Improvement of the Regulatory Framework of Information Security for Terminal Access Devices of the State Information System (journal article)
Database: SFU Library Catalogue (С 349)
Bibliographic description: Sizov, Valery Aleksandrovich. Совершенствование нормативно-правовой базы информационной безопасности для устройств терминального доступа государственной информационной системы = Improvement of the Regulatory Framework of Information Security for Terminal Access Devices of the State Information System / V. A. Sizov, D. M. Malinichev, V. V. Mochalov. - (Problems of Informatization of the Economy and Management). - Text: direct // Открытое образование (Open Education). - 2020. - No. 2. - P. 73-79. - Bibliography: pp. 78-79 (14 titles). - ISSN 1818-4243.
Abstract: The aim of the study is to increase the effectiveness of information security management for state information systems (SIS) with terminal access devices by improving the regulatory legal acts, which should be logically interconnected, free of contradictions, and built on a single professional thesaurus that makes information security processes understandable and describable. Currently, state information systems with terminal access devices are used to realize the legitimate interests of citizens in their information interaction with public authorities [1]. One type of such system is the public system [2], designed to provide electronic services to citizens such as paying taxes, obtaining certificates and filing applications. The personal data processed may belong to the special, biometric, publicly available and other categories [3]. Large volumes of personal data of various categories about a large number of citizens can cause significant damage if leaked, which creates information risks. There are several basic types of SIS architecture: thin-client systems; peer-to-peer network systems; file-server systems; data processing centres; systems with remote user access; systems running several types of operating system (a heterogeneous environment); systems using applications independent of the operating system; and systems using dedicated communication channels [4]. This diversity and heterogeneity of state information systems, on the one hand, and the need for high-quality state regulation of information security in these systems, on the other, call for the study and development of legal acts that take into account first of all the features of systems with the typical modern thin-client architecture.
The protection of a state information system is regulated by a large number of regulatory legal acts that are constantly being improved through changes and additions to their content. At the substantive level it comprises many stages, such as the formulation of requirements for the SIS, the development of the protection system, its implementation, and attestation. The protected information is processed in order to enforce legislation and to ensure the functioning of the authorities. The need to protect confidential information is established by the legislation of the Russian Federation [5, 6]. Therefore, to assess the quality of the regulatory framework for the information security of terminal access devices of a state information system, the paper analyses the main regulatory legal acts and, on that basis, develops proposals by analogy for improving the existing regulatory documents on information security. The proposals are: for uniformity and unification, terms with corresponding definitions are justified for inclusion in the documents of FSTEC (the Federal Service for Technical and Export Control) or Rosstandart; and rules for formulating requirements for terminals, which should be analogous to the requirements for computer equipment in the "Concept for the protection of computer equipment and automated systems from unauthorized access to information". General recommendations are proposed for protecting information in state information systems that use the thin-client architecture, specific threats absent from the FSTEC threat databank are substantiated, and directions for the further provision of information security for the class of state information systems under consideration are identified.
Because of the large number of stakeholders involved in coordinating and developing unified solutions, a more specific consideration of the problems and issues raised is possible only with the participation in the discussion of representatives of the authorized federal executive bodies and of business.
Year of publication: 2020
Source: Открытое образование (Open Education)
Issue: No. 2
Pages: 73-79
Number of copies:
- Scientific literature lending desk (pr. Svobodny, 79, 3rd floor, hall): 1 of 1 copies available
Keywords: state information systems, protected information systems, information security, thin client, data processing centre
Subject headings: Education. Pedagogy,
Application of computer technology in pedagogy
ISSN: 1818-4243
Identifiers: shelf index С 349, call number otob/2020/2-403308223