred to in paragraph 3 and by the security function of mandatory management of the access of entities to objects. The level of administrative and personnel security, physical security of information systems and measures ensuring the confidentiality of data during transmission shall be determined on the basis of the principle of mandatory access management.
(5) The security function of mandatory management of the access of entities to objects must ensure:
(a) a permanent association of every entity and every object with a security attribute which, for an entity, expresses its level of authorisation and, for an object, its classification level;
(b) protection of the integrity of the security attribute;
(c) that only the security administrator of the information system is authorised to change the security attributes of entities and objects;
(d) the assignment of predefined attribute values to newly created objects, and preservation of the attribute when an object is copied.
(6) The following principles shall be ensured in the application of the security function of the mandatory management of access of entities to objects:
(a) the entity may only read the information in the object if its level of authorisation is equal to or higher than the classification level of the object;
(b) the entity may only enter information in the object if the level of its authorisation is equal to or less than the classification level of the object;
(c) access to the information contained in the object is possible only if it is permitted both by the rules of mandatory access management and by the rules of optional (discretionary) access management.
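The access rules of paragraphs (5) and (6) above, modelled as a small reference monitor. This is an added illustration, not text or code from the decree: the level names are the decree's, but their ordering, the default attribute for new objects, the ACL format and the user names are constructed assumptions.

```python
"""Reference monitor for the mandatory access rules of Section 11 (5) and (6).

Added illustration, not part of the decree. Level names follow the decree; the
ordering, default level, ACL format and user names are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Classification levels named in the decree, lowest to highest (ordering assumed).
LEVELS = ("Reserved", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Section 11 (5) (d): predefined attribute for newly created objects (assumed value).
DEFAULT_NEW_OBJECT_LEVEL = "Confidential"


@dataclass
class Entity:
    """Active element (Section 2 (c)) with its authorisation level (Section 11 (5) (a))."""
    name: str
    clearance: str
    security_admin: bool = False


@dataclass
class Obj:
    """Passive element (Section 2 (b)) carrying a classification level and a DAC list."""
    name: str
    level: str
    acl: dict = field(default_factory=dict)  # optional access management, Section 2 (t)


class ReferenceMonitor:
    def __init__(self):
        self.objects: dict = {}
        self.audit: list = []  # Section 10 (1) (c): events affecting security are recorded

    def _log(self, entity, action, obj, allowed, reason):
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{entity.name} {action} {obj.name}: {verdict} ({reason})")

    def _dac(self, entity, obj, right):
        return right in obj.acl.get(entity.name, set())

    def create(self, entity, name, level=DEFAULT_NEW_OBJECT_LEVEL):
        """New objects receive the predefined attribute value (Section 11 (5) (d))."""
        obj = Obj(name, level, {entity.name: {"read", "write"}})
        self.objects[name] = obj
        self._log(entity, "create", obj, True, f"level={level}")
        return obj

    def copy(self, entity, src, new_name) -> Optional[Obj]:
        """A copy keeps the source's attribute (Section 11 (5) (d)); copying is a read."""
        if not self.can_read(entity, src):
            return None
        dup = Obj(new_name, src.level, {entity.name: {"read", "write"}})
        self.objects[new_name] = dup
        self._log(entity, "copy", dup, True, f"level kept={src.level}")
        return dup

    def relabel(self, entity, obj, new_level) -> bool:
        """Only the security administrator may change attributes (Section 11 (5) (c))."""
        allowed = entity.security_admin and new_level in RANK
        self._log(entity, "relabel", obj, allowed, f"to {new_level}")
        if allowed:
            obj.level = new_level
        return allowed

    def can_read(self, entity, obj) -> bool:
        """Section 11 (6) (a): read only if clearance >= classification; (6) (c): DAC must also allow."""
        mac, dac = RANK[entity.clearance] >= RANK[obj.level], self._dac(entity, obj, "read")
        self._log(entity, "read", obj, mac and dac, f"mac={mac} dac={dac}")
        return mac and dac

    def can_write(self, entity, obj) -> bool:
        """Section 11 (6) (b): write only if clearance <= classification; (6) (c): DAC must also allow."""
        mac, dac = RANK[entity.clearance] <= RANK[obj.level], self._dac(entity, obj, "write")
        self._log(entity, "write", obj, mac and dac, f"mac={mac} dac={dac}")
        return mac and dac


def scenario() -> dict:
    """Constructed walk-through: a Secret report, a Secret-cleared analyst, a Confidential clerk."""
    rm = ReferenceMonitor()
    admin = Entity("admin", "Top Secret", security_admin=True)
    alice = Entity("alice", "Secret")
    bob = Entity("bob", "Confidential")
    report = rm.create(admin, "report", "Secret")
    report.acl.update({"alice": {"read", "write"}, "bob": {"read", "write"}})
    memo = rm.create(admin, "memo")  # gets the default level, Confidential
    memo.acl["alice"] = {"write"}     # DAC grants alice write but not read
    dup = rm.copy(alice, report, "report-copy")
    return {
        "alice_reads_report": rm.can_read(alice, report),    # clearance == level, DAC ok
        "bob_reads_report": rm.can_read(bob, report),        # no read-up
        "bob_writes_report": rm.can_write(bob, report),      # write-up is permitted
        "alice_writes_memo": rm.can_write(alice, memo),      # no write-down
        "alice_reads_memo": rm.can_read(alice, memo),        # MAC ok, DAC denies (6)(c)
        "copy_level": dup.level if dup else None,            # attribute preserved
        "bob_relabels": rm.relabel(bob, memo, "Reserved"),   # not the security admin
        "admin_relabels": rm.relabel(admin, memo, "Secret"),
        "audit_entries": len(rm.audit),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```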
(7) The information system operated in multi-level security mode must be able to accurately indicate the classification of classified information coming out of the information system and to enable the classification of classified information entering the information system.
(8) In the case of an information system operated in the multi-level security operational mode and handling classified information of the "Top Secret" level, identification and analysis of covert channels must be carried out. A covert channel means an inadmissible communication path by which classified information reaches an unauthorised entity.
§ 12
System-dependent security requirements for a computer network environment
(1) When transmitting classified information through a communication channel, confidentiality and integrity shall be ensured.
(2) Cryptographic protection is the basic means of ensuring confidentiality of classified information when transmitted through the communication channel.
(3) The essential means of ensuring the integrity of classified information when transmitted through the communication channel is reliable detection of both intentional and accidental changes to classified information.
(4) Depending on the communication environment, reliable identification and authentication of the communicating parties shall be ensured, including protection of the identification and authentication information. This identification and authentication shall precede the transmission of classified information.
(5) The connection of the network under the control of the management of the information system to an external network not under the control of the management of the information system shall be ensured by an appropriate security interface to prevent penetration into the information system.
§ 13
Access requirements for classified information and information system services
(1) The information system must ensure that the classified information requested is accessible at a specified location, in the required form and within a specified time range.
(2) In order to ensure the safe operation of the information system, the security policy of the information system shall specify the components which must be replaceable without interruption of the information system. The scope of the required minimum functionality of the information system shall be further defined and the components for which the minimum functionality of the information system must be guaranteed shall be indicated.
(3) The planning of the assets of the information system and the monitoring of capacity requirements are carried out in such a way as to avoid errors caused by their deficiency.
(4) A plan for the recovery of activities following an information system accident must be developed. The reintroduction of the information system into a known secure state can be done manually by the information system administrator or automatically. All activities carried out for the renewal of the information system shall, as a general rule, be recorded in audit records protected from unauthorised modification or destruction.
§ 14
System-dependent security requirements derived from risk analysis
(1) A risk analysis must be carried out to determine the threats to the assets of the information system.
(2) In carrying out the risk analysis, the assets of the information system are defined and the threats that affect the individual assets of the information system are identified. In particular, threats which cause a loss of functionality or security of the information system shall be considered.
(3) Once the threats have been identified, the vulnerabilities of the information system shall be identified in such a way that, for each threat, the vulnerabilities it could exploit are determined.
(4) The risk analysis shall result in a list of threats which may endanger the information system, indicating the corresponding risk.
(5) Appropriate countermeasures shall be selected on the basis of the risk analysis carried out.
§ 15
Possibility of replacing computer security means
Where the cost of providing a security function of the information system by computer security means would be disproportionate, those means may be replaced by means of personnel or administrative security, physical security of information systems or organisational measures. The following principles shall be complied with when computer security means are replaced by an alternative security mechanism or by a group of mechanisms intended to provide the security function:
(a) the security function must be fully implemented;
(b) the quality and level of the security function shall be maintained.
§ 16
Physical security requirements for information systems
(1) The assets of the information system must be placed in a secure area in which physical protection of the information system against unauthorised access, damage and interference is ensured. This area is delimited by protection elements with appropriate access controls and security barriers.
(2) The asset of the information system must be physically protected against security threats and environmental risks.
(3) The location of the assets of the information system shall be such as to prevent the unauthorised person from reading classified information.
(4) The telecommunications infrastructure that transmits data or supports information system services must be protected from the possibility of capturing and damaging transmitted classified information.
(5) The physical security of information systems shall be supplemented by measures of object or technical security.
§ 17
Protection against parasitic radiation
(1) The components of the information system which handle classified information must be protected against parasitic electromagnetic radiation which could cause the disclosure of classified information.
(2) The level of security depends on the classification level of classified information handled by the information system.
§ 18
Security requirements for classified information media
(1) All classified information media of the information system must be registered.
(2) The interchangeable medium of classified information shall also be identified in a manner specified for classified information of a non-paper nature.
(3) The classification level of the interchangeable medium of classified information which has been classified as "Top Secret" shall not be reduced.
(4) The classification level of the interchangeable medium of classified information which has been classified as "Secret," "Confidential" or "Reserved" may be reduced only if the deletion of classified information has been carried out in the manner set out in paragraph 5.
(5) The erasure of classified information from an interchangeable medium of classified information that allows a reduction in its classification level shall be carried out in such a way that it is not possible or highly difficult to obtain residual classified information by using special laboratory methods and means.
(6) The destruction of a classified information medium of the information system shall be carried out in such a way that the classified information cannot be recovered from it by any means.
§ 19
Protection of classified information in separate personal computers
(1) In a State authority or organisation, the security policy for separate personal computers that handle classified information may be developed in a uniform manner, in particular for the management of classified information through text editors, spreadsheets, database systems with local databases or specialised programmes installed on separate personal computers.
(2) The system of measures used for the overall protection of a separate personal computer is based on the concept of such a device as a medium of classified information classified by the highest level of secrecy of classified information handled by a separate personal computer.
§ 20
Requirements for the protection of mobile and portable information systems
(1) For mobile and portable information systems, the risk analysis shall also assess the risks associated with means of transport for mobile information systems and for portable information systems with environments in which such information systems will be used.
(2) The protection of a component of a mobile or portable information system containing classified information is based on treating that component as a medium of classified information classified at the highest classification level of the classified information handled by that component.
§ 21
Request for testing the security of the information system
(1) The security of the information system must be verified by testing before certification. The testing shall be carried out by a commission whose members must not be biased in relation to the information system and its development team, whether by having participated in the development of the information system, by having a personal interest in the results of the testing, or by being linked to the development team through a personal, working or other similar relationship. Classified information shall not be used for testing.
(2) The test results shall show that the security functions are fully in line with the security policy of the information system. Test results shall be documented. The errors found during testing must be removed and their removal verified by subsequent tests.
§ 22
Security requirements for the information system in operation
(1) The security of the information system operated must be continuously checked and evaluated, taking into account the actual state of the information system. A partial change in the information system may be made only after an assessment of the impact of this change on the security of the information system.
(2) The integrity of both software and classified information must be protected against malware.
(3) Only software that has been supplied by the information system operator may be used in an operational information system.
(4) The software and classified information shall be backed up in an operational information system. The backup of software and classified information shall be stored in such a way that it cannot be damaged or destroyed when the information system is compromised.
(5) Service activity in the information system in operation must be organised in such a way that its security is not compromised. Classified information media of the information system which are accessible in the course of service activities shall be erased, and remote diagnostics shall be secured against misuse.
(6) An evaluation of the audit records shall be carried out without delay at the times specified in the security documentation of the information system and whenever a crisis situation arises. Audit records shall be kept for the period specified in the security documentation of the information system.
(7) In order to address an emergency situation of the information system in operation, measures aimed at restoring it to a known secure state must be laid down in the security documentation of the information system. The security documentation of the information system shall include the following measures:
(a) action immediately following a crisis situation, aimed at minimising damage;
(b) action following a crisis situation, aimed at dealing with its consequences, including the definition of personal responsibility for each task;
(c) how the information system is backed up;
(d) how service activities are provided;
(e) the means of ensuring emergency operation of the information system, with a list of the minimum functions to be maintained;
(f) the method of restoring functionality and returning the information system to a known secure state.
(8) Prior to the destruction of the information system, the removal, erasure or destruction of classified information that the information system has handled shall be carried out.
§ 23
Personnel security requirements for the operation of the information system
(1) The user of the information system must be authorised to operate in the information system and this authorization must be changed when changing his role within the information system or when the information system ceases to exist.
(2) The information system operator must ensure that users of the information system are trained in compliance with the measures set out in the information system security documentation and the correct use of the information system.
Certification of information systems
§ 24
Procedure and method of certification of the information system
(1) An application for certification of an information system shall be submitted to the Authority by the authority of the State or organisation which will operate the information system (hereinafter referred to as the applicant).
(2) The application referred to in paragraph 1 shall contain:
(a) a brief description of the purpose and scope of the information system, including the determination of its normal and minimum functions;
(b) the classification level of the classified information which the information system will handle;
(c) establishing the security operational mode of the information system;
(d) identification of the information system supplier.
(3) The Office shall draw up a list of supporting documents for verifying the competence of the information system to handle classified information (hereinafter referred to as "evaluation") and a timetable for their submission by the applicant. In order to carry out the evaluation, the applicant shall always provide the following supporting documents:
(a) the security policy of the information system and the results of the risk analysis;
(b) design of the security of the information system;
Regulation Information
Citation: Decree of the National Security Office No. 56 / 1999 Coll., on the security of information systems handling classified information, the performance of their certification and the requirements of the certificate
Regulation type: Decree
Author: -
Collection: Code of Laws
Date of promulgation: 30.03.1999
Effective from: 30.03.1999
Effective until: -
Status: Valid