New GOSTs on information security, or how FSTEC is changing the methodological base. What are information security standards? National information security standards

Document's name:
Document Number: 53113.1-2008
Document type: GOST R
Receiving authority: Rosstandart
Status: Active
Published:
Acceptance date: December 18, 2008
Start date: 01 October 2009
Revision date: October 01, 2018

GOST R 53113.1-2008 Information technology (IT). Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions

GOST R 53113.1-2008

Group T00

NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Information technology

PROTECTION OF INFORMATION TECHNOLOGIES AND AUTOMATED SYSTEMS FROM INFORMATION SECURITY THREATS USING COVERT CHANNELS

Part 1

General provisions

Information technology. Protection of information technologies and automated systems against security threats posed by use of covert channels. Part 1. General principles


OKS 35.040

Date of introduction 2009-10-01

Preface

1 DEVELOPED by Limited Liability Company "Cryptocom"

2 INTRODUCED by the Federal Agency for Technical Regulation and Metrology

3 APPROVED AND ENTERED INTO EFFECT by Order of the Federal Agency for Technical Regulation and Metrology dated December 18, 2008 N 531-st

4 INTRODUCED FOR THE FIRST TIME

5 REPUBLICATION. October 2018


The rules for the application of this standard are established in Article 26 of the Federal Law of June 29, 2015 N 162-FZ "On Standardization in the Russian Federation". Information about changes to this standard is published in the annual (as of January 1 of the current year) information index "National Standards", and the official text of changes and amendments is published in the monthly information index "National Standards". In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the next issue of the monthly information index "National Standards". Relevant information, notices and texts are also posted in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet (www.gost.ru)

Introduction

The development, implementation and use of distributed information systems and technologies, and the use of imported software and hardware platforms without design documentation, have led to the emergence of a class of information security (IS) threats associated with the use of so-called covert channels, "invisible" to traditional information security means.

Traditional information security tools, such as access control tools, firewalls, and intrusion detection systems, control only information flows that pass through channels intended for their transmission. The possibility of exchanging information outside this framework through covert channels (CC) is not taken into account.

In systems that require an increased level of trust, security threats arising from the possibility of unauthorized action using CC must be taken into account.

The danger posed by CC to information technologies (IT), automated systems (AS) and other assets of the organization lies in the fact that the information flows through them are not controlled by protection means, which can lead to information leakage, violation of the integrity of information resources and software in computer systems, or other obstacles to the implementation of IT.

To ensure the protection of information processed in an AS, it is necessary to identify and neutralize all possible information channels of unauthorized action, both traditional and covert.

This standard is part of a series of interrelated standards, united by the common name "Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels", including:

- general provisions;

- recommendations for organizing the protection of information, IT and AS from attacks using CC.

The general provisions define the tasks to be solved when analyzing CC, describe the classification of CC and provide a classification of assets according to the degree of danger of attacks using CC.

An essential aspect of IT and AS security is trust in the protection systems. Trust is established through in-depth analysis or examination of software and hardware products from a security standpoint. In many cases this analysis is hampered by the absence of the source data needed for it, that is, source code and design and test documentation; as a result, threats to information resources can be realized through unknown software and hardware components and through the interfaces of interacting software and hardware products.

The requirements for information security assurance are established in GOST R ISO/IEC 15408-3, under which systems with an evaluation assurance level (EAL) of EAL5 or higher are subject to mandatory CC analysis. When hardware and software products from foreign manufacturers are used without design documentation, test documentation or source code, it is impossible to guarantee the absence of potentially malicious components, whether deliberately included or arising accidentally (for example, a software vulnerability). Thus, the requirement to analyze CC is, in the Russian Federation, a necessary condition for the secure operation of systems that process valuable information or use imported hardware and software, including systems with an EAL below EAL5.

The recommendations for organizing the protection of information, IT and AS from attacks using CC define the procedure for searching for CC and countering CC.

This standard was developed as an extension of GOST R ISO/IEC 15408-3, GOST R ISO/IEC 27002 (regarding measures to counter information security threats implemented using CC) and the guiding document listed in the Bibliography.

1 Scope

This standard establishes the classification of CC and defines the tasks to be solved in the analysis of CC, which is a necessary component in determining the further procedure for organizing the protection of information from attacks using CC; it also establishes the procedure for conducting CC analysis for IT and AS products and systems, the results of which are used in assessing assurance in information systems and IT protection measures.

This standard is intended for customers, developers and users of IT when formulating requirements for the development, acquisition and use of IT products and systems intended to process, store or transmit information that is subject to protection under regulatory documents or under requirements set by the owner of the information. It is also intended for certification bodies and testing laboratories when assessing and certifying the security of IT and AS, and for analytical units and security services when comparing threats to valuable information assets with the potential for damage through CC.

2 Normative references

This standard uses normative references to the following standards:

GOST R ISO/IEC 15408-3 Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance components

GOST R ISO/IEC 27002 Information technology. Methods and means of ensuring security. Code of practice for information security management

Note - When using this standard, it is advisable to check the validity of the reference standards in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet or using the annual information index "National Standards", which was published as of January 1 of the current year, and on issues of the monthly information index "National Standards" for the current year. If an undated reference standard is replaced, it is recommended that the current version of that standard be used, taking into account any changes made to that version. If a dated reference standard is replaced, it is recommended to use the version of that standard with the year of approval (adoption) indicated above. If, after the approval of this standard, a change is made to the referenced standard to which a dated reference is made that affects the provision referred to, it is recommended that that provision be applied without regard to that change. If the reference standard is canceled without replacement, then the provision in which a reference to it is given is recommended to be applied in the part that does not affect this reference.

3 Terms and definitions

The following terms with corresponding definitions are used in this standard:

3.1 automated system: A system consisting of personnel and a set of automation tools for their activities, implementing information technology to perform established functions.

3.2 violator's agent: A person, software, firmware or hardware acting on behalf of the information security violator.

3.3 assets: Anything that has value to the organization and is in its possession.

Note: An organization's assets may include:

- computing, telecommunications and other resources;

- information assets, including various types of information at the following phases of their life cycle: generation (creation), processing, storage, transmission, destruction;

- products and services provided to third parties.

3.4 blocking access (to information): Termination or obstruction of legitimate users' access to information.

3.5 malware: A program designed to provide unauthorized access and (or) influence on information or resources of an information system.

3.6 covert channel analysis depth: The degree of variation in complexity of the means used to identify the covert channel and its characteristics.

3.7 assurance: The basis for confidence that an object meets its security objectives.

3.8 covert channel identification: Establishing the possibility of the existence of a covert channel and determining its place in the classification.

3.9 restricted information: A type of information to which access is limited and whose disclosure may harm the interests of other persons, society and the state.

3.10 information security: All aspects related to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or of the means of processing it.

3.11 Information system: An organizationally ordered set of documents (arrays of documents) and information technologies, including the use of computer technology and communications that implement information processes.

Note - Information systems are designed to store, process, search, distribute, transmit and provide information.

3.12 information technology: Techniques, methods and ways of using computer technology in performing the functions of collecting, storing, processing, transmitting and using data.

3.13 information object: A program element containing pieces of information circulating in the program.

Note - Depending on the programming language, variables, arrays, records, tables, files, fragments of RAM, etc. can serve as information objects.

3.14 information flow: The process of interaction between the source of information and its recipient.

Note - An information flow can be authorized or unauthorized. An information flow between objects X and Y exists if the average mutual information I(X, Y) is greater than 0. The mathematical model of an information flow can be defined as a finite state machine in which the message source feeds an input word to the input of the machine and the message recipient observes the output sequence of the machine.

3.15 exhaustive covert channel analysis: An analysis that requires additional evidence to be presented showing that the covert channel identification plan is sufficient to establish that all possible avenues of covert channel investigation have been exhausted.

3.16 key: A specific secret state of some parameters of a cryptographic data transformation algorithm, ensuring the selection of one transformation from a set of all possible transformations for a given algorithm.

3.17 communication channel: A set of information carriers that deliver a message from a source to a receiver.

3.18 critical objects: Objects whose disruption or cessation of operation leads to loss of control, destruction of infrastructure, irreversible negative change or destruction of the economy of the country, of a constituent entity of the Federation or of an administrative-territorial unit, or to a significant long-term deterioration in the safety of life of the population living in these territories.

3.19 information transfer mechanism: An implemented method of transmitting information from the sender to the recipient.

3.20 information modification: Purposeful change in the form of presentation and content of information.

3.21 information security violator (adversary): An individual (subject) who, accidentally or intentionally, has committed actions resulting in a violation of the security of information processed by technical means in information systems.

3.22 unauthorized access to information: Access to information, or actions with information, that violate the access control rules using the standard means provided by computer technology or automated systems.

Note - Access to an object also includes access to the information contained in it.

3.23 object: A passive component of a system that stores, receives or transmits information.

3.24 hazard assessment: Determining the degree of possible destructive impact.

3.25 evaluation assurance level (EAL): A package of assurance components representing a point on the predefined assurance scale.

Note - The package of assurance components is determined in accordance with the requirements of GOST R ISO/IEC 15408-3.

3.26 access password: An identifier of an access subject that is that subject's secret.

3.27 personal data: Any information relating to an individual identified or identifiable on the basis of such information (the personal data subject).

Note - Last name, first name, patronymic, year, month, date and place of birth of the subject of personal data, as well as address, family, social, property status, education, profession, income and other information can be used as personal data.

3.28 information security policy: A set of documented rules, procedures, practices or guidelines in the field of information security that guide an organization's activities.

3.29 product: A set of software, firmware and/or information technology hardware that provides specific functionality and is intended for direct use or for inclusion in various systems.

3.30 covert channel capacity: The amount of information that can be transmitted over a covert channel per unit of time or relative to some other scale of measurement.

3.31 system: A specific embodiment of information technology with a specific purpose and operating conditions.

3.32 systematic covert channel analysis: An analysis in which the developer of an IT or AS must identify covert channels in a structured and repeatable manner, as opposed to identifying them by ad hoc methods applicable only to a particular situation.

Note - Covert channels are usually identified in accordance with the identification plan.

3.33 covert channel: A communication channel not intended by the developer of the IT or AS that can be used to violate the security policy.

3.34 transmission medium: The physical implementation of the information transfer process.

3.35 subject: An active component of a system, usually represented by a user, process or device, that can cause information to flow from object to object or change the state of the system.

3.36 security threat (threat): A set of conditions and factors that create a potential or actual danger associated with information leakage and/or unauthorized and/or unintentional impacts on it.

3.37 authorized user: A user who is authorized by the security policy to perform an operation.

3.38 damage: Negative consequences arising from damage to assets.

3.39 vulnerability: A property of a system that can be used to violate the information security of an information technology system and automated systems.

4 General provisions

4.1 This standard defines the following procedure for determining the degree of danger of CC to an organization's assets and for identifying and countering CC:

- classification of assets depending on the degree of danger of attacks using CC, taking into account possible security threats to the assets;

- determination of the required depth of CC analysis depending on the type of assets;

- analysis of CC, which includes the following tasks:

identification (detection) of CC,

assessment of the capacity of CC and assessment of the danger posed by their covert operation;

- protection measures against threats implemented using CC, which include the following tasks:

decision-making on the implementation of protective measures to counter the identified security threats,

counteraction to the operation of CC, up to and including their elimination.

4.2 The classification of protected assets depending on the degree of danger of attacks using CC is given in Section 7.

4.3 The depth of CC analysis is determined by the value of the assets, that is, by the damage that can be caused by the realization of security threats implemented using CC, in other words by the risks arising from the presence of these threats. The classification of such threats is given in Section 6.

4.4 Identification of a CC establishes the subjects (source and recipient) between whom the CC can potentially exist, the parameters whose manipulation transmits the information, the parameters whose variation allows the information to be read, the information transfer medium, and the logical conditions under which the information is transmitted. CC may be identified both during system development, by examining potential leakage or influence channels, and during system operation, by observing signs indicating the presence of CC. In the latter case, CC are identified by monitoring system parameters. The information security documentation should state which classes of CC can be identified by the monitoring system in use.

4.5 The capacity of identified CC is assessed using formal, technical or modeling methods.

4.6 When making decisions on the implementation of protective measures to counter security threats implemented using CC, the possible risk of damage to the organization's assets must be taken into account; this risk is also related to the capacity of the CC.

4.7 Dangerous CC can be countered by the following means and methods:

- building an IT or AS architecture that blocks CC or makes their capacity so low that the channels become harmless; this method is applied at the IT or AS design stage;

- use of technical means that block CC or reduce their capacity below a given level;

- use of software and hardware tools that detect the operation of dangerous CC during system operation; detecting signs of CC operation may make it possible to block their impact on information resources;

- application of organizational and technical measures to eliminate CC or reduce their capacity to a safe value.

5 Classification of covert channels

5.1 According to the information transfer mechanism, CC are divided into:

- memory-based (storage) covert channels;

- covert timing channels;

- covert statistical channels.

5.2 Memory-based covert channels rely on the presence of memory into which the transmitting subject writes information and from which the receiving subject reads it.

The covertness of memory-based channels is determined by the fact that an outside observer does not know the location in memory where the hidden information is recorded.

Memory-based covert channels make use of memory resources, but the way the memory is used is not taken into account by the developers of the protection system and therefore cannot be detected by the protection tools in use.

5.3 Covert timing channels assume that the subject transmitting information modulates some time-varying process with the information being transmitted, and the subject receiving the information is able to demodulate the transmitted signal by observing the information-carrying process over time. For example, in a multitasking operating system (OS), the central processor is a shared information and computing resource for application programs. By modulating CPU time, applications can illegitimately transfer data to each other.

5.4 A covert statistical channel transmits information by changing the parameters of the probability distributions of any characteristics of the system that can be regarded as random and described by probabilistic-statistical models.

The covertness of such channels rests on the fact that the recipient of the information has less uncertainty in determining the parameters of the distributions of the observed system characteristics than an observer who has no knowledge of the structure of the covert channel.

For example, the appearance of a valid but improbable combination in a transmitted packet within a given period of time may signal a failure in the computer system.

5.5 Memory-based CC are in turn divided into:

- CC based on hiding information in structured data;

- CC based on hiding information in unstructured data.

5.6 CC based on hiding information in structured data embed data into information objects that have a formally described structure and formal processing rules. For example, the internal file formats used by modern word processors contain a number of fields that are not displayed when the file is edited, so they can be used to insert hidden information.
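Defensive counterpart to 5.6, as an added example rather than text or code from the standard: an inventory check over a ZIP-based document container (the container format used by modern office documents; the sample file is constructed in memory here and is not a real word-processor file). It lists the locations an editor never displays: the archive comment, per-entry comments and extra fields, parts outside an expected list (the EXPECTED_PARTS set is an assumption for the example) and bytes appended after the end of the archive, which Python's zipfile silently tolerates. ZIP64 archives and trailing data that itself contains the end-of-central-directory signature are outside the scope of this check.

```python
"""Added example: inventory of non-displayed fields in a ZIP-based document container."""
import io
import struct
import zipfile
from typing import Dict, List, Set

EOCD_SIGNATURE = b"PK\x05\x06"   # end-of-central-directory record
EOCD_FIXED_LEN = 22              # fixed part; a variable-length archive comment follows
# Assumption for the example: the parts a clean document of this kind is expected to contain.
EXPECTED_PARTS: Set[str] = {"[Content_Types].xml", "word/document.xml"}


def find_hidden_fields(data: bytes, expected_parts: Set[str]) -> Dict[str, List[str]]:
    """Report every container location a document editor does not show the user.

    Not covered: ZIP64 archives, and trailing data that itself contains the EOCD
    signature (the last occurrence is taken as the real record)."""
    findings: Dict[str, List[str]] = {
        "archive_comment": [], "entry_comment": [], "entry_extra": [],
        "unexpected_part": [], "trailing_bytes": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if zf.comment:
            findings["archive_comment"].append(f"{len(zf.comment)} bytes")
        for info in zf.infolist():
            if info.filename not in expected_parts:
                findings["unexpected_part"].append(info.filename)
            if info.comment:
                findings["entry_comment"].append(f"{info.filename}: {len(info.comment)} bytes")
            if info.extra:
                findings["entry_extra"].append(f"{info.filename}: {len(info.extra)} bytes")
    # zipfile tolerates bytes after the archive, so the end of the archive is measured here:
    # the EOCD record holds the comment length at offset 20, and the archive ends after the comment.
    eocd_at = data.rfind(EOCD_SIGNATURE)
    if eocd_at < 0:
        raise ValueError("not a ZIP container")
    (comment_len,) = struct.unpack("<H", data[eocd_at + 20:eocd_at + 22])
    archive_end = eocd_at + EOCD_FIXED_LEN + comment_len
    if archive_end < len(data):
        findings["trailing_bytes"].append(f"{len(data) - archive_end} bytes after end of archive")
    return findings


def build_sample(clean: bool) -> bytes:
    """Constructed test input standing in for an office document (not a real file).
    With clean=False it also carries data in places an editor never displays."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if not clean:
            zf.writestr("word/.cache", "constructed filler part")
            entry = zipfile.ZipInfo("docProps/app.xml")
            entry.comment = b"constructed entry comment"
            zf.writestr(entry, "<Properties/>")
            zf.comment = b"constructed archive comment"
    if not clean:
        buf.write(b"\x00" * 32)   # constructed: 32 bytes appended past the end of the archive
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "tampered"):
        report = find_hidden_fields(build_sample(clean=(label == "clean")), EXPECTED_PARTS)
        print(label, {k: v for k, v in report.items() if v})
```

The check deliberately does not interpret the contents of what it finds; its output is an inventory for the analyst to compare with the document's declared structure, which is exactly the information a conventional editor view does not give.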

5.7 CC based on hiding information in unstructured data embed data into information objects without regard to a formally described structure (for example, writing hidden information into the least significant bits of an image, which does not lead to visible image distortions).
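For 5.7, as an added example that is not from the standard: the pairs-of-values chi-square check of Westfeld and Pfitzmann applied to 8-bit sample values, which is how an analyst tests whether a least-significant-bit plane carries statistics consistent with overwritten bits. The carrier is a constructed set of 8-bit samples with a smooth, peaked histogram, not an image file; the "after embedding" variant only replaces LSBs with coin flips to reproduce the statistical effect of a compressed or encrypted payload, and the chi2/dof ratio threshold is a simplification of the original p-value test.

```python
"""Added example: pairs-of-values chi-square check of the least significant bit plane."""
import random
from collections import Counter
from typing import List, Sequence, Tuple


def lsb_chi_square(samples: Sequence[int], min_pair_total: int = 10) -> Tuple[float, int]:
    """Chi-square over value pairs (2i, 2i+1) of 8-bit samples (after Westfeld and Pfitzmann).

    In an unmodified carrier the two histogram bins of a pair normally differ.
    Overwriting LSBs with uniformly distributed bits (what compressed or encrypted
    payload looks like) drives each pair towards equal counts, so the statistic
    falls to about one per pair. Returns (chi2, degrees_of_freedom); pairs with
    fewer than min_pair_total samples are skipped because the chi-square
    approximation is poor there."""
    hist = Counter(samples)
    chi2 = 0.0
    pairs_used = 0
    for i in range(128):
        even, odd = hist[2 * i], hist[2 * i + 1]
        total = even + odd
        if total < min_pair_total:
            continue
        expected = total / 2.0
        chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
        pairs_used += 1
    return chi2, max(pairs_used, 1)


def lsb_plane_looks_random(samples: Sequence[int], ratio_threshold: float = 3.0) -> bool:
    """Decision rule of this example (a simplification of the original p-value test):
    chi2/dof near 1 is what uniformly random LSBs produce; natural carrier
    statistics give a much larger ratio."""
    chi2, dof = lsb_chi_square(samples)
    return chi2 / dof < ratio_threshold


def constructed_cover(n: int = 50000, seed: int = 1) -> List[int]:
    """Constructed stand-in for a carrier: 8-bit samples with a smooth, peaked
    histogram (rounded Gaussian), in which adjacent bins differ. Not an image file."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(120, 4)))) for _ in range(n)]


def with_randomised_lsbs(samples: Sequence[int], seed: int = 2) -> List[int]:
    """Reproduces only the statistical effect of LSB embedding: each LSB is replaced
    by a coin flip. No payload is encoded."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = constructed_cover()
    for label, data in (("carrier", cover), ("lsb-randomised", with_randomised_lsbs(cover))):
        chi2, dof = lsb_chi_square(data)
        print(f"{label}: chi2/dof = {chi2 / dof:.1f}, looks random: {lsb_plane_looks_random(data)}")
```

The test is blind to the content hidden and only sees the change in statistics, which is why 5.7 describes this class of channel as hiding in data without regard to its structure: the defence has to look at the distribution of the carrier, not at its format.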

5.8 According to capacity, CC are divided into:

- low-capacity channels;

- high-capacity channels.

5.9 A CC is a low-capacity channel if its capacity is sufficient to transmit valuable information objects of minimal size (for example, cryptographic keys or passwords) or commands within the period of time during which this transmission is relevant.

5.10 A CC is a high-capacity channel if its capacity allows the transmission of medium-sized and large information objects (for example, text files, images, databases) within the period of time during which these information objects are valuable.

To solve complex tasks, a combination of CC based on different transfer mechanisms may be used.
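The definition in 3.14 (an information flow exists when I(X, Y) > 0), the capacity definition in 3.30 and the low/high-capacity criteria of 5.9 and 5.10 can be tied together in code. The following is an added example, not part of the standard: empirical mutual information between a hypothesized transmitter state X and an observed system parameter Y (the kind of parameter monitoring 4.4 describes), a capacity estimate derived from it (a lower bound, since capacity is the maximum over the sender's input distributions), and a check of whether that capacity moves an object of a given size within its relevance window. The observation pairs, observation rate and object sizes are constructed; the 0.01-bit threshold for declaring a flow is an assumption to absorb finite-sample noise.

```python
"""Added example: quantifying a suspected covert channel from observations."""
from collections import Counter
from math import log2
from typing import Dict, Iterable, List, Tuple

Observation = Tuple[int, int]   # (hypothesised transmitter state X, observed parameter Y)


def mutual_information(pairs: Iterable[Observation]) -> float:
    """Empirical mutual information I(X;Y) in bits (3.14 criterion: a flow exists if > 0)."""
    sample = list(pairs)
    n = len(sample)
    if n == 0:
        raise ValueError("no observations")
    px = Counter(x for x, _ in sample)
    py = Counter(y for _, y in sample)
    pxy = Counter(sample)
    mi = 0.0
    for (x, y), count in pxy.items():
        p_joint = count / n
        mi += p_joint * log2(p_joint / ((px[x] / n) * (py[y] / n)))
    return mi


def capacity_bits_per_second(bits_per_observation: float, observations_per_second: float) -> float:
    """Capacity in the sense of 3.30 (information per unit time). Using the empirical
    I(X;Y) gives a lower bound: true capacity maximises over the sender's input distribution."""
    return bits_per_observation * observations_per_second


def channel_suffices(capacity_bps: float, object_size_bits: int, relevance_window_s: float) -> bool:
    """5.9/5.10 criterion: can an object of this size be moved while it is still valuable?"""
    return capacity_bps * relevance_window_s >= object_size_bits


def assess(pairs: List[Observation], observations_per_second: float,
           object_size_bits: int, relevance_window_s: float,
           flow_threshold_bits: float = 0.01) -> Dict[str, object]:
    """Combine the three steps into one report. flow_threshold_bits is an
    assumption of this example: finite samples rarely give exactly 0 bits."""
    mi = mutual_information(pairs)
    cap = capacity_bits_per_second(mi, observations_per_second)
    return {
        "flow_exists": mi > flow_threshold_bits,
        "mi_bits_per_observation": mi,
        "capacity_bps": cap,
        "sufficient_for_object": channel_suffices(cap, object_size_bits, relevance_window_s),
    }


# Constructed observations (not measured data): 100 trials; X is the bit the suspected
# sender intends, Y the latency bucket a monitor recorded (0 fast, 1 slow).
# NOISY_CHANNEL flips the observed bucket in 10% of trials: I(X;Y) = 1 - H(0.1) = 0.531 bits.
NOISY_CHANNEL: List[Observation] = [(0, 0)] * 45 + [(0, 1)] * 5 + [(1, 1)] * 45 + [(1, 0)] * 5
# NO_CHANNEL: X and Y independent, I(X;Y) = 0.
NO_CHANNEL: List[Observation] = [(0, 0)] * 25 + [(0, 1)] * 25 + [(1, 0)] * 25 + [(1, 1)] * 25

if __name__ == "__main__":
    # A 256-bit key within a 60 s window vs. a 1 MiB file within an hour, at 10 observations/s.
    for name, pairs in (("noisy", NOISY_CHANNEL), ("none", NO_CHANNEL)):
        print(name, "key:", assess(pairs, 10.0, 256, 60.0))
        print(name, "file:", assess(pairs, 10.0, 8 * 1024 * 1024, 3600.0))
```

With the constructed numbers the noisy channel carries about 5.3 bits/s: enough for a 256-bit key inside a minute, which is what 5.9 calls a low-capacity channel and why 7.2 singles out key and password material, but not enough for a megabyte file inside an hour. The same routine applied to real monitoring data is the "technical or modeling method" of 4.5 in its simplest form.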

6 Classification of security threats implemented using covert channels

6.1 Security threats that can be implemented using CC include:

- introduction of malicious programs and data;

- issuing of commands by the violator to an agent for execution;

- leakage of cryptographic keys or passwords;

- leakage of individual information objects.

6.2 The implementation of these threats may lead to:

- violation of the confidentiality of information assets;

- disruption of IT and AS functionality;

- blocking access to resources;

- violation of the integrity of data and software.

6.3 The systems most susceptible to attacks using CC are:

- multi-user distributed systems;

- systems with access to global networks;

- systems using cryptographic security measures;

- systems that use a multi-level (mandatory) access control policy;

- systems in which software and hardware agents cannot be detected (due to the use of software and hardware with inaccessible source code and due to the lack of design documentation).

6.4 The relationship between threats implemented using CC and types of CC depending on their capacity is shown in Table 1.

Table 1 - Relationship between threats implemented using covert channels and types of covert channels depending on their capacity

Threat implemented using covert channels | Covert channels with low capacity | Covert channels with high capacity
Introduction of malicious programs and data | |
Issuing of commands by the violator to an agent for execution | |
Leakage of cryptographic keys or passwords | |
Leakage of individual information objects | |

Note - The "+" sign means that there is a connection between the threat and the corresponding type of covert channel; the "-" sign means that there is no such connection.

7 Classification of assets according to the degree of danger of attacks using covert channels

7.1 Depending on the degree of danger of attacks using CC, the protected assets of an organization are divided into the following classes:

Class 1 - assets containing information whose degree of susceptibility to attacks implemented using CC is determined by the owner.

Class 2 - assets containing restricted information or personal data that are processed in systems with technical interfaces to open networks or public computer systems, or in computer systems that do not provide protection against leakage through technical channels.

Class 3 - assets containing information constituting a state secret.

7.2 In addition, there is a special class of assets that are vulnerable to threats carried out using low-capacity CC. This group includes:

Class A - assets related to the operation of critical objects. For example, a command capable of initiating a destructive effect on an object of this type can be transmitted over a low-capacity CC.

Class B - assets containing key or password information, including keys of cryptographic information protection systems and passwords for access to other assets. For example, leakage of key or password information over a CC can jeopardize the functioning of the entire information system.

Bibliography

Guiding document.
State Technical Commission of Russia

Keywords: covert channels, analysis of covert channels, classification of covert channels, attacks using covert channels, security threats implemented using covert channels, classification of assets according to the degree of danger of attacks using covert channels



Electronic document text
prepared by Kodeks JSC and verified against:
official publication
M.: Standartinform, 2018


The importance of ensuring information security is difficult to overestimate, since the need to store and transfer data is an integral part of running any business.

Various methods of information security depend on the form in which it is stored, however, in order to systematize and streamline this area, it is necessary to establish information security standards, since standardization is an important determinant of quality in assessing the services provided.

Any provision of information security requires control and verification, which cannot be carried out only by individual assessment, without taking into account international and state standards.

The formation of information security standards occurs after a clear definition of its functions and boundaries. Information security is ensuring the confidentiality, integrity and availability of data.

To determine the state of information security, a qualitative assessment is most applicable: the degree of security or vulnerability can be expressed as a percentage, but this does not give a complete and objective picture.

To assess and audit the security of information systems, you can apply a number of instructions and recommendations, which imply regulatory support.

State and international information security standards

Monitoring and assessment of the security state are carried out by checking compliance with state standards (GOST, ISO) and international standards (ISO, Common Criteria for IT Security).

The international set of standards developed by the International Organization for Standardization (ISO) is a set of practices and recommendations for the implementation of information security systems and equipment.

The ISO 27000 series is one of the most widely applied sets of assessment standards; it comprises more than 15 documents, numbered sequentially.

According to the assessment criteria of the ISO 27000 series, information security covers not only integrity, confidentiality and availability but also authenticity, reliability, fault tolerance and identifiability. Conventionally, this series of standards can be divided into four groups:

  • overview and introduction to terminology, description of terms used in the field of security;
  • mandatory requirements for an information security management system and a detailed description of the methods and means of managing the system; this is the main standard of the group;
  • audit recommendations, security controls guidance;
  • standards that recommend practices for implementing, developing and improving an information security management system.

State information security standards include a number of regulations and documents consisting of more than 30 provisions (GOST).

The various standards are aimed not only at establishing general assessment criteria, as GOST R ISO/IEC 15408 does with its methodological guidelines for security assessment and its list of requirements for the management system; they can also be specific and contain practical guidance.

The interrelation and set of techniques lead to the development of general provisions and to the merging of international and state standardization. Thus, GOSTs of the Russian Federation contain additions and references to international ISO standards.

Such interaction helps to develop a unified system of monitoring and evaluation, which, in turn, significantly increases the efficiency of applying these provisions in practice, objectively assessing work results and generally improving.

Comparison and analysis of national and international standardization systems

The number of European standards for ensuring and controlling information security significantly exceeds the number of legal standards established by the Russian Federation.

In national state standards, the prevailing provisions are on the protection of information from possible hacking, leakage and threats of loss. Foreign security systems specialize in developing standards for data access and authentication.

There are also differences in the provisions relating to the implementation of control and audit of systems. In addition, the practice of applying and implementing the information security management system of European standardization is manifested in almost all spheres of life, and the standards of the Russian Federation are mainly aimed at preserving material well-being.

However, constantly updated state standards contain the necessary minimum set of requirements to create a competent information security management system.

Information security standards for data transmission

Doing business involves storing, exchanging, and transmitting data via the Internet. In the modern world, currency transactions, commercial activities and transfers of funds often take place online, and it is possible to ensure the information security of this activity only by applying a competent and professional approach.

There are many standards on the Internet that ensure secure storage and transmission of data, well-known anti-virus protection programs, special protocols for financial transactions, and many others.

The speed of development of information technologies and systems is so great that it significantly outstrips the creation of protocols and uniform standards for their use.

One of the popular secure data transfer protocols is SSL (Secure Sockets Layer), developed by American specialists. It protects data in transit using cryptography.

The advantage of this protocol is the possibility of verification and authentication of the parties, for example, immediately before data exchange. However, the use of such systems when transferring data is advisory rather than mandatory, since entrepreneurs are not legally obliged to apply these standards.


To carry out secure transactions and operations, the SET (Secure Electronic Transaction) protocol was developed, which minimizes risks when conducting commercial and trading operations. This protocol is a standard for the Visa and MasterCard payment systems and allows the use of the payment system's security mechanism.

Committees that standardize Internet resources are voluntary; therefore, the activities they carry out are not legally binding.

However, fraud on the Internet in the modern world is recognized as one of the global problems; therefore, it is simply impossible to ensure information security without the use of special technologies and their standardization.

GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions

FEDERAL AGENCY FOR TECHNICAL REGULATION AND METROLOGY

Preface

The goals and principles of standardization in the Russian Federation are established by Federal Law No. 184-FZ of December 27, 2002 “On Technical Regulation”, and the rules for applying national standards of the Russian Federation are set by GOST R 1.0-2004 “Standardization in the Russian Federation. Basic provisions”.

Standard information

1 DEVELOPED by the Federal State Institution “State Research Testing Institute for Problems of Technical Information Security of the Federal Service for Technical and Export Control” (FGU “GNIIII PTZI FSTEC of Russia”), Limited Liability Company “Research and Production Company “Kristall” (OOO NPF "Crystal")

2 INTRODUCED by the Department of Technical Regulation and Standardization of the Federal Agency for Technical Regulation and Metrology

3 APPROVED AND ENTERED INTO EFFECT by order of the Federal Agency for Technical Regulation and Metrology dated December 18, 2008 No. 532-st

4 INTRODUCED FOR THE FIRST TIME

Information about changes to this standard is published in the annually published information index “National Standards”, and the text of changes and amendments is published in the monthly published information index “National Standards”. In case of revision (replacement) or cancellation of this standard, the corresponding notice will be published in the monthly published information index “National Standards”. Relevant information, notifications and texts are also posted in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet

1 Scope

3 Terms and definitions

3.1 General concepts

3.2 Terms related to the object of information protection

3.3 Terms related to information security threats

3.4 Terms related to organizational information security management

3.5 Terms related to monitoring and assessing an organization's information security

3.6 Terms related to an organization's information security controls

Alphabetical index of terms

Appendix A (for reference) Terms and definitions of general technical concepts

Appendix B (for reference) Interrelation of basic concepts in the field of information security in an organization

Bibliography

Introduction

The terms established by this standard are arranged in a systematic order, reflecting the system of concepts in this field of knowledge.

There is one standardized term for each concept.

The presence of square brackets in a terminological article means that it includes two terms that have common term elements. These terms are listed separately in the alphabetical index.

The part of a term enclosed in parentheses may be omitted when using the term in standardization documents, while the part of the term not included in parentheses forms its short form. Following the standardized terms are their short forms, separated by semicolons, represented by abbreviations.

The given definitions can be changed, if necessary, by introducing derived features into them, revealing the meanings of the terms used in them, indicating the objects included in the scope of the defined concept.

Changes must not affect the scope and content of the concepts defined in this standard.

Standardized terms are typed in bold, their short forms in the text and in the alphabetical index, including abbreviations, are in light, and synonyms are in italics.

Terms and definitions of general technical concepts necessary for understanding the text of the main part of this standard are given in Appendix A.

Name: Data protection. Ensuring information security in the organization.

Status: Valid


Text GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions

FEDERAL AGENCY FOR TECHNICAL REGULATION AND METROLOGY

NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Data protection

ENSURING INFORMATION SECURITY IN THE ORGANIZATION

Basic terms and definitions

Official publication

Standartinform

GOST R 53114-2008


© Standartinform, 2009

This standard cannot be fully or partially reproduced, replicated or distributed as an official publication without permission from the Federal Agency for Technical Regulation and Metrology



NATIONAL STANDARD OF THE RUSSIAN FEDERATION

Data protection

ENSURING INFORMATION SECURITY IN THE ORGANIZATION

Basic terms and definitions

Protection of information. Information security provision in organization.

Basic terms and definitions

Date of introduction - 2009-10-01

1 Scope

This standard establishes the basic terms used when carrying out standardization work in the field of information security in an organization.

The terms established by this standard are recommended for use in regulatory documents, legal, technical and organizational and administrative documentation, scientific, educational and reference literature.

This standard is applied in conjunction with GOST 34.003, GOST 19781, GOST R 22.0.02, GOST R 51897, GOST R 50922, GOST R 51898, GOST R 52069.0, GOST R 51275, GOST R ISO 9000, GOST R ISO 9001, GOST R ISO 14001, GOST R ISO/IEC 27001, GOST R ISO/IEC 13335-1, [2].

The terms given in this standard comply with the provisions of the Federal Law of the Russian Federation of December 27, 2002 No. 184-FZ “On Technical Regulation” [3], the Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”, the Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ “On Personal Data”, and the Information Security Doctrine of the Russian Federation, approved by the President of the Russian Federation on September 9, 2000, Pr-1895.

2 Normative references

GOST R 22.0.02-94 Safety in emergency situations. Terms and definitions of basic concepts

GOST R ISO 9000-2001 Quality management systems. Fundamentals and Vocabulary

GOST R ISO 9001-2008 Quality management systems. Requirements

GOST R ISO 14001-2007 Environmental management systems. Requirements and guidance for use

GOST R ISO/IEC 13335-1-2006 Information technology. Methods and means of ensuring security. Part 1. Concept and models of security management of information and telecommunication technologies

GOST R ISO/IEC 27001-2006 Information technology. Methods and means of ensuring security. Information security management systems. Requirements

GOST R 50922-2006 Information protection. Basic terms and definitions

GOST R 51275-2006 Information protection. Information object. Factors influencing information. General provisions

GOST R 51897-2002 Risk management. Terms and Definitions


GOST R 51898-2003 Safety aspects. Rules for inclusion in standards

GOST R 52069.0-2003 Information protection. System of standards. Basic provisions

GOST 34.003-90 Information technology. Set of standards for automated systems. Automated systems. Terms and definitions

GOST 19781-90 Software for information processing systems. Terms and Definitions

Note - When using this standard, it is advisable to check the validity of the reference standards in the public information system - on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet, or according to the annually published information index “National Standards”, published as of January 1 of the current year, and the corresponding monthly information indexes published in the current year. If a reference standard is replaced (changed), then when using this standard you should be guided by the replacing (changed) standard. If a reference standard is canceled without replacement, then the provision in which the reference to it is given applies in the part not affected by this reference.

3 Terms and definitions

3.1 General concepts

3.1.1 security of information [data]: The state of security of information [data] in which its [their] confidentiality, availability and integrity are ensured.

[GOST R 50922-2006, clause 2.4.5]

3.1.2 information technology security: The state of security of an information technology that ensures the security of the information it is used to process and the information security of the information system in which it is implemented.

[R 50.1.056-2006, clause 2.4.5]

3.1.3 information sphere: The totality of information, information infrastructure, subjects carrying out the collection, formation, dissemination and use of information, as well as the systems for regulating the social relations that arise in this process.

3.1.4 information infrastructure: A set of informatization objects that provides consumers with access to information resources.

3.1.5 informatization object: A set of information resources, tools and information processing systems used in accordance with a given information technology, as well as support facilities, premises or facilities (buildings, structures, technical means) in which these tools and systems are installed, or premises and facilities intended for conducting confidential negotiations.

[GOST R 51275-2006, clause 3.1]

3.1.6 assets of the organization: Everything that is of value to the organization in the interests of achieving its goals and is at its disposal.

Note - An organization's assets may include:

information assets, including various types of information circulating in the information system (service, management, analytical, business, etc.) at all stages of the life cycle (generation, storage, processing, transmission, destruction);

resources (financial, human, computing, information, telecommunications and others);

processes (technological, information, etc.);

manufactured products or services provided.

3.1.7 information processing system resource: An information processing system facility that can be allocated to the data processing process for a certain time interval.

Note - The main resources are processors, main memory areas, data sets, peripheral devices and programs.

[GOST 19781-90, clause 93]

3.1.8 information process: The process of creation, collection, processing, accumulation, storage, search, dissemination and use of information.

3.1.9 information technology; IT: Processes and methods of searching for, collecting, storing, processing, providing and disseminating information, and the ways of carrying out such processes and methods.

[Federal Law of the Russian Federation of December 27, 2002 No. 184-FZ, article 2, paragraph 2]

3.1.10 technical support of the automated system; AS technical support: The totality of all technical means used in the operation of the AS.

[GOST 34.003-90, clause 2.5]

3.1.11 automated system software; AS software: A set of programs on storage media and program documents intended for debugging, operating and testing the functionality of the AS.

[GOST 34.003-90, clause 2.7]

3.1.12 information support of the automated system; AS information support: A set of document forms, classifiers, regulatory framework and implemented solutions on the volume, placement and forms of existence of the information used in the AS during its operation.

[GOST 34.003-90, clause 2.8]

3.1.13 service: The result of the performer's activities to satisfy the consumer's needs.

Note - An organization, an individual or a process can act as the performer (consumer) of a service.

3.1.14 information technology services; IT services: The set of functional capabilities of information technology and, possibly, non-information technology provided to end users as a service.

Note - Examples of IT services include messaging, business applications, file and print services, network services, etc.

3.1.15 critical information infrastructure system; key information infrastructure system; FIAC: An information management or information telecommunication system that manages or provides information to a critical object or process, or is used to officially inform society and citizens, the disruption or interruption of whose functioning (as a result of destructive information influences, as well as failures or faults) can lead to an emergency with significant negative consequences.

3.1.16 critical object: An object or process, a disruption of the continuity of whose operation could cause significant damage.

Note - Damage may be caused to the property of individuals or legal entities, state or municipal property, or the environment, and harm may be caused to the life or health of citizens.

3.1.17 personal data information system: An information system that is a set of personal data contained in a database, as well as the information technologies and technical means that allow the processing of such personal data using automation tools or without the use of such tools.

3.1.18 personal data: Any information relating to an individual identified or determined on the basis of such information (the subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information.

3.1.19 automated system in a protected design; AS in a protected design: An automated system that implements information technology to perform established functions in accordance with the requirements of standards and/or regulatory documents on information protection.

3.2 Terms related to the object of information protection

3.2.1 information security of the organization; organization's IS: The state of protection of the organization's interests in the face of threats in the information sphere.

Note - Security is achieved by ensuring a set of information security properties - confidentiality, integrity, availability of information assets and the organization's infrastructure. The priority of information security properties is determined by the significance of information assets for the interests (goals) of the organization.

3.2.2 object of information protection: Information, or an information carrier, or an information process, which must be protected in accordance with the purpose of protecting information.

[GOST R 50922-2006, clause 2.5.1]

3.2.3 protected process (information technology): A process used by information technology to process protected information with the required level of its security.

3.2.4 violation of the organization's information security; organization's IS violation: An accidental or intentional unlawful action of an individual (subject, object) in relation to the organization's assets, the consequence of which is a violation of the security of information when it is processed by technical means in information systems, causing negative consequences (damage/harm) for the organization.

3.2.5 emergency situation; emergency: A situation in a certain territory or water area that has developed as a result of an accident, a dangerous natural phenomenon, a catastrophe, a natural or other disaster, which may entail or has entailed human casualties, damage to human health or the environment, significant material losses and disruption of people's living conditions.

Note - Emergency situations are distinguished by the nature of the source (natural, man-made, biological-social and military) and by scale (local, municipal, territorial, regional, federal and transboundary).

[GOST R 22.0.02-94, clause 2.1.1]

3.2.6 hazardous situation: Circumstances in which people, property or the environment are at risk.

[GOST R 51898-2003, clause 3.6]

3.2.7 information security incident: Any unexpected or unwanted event that may disrupt operations or information security.

Note - Information security incidents include:

loss of services, equipment or devices;

system failures or overloads;

user errors;

violation of physical protection measures;

uncontrolled changes to systems;

software failures and hardware failures;

violation of access rules.

[GOST R ISO/IEC 27001-2006, clause 3.6]

3.2.8 event: The occurrence or presence of a certain set of circumstances.

Notes

1 The nature, likelihood and consequences of the event may not be fully known.

2 An event can occur one or more times.

3 The probability associated with an event can be estimated.

4 An event may consist of the non-occurrence of one or more circumstances.

5 An unpredictable event is sometimes called an "incident".

6 An event in which no losses occur is sometimes called a prerequisite for an incident (incident), a dangerous condition, a dangerous combination of circumstances, etc.

3.2.9 risk: The impact of uncertainties on the process of achieving goals.

Notes

1 Goals can have different aspects: financial, health, safety and environmental aspects, and can be set at different levels: at the strategic level, at the organizational level, at the project, product and process levels.

3 Risk is often expressed in terms of a combination of the consequences of an event or change in circumstances and their likelihood.

3.2.10 risk assessment: A process that combines risk identification, risk analysis and risk quantification.

[GOST R ISO/IEC 13335-1-2006, clause 2.21]

3.2.11 information security risk assessment (of the organization); information security risk assessment (organization): The overall process of identifying, analyzing and determining the acceptability of an organization's information security risk level.

3.2.12 risk identification: The process of detecting, recognizing and describing risks.

Notes

1 Risk identification includes the identification of risk sources, events and their causes, as well as their possible consequences.

2 Risk identification may draw on statistical data, theoretical analysis, informed views and expert opinions, and stakeholder needs.

3.2.13 risk analysis: The systematic use of information to identify sources of risk and quantify risk.

[GOST R ISO/IEC 27001-2006, clause 3.11]

3.2.14 risk acceptability determination: The process of comparing the results of a risk analysis with risk criteria to determine the acceptability or tolerability of the risk level.

Note - Determining the acceptability of the level of risk helps make risk treatment decisions.

3.2.15 treatment of the organization's information security risk; organization's IS risk treatment: The process of developing and/or selecting and implementing measures to manage the organization's information security risks.

Notes

1 Risk treatment may include:

avoiding the risk by deciding not to initiate or continue the activities that create the conditions for the risk to arise;

seeking an opportunity by deciding to initiate or continue activities that may create or increase risk;

eliminating the source of risk;

changing the nature and magnitude of the risk;

changing the consequences;

sharing the risk with another party or parties;

retaining the risk, either as a result of a conscious decision or "by default".

2 Risk treatments addressing negative consequences are sometimes called mitigation, elimination, prevention, reduction, suppression and risk correction.

3.2.16 risk management: Coordinated actions to direct and control the organization's activities in relation to risks.

3.2.17 source of risk for the organization's information security; source of organizational information security risk: An object or action that can cause (create) a risk.

Notes

1 There is no risk if there is no interaction between an object, person or organization with the source of risk.

2 The source of risk can be tangible or intangible.

3.2.18 information security policy (of the organization); information security policy (organization): A formal statement of the information security rules, procedures, practices, or guidelines that guide an organization's activities.

Note - A policy should contain:

the subject, main goals and objectives of the security policy;

the conditions for applying the security policy and possible restrictions;

a description of the position of the organization's management regarding the implementation of the security policy and the organization of the organization's information security regime as a whole;

the rights and duties, as well as the degree of responsibility, of employees for compliance with the organization's security policy;

emergency procedures in case of a security policy violation.

3.2.19 information security goal (of the organization); IS (organization) goal: A predetermined result of ensuring the information security of an organization in accordance with the established requirements in the IS (organization) policy.

Note - The result of ensuring information security may be the prevention of damage to the information owner due to possible information leakage and (or) unauthorized and unintentional impact on information.

3.2.20 system of documents on information security in the organization; system of IS documents in the organization: An ordered set of documents united by a common purpose, interconnected on the basis of origin, purpose, type and scope of activity, subject to uniform requirements for their design, and regulating the organization's activities to ensure information security.

3.3 Terms related to information security threats

3.3.1 threat to the organization’s information security; information security threat to an organization: A set of factors and conditions that create a danger of a violation of an organization’s information security, causing or capable of causing negative consequences (damage/harm) for the organization.

Notes

1 The form of implementation (manifestation) of an information security threat is the occurrence of one or more interrelated information security events and information security incidents leading to violations of the information security properties of the organization's protected object(s).

2 A threat is characterized by the presence of an object of threat, a source of threat and a manifestation of the threat.

3.3.2 threat (information security): A set of conditions and factors that create a potential or actual danger of a violation of information security.

[GOST R 50922-2006, clause 2.6.1]

3.3.3 threat (information security) model: Physical, mathematical, descriptive representation of the properties or characteristics of information security threats.

Note - a special regulatory document can be a type of descriptive representation of the properties or characteristics of information security threats.

3.3.4 vulnerability (of an information system); breach: A property of an information system that makes it possible to realize threats to the security of the information processed in it.

Notes

1 A condition for the realization of a threat to the security of information processed in the information system may be a deficiency or weakness in the information system.

2 If a vulnerability matches a threat, then there is a risk.

[GOST R 50922-2006, clause 2.6.4]

3.3.5 violator of the organization’s information security; organization's information security violator: An individual or logical entity that accidentally or intentionally committed an action, the consequence of which is a violation of the organization's information security.

3.3.6 unauthorized access: Access to information or to the resources of an automated information system carried out in violation of the established access rights and (or) rules.

Notes

1 Unauthorized access may be intentional or unintentional.

2 Rights and rules for access to information and information system resources are established for information processing, for maintenance of the automated information system, for changes to software, technical and information resources, and for obtaining information about them.

3.3.7 network attack: Actions using software and (or) hardware and using a network protocol, aimed at implementing threats of unauthorized access to information, influencing it or the resources of an automated information system.

Note - A network protocol is a set of semantic and syntactic rules that determine the interaction of network management programs located on one computer with programs of the same name located on another computer.

3.3.8 blocking access (to information): Termination or obstruction of access to information for persons entitled to it (legitimate users).

3.3.9 denial of service attack: Network attack leading to blocking of information processes in an automated system.

3.3.10 information leakage: Uncontrolled dissemination of protected information as a result of its disclosure, unauthorized access to information and receipt of protected information by foreign intelligence services.

3.3.11 disclosure of information: Unauthorized communication of protected information to persons not authorized to access this information.


3.3.12 interception (of information): Unlawful receipt of information using a technical means that detects, receives and processes informative signals.

[R 50.1.053-2005, clause 3.2.5]

3.3.13 informative signal: A signal whose parameters can be used to determine the protected information.

[R 50.1.053-2005, clause 3.2.6]

3.3.14 undeclared capabilities: Functional capabilities of computer hardware and software that are not described in the documentation or do not correspond to those described in it, and which may lead to a reduction or violation of the security properties of information.

3.3.15 spurious electromagnetic radiation and interference: Electromagnetic radiation from technical information processing equipment arising as a side effect and caused by the electrical signals present in its electric and magnetic circuits, as well as electromagnetic pickup of these signals on conductive lines, structures and power circuits.

3.4 Terms related to organizational information security management

3.4.1 information security management of the organization; organization's information security management: Coordinated actions for leading and managing the organization with respect to ensuring its information security in accordance with the changing conditions of the organization's internal and external environment.

3.4.2 information security risk management of the organization; organization's information security risk management: Coordinated actions to guide and manage an organization in relation to information security risk in order to minimize it.

NOTE The core processes of risk management are setting the context, assessing the risk, treating and accepting the risk, monitoring and reviewing the risk.

3.4.3 information security management system; ISMS: The part of the overall management system, based on a business risk approach, for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security.

NOTE A management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

[GOST R ISO/IEC 27001-2006, clause 3.7]

3.4.4 the role of information security in the organization; role of information security in an organization: A set of specific functions and tasks for ensuring the information security of an organization that establish acceptable interaction between a subject and an object in an organization.

Notes

1 Subjects include persons from among the organization's management and personnel, or processes initiated on their behalf to perform actions on objects.

2 Objects can be hardware, software, software and hardware, or an information resource on which actions are performed.

3.4.5 information security service of an organization: The organizational and technical structure of the information security management system of an organization that implements the solution of a specific task aimed at countering threats to the organization’s information security.

3.5 Terms related to monitoring and assessing an organization's information security

3.5.1 control over ensuring the information security of the organization; control of the organization's information security provision: Checking the compliance of information security provision in the organization.


3.5.2 monitoring the organization’s information security; organization's information security monitoring: Constant monitoring of the information security process in the organization in order to establish its compliance with information security requirements.

3.5.3 audit of the organization's information security; organization's information security audit: A systematic, independent and documented process of obtaining evidence of the organization's information security activities and establishing the degree to which the information security criteria are fulfilled in the organization, which also allows a professional audit judgment to be formed about the state of the organization's information security.

3.5.4 evidence (proof) of an organization's information security audit; organization's information security audit evidence: Records, statements of fact or other information that are relevant to the organization's information security audit criteria and can be verified.

NOTE Information security audit evidence can be qualitative or quantitative.

3.5.5 assessment of compliance of the organization’s information security with established requirements; assessment of compliance of an organization's information security with established requirements: Activities involved in directly or indirectly determining compliance or non-compliance with established information security requirements in an organization.

3.5.6 criterion for auditing an organization's information security; organization's information security audit criterion: A set of principles, provisions, requirements and indicators of current regulatory documents related to the organization's activities in the field of information security.

Note - Information security audit criteria are the reference against which information security audit evidence is compared.

3.5.7 certification of an automated system in a secure design: The process of comprehensively verifying that an automated system performs its specified functions of processing protected information in compliance with the requirements of standards and/or regulatory documents in the field of information protection, and of drawing up documents on its suitability for processing protected information at a specific informatization facility.

3.5.8 criterion for ensuring the information security of the organization; organization's information security criterion: An indicator on the basis of which the degree of achievement of the organization's information security goal(s) is assessed.

3.5.9 effectiveness of information security; effectiveness of information security: The relationship between the achieved result and the resources used to ensure a given level of information security.

3.6 Terms related to an organization's information security controls

3.6.1 ensuring the information security of the organization; providing an organization's information security: Activities aimed at eliminating (neutralizing, countering) internal and external threats to an organization's information security or minimizing damage from the possible implementation of such threats.

3.6.2 security measure; security control: An established practice, procedure or mechanism for handling risk.

3.6.3 measures to ensure information security; information security measures: A set of actions aimed at the development and/or practical application of methods and means of ensuring information security.

3.6.4 organizational measures to ensure information security; organizational information security measures: Information security measures that establish time, territorial, spatial, legal, methodological and other restrictions on the conditions of use and operating modes of an informatization object.

3.6.5 technical means of ensuring information security; information security technical means: Equipment used to ensure the information security of an organization using non-cryptographic methods.

Note - Such equipment can be represented by hardware and software built into the protected object and/or operating autonomously (independent of the protected object).


3.6.6 intrusion detection tool; attack detection tool: A software or software-hardware tool that automates the monitoring of events occurring in a computer system or network and independently analyzes these events in search of signs of an information security incident.
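The following is an added illustration of the two halves of this definition, monitoring events and analyzing them for signs of an incident; it is example code written for this page, not part of the standard or of any product. The log format (`<timestamp> FAIL|OK user=<name> src=<host>`), the thresholds and the sample lines are all constructed assumptions.

```python
"""Toy event monitor in the spirit of 3.6.6 (added example, not from the standard).

It consumes authentication events and raises an alert when a pattern that may
indicate unauthorized access (3.3.6) is seen: many failed logins from one source
within a short window, and a subsequent successful login from that same source.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed (constructed) log line format: "<unix_ts> FAIL|OK user=<name> src=<host>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<outcome>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


@dataclass
class Alert:
    kind: str   # "bruteforce" or "success_after_failures"
    src: str    # source host of the events
    user: str   # account named in the triggering event
    ts: int     # timestamp of the triggering event


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect(lines: Iterable[str], threshold: int = 5, window: int = 60) -> List[Alert]:
    """Analyze events in order and return the alerts found.

    - 'bruteforce': at least `threshold` failed logins from one src within
      `window` seconds (reported once per src).
    - 'success_after_failures': an OK login from a src already flagged above,
      which is the stronger sign that unauthorized access may have succeeded.
    """
    failures = defaultdict(list)  # src -> timestamps of recent failures
    flagged = set()               # sources that already triggered 'bruteforce'
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skipped, a real tool would count these too
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "FAIL":
            # keep only failures inside the sliding window ending at this event
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("bruteforce", src, ev["user"], ts))
        elif src in flagged:
            alerts.append(Alert("success_after_failures", src, ev["user"], ts))
    return alerts


# Constructed sample log: one host hammers the admin account and then gets in;
# another host has two unrelated failures far apart; one line is garbage.
SAMPLE_LOG = [
    "1000 FAIL user=admin src=10.0.0.5",
    "1010 FAIL user=admin src=10.0.0.5",
    "1020 FAIL user=root src=10.0.0.5",
    "1030 FAIL user=admin src=10.0.0.5",
    "1040 FAIL user=admin src=10.0.0.5",
    "1050 OK user=admin src=10.0.0.5",
    "1005 FAIL user=alice src=10.0.0.9",
    "1500 FAIL user=alice src=10.0.0.9",
    "1510 OK user=alice src=10.0.0.9",
    "garbage line",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.kind}: src={a.src} user={a.user}")
```

On the sample above the detector reports a brute-force alert for 10.0.0.5 at the fifth failure and a second, higher-priority alert when that host then logs in successfully; the two spaced-out failures from 10.0.0.9 stay below the threshold. The sliding window is what keeps a slow trickle of failures from accumulating into a false alert, which is the design question a practitioner tunes in any such tool.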

3.6.7 means of protection against unauthorized access: Software, hardware or software and hardware designed to prevent or significantly hinder unauthorized access.


Alphabetical index of terms

organization assets 3.1.6

risk analysis 3.2.13

AS in a secure design 3.1.19

denial of service attack 3.3.9

network attack 3.3.7

certification of an automated system in a protected version 3.5.7

organization information security audit 3.5.3

organization information security audit 3.5.3

security (data) 3.1.1

information security 3.1.1

information technology security 3.1.2

organization information security 3.2.1

blocking access (to information) 3.3.8

breach 3.3.4

undeclared capabilities 3.3.14

personal data 3.1.18

unauthorized access 3.3.6

Organizational information security 3.2.1

risk identification 3.2.12

information infrastructure 3.1.4

information security incident 3.2.7

source of organizational information security risk 3.2.17

source of risk for the organization's information security 3.2.17

control of the organization's information security 3.5.1

control over the information security of the organization 3.5.1

criteria for ensuring the organization's information security 3.5.8

organizational IS audit criterion 3.5.6

organization information security audit criterion 3.5.6

criterion for ensuring information security of the organization 3.5.8

organization information security management 3.4.1

organization information security management 3.4.1

organization information security risk management 3.4.2

organization information security risk management 3.4.2

security measure 3.6.2

security measure 3.6.2

information security measures 3.6.3

organizational information security measures 3.6.4

information security measures 3.6.3

organizational information security measures 3.6.4

threat model (information security) 3.3.3

organization information security monitoring 3.5.2

monitoring of organization information security 3.5.2

violation of the organization's information security 3.2.4

violation of the organization's information security 3.2.4

organization information security violator 3.3.5

violator of an organization's information security 3.3.5

automated information system support 3.1.12

automated system software 3.1.11

technical support of the automated system 3.1.10

AS information support 3.1.12

AS software 3.1.11

AS technical support 3.1.10

ensuring the organization's information security 3.6.1

ensuring the information security of the organization 3.6.1

organization's information security risk treatment 3.2.15


treatment of the organization's information security risk 3.2.15

information protection object 3.2.2

informatization object 3.1.5

critical object 3.1.16

determination of acceptable level of risk 3.2.14

risk assessment 3.2.10

IS risk assessment (organization) 3.2.11

information security risk assessment (organization) 3.2.11

assessing the organization's IS compliance with established requirements 3.5.5

assessment of compliance of the organization's information security with established requirements 3.5.5

interception (information) 3.3.12

IS policy (organization) 3.2.18

information security policy (organization) 3.2.18

process (information technology) protected 3.2.3

information process 3.1.8

disclosure of information 3.3.11

information processing system resource 3.1.7

role of information security in the organization 3.4.4

role of information security in the organization 3.4.4

evidence (proof) of an organization's IS audit 3.5.4

evidence (evidence) of an organization’s information security audit 3.5.4

service 3.1.13

informative signal 3.3.13

secure automated system 3.1.19

information security document system in the organization 3.2.20

system of documents on information security in the organization 3.2.20

key information infrastructure system 3.1.15

critical information infrastructure system 3.1.15

information security management system 3.4.3

personal data information system 3.1.17

unforeseen situation 3.2.5

dangerous situation 3.2.6

emergency situation 3.2.5

organization information security service 3.4.5

event 3.2.8

protection against unauthorized access 3.6.7

technical information security tool 3.6.5

technical information security tool 3.6.5

attack detection tool 3.6.6

intrusion detection tool 3.6.6

information sphere 3.1.3

information technology 3.1.9

threat (information security) 3.3.2

threat to the organization's information security 3.3.1

threat to the organization's information security 3.3.1

risk management 3.2.16

service 3.1.13

information technology services 3.1.14

IT services 3.1.14

information leak 3.3.10

vulnerability (information system) 3.3.4

IS goal (organization) 3.2.19

information security goal (organization) 3.2.19

electromagnetic radiation and side interference 3.3.15

IS efficiency 3.5.9

effectiveness of information security 3.5.9


Appendix A (reference)

Terms and definitions of general technical concepts

A.1 organization: A group of workers and the necessary resources, with a distribution of responsibilities, authorities and relationships.

[GOST R ISO 9000-2001, clause 3.3.1]

Notes

1 Organizations include: a company, corporation, firm, enterprise, institution, charitable organization, retail trade enterprise, association, as well as their subdivisions or a combination of them.

2 The distribution is usually ordered.

3 An organization can be public or private.

A.2 business: Economic activity that produces profit; any type of activity that generates income and is a source of enrichment.

A.3 business process: Processes used in the economic activities of an organization.

A.4 information: Information (messages, data) regardless of the form of its presentation.

A.5 assets: Anything that has value to the organization.

[GOST R ISO/IEC 13335-1-2006, clause 2.2]

A.6 resources: Assets (of an organization) that are used or consumed during the execution of a process.

Notes

1 Resources can include such diverse items as personnel, equipment, fixed assets, tools, and utilities such as energy, water, fuel and communications network infrastructure.

2 Resources can be reusable, renewable or consumable.

A.7 danger: A property of an object that characterizes its ability to cause damage or harm to other objects.

A.8 emergency event: An event leading to an emergency situation.

A.9 damage: Physical damage or harm to human health or damage to property or the environment.

A.10 threat: A set of conditions and factors that can cause a violation of integrity, availability or confidentiality.

A.11 vulnerability: Internal properties of an object that create susceptibility to the effects of a risk source that can lead to some consequence.

A.12 attack: An attempt to overcome the security system of an information system.

Note - The degree of "success" of an attack depends on the vulnerability and the effectiveness of the security system.

A.13 management: Coordinated activities for directing and controlling the organization.

A.14 business (continuity) management: Coordinated activities for directing and controlling the organization's business processes.

A.15 role: A predetermined set of rules and procedures for an organization's activities that establish acceptable interaction between the subject and the object of the activity.

A.16 owner of information: A person who independently created information or who received, on the basis of law or an agreement, the right to permit or restrict access to information determined by any criteria.


A.17 infrastructure: The totality of buildings, equipment and support services necessary for the functioning of an organization.

[GOST R ISO 9000-2001, clause 3.3.3]

A.18 audit: A systematic, independent and documented process of obtaining audit evidence and evaluating it objectively to determine the extent to which agreed audit criteria have been met.

Notes

1 Internal audits, called first-party audits, are carried out for internal purposes by the organization itself or on its behalf by another organization. The results of an internal audit may serve as the basis for a declaration of conformity. In many cases, particularly in small organizations, independence can be demonstrated by the auditors having no responsibility for the activity being audited.

2 External audits include audits called second-party audits and third-party audits. Second-party audits are carried out by parties with an interest in the enterprise's activities, for example consumers, or by others on their behalf. Third-party audits are carried out by external independent organizations. Such organizations carry out certification or registration for compliance with requirements, for example the requirements of GOST R ISO 9001 and GOST R ISO 14001.

3 An audit of quality and environmental management systems carried out simultaneously is called a “comprehensive audit”.

4 If the audit of the audited organization is carried out simultaneously by several organizations, then such an audit is called a “joint audit”.

A.19 monitoring: Systematic or continuous monitoring of an object, ensuring control and/or measurement of its parameters, as well as conducting analysis to predict the variability of parameters and make decisions on the need and composition of corrective and preventive actions.

A.20 declaration of conformity: A form of confirmation of product compliance with the requirements of technical regulations.

A.21 technology: A system of interrelated methods, ways and techniques of purposeful activity.

A.22 document: Information recorded on a tangible medium with details that allow it to be identified.

[GOST R 52069.0-2003, clause 3.18]

A.23 information processing: A set of operations of collection, accumulation, input, output, reception, transmission, recording, storage, registration, destruction, transformation, display, carried out on information.


Appendix B (for reference)

The relationship of basic concepts in the field of information security in an organization

The relationship between the basic concepts is shown in Figure B.1.


Figure B.1 - relationship between basic concepts


Bibliography

[1] R 50.1.053-2005 Information technology. Basic terms and definitions in the field of technical information security

[2] R 50.1.056-2005 Technical information security. Basic terms and definitions

[3] Federal Law "On technical regulation"

[4] Federal Law "On information, information technologies and information protection"

[5] Federal Law "On personal data"

[6] Information Security Doctrine of the Russian Federation

UDC 351.864.1:004:006.354 OKS 35.020

Key words: information, information security, information security in an organization, threats to information security, information security criteria

Editor V.N. Cops soya. Technical editor V.N. Prusakova. Corrector V.E. Nestorovo. Computer layout I.A. NapeikinoO.

Sent for typesetting 11/06/2009. Signed for printing 12/01/2009. Format 60×84. Offset paper. Arial typeface. Offset printing. Conventional printed sheets 2.32. Publisher's sheets 1.90. Circulation 373 copies. Order 626.

FSUE "STANDARTINFORM", 123995 Moscow, Granatny per., 4. info@gostinfo.ru

Typeset at FSUE "STANDARTINFORM" on a PC.

Printed at the branch of FSUE "STANDARTINFORM" - type. "Moscow Printer", 105062 Moscow, Lyalin per., 6.

  • GOST 22731-77 Data transmission systems, data link control procedures in the main mode for half-duplex information exchange
  • GOST 26525-85 Data processing systems. Usage metrics
  • GOST 27771-88 Procedural characteristics at the interface between data terminal equipment and data channel termination equipment. General requirements and standards
  • GOST 28082-89 Information processing systems. Methods for detecting errors in serial data transmission
  • GOST 28270-89 Information processing systems. Data Description File Specification for Information Exchange
  • GOST R 43.2.11-2014 Information support for equipment and operator activities. Operator language. Structured presentation of text information in message formats
  • GOST R 43.2.8-2014 Information support for equipment and operator activities. Operator language. Message Formats for Technical Activities
  • GOST R 43.4.1-2011 Information support for equipment and operator activities. “Man-information” system
  • GOST R 53633.10-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Organizational risk management
  • GOST R 53633.11-2015 Information technologies. Telecommunications control network. Extended communication organization activity diagram (eTOM). Decomposition and process descriptions. eTOM Level 2 Processes. Organization management. Organizational Performance Management
  • GOST R 53633.4-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Service management and operation
  • GOST R 53633.7-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Development and resource management
  • GOST R 53633.9-2015 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Planning strategy and development of the organization
  • GOST R 55767-2013 Information technology. European ICT Competence Framework 2.0. Part 1. Common European Competence Framework for ICT Professionals for all Industry Sectors
  • GOST R 55768-2013 Information technology. Model of an open Grid system. Basic provisions
  • GOST R 56093-2014 Information protection. Automated systems in a secure design. Means for detecting intentional force electromagnetic influences. General requirements
  • GOST R 56115-2014 Information protection. Automated systems in a secure design. Means of protection against intentional force electromagnetic influences. General requirements
  • GOST R 56545-2015 Information protection. Vulnerabilities of information systems. Rules for describing vulnerabilities
  • GOST R 56546-2015 Information protection. Vulnerabilities of information systems. Classification of information system vulnerabilities
  • GOST IEC 60950-21-2013 Information technology equipment. Safety requirements. Part 21. Remote power supply
  • GOST IEC 60950-22-2013 Information technology equipment. Safety requirements. Part 22. Equipment intended for installation outdoors
  • GOST R 51583-2014 Information protection. The procedure for creating automated systems in a secure design. General provisions
  • GOST R 55766-2013 Information technology. European ICT Competence Framework 2.0. Part 3. Creation of e-CF - combining methodological foundations and expert experience
  • GOST R 55248-2012 Electrical safety. Classification of interfaces for equipment connected to information and communication technology networks
  • GOST R 43.0.11-2014 Information support for equipment and operator activities. Databases in technical activities
  • GOST R 56174-2014 Information technologies. Architecture of services of an open Grid environment. Terms and Definitions
  • GOST IEC 61606-4-2014 Audio and audiovisual equipment. Components of digital audio equipment. Basic methods for measuring sound characteristics. Part 4. Personal computer
  • GOST R 43.2.5-2011 Information support for equipment and operator activities. Operator language. Grammar
  • GOST R 53633.5-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Marketing and product offering management
  • GOST R 53633.6-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Service development and management
  • GOST R 53633.8-2012 Information technologies. Telecommunications control network. Extended Communications Organization Activity Map (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Strategy, infrastructure and product. Supply chain development and management
  • GOST R 43.0.7-2011 Information support for equipment and operator activities. Hybrid-intellectualized human-information interaction. General provisions
  • GOST R 43.2.6-2011 Information support for equipment and operator activities. Operator language. Morphology
  • GOST R 53633.14-2016 Information technologies. Telecommunications management network is an extended communications organization operation framework (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Organization management. Stakeholder and external relations management
  • GOST R 56938-2016 Information protection. Information protection when using virtualization technologies. General provisions
  • GOST R 56939-2016 Information protection. Secure software development. General requirements
  • GOST R ISO/IEC 17963-2016 Specification of web services for management (WS-management)
  • GOST R 43.0.6-2011 Information support for equipment and operator activities. Naturally intellectualized human-information interaction. General provisions
  • GOST R 54817-2011 Ignition of audio, video, information technology and communications equipment accidentally caused by a candle flame
  • GOST R IEC 60950-23-2011 Information technology equipment. Safety requirements. Part 23. Equipment for storing large volumes of data
  • GOST R IEC 62018-2011 Energy consumption of information technology equipment. Measurement methods
  • GOST R 53538-2009 Multi-pair cables with copper conductors for broadband access circuits. General technical requirements
  • GOST R 53633.0-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). General structure of business processes
  • GOST R 53633.1-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Managing relationships with suppliers and partners
  • GOST R 53633.2-2009 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Resource Management and Operation
  • GOST R 53633.3-2009 Information technology. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. eTOM Level 2 Processes. Primary activity. Customer Relationship Management
  • GOST R ISO/IEC 20000-2-2010 Information technology. Service management. Part 2: Code of Practice
  • GOST R 43.0.3-2009 Information support for equipment and operator activities. Noon technology in technical activities. General provisions
  • GOST R 43.0.4-2009 Information support for equipment and operator activities. Information in technical activities. General provisions
  • GOST R 43.0.5-2009 Information support for equipment and operator activities. Information exchange processes in technical activities. General provisions
  • GOST R 43.2.1-2007 Information support for equipment and operator activities. Operator language. General provisions
  • GOST R 43.2.2-2009 Information support for equipment and operator activities. Operator language. General provisions for use
  • GOST R 43.2.3-2009 Information support for equipment and operator activities. Operator language. Types and properties of iconic components
  • GOST R 43.2.4-2009 Information support for equipment and operator activities. Operator language. Syntactics of sign components
  • GOST R 52919-2008 Information technology. Methods and means of physical protection. Classification and test methods for fire resistance. Data rooms and containers
  • GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions
  • GOST R 53245-2008 Information technologies. Structured cable systems. Installation of the main components of the system. Test methods
  • GOST R 53246-2008 Information technologies. Structured cable systems. Design of the main components of the system. General requirements
  • GOST R IEC 60990-2010 Methods for measuring touch current and protective conductor current
  • GOST 33707-2016 Information technologies. Dictionary
  • GOST R 57392-2017 Information technologies. Service management. Part 10. Basic concepts and terminology
  • GOST R 43.0.13-2017 Information support for equipment and operator activities. Directed training of specialists
  • GOST R 43.0.8-2017 Information support for equipment and operator activities. Artificially intellectualized human-information interaction. General provisions
  • GOST R 43.0.9-2017 Information support for equipment and operator activities. Informational resources
  • GOST R 43.2.7-2017 Information support for equipment and operator activities. Operator language. Syntax
  • GOST R ISO/IEC 38500-2017 Information technologies. Strategic IT management in an organization
  • GOST R 43.0.10-2017 Information support for equipment and operator activities. Information objects, object-oriented design in the creation of technical information
  • GOST R 53633.21-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.1 - Support and Availability of SM&O Processes
  • GOST R 57875-2017 Telecommunications. Connection diagrams and grounding in telecommunication centers
  • GOST R 53633.22-2017 Information technologies. Telecommunications control network. Extended scheme of communication organization activities (eTOM). Decomposition and descriptions of processes. Primary activity. Management and operation of services. eTOM Level 3 Processes. Process 1.1.2.2 - Configuring and activating services

This section provides general information and the texts of national standards of the Russian Federation (GOST R) in the field of information security.

  • Current list of modern GOSTs developed in recent years and planned for development.
  • Certification system for information security tools according to information security requirements No. ROSS RU.0001.01BI00 (FSTEC of Russia).
  • STATE STANDARD OF THE RUSSIAN FEDERATION. Information protection. Procedure for creating automated systems in a secure design. General provisions. Moscow.
  • STATE STANDARD OF THE RUSSIAN FEDERATION. Computer facilities. Protection against unauthorized access to information. General technical requirements. Date of introduction 1996-01-01.
  • National standard of the Russian Federation. Information protection. Basic terms and definitions (Protection of information. Basic terms and definitions). Date of introduction 2008-02-01.
  • STATE STANDARD OF THE RUSSIAN FEDERATION. Information protection. System of standards. Basic provisions (Safety of information. System of standards. Basic principles).
  • STATE STANDARD OF THE RUSSIAN FEDERATION. Information protection. Testing software for the presence of computer viruses. Model manual (Information security. Software testing for the existence of computer viruses. The sample manual).
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions.
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.
  • Information technology. Security techniques. Guidance for developing protection profiles and security targets.
  • Automatic identification. Biometric identification. Performance tests and test reports in biometrics. Part 3. Features of testing for various biometric modalities.
  • Information technology. Security techniques. Methodology for information technology security evaluation.
  • GOST R ISO/IEC 15408-1-2008 Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2008 Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional requirements.
  • GOST R ISO/IEC 15408-3-2008 Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance requirements.
  • GOST R 53109-2008 System for ensuring information security of a public communication network. Information security passport of a communications organization (Information security of the public communications network providing system. Passport of the organization communications of information security). Effective date: 09/30/2009.
  • GOST R 53114-2008 Information protection. Ensuring information security in the organization. Basic terms and definitions (Protection of information. Information security provision in organizations. Basic terms and definitions). Effective date: 09/30/2009.
  • GOST R 53112-2008 Information protection. Complexes for measuring parameters of spurious electromagnetic radiation and interference. Technical requirements and test methods (Information protection. Facilities for measuring side electromagnetic radiation and pickup parameters. Technical requirements and test methods). Effective date: 09/30/2009.
  • GOST R 53115-2008 Information protection. Testing of technical means of information processing for compliance with the requirements of security against unauthorized access. Methods and means (Information protection. Conformance testing of technical information processing facilities to unauthorized access protection requirements. Methods and techniques). Effective date: 09/30/2009.
  • GOST R 53113.2-2009 Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels (Information technology. Protection of information technology and automated systems against security threats posed by use of covert channels. Part 2. Recommendations on protecting information, information technology and automated systems against covert channel attacks). Effective date: 12/01/2009.
  • GOST R ISO/IEC TO 19791-2008 Information technology. Security techniques. Security assessment of automated systems (Information technology. Security techniques. Security assessment of operational systems). Effective date: 09/30/2009.
  • GOST R 53131-2008 Information protection. Recommendations for disaster recovery services for information and telecommunications technology security functions and mechanisms. General provisions (Information protection. Guidelines for recovery services of information and communications technology security functions and mechanisms. General). Effective date: 09/30/2009.
  • GOST R 54581-2011 Information technology. Security techniques. A framework for IT security assurance. Part 1. Overview and framework. Effective date: 07/01/2012.
  • GOST R ISO/IEC 27033-1-2011 Information technology. Security techniques. Network security.
Part 1: Overview and Concepts. Information technology. Security techniques. Network security. Part 1. Overview and concepts. Effective date: 01/01/2012. GOST R ISO/IEC 27006-2008 Information technology. Methods and means of ensuring security. Requirements for bodies performing audit and certification of information security management systems. Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems. Effective date: 09/30/2009. GOST R ISO/IEC 27004-2011 Information technology. Methods and means of ensuring security. Information security management. Measurements. Information technology. Security techniques. Information security management. Measurement. Effective date: 01/01/2012. GOST R ISO/IEC 27005-2010 Information technology. Methods and means of ensuring security. Information security risk management. Information technology. Security techniques. Information security risk management. Effective date: 12/01/2011. GOST R ISO/IEC 31010-2011 Risk management. Risk assessment methods (Risk management. Risk assessment methods). Effective date: 12/01/2012 GOST R ISO 31000-2010 Risk management. Risk management. Principles and guidelines. Effective date: 08/31/2011 GOST 28147-89 Information processing systems. Cryptographic protection. Cryptographic conversion algorithm. Effective date: 06/30/1990. GOST R ISO/IEC 27013-2014 “Information technology. Methods and means of ensuring security. Guidance on the combined use of ISO/IEC 27001 and ISO/IEC 20000-1 - effective September 1, 2015. GOST R ISO/IEC 27033-3-2014 “Network security. Part 3. Reference network scenarios. Threats, design methods and management issues” – comes into force November 1, 2015 GOST R ISO/IEC 27037-2014 “Information technology. Methods and means of ensuring security. Guidelines for the Identification, Collection, Retrieval and Retention of Digital Evidence - effective November 1, 2015. 
GOST R ISO/IEC 27002-2012 Information technology. Methods and means of ensuring security. Set of norms and rules for information security management. Information technology. Security techniques. Code of practice for information security management. Effective date: 01/01/2014. OKS code 35.040. GOST R 56939-2016 Information protection. Secure software development. General requirements (Information protection. Secure Software Development. General requirements). Effective date: 06/01/2017. GOST R 51583-2014 Information protection. The procedure for creating automated systems in a secure design. General provisions. Information protection. Sequence of protected operational system formation. General. 09/01/2014 GOST R 7.0.97-2016 System of standards for information, library and publishing. Organizational and administrative documentation. Requirements for the preparation of documents (System of standards on information, librarianship and publishing. Organizational and administrative documentation. Requirements for presentation of documents). Effective date: 07/01/2017. OKS code 01.140.20. GOST R 57580.1-2017 Security of financial (banking) transactions. Protection of information of financial organizations. The basic composition of organizational and technical measures - Security of Financial (banking) Operations. Information Protection of Financial Organizations. Basic Set of Organizational and Technical Measures. GOST R ISO 22301-2014 Business continuity management systems. General requirements - Business continuity management systems. Requirements. GOST R ISO 22313-2015 Business continuity management. Implementation Guide - Business continuity management systems. Guidance for implementation. GOST R ISO/IEC 27031-2012 Information technology. Methods and means of ensuring security. A Guide to Information and Communications Technology Readiness for Business Continuity - Information technology. Security techniques. 
Guidelines for information and communication technology readiness for business continuity. GOST R IEC 61508-1-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements. Date of introduction 2013-08-01. GOST R IEC 61508-2-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. System requirements. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. Requirements for systems. Date of introduction 2013-08-01. GOST R IEC 61508-3-2012 FUNCTIONAL SAFETY OF ELECTRICAL, ELECTRONIC, PROGRAMMABLE ELECTRONIC, SAFETY-RELATED SYSTEMS. Software requirements. IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements (IDT). GOST R IEC 61508-4-2012 FUNCTIONAL SAFETY OF ELECTRICAL, ELECTRONIC, PROGRAMMABLE ELECTRONIC, SAFETY-RELATED SYSTEMS Part 4 Terms and definitions. Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions. Date of introduction 2013-08-01. . GOST R IEC 61508-6-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 6. Guidelines for the use of GOST R IEC 61508-2 and GOST R IEC 61508-3. IEC 61508-6:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 (IDT). GOST R IEC 61508-7-2012 Functional safety of electrical systems, Functional safety of electrical, electronic, programmable electronic systems related to safety. Part 7. Methods and means. Functional safety of electrical electronic programmable electronic safety-related systems. Part 7. Techniques and measures. 
Date of introduction 2013-08-01. GOST R 53647.6-2012. Business continuity management. Requirements for a personal information management system to ensure data protection