Overview of GOST R 57580.1-2017 requirements
Sergei Borisov
Diana Leychuk
Presenters

Sergei Borisov, Deputy Head of IS at the Krasnodar branch office of USSC. 15 years working in IS. Blog: https://sborisov.blogspot.com

Diana Leychuk, Audit manager, USSC Analytical Centre, Yekaterinburg. 8 years working in IS. CISM.
Plan

1. Overview of GOST R 57580.1-2017
2. Recommendations for the implementation of priority actions
3. Discussion of complex activities
4. Roadmap for implementing the requirements
GOST R 57580.1-2017

The basis for an effective information protection system; a set of best practices:
✓ uniform terminology
✓ a catalogue of 408 information protection measures
✓ a framework that helps to identify the objects of protection, determine the required level of protection, and choose protection measures and how to implement them
✓ a methodology for assessing the selection and implementation of protection measures in the organisation and the resulting level of compliance
✓ recommendations for the implementation of individual measures*
Security contours and protection levels

Security contour: a set of information objects, defined by the scope of this standard, used to implement business processes and/or technological processes of a financial institution of a single degree of criticality (importance), to which the financial institution applies a single information protection policy (regime), i.e. a single set of information protection requirements.

Level of information protection: a defined set of information protection measures, included in the information protection system and in the system for organising and managing information protection, applied jointly within a security contour to implement an information protection policy (regime) appropriate to the criticality of the protected information of the financial institution's business processes and/or technological processes.
Requirements of Bank of Russia regulations

683-П (all credit financial institutions):
- implementing an enhanced or standard level of protection;
- conducting a security-level compliance assessment;
- ensuring a compliance level of at least three (from 01.01.2021);
- ensuring a compliance level of at least four (from 01.01.2023).

684-П (non-credit financial institutions):
- implementing an enhanced or standard level of protection;
- conducting a security-level compliance assessment (from 01.01.2021);
- ensuring a compliance level of at least three (from 01.01.2022);
- ensuring a compliance level of at least four (from 01.07.2023).

672-П (participants in the Bank of Russia payment system):
- implementing an enhanced or standard level of protection;
- conducting a security-level compliance assessment;
- ensuring a compliance level of at least four;
- dates given on the slide: from 06.04.2019 and from 01.07.2021.

Order №321 (banks when connecting to the EBS, the Unified Biometric System): implementing a standard level of protection (from 01.07.2021).
Requirements of regulatory acts (NPA) to provide a level of protection in accordance with GOST R 57580.1

Object of protection                      | 683-П | 684-П | 382-П (new) | 672-П | Order of the Ministry of Communications №321
Automated systems                         |   +   |   +   |      +      |   +   |   +
Software                                  |   +   |   +   |      +      |   +   |   +
Computer hardware                         |   +   |   +   |      +      |   +   |   +
Telecommunications equipment              |   +   |   +   |      +      |   +   |   +
... used and operated for the purpose of  | banking | financial operations | money transfers | money transfers | identification using biometrics
Example of a protection measure from GOST R 57580.1-2017

Measure UZP.21. Implement logical access rights management rules to ensure that one logical access subject cannot combine the following functions:
• the operation and/or control of the operation of an access resource, including the AS, simultaneously with the intended use of that access resource as part of the implementation of the financial institution's business process;
• the creation and/or upgrading of an access resource, including the AS, simultaneously with the intended use of that access resource in the implementation of the financial institution's business process;
• operation of information protection tools and systems simultaneously with monitoring the operation of those tools and systems;
• management of logical access subject accounts simultaneously with managing the rights of logical access subjects.

Level of information protection:  3 / 2 / 1
Measure UZP.21:                   Н / О / Т

Legend: Н = not applicable at this level; О = organisational measure; Т = technical measure.
Objects and access resources

Access objects: it is recommended to consider at least:
✓ user workstations
✓ maintenance personnel workstations
✓ server hardware
✓ network equipment
✓ SAN
✓ HSM
✓ printing and copying devices
✓ devices in public places (ATMs, payment terminals)

Access resources: it is recommended to consider at least:
✓ automated systems (AS)
✓ databases
✓ network file shares
✓ virtual machines with server components
✓ virtual machines with user workstations
✓ e-mail services
✓ web services
Structuring information protection measures

Information protection processes (rows) against the directions of information protection (columns):

Process                                                                          | Selection (groups of measures) | Planning | Implementation | Monitoring | Improvement
1. Ensuring the protection of information in access control                      | UZP, RD, FD, UI                | FTI      | RHI            | KZI        | FTI
2. Ensuring the protection of computer networks                                  | SME, WSA, WSA, WSB, WSB        | FTI      | RHI            | KZI        | FTI
3. Monitoring the integrity and security of the information infrastructure       | FTI                            | FTI      | RHI            | KZI        | FTI
4. Protection against malicious code                                             | ZVK                            | FTI      | RHI            | KZI        | FTI
5. Preventing information leaks                                                  | PUI                            | FTI      | RHI            | KZI        | FTI
6. Information security incident management                                      | IAU, RI                        | FTI      | RHI            | KZI        | FTI
7. Protecting the virtualisation environment                                     | FOI                            | FTI      | RHI            | KZI        | FTI
8. Information security in remote logical access using mobile (portable) devices | ZUD                            | FTI      | RHI            | KZI        | FTI
Protection in the life-cycle stages of automated systems and applications        | HC                             |          |                |            |
(Recommended) Organisational measures related to the processing of personal data | Б                              |          |                |            |
Structuring information protection measures

Hierarchy: Processes > Sub-processes > Groups of measures > Measures

Example:
Group of measures: registration of information security events related to the implementation of information leakage prevention.
Measure PUI.33: registration of events of erasing information from removable machine-readable media (MNI).
Level of information protection 3 / 2 / 1: О / О / О (organisational measure at all three levels).
Selection of protection measures from GOST R 57580.1-2017

1. Selection of the basic composition of measures.
2. Adaptation of the chosen set of measures to the threat model and to the structural and functional characteristics.
3. Exclusion of measures not related to the information technology used.
4. Complementing the measures with the requirements set out in other regulatory acts (NPA).
5. Application of measures.

Inputs shown on the slide: the protection level of the security contour; the threat model; the characteristics of the objects; automation; evaluation of the feasibility of implementation; risk assessment; the information technologies used by the object; other regulatory acts.
Levels of compliance with GOST R 57580.2

Process evaluation E      Level of compliance
E = 0                     Zero
0 < E <= 0.5              First
0.5 < E <= 0.7            Second
0.7 < E <= 0.85           Third
0.85 < E <= 0.9           Fourth
Recommendations for the implementation of priority actions
Threat model

Current threat model: covers the security contours.
Correspondence between current threats and protection measures from GOST R 57580.1-2017: used when choosing protection measures or justifying the application of compensatory protection measures.
The need for certified information protection tools (SZI): identification of the threats whose neutralisation requires certified SZI.
Regulation on the applicability of measures from GOST R 57580.1-2017

List of security contours: the levels of protection required for them.
Selection of measures for the listed contours: rationale for the choice (presence in the basic set of measures, adaptation, exclusion, addition).
Identification of measures that are not technically feasible or expedient to implement: justification of the impossibility or economic impracticability.
Definition of compensatory measures: justification for the application of each compensatory measure.
Definition of certified means of protection: record the measures that require the use of certified information protection tools (where necessary to neutralise current threats).
Implementation of the measures in the direction "Information security planning" (FTI.1-FTI.4).
Implementation plan for the first phase of protection measures

For each information protection measure:
List of security contours for which the measure is necessary.
Choice of how to implement the measure: by organisational or technical measures, by built-in or overlay protection tools, by a specific tool.
Responsible for implementation.
Implementation period.
Planned outcome.
Discussion of complex activities
Process 1. Ensuring information security in access control

Technical measures
⮚ 2FA
⮚ IDM and/or access request management system and/or electronic document management (EDI)
⮚ SSO
⮚ SIEM
⮚ Video surveillance system
⮚ IT resource accounting system and/or CMDB

Built-in features
⮚ AS (automated systems)
⮚ OS
⮚ DBMS
⮚ Network equipment
⮚ File services
⮚ Virtualisation systems
⮚ AD and/or LDAP
⮚ BIOS and/or UEFI

Organisational measures
⮚ Regulation on logical access management
⮚ Order appointing resource owners
⮚ Regulation on physical access management
⮚ Accounting for access resources
Process 2. Securing computer networks

Technical measures
⮚ FW (L3 and L7)
⮚ IPS
⮚ VPN
⮚ Mail GW
⮚ Anti-DDoS
⮚ SIEM
⮚ CMDB

Built-in features
⮚ Network equipment
⮚ E-mail systems
⮚ Network management system
⮚ AS (automated systems)
⮚ OS
⮚ DBMS
⮚ File services

Organisational measures
⮚ Regulation on working with removable data carriers (monitoring the content of information transferred between security contour segments on removable media)
Process 3. Controlling the integrity and security of the information infrastructure

Technical measures
⮚ VM (vulnerability management)
⮚ Pentest service
⮚ Software update management system
⮚ Intrusion protection and/or endpoint protection
⮚ AV
⮚ SIEM

Built-in features
⮚ AS (automated systems)
⮚ OS
⮚ Application software (PPO)
⮚ Browser
⮚ DBMS
⮚ Network equipment

Organisational measures
⮚ Vulnerability management regulation
⮚ Software update procedure
⮚ Availability of software reference copies and the ability to restore from them
⮚ List of software approved for installation
Process 4. Protection against malicious code

Technical measures
⮚ AV or endpoint protection
⮚ NGFW
⮚ Web GW
⮚ Mail GW
⮚ SIEM

Built-in features
⮚ OS
⮚ Browser
⮚ AD

Organisational measures
⮚ Regulation on anti-virus protection
⮚ Procedure for preliminary testing of software to be installed or modified
⮚ Prohibition of uncontrolled opening of self-extracting archives and executable files obtained from the Internet
Process 5. Prevention of information leakage

Technical measures
⮚ DLP
⮚ Web GW
⮚ Mail GW
⮚ Endpoint protection
⮚ Unauthorised access protection tools (SZI ot NSD)
⮚ Information erasure tools
⮚ SIEM

Built-in features
⮚ E-mail systems

Organisational measures
⮚ Regulation on the handling of removable machine-readable media (MNI)
⮚ Prohibition of processing sensitive information on hosts connected to the Internet
⮚ Recording the erasure of information from MNI
Process 6. Information security incident management

Technical measures
⮚ SIEM
⮚ VPN
⮚ Unauthorised access protection tools (SZI ot NSD)
⮚ NTP
⮚ Incident management system

Built-in features
⮚ AS (automated systems)
⮚ OS
⮚ Network management systems
⮚ Service monitoring systems

Organisational measures
⮚ Regulation on information security incident management
⮚ Formation of an information security incident response team with a list of roles
Process 7. Protecting the virtualisation environment

Technical measures
⮚ Virtualisation environment protection tools
⮚ FW (L3 and L7)
⮚ 2FA

Built-in features
⮚ Virtualisation environments
⮚ SAN
⮚ Networking equipment
⮚ AD and/or LDAP

Organisational measures
⮚ Regulation on virtual infrastructure protection
Process 8. Information security for remote logical access from mobile devices

Technical measures
⮚ MDM
⮚ 2FA
⮚ VPN
⮚ FW

Built-in features
⮚ AS (automated systems)
⮚ OS
⮚ DBMS
⮚ Network equipment
⮚ File services

Organisational measures
⮚ Regulation on remote access to resources
Information protection at the life-cycle stages of automated systems (AS)

Technical measures
⮚ All information protection tools (SZI)

Built-in features
⮚ AS (automated systems)

Organisational measures
⮚ List of protected information to be processed in the AS
⮚ Composition and application of organisational and technical protection measures
⮚ Prohibition of the use of protected information in development and testing segments
⮚ Regulations for monitoring the application of protection measures
⮚ Maintenance of technical protection measures for the duration of their use (technical support contracts)
⮚ Vulnerability management regulation / procedures for the prompt elimination of detected vulnerabilities
Difficult to implement technical measures

1. Two-factor authentication
✓ Process 1, WP.4: identification and multi-factor authentication of operating personnel
✓ Process 1, EP.28: registration of the personalisation, issuance (transfer) and destruction of personal technical authentication devices implementing multi-factor authentication
✓ Process 1, OPC.26: recording of information security events related to, and monitoring of, the actions of operating personnel with rights to manage the technical measures implementing multi-factor authentication
✓ Process 7, ZSV.9: control and logging of maintenance staff access to server virtualisation and storage components, with two-factor authentication
✓ Process 8, ZUD.5: identification, two-factor authentication and authorisation of access subjects after a secured network connection is established, where authentication is required by measures ZUD.2 and ZUD.4
Difficult to implement technical measures

2. Account management systems (IDM)
✓ UZP.9: monitoring the consistency of the actual logical access rights with the reference information on the logical access rights granted
✓ UZP.13: control of the termination of logical access and blocking of accounts when the logical access period expires
✓ UZP.14: detecting that logical access subjects have not exercised their logical access rights over a set period of time
✓ UZP.17: the ability to determine the composition of the logical access rights granted for a specific access resource
✓ UZP.18: the ability to determine the composition of the logical access rights granted to a specific logical access subject
✓ UZP.19 and UZP.20: definition of roles, and implementation of logical access rights management rules so that one logical access subject does not combine conflicting roles
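As an added example (not code from the slides or from USSC), the checks behind the IDM-related measures listed above and the UZP.21 segregation-of-duties rule shown earlier, written as a Python access review over constructed sample data; the role names, the role-to-function mapping and the 90-day idle period are assumptions:

```python
"""Access-rights review checks modelled on UZP.9, UZP.13, UZP.14 and UZP.19-21 of
GOST R 57580.1-2017. Added example, not part of the slides; all data is constructed."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The four pairs of functions one logical access subject must not combine (UZP.21).
SOD_CONFLICTS = [
    ("as_operation", "as_business_use"),              # operating the AS vs. using it in a business process
    ("as_development", "as_business_use"),            # creating/upgrading the AS vs. using it
    ("sec_tools_operation", "sec_tools_monitoring"),  # running IS tools vs. monitoring their operation
    ("account_management", "rights_management"),      # managing accounts vs. managing access rights
]

# Hypothetical roles and the UZP.21 functions each one implements (assumed mapping).
ROLE_FUNCTIONS = {
    "abs_admin": {"as_operation"},
    "abs_developer": {"as_development"},
    "abs_operator": {"as_business_use"},
    "siem_admin": {"sec_tools_operation"},
    "soc_analyst": {"sec_tools_monitoring"},
    "idm_accounts": {"account_management"},
    "idm_rights": {"rights_management"},
}

@dataclass(frozen=True)
class Grant:
    """One role actually held by a subject, as exported from the AS or the IDM."""
    subject: str
    role: str
    valid_until: date          # end of the access period (UZP.13)
    last_used: Optional[date]  # None: the right has never been exercised (UZP.14)

@dataclass(frozen=True)
class Finding:
    measure: str
    subject: str
    detail: str

def check_uzp9(actual: list[Grant], reference: set[tuple[str, str]]) -> list[Finding]:
    """UZP.9: actual grants must match the approved reference list in both directions."""
    actual_pairs = {(g.subject, g.role) for g in actual}
    findings = [Finding("UZP.9", s, f"role {r} granted but absent from reference")
                for s, r in sorted(actual_pairs - reference)]
    findings += [Finding("UZP.9", s, f"role {r} approved but not provisioned")
                 for s, r in sorted(reference - actual_pairs)]
    return findings

def check_uzp13(actual: list[Grant], today: date) -> list[Finding]:
    """UZP.13: grants whose access period has expired must be blocked."""
    return [Finding("UZP.13", g.subject, f"role {g.role} expired on {g.valid_until}")
            for g in actual if g.valid_until < today]

def check_uzp14(actual: list[Grant], today: date, idle_days: int) -> list[Finding]:
    """UZP.14: rights not exercised within the set period are flagged for review."""
    return [Finding("UZP.14", g.subject, f"role {g.role} unused for over {idle_days} days")
            for g in actual
            if g.last_used is None or (today - g.last_used).days > idle_days]

def check_sod(actual: list[Grant]) -> list[Finding]:
    """UZP.19-21: no subject may hold roles that together cover a conflicting pair."""
    held: dict[str, set[str]] = {}
    for g in actual:
        held.setdefault(g.subject, set()).update(ROLE_FUNCTIONS[g.role])
    return [Finding("UZP.21", subject, f"combines {a} with {b}")
            for subject, funcs in sorted(held.items())
            for a, b in SOD_CONFLICTS if a in funcs and b in funcs]

def review(actual: list[Grant], reference: set[tuple[str, str]],
           today: date, idle_days: int = 90) -> list[Finding]:
    """Run every check; idle_days is the organisation's own UZP.14 period (90 assumed)."""
    return (check_uzp9(actual, reference) + check_uzp13(actual, today)
            + check_uzp14(actual, today, idle_days) + check_sod(actual))

def count_by_measure(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.measure for f in findings))

# Constructed sample data for a review run on 15.01.2021.
TODAY = date(2021, 1, 15)
SAMPLE_GRANTS = [
    Grant("ivanov", "abs_operator", date(2021, 12, 31), date(2021, 1, 14)),
    Grant("ivanov", "abs_admin", date(2021, 12, 31), date(2021, 1, 10)),       # SoD: operates and uses the AS
    Grant("petrov", "abs_developer", date(2020, 12, 31), date(2020, 12, 20)),  # access period expired
    Grant("sidorov", "siem_admin", date(2021, 6, 30), date(2020, 9, 1)),       # idle for 136 days
    Grant("kuznetsov", "idm_accounts", date(2021, 6, 30), date(2021, 1, 12)),
    Grant("kuznetsov", "idm_rights", date(2021, 6, 30), None),                 # SoD, and never used
]
REFERENCE = {  # approved (reference) subject/role pairs
    ("ivanov", "abs_operator"), ("petrov", "abs_developer"),
    ("sidorov", "siem_admin"), ("kuznetsov", "idm_accounts"),
    ("smirnova", "soc_analyst"),  # approved but not provisioned
}

if __name__ == "__main__":
    for f in review(SAMPLE_GRANTS, REFERENCE, TODAY):
        print(f"{f.measure:7} {f.subject:10} {f.detail}")
```

On the sample data the review yields eight findings: three under UZP.9, one under UZP.13, two under UZP.14 and two UZP.21 segregation conflicts.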
Difficult to implement technical measures

3. Internal network firewalling (L3 and L7)
✓ security contour segments
✓ development and testing segments
✓ segments for ATMs and payment terminals
✓ wireless network segments
✓ virtualisation system segments
✓ segment for checking removable media
✓ mobile device segment
✓ other internal segments

4. Detection of malicious code in Internet traffic
Statistics on the participation of individual types of protection tools in the implementation of measures (number of measures)

Firewall (FW): 35
IS event management system (SIEM): 32
Anti-malware (AV) tools: 25
Virtualisation environment protection tools: 20
E-mail protection gateway (Mail GW): 19
Web traffic filtering system (Web GW): 17
Account management system (IDM): 17
Two-factor authentication system (2FA): 17
Next-generation firewall (NGFW): 15
Software update management system: 10
Unauthorised access protection tools (SZI ot NSD): 10
Incident management system (IRP): 8
IPS: 6
Implementing organisational protection measures

Information protection measures, with the marking for levels of information protection 3 / 2 / 1:
RD.26 Keep copies of the authentication data of the operating personnel on dedicated removable machine-readable media (MNI) or on paper: О / О / О
RD.27 Protect copies of the authentication data of the operating personnel against unauthorised access when stored on MNI or on paper: О / О / О
FD.6 Assign a physical access manager to every premises: О / О / О
FD.7 Independent granting of physical access rights at the discretion of the physical access manager: О / О / О
RZI.10 Ensure that technical information protection measures can be maintained throughout their lifetime: Н / О / О
WBC.8 Use application software that is certified for compliance with information security requirements, or for which a vulnerability analysis has been carried out to an evaluation assurance level not lower than OUD 4 (EAL 4) in accordance with GOST R ISO/IEC 15408-3: Н / О / О

Legend: Н = not applicable at this level; О = organisational measure.
Implementing organisational protection measures

RI.9 Define the following main roles within the information security incident response group (GRIZI):
• Head of GRIZI, whose main functional responsibility is the operational management of the response to information security incidents;
• GRIZI dispatcher/operator, whose main functional responsibility is the collection and recording of information on information security incidents;
• GRIZI analyst, whose main functional responsibilities include direct response to an information security incident;
• GRIZI secretary, whose main functional responsibilities include documenting the results of information security incident response and generating analytical reports.
Level of information protection 3 / 2 / 1: Н / О / О
Roadmap for implementing the requirements
Roadmap for the implementation of GOST R 57580.1-2017

Stages: Selection → Planning → Implementation → Monitoring → Improvement

Selection (1-2 months):
1. Threat modelling
2. Regulation on the applicability of measures from GOST R 57580.1-2017
3. IS policy

Planning (1-2 months):
1. Self-assessment and gap analysis
2. Plans for the implementation of the first phase of measures

Implementation (1-6 months):
Implementation of the first phase of measures

Monitoring (2-3 months; milestone 01.01.2021):
Assessment of the level of compliance with the involvement of FSTEC of Russia licensees
Our offers for financial institutions
About us

Experience: USSC specialists have been carrying out information security projects for more than 10 years.

Certifications: the project team consists of staff with higher professional education in the field 090100 "Information Security" who hold the following certificates:
⮚ Certified Information Systems Auditor (CISA);
⮚ Certified Information Systems Security Professional (CISSP);
⮚ Certified Information Security Manager (CISM);
⮚ Cisco Certified Internetwork Expert (CCIE);
⮚ Ethical Hacking and Penetration Testing (CEH);
⮚ Computer Hacking Forensic Investigator (CHFI);
⮚ Offensive Security Certified Professional (OSCP);
⮚ Offensive Security Certified Expert (OSCE).
Competencies

The Urals Centre for Systemic Security (USSC) is an expert company in the safe use of information technology. Since 2007, the company has been growing steadily, building up its competencies and carrying out increasingly complex projects.

Areas of competence: information technology; information security; engineering and technical security systems; infrastructure; security analysis services; industrial automation and control systems security.

23, Tkachey St., Ekaterinburg, 620100. Tel.: +7 (343) 379-98-34
Questions?
Thank you for your attention!

Borisov Sergey, branch office in Krasnodar, sborisov@ussc.ru
Leychuk Diana, Analytical centre, dleichuk@ussc.ru
 

Обзор требований ГОСТ Р 57580.1-2017 en-GB.pdf

  • 1. Overview of GOST R 57580.1-2017 requirements. Sergei Borisov, Diana Leychuk
  • 2. Presenters of the fourth edition
    Sergei Borisov, Deputy Head of IS at the Krasnodar branch office of UCSB; working in IS for 15 years; blog: https://sborisov.blogspot.com
    Diana Leychuk, Audit manager, UCSB Analytical Centre, Yekaterinburg; working in IS for 8 years; CISM
  • 3. Plan: overview of GOST R 57580.1-2017; recommendations for the implementation of priority actions; discussion of complex activities; roadmap for implementing the requirements
  • 4. GOST R 57580.1-2017: the basis for an effective data protection system. A set of best practices:
    ✓ uniform terminology
    ✓ a catalogue of 408 data protection measures
    ✓ a framework that helps to identify the objects of protection, determine the required level of protection, and choose the protection measures and how to implement them
    ✓ a methodology for assessing the selection and implementation of protection measures in the organisation and the resulting level of compliance
    ✓ recommendations for the implementation of individual measures*
  • 5. Security circuits and protection levels
    Security circuit: a set of information objects, defined by the scope of this standard, used to implement business processes and/or technological processes of a financial institution of a single degree of criticality (importance), to which the financial institution applies a single information protection policy (regime), i.e. a single set of information protection requirements.
    Level of information protection: a defined set of information protection measures, included in the information protection system and in the information protection organisation and management system, applied jointly within a security circuit to implement an information protection policy (regime) appropriate to the criticality of the protected information of the business and/or technological processes of the financial organisation.
  • 6. Requirements of Bank of Russia regulations
    683-П (all credit institutions): implement the enhanced or standard level of protection; conduct a security level compliance assessment; ensure a compliance level of at least three from 01.01.2021; ensure a compliance level of at least four from 01.01.2023
    684-П (non-credit financial institutions): implement the enhanced or standard level of protection from 01.01.2021; conduct a security level compliance assessment; ensure a compliance level of at least three from 01.01.2022; ensure a compliance level of at least four from 01.07.2023
    672-П (participants in the Bank of Russia payment system; requirements applicable from 06.04.2019): implement the enhanced or standard level of protection; conduct a security level compliance assessment; ensure a compliance level of at least four from 01.07.2021
    Order №321 of the Ministry of Communications (banks connecting to the EBS): implement the standard level of protection from 01.07.2021
  • 7. Regulatory acts (NAPs) requiring a level of protection in accordance with GOST 57580.1: 683-П, 684-П, 382-П (new), 672-П and Order №321 of the Ministry of Communications. Under each of them the requirements cover automated systems, software, computer hardware and telecommunications equipment used and operated for the purpose of: banking (683-П), financial activities (684-П), money transfers (382-П, 672-П), identification using biometrics (Order №321).
  • 8. Example of a protection measure from GOST R 57580.1-2017. Measure UZP.21: implement logical access rights management rules ensuring that one logical access subject cannot combine the following functions:
    • operation and/or control of the operation of an access resource, including the AS, together with the intended use of that resource as part of a business process of the financial institution;
    • creation and/or upgrading of an access resource, including the AS, together with the intended use of that resource in a business process of the financial institution;
    • operation of information protection tools and systems together with monitoring the operation of information protection tools and systems;
    • management of logical access subject accounts together with management of the rights of logical access subjects.
    Applicability by level of protection: level 3 - Н, level 2 - О, level 1 - Т (Н - the measure is not applied at that level, О - organisational measure, Т - technical measure).
  • 10. Objects and access resources
    Access objects, which it is recommended to consider as a minimum: ✓ user workstations ✓ maintenance personnel workstations ✓ server hardware ✓ network equipment ✓ SAN ✓ HSM ✓ printing and copying devices ✓ facilities in public places (ATMs, payment terminals)
    Access resources, which it is recommended to consider as a minimum: ✓ AS ✓ databases ✓ network file shares ✓ virtual machines with server components ✓ virtual machines with user workstations ✓ email services ✓ web services
  • 11. Structuring information protection measures. For each information protection process, the measure groups used in the "Selection" column; the four directions of information protection (planning - FTI, implementation - RHI, monitoring - KZI, improvement - FTI) are the same for every process:
    Ensuring the protection of information in access control: UZP, RD, FD, UI
    Ensuring the protection of computer networks: SME, WSA, WSA, WSB, WSB
    Monitoring the integrity and security of the information infrastructure: FTI
    Protection against malicious code: ZVK
    Preventing information leaks: PUI
    Information security incident management: IAU, RI
    Protecting the virtualisation environment: FOI A
    Information security in remote logical access using mobile (portable) devices: ZUD
    Protection in the lifecycle stages of automated systems and applications: HC
  • 12. (Recommended) Organisational measures related to the processing of personal data
  • 13. Structuring information protection measures: processes -> sub-processes -> groups -> measures. Example of a group of measures and a measure, with applicability by level of protection (3 / 2 / 1): PUI.33, "Registration of information security events related to the implementation of information leakage prevention: registration of events of erasure of information from MSI" - О / О / О
  • 14. Selection of protection measures from GOST R 57580.1-2017
    1. Selection of the basic composition of measures
    2. Adaptation of the chosen set of measures to the threat model and the structural and functional characteristics
    3. Exclusion of measures not related to the information technologies used
    4. Supplementing the measures with the requirements set out in other NAPs
    5. Application of the measures
  • 15. Inputs to the selection of measures (diagram): circuit protection level; threat model; characteristics of objects; automation; evaluation of the feasibility of implementation; risk assessment; the information technologies used by the object; other NAPs
  • 16. Levels of compliance according to GOST 57580.2 (E - result of the process evaluation): E = 0 - zero level; 0 < E <= 0.5 - first; 0.5 < E <= 0.7 - second; 0.7 < E <= 0.85 - third; 0.85 < E <= 0.9 - fourth
  • 17. Plan: overview of GOST R 57580.1-2017; recommendations for the implementation of priority actions; discussion of complex activities; roadmap for implementing the requirements
  • 18. Threat model. The current threat model covers the security circuits; establishes the correspondence between current threats and the protection measures from GOST R 57580.1-2017; is used when choosing protection measures or justifying the application of compensatory protection measures; and identifies the threats that require certified FIS to neutralise, i.e. the need for certified FIS.
  • 19. Regulation on the applicability of measures from GOST R 57580.1-2017
    List of security circuits and the levels of protection required for them
    Selection of measures for the circuits indicated, with the rationale for the choice: availability in the core set of measures, adaptation, exclusion, addition
    Identification of measures that are not technically feasible or expedient to implement, with justification of the impossibility or economic impracticability
    Definition of compensatory measures, with justification for applying each compensatory measure
    Definition of certified protection tools: a record of the measures that require the use of certified information security tools (when necessary to neutralise current threats)
    Implementation of the measures in the "Information security planning" direction (FTI.1-FTI.4)
  • 20. Regulation on the applicability of measures from GOST R 57580.1-2017
  • 21. Implementation plan for the first phase of protection measures. For each information protection measure:
    the list of security circuits for which the measure is necessary;
    the chosen way to implement the measure: organisational or technical measures, built-in or add-on protection tools, a specific tool;
    the person responsible for implementation;
    the implementation period;
    the planned outcome;
    where applicable: justification of the impossibility or economic impracticability, justification for applying a compensatory measure, and a record of the measures that require the use of certified information security tools (where necessary to neutralise current threats).
  • 22. Implementation plan for the first phase of protection measures
  • 23. Plan: overview of GOST R 57580.1; recommendations for the implementation of priority actions; discussion of complex activities; roadmap for implementing the requirements
  • 24. P1. Ensuring information security in access control
    Technical measures: ⮚ 2FA ⮚ IDM and/or application management system for resource access and/or EDI ⮚ SSO ⮚ SIEM ⮚ video surveillance system ⮚ IT resource accounting system and/or CMDB
    Built-in features of: ⮚ AS ⮚ OS ⮚ DBMS ⮚ network equipment ⮚ file services ⮚ virtualisation systems ⮚ AD and/or LDAP ⮚ BIOS and/or UEFI
    Organisational measures: ⮚ regulation on logical access management ⮚ order appointing resource owners ⮚ regulation on physical access management ⮚ accounting of access resources
  • 25. P2. Securing computer networks
    Technical measures: ⮚ FW (L3 and L7) ⮚ IPS ⮚ VPN ⮚ Mail GW ⮚ AntiDDoS ⮚ SIEM ⮚ CMDB
    Built-in features of: ⮚ network equipment ⮚ email systems ⮚ network management system ⮚ AS ⮚ OS ⮚ DBMS ⮚ file services
    Organisational measures: ⮚ regulation on working with removable data carriers (monitoring the content of information transferred between security circuit segments using removable media)
  • 26. P3. Controlling the integrity and security of the information infrastructure
    Technical measures: ⮚ VM ⮚ pentest service ⮚ software update management system ⮚ intrusion and/or endpoint protection ⮚ AV ⮚ SIEM
    Built-in features of: ⮚ AS ⮚ OS ⮚ PGO ⮚ browser ⮚ DBMS ⮚ network equipment
    Organisational measures: ⮚ vulnerability management regulation ⮚ software updating ⮚ availability of software reference copies and a restore capability ⮚ list of software approved for installation
  • 27. P4. Protection against malicious code
    Technical measures: ⮚ AV or endpoint protection ⮚ NGFW ⮚ Web GW ⮚ Mail GW ⮚ SIEM
    Built-in features of: ⮚ OS ⮚ browser ⮚ AD
    Organisational measures: ⮚ regulation on anti-virus protection ⮚ procedures for preliminary checks of software to be installed or modified ⮚ prohibition of the uncontrolled opening of self-extracting archives and executable files obtained from the Internet
  • 28. P5. Prevention of information leakage
    Technical measures: ⮚ DLP ⮚ Web GW ⮚ Mail GW ⮚ endpoint protection ⮚ Failure to comply ⮚ tools for erasing information ⮚ SIEM
    Built-in features of: ⮚ email systems
    Organisational measures: ⮚ regulation on the handling of removable data carriers (MSI) ⮚ prohibition of processing sensitive information at workstations connected to the Internet ⮚ recording the erasure of information from MSI
  • 29. P6. Information security incident management
    Technical measures: ⮚ SIEM ⮚ VPN ⮚ Failure to comply ⮚ NTP ⮚ incident management system
    Built-in features of: ⮚ AS ⮚ OS ⮚ network management systems ⮚ service monitoring systems
    Organisational measures: ⮚ regulation on information security incident management ⮚ formation of an information security incident response team with a list of roles
  • 30. P7. Protecting the virtualisation environment
    Technical measures: ⮚ virtualisation environment protection tool ⮚ FW (L3 and L7) ⮚ 2FA
    Built-in features of: ⮚ virtualisation environments ⮚ SAN ⮚ network equipment ⮚ AD and/or LDAP
    Organisational measures: ⮚ regulation on virtual infrastructure protection
  • 31. P8. Information security for remote logical access from mobile devices
    Technical measures: ⮚ MDM ⮚ 2FA ⮚ VPN ⮚ FW
    Built-in features of: ⮚ AS ⮚ OS ⮚ DBMS ⮚ network equipment ⮚ file services
    Organisational measures: ⮚ regulation on remote access to resources
  • 32. Information protection in the life cycle stages of automated systems (AS)
    Technical measures: ⮚ all FIS
    Built-in features of: ⮚ AS
    Organisational measures: ⮚ list of protected information to be processed in the AS ⮚ composition and application of organisational and technical protection measures ⮚ prohibition of the use of protected information in development and testing segments ⮚ regulations for monitoring the application of protection measures ⮚ maintenance of technical protection measures for the duration of their use (technical support contracts) ⮚ vulnerability management regulation / procedures for the prompt elimination of detected vulnerabilities
  • 33. Difficult to implement technical measures. 1. Two-factor authentication:
    ✓ P.1 WP.4 - identification and multi-factor authentication of operating personnel
    ✓ P.1 EP.28 - registration of the personalisation, issuance (transfer) and destruction of personal technical authentication devices implementing multi-factor authentication
    ✓ P.1 OPC.26 - recording of information security events related to the actions, and monitoring of the actions, of operating personnel with rights to manage the technical measures implementing multi-factor authentication
    ✓ P.7 CCTV.9 - control and logging of maintenance staff access to server virtualisation and storage components with two-factor authentication
    ✓ P.8 ZUD.5 - identification, two-factor authentication and authorisation of access subjects after secured network communication is established, performing the authentication required by measures ZUD.2 and ZUD.4
  • 34. Difficult to implement technical measures. 2. Account data management systems (IDM):
    ✓ UZP.9 - monitoring the consistency of actual logical access rights with the reference information on the logical access rights granted
    ✓ UZP.13 - control of the termination of logical access and blocking of accounts when the logical access period expires
    ✓ UZP.14 - detection of logical access subjects that have not exercised their logical access rights for a set period of time
    ✓ UZP.17 - ability to determine the composition of the logical access rights granted for a specific access resource
    ✓ UZP.18 - ability to determine the composition of the logical access rights of a specific logical access subject
    ✓ UZP.19 and UZP.20 - definition of roles and implementation of logical access rights management rules ensuring that one subject does not combine logical access to specific roles
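As an added example (not part of the presentation and not code from UCSB), the following Python script runs three of the IDM-type checks named on this slide and in measure UZP.21 on slide 8 over a constructed account export: UZP.21 segregation of duties, UZP.9 drift between actual and reference rights, and UZP.14 dormant accounts. The role names, the data model and the sample accounts are assumptions.

```python
"""Checks for logical-access measures UZP.9, UZP.14 and UZP.21 of GOST R 57580.1-2017.
Added example, not from the presentation. Role names, the data model and the
sample accounts are constructed; real input would come from the IDM register
and from exports of the access resource (AS, OS, DBMS, AD/LDAP)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# UZP.21: the four function pairs one logical access subject must not combine.
SOD_CONFLICTS: Dict[Tuple[str, str], str] = {
    ("operate_resource", "use_resource"): "operation/control of a resource vs its intended use",
    ("develop_resource", "use_resource"): "creation/upgrade of a resource vs its intended use",
    ("operate_sec_tools", "monitor_sec_tools"): "operating protection tools vs monitoring them",
    ("manage_accounts", "manage_rights"): "managing accounts vs managing access rights",
}

@dataclass
class Subject:
    login: str
    roles: Set[str]
    last_access: Optional[date]  # None: the rights have never been exercised

def sod_violations(subjects: List[Subject]) -> List[Tuple[str, str]]:
    """UZP.21: (login, reason) for every subject holding a conflicting role pair."""
    findings = []
    for s in subjects:
        for pair, reason in SOD_CONFLICTS.items():
            if set(pair) <= s.roles:
                findings.append((s.login, reason))
    return findings

def rights_drift(actual: List[Subject], reference: List[Subject]
                 ) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """UZP.9: {login: (extra roles, missing roles)} for every subject whose actual
    rights differ from the reference register; an unregistered account is all 'extra'."""
    expected = {s.login: s.roles for s in reference}
    drift = {}
    for s in actual:
        ref_roles = expected.get(s.login, set())
        extra, missing = s.roles - ref_roles, ref_roles - s.roles
        if extra or missing:
            drift[s.login] = (extra, missing)
    return drift

def dormant_accounts(subjects: List[Subject], today: date, max_idle_days: int) -> List[str]:
    """UZP.14: logins whose logical access was not exercised within the set period."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(s.login for s in subjects
                  if s.last_access is None or s.last_access < cutoff)

# Constructed sample data: the reference register of granted rights and an
# export of the actual accounts of one access resource.
REFERENCE = [
    Subject("ivanov", {"use_resource"}, None),
    Subject("petrov", {"manage_accounts"}, None),
    Subject("dba01", {"operate_resource"}, None),
]
ACTUAL = [
    Subject("ivanov", {"use_resource", "operate_resource"}, date(2020, 12, 28)),
    Subject("petrov", {"manage_accounts", "manage_rights"}, date(2020, 6, 1)),
    Subject("dba01", {"operate_resource"}, date(2020, 12, 30)),
    Subject("tmp_contractor", {"develop_resource"}, None),  # absent from the register
]
CHECK_DATE = date(2021, 1, 1)

if __name__ == "__main__":
    for login, why in sod_violations(ACTUAL):
        print(f"UZP.21: {login}: {why}")
    for login, (extra, missing) in rights_drift(ACTUAL, REFERENCE).items():
        print(f"UZP.9: {login}: extra={sorted(extra)} missing={sorted(missing)}")
    print("UZP.14 dormant accounts (90 days):", dormant_accounts(ACTUAL, CHECK_DATE, 90))
```

In practice the reference register is the IDM's record of granted rights and the actual list is an export from each access resource; the same three functions then serve the periodic control required by the monitoring direction.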
  • 35. Difficult to implement technical measures. 3. Internal network firewalling (L3 and L7) between: ✓ security circuit segments ✓ development and testing segments ✓ segments for ATMs and payment terminals ✓ wireless network segments ✓ virtualisation system segments ✓ the segment for checking removable media ✓ the mobile segment ✓ other internal segments. 4. Detection of malicious code in Internet traffic
  • 36. Statistics on the participation of individual types of FIS in the implementation of measures: firewall (FW) - 35; IS event management system (SIEM) - 32; anti-malware (AV) tools - 25; virtualisation environment protection tool - 20; email protection gateway (Mail GW) - 19; web traffic filtering system (Web GW) - 17; account management system (IDM) - 17; two-factor authentication system (2FA) - 17; next generation firewall (NGFW) - 15; software update management system - 10; Failure to comply - 10; incident management system (IRP) - 8
  • 38. Implementing organisational protection measures (applicability at levels 3 / 2 / 1; О - organisational measure, Н - not applied at that level):
    RD.26 - keep copies of the authentication data of the operating personnel on dedicated MSI or on paper (О / О / О)
    RD.27 - protect copies of the authentication data of the operating personnel against unauthorised access when stored on MSI or in hard copy (О / О / О)
    FD.6 - appoint a physical access manager for all premises (О / О / О)
    FD.7 - grant physical access rights independently at the discretion of the physical access manager (О / О / О)
    RZI.10 - ensure that technical information protection measures can be maintained throughout their lifetime (Н / О / О)
    WBC.8 - use application software certified for compliance with information security requirements, or for which a vulnerability analysis has been carried out at an evaluation assurance level of not lower than EAL 4 in accordance with the requirements of GOST R ISO/IEC 15408-3 (Н / О / О)
  • 40. Implementing organisational protection measures. RI.9 - define the following main roles within the GRIZI (information protection incident response group) (Н / О / О):
    • head of the GRIZI, whose main functional responsibility is the operational management of the response to information security incidents;
    • GRIZI dispatcher/operator, whose main functional responsibility is to ensure the collection and recording of information on information protection incidents;
    • GRIZI analyst, whose main functional responsibilities include direct response to an information security incident;
    • GRIZI secretary, whose main functional responsibilities include documenting the results of information security incident response and preparing analytical reports.
  • 42. Plan: overview of GOST R 57580.1; recommendations for the implementation of priority actions; discussion of complex activities; roadmap for implementing the requirements
  • 43. Roadmap for the implementation of GOST R 57580.1-2017 (stages: choosing, planning, implementation, monitoring, improvement). Stage "Choosing", 1-2 months: 1. Threat modelling 2. Regulation on the applicability of measures from GOST R 57580.1-2017 3. IS policy
  • 44. Roadmap for the implementation of GOST R 57580.1-2017. Stage "Planning", 1-2 months (after the 1-2 months of choosing): 1. Self-assessment and GAP analysis 2. Plans for the implementation of the first phase of measures
  • 45. Roadmap for the implementation of GOST R 57580.1-2017. Stage "Implementation", 1-6 months (after choosing, 1-2 months, and planning, 1-2 months): implementation of the first phase of measures
  • 46. Roadmap for the implementation of GOST R 57580.1-2017. Stage "Monitoring", 2-3 months, by 01.01.2021 (after choosing, 1-2 months; planning, 1-2 months; implementation, 1-6 months): conduct an assessment of the level of compliance with the involvement of FSTEC Russia licensees
  • 47. Our offers for financial institutions
  • 48. About us. Experience: UCSB specialists have been carrying out information security projects for more than 10 years. Certifications: the project team consists of staff with higher professional education in the field of 090100 "Information Security" and holding the following certificates: ⮚ Certified Information Systems Auditor (CISA) ⮚ Certified Information Systems Security Professional (CISSP) ⮚ Certified Information Security Manager (CISM) ⮚ Cisco Certified Internetwork Expert (CCIE) ⮚ Ethical Hacking and Penetration Testing (CEH) ⮚ Computer Hacking Forensic Investigator (CHFI) ⮚ Offensive Security Certified Professional (OSCP) ⮚ Offensive Security Certified Expert (OSCE)
  • 49. About us. The Urals Centre for Systemic Security (UCSS) is an expert company in the safe use of information technology. Since 2007, the company has been growing steadily, building up its competencies and carrying out increasingly complex projects. Areas of activity: information technology; information security; security engineering and technical equipment; infrastructure; security analysis service; industrial safety, automation and control systems. Address: 23, Tkachey St., Yekaterinburg, 620100. Tel.: +7 (343) 379-98-34, e-mail: info@ussc.ru
  • 50. Questions? Thank you for your attention! Sergey Borisov, branch office in Krasnodar, sborisov@ussc.ru; Diana Leychuk, Analytical centre, dleichuk@ussc.ru