ADMINISTRATION OF THE STATE SERVICE FOR SPECIAL COMMUNICATIONS AND INFORMATION PROTECTION OF UKRAINE

ORDER

14.05.2020 № 269


Registered at the Ministry of Justice of Ukraine
16 July, 2020
under № 668/34951

On establishing security and information protection requirements for qualified electronic trust service providers and their separate registration points

{With amendments made pursuant to the Order of the Administration of the State Service
for Special Communications and Information Protection
№ 289 dated 13.05.2021; the amendments are being processed}

Pursuant to the third paragraph of the second part of Article 8 of the Law of Ukraine "On Electronic Trust Services", point 37 of the first part of Article 14 of the Law of Ukraine "On the State Service for Special Communications and Information Protection of Ukraine" and subpoint 2 of point 3 of the Provisions for the State Service for Special Communications and Information Protection of Ukraine, approved by the Resolution of the Cabinet of Ministers of Ukraine dated 3 September, 2014 № 411, I ORDER:

1. To approve the Requirements for Security and Protection of Information for Qualified Providers of Electronic Trust Services and their Separate Registration Points (hereinafter - the Requirements), which are attached.

2. Director of the Department for Information Protection of the Administration of the State Service for Special Communications and Information Protection of Ukraine to ensure this order is submitted to the Ministry of Justice of Ukraine for state registration in the prescribed manner within three days after it is signed.

3. This order shall enter into force on the day of its official publication.

4. Qualified providers of electronic trust services to ensure they:

1) bring their activities in line with the Requirements by amending their regulations by 7 November, 2020;

2) comply with points 1 and 2 of Section IV of the Requirements, until the expiry of certificates of compliance with the comprehensive information protection system of the information and telecommunications system used by them to provide qualified electronic trust services, but not later than 1 January, 2023.

5. Monitoring the implementation of this order shall be assigned to the deputy head of the State Service for Special Communications and Information Protection of Ukraine pursuant to the division of functional responsibilities.

Head of the Service

V. Petrov

AGREED:

Deputy Minister for Digital Transformation of Ukraine - L. Rabchynska

Chairman of the Antimonopoly Committee of Ukraine - Yu. Terentyev

Minister of Finance of Ukraine - S. Marchenko

acting Chairman of the State Regulatory Service of Ukraine - O. Miroshnichenko


APPROVED
Order of the Administration of the State
Service for Special Communications
and Information Protection of Ukraine
14 May, 2020 № 269


Registered at the Ministry of Justice of Ukraine
16 July, 2020
under № 668/34951

REQUIREMENTS
for the security and protection of information for qualified providers of electronic trust services and their separate registration points

I. General provisions

1. The provisions of these Requirements are mandatory for qualified providers of electronic trust services (hereinafter - providers) when providing services to users of electronic trust services (hereinafter - users), as well as for their separate registration points (hereinafter - SRP) when registering users.

2. These Requirements detail and determine the manner of implementation of the Law of Ukraine "On Electronic Trust Services" and the Requirements in the Area of Electronic Trust Services, approved by the Resolution of the Cabinet of Ministers of Ukraine dated 7 November, 2018, № 992, to ensure information security and protection at providers and SRPs.

3. Information security at providers and SRPs is ensured by the comprehensive application of the necessary set of complementary measures: information protection measures in the ITS of providers or SRPs, organizational (administrative) measures, and compliance of premises, storage facilities, software and hardware and electronic equipment with technical requirements.

4. The security and information protection activities of providers (SRPs) are organized, continuously supported and coordinated by the information protection service (hereinafter - IPS) in compliance with the legislation in the area of information protection, electronic trust services and providers’ regulations.

5. In these Requirements, the terms are used in the following meanings:

vulnerability - insufficient stability of an asset or mitigation measure to resist a particular threat or set of threats;

threat - a potential opportunity to exploit a vulnerability;

critical component - a component that affects the provision of qualified electronic trust services if its protection is breached;

premises - premises of the provider or SRP designated for the placement of software and hardware (hereinafter - SH) or SH components used in the provision of qualified electronic trust services, which are divided into security levels according to the degree of access restriction;

office premises (safe zone) - premises to which access is provided with the use of organizational and technical control measures (physical and logical control);

special room (increased security zone) - a room designed to accommodate the software and hardware components for the purpose of generating, using, storing and reserving the personal keys of the provider;

registration - a procedure to establish users’ identity and gather, verify and enter into the register users’ identification data required to provide a qualified electronic trust service.

Other terms are used in the meanings given in the Laws of Ukraine "On Electronic Trust Services" and "On Information Protection in Information and Telecommunications Systems", the Rules for Information Protection in Information, Telecommunications and Information and Telecommunications Systems, approved by the resolution of the Cabinet of Ministers of Ukraine dated 29 March, № 373 (hereinafter - the Rules), and the Requirements in the field of electronic trust services, approved by the resolution of the Cabinet of Ministers of Ukraine dated 7 November, 2018, № 992.

II. Information protection requirements

1. Information and telecommunications systems (hereinafter - ITS) used for the purposes set forth in point 1 of Section I of these Requirements must meet the requirements for information protection by implementing a comprehensive information security system (hereinafter - CISS) or information security management system (hereinafter - ISMS) with confirmed compliance with the requirements of the legislation in the field of information protection and these Requirements, unless otherwise provided by the Law of Ukraine "On Protection of Information in Information and Telecommunications Systems".

2. A CISS is created pursuant to the requirements of regulatory documents for technical information protection systems approved by the State Special Communications Administration.

An ISMS is created pursuant to the information security standards set out in the List of Standards used by qualified providers of electronic trust services in providing qualified electronic trust services, attached to the Requirements in the Area of Electronic Trust Services approved by the resolution of the Cabinet of Ministers of Ukraine dated 7 November, 2018, № 992.

3. Confirmation of CISS compliance is carried out pursuant to the requirements of the Regulation on State Expert Assessment in the Area of Technical Protection of Information, approved by the order of the State Special Communications Service Administration dated 16 May, 2007 № 93, registered at the Ministry of Justice of Ukraine on 16 July, 2007, under № 820/14087 (as amended).

Confirmation of ISMS compliance is carried out pursuant to the Procedure for Conducting Conformity Assessment Procedures in the Area of Electronic Trust Services, approved by the Resolution of the Cabinet of Ministers of Ukraine dated 18 December, 2018, № 1215.

4. If a qualified provider of electronic trust services is assigned to a critical infrastructure facility pursuant to the legislation in the field of cyber security, cyber security measures must be implemented in the provider's ITS pursuant to the Cabinet of Ministers of Ukraine resolution of 19 June 2019, № 518 "On Approval of General Requirements for Cyber Security for Critical Infrastructure Facilities".

5. Provision of qualified electronic trust services and registration of users without valid documents confirming the compliance of an ITS with the legislation in the area of information protection is prohibited.

III. Organizational requirements

1. General organizational requirements

1. The provisions of the provider's regulations regarding the certificate policy and/or the provisions describing the procedures and processes performed during the provision of qualified electronic trust services that do not involve the creation and maintenance of qualified public key certificates should specify the requirements for procedures for managing risks, personnel, operational security, incidents, evidence and archiving, handling of users' personal data, procedures for identifying applicants, SRPs and on-site registration administrators, a description of the physical environment taking into account these Requirements, and elements of technical specifications and procedures for a high level of assurance in electronic identification as established by the Requirements for Electronic Identification, Assurance Levels in Electronic Identification for Use in E-government, approved by the State Agency for Electronic Government dated 27 November, 2018, № 86, registered by the Ministry of Justice of Ukraine on 26 December, 2018 under № 1462/32914.

2. The provider must protect its assets in accordance with the risk assessment. Risk management procedures should provide for the implementation of risk assessment measures taking into account these Requirements.

3. Personnel management procedures should include:

1) the provider has at least two security and audit administrator positions;

2) the security and audit administrator holding annual practical exercises on information security that enable the study of new information security threats and how to respond to them;

3) a ban on the security and audit administrator combining their job responsibilities with other job responsibilities directly related to the provision of qualified electronic trust services;

4) the establishment of appropriate requirements for the qualifications of personnel directly related to the provision of qualified electronic trust services.

2. Operational security management

1. Operational security management procedures should include:

1) monitoring the use of information carriers in ITS aimed at preventing theft, damage, use beyond service life, unauthorized access and use;

2) supervising the installation of computer software updates and security updates;

3) backup of data necessary for ITS to function to physically separate places, to ensure this data is protected from modification and unauthorized access;

4) access controls for offices and special premises.

2. Applying security updates that contain vulnerabilities or are unstable is prohibited. The reasons for not applying a security update are documented.

3. It is forbidden to update computer programs used in ITS from unidentified and non-authenticated sources.

3. Incident management

1. Incident management procedures should include:

1) implementation of measures specified by the Procedure for Coordination of Activities of State Authorities, Local Self-Government Bodies, Military Formations, Enterprises, Institutions and Organizations Irrespective of Forms of Ownership for the Prevention, Detection and Elimination of Unauthorized Actions Against State Information Resources in Information, Telecommunications and Information-Telecommunications Systems, approved by the order of the State Special Communications Administration dated 10 June, 2008, № 94, registered at the Ministry of Justice of Ukraine on 7 July, 2008, under № 603/15294;

2) informing the supervisory body if there is a violation of the requirements for the security and protection of information, as defined in the eleventh paragraph of the second part of Article 13 of the Law of Ukraine "On Electronic Trust Services", within 24 hours after a violation is detected;

3) informing users who are provided with services about security breaches that cause them a negative impact within two hours after the violation is detected.

4. Evidence and archive management

1. Procedures for managing evidence and archives should include the keeping of audit logs of events in which the following types of events are recorded:

1) attempts to create, destroy, set passwords, change access rights in ITS, etc.;

2) replacement of ITS hardware and key pairs;

3) creation, blocking, revocation and renewal of qualified public key certificates, compiling of lists of revoked public key certificates;

4) attempts at unauthorized access to ITS;

5) providing staff with access to ITS;

6) changes in system configurations and ITS maintenance;

7) disruptions in ITS operations;

8) other events necessary for the collection of evidence.

2. All records in event audit logs in electronic or paper form must contain the date and time of the event, as well as identify entities that initiated or participated in it.

3. Event audit logs are backed up and reviewed by the security and audit administrator at least once a week; the review checks for unauthorized modifications and examines the recorded events.

4. The time recorded in the event audit log must be synchronized with Coordinated Universal Time to the nearest second.

5. Event audit logs must be protected from unauthorized review, modification and destruction.

6. Event records in the event audit logs in paper form must be certified and signed by the security administrator.

7. The provider keeps event audit logs at the place of their creation for 10 years, after which it ensures they are transferred to archival storage.

5. Requirements for the treatment of users’ personal data

1. The signatories’ files are stored at premises and repositories that ensure delimitation of access by the personnel of the provider or SRP pursuant to their job responsibilities.

2. Temporary storage (during the working day) of signatories' files at the place of their registration is allowed, provided they are protected from unauthorized access (stored in a fireproof cabinet or safe).

3. If key authentication mechanisms are implemented, key authentication phrase data should be stored in the provider's ITS with access to the information only by the provider's staff responsible for managing the status of signatories' public key certificates.

6. Requirements for procedures for establishing the identity of applicants, SRPs and visiting registration administrators

1. Procedures for identifying applicants must use existing services to verify the validity of documents and identification information. These services may include "Verification on the Basis of Invalid Documents" (nd.dmsu.gov.ua) and "Unified State Register of Legal Entities, Individual Entrepreneurs and Public Associations" (usr.minjust.gov.ua).

2. ID card data is verified in one of the following ways:

without the involvement of additional devices, by visual comparison of the same information (the "UNZR", "document №", "date of birth" and "validity period" fields) printed in the visual inspection area and in the machine-readable area;

by automated reading of information using hardware and software (readers), which have an interface published on the official website of the state enterprise "Printing Plant ‘Ukraine’".

3. If a provider intends to provide qualified electronic trust services through an SRP or apply on-site registration procedures, the provider's regulations shall specify, in the provisions on certificate policy, the requirements for publication on the provider's official website of identification data on its SRPs and on-site registration administrators.

IV. Technical requirements

1. Requirements for a provider's premises

1. A provider's premises must be divided into functional zones according to the security levels of the premises established by the provider.

For each level of premises security, a minimum necessary set of security mechanisms is defined, in particular: access control, intrusion detection, fire alarm and fire extinguishing, alternative and backup power sources, etc. (hereinafter - premises security mechanisms).

Premises security mechanisms can be changed on the basis of assessed risks and the corresponding mechanisms chosen to mitigate these risks.

Recommendations for establishing premises security levels and the mechanisms that provide these levels are published by the Administration of the State Service for Special Communications and Information Protection of Ukraine on its official website.

2. Components that are critical to the safe operation of the provider should be located in a safe and secure environment with physical intrusion protection, access control at the security perimeter, and intrusion detection alarms.

2. Safe storage requirements

1. Secure storage is located in a special room and is designed exclusively to store media critical for the provision of services by the provider (attributes of access to qualified electronic signatures or seals, which store the provider's private key backup data, authorization tools in the provider's SH, etc.).

2. The storage facility design should provide a sufficient number of individual compartments for each authorized official who, pursuant to his/her official duties, works with critical information for the provider.

3. Access to the compartments is carried out with the participation of two authorized officials who, pursuant to their official duties, work with critical information for the provider.

4. Safe storage must have a certificate of compliance with DSTU EN 1143-1 "Means of Safe Storage. Requirements, classification and burglary resistance test methods. Part 1: Storage, storage doors, safes and ATM safes".

3. Requirements for SH

1. SH used in the provision of electronic trust services must meet the requirements of the order of the Ministry of Justice of Ukraine and the Administration of the State Service for Special Communications and Information Protection of Ukraine dated 18 November, 2019, № 3563/5/610 "Establishing Requirements for Technical Equipment, Processes of their Creation, Use and Functioning As Part of Information and Telecommunications Systems In Providing Electronic Trust Services", registered with the Ministry of Justice of Ukraine on 20 November, 2019, under № 1172/34143.

V. Requirements for risk assessment

1. Risk assessment

1. Risk assessment is based on the requirements of DSTU ISO/IEC 27005:2015 (ISO/IEC 27005:2011, IDT) "Information technology. Methods of protection. Information Security Risk Management" and other regulatory documents on risk assessment.

To carry out a risk assessment, the provider shall take at least the measures provided for in this section.

2. Risk assessment procedures should include measures to identify assets, threats, vulnerabilities and the likelihood of threats, and to assess their consequences and mitigation measures. A risk value is a relative value that allows the impact of risks on the activities of the provider to be assessed.

3. Risks are assessed by the following formula:

RISK = VULNERABILITY * CONSEQUENCE OF THREATS

where:

"vulnerability" has a value from 0 to 2 and is calculated pursuant to point 4 of section V of these Requirements;

"consequences of the exploitation of threats" have values from 1 to 5 and are calculated pursuant to point 3 of section V of these Requirements;

"*" is a mathematical multiplication operation.

4. Risks that have values greater than/equal to 4 are considered unacceptable and require mandatory measures to mitigate them.

2. Definition of assets

1. The provider's assets include tangible assets that the provider may measure in terms of their value, information that the provider provides and/or generates and stores to ensure an appropriate level of confidence, and related processes.

2. All assets must be identified and declared. Persons responsible for the protection and support of each asset are appointed.

3. After the assets are identified, their value for the provider is assessed. The value of an asset is determined based on an assessment of the negative consequences of a possible incident that affects it. The value of an asset can have qualitative (critical) and quantitative (cost) characteristics.

4. Assets should be classified on the basis of their type and characteristics and belong to the following categories:

1) main assets, which comprise information assets and processes;

2) support assets, which comprise software and hardware, equipment, networks, personnel, locations, etc.

5. Main assets must include at least the following:

1) information assets:

provider’s personal keys;

provider's public key certificates;

applicants’ registration data;

user public key certificates;

requests to change certificate status;

lists of revoked certificates;

audit logs;

archives;

2) process assets:

generation of provider key pairs;

use, backup and recovery of provider keys;

destruction of provider personal keys;

public key certificate creation;

public key certificate distribution;

public key certificate status management;

registration of applicants;

operation of an integrated electronic security system that ensures uninterrupted operation of the provider’s facilities and critical systems in an environment with a general high level of security (hereinafter - ESS).

6. Support assets must include at least the following:

1) ITS provider and SRP software and equipment:

the hardware on which the provider's SH is based;

software used as part of SH;

SRP hardware;

SRP software;

USB storage and secure storage media used in SH and SRP, smart cards, etc.;

network infrastructure;

ESS equipment;

uninterruptible power supply equipment;

2) location assets:

provider’s special and office premises;

SRP premises;

provider's website environment;

3) staff assets:

provider employees whose job responsibilities are directly related to the provision of qualified electronic trust services;

provider employees who carry out functions that are not directly related to the provision of qualified electronic trust services;

4) total assets:

provider’s business reputation;

compliance with the law;

provider’s trust relations (relations with business partners, suppliers of electricity and telecommunications services, regulatory authorities, companies engaged in the maintenance and upgrade of SH facilities, networks, etc.);

provider’s customer base.

3. Threat identification

1. Threat identification procedures should include measures to identify threats and assess the likelihood they will occur and consequences. Threats are identified for each of the identified assets.

2. The provider must generate a list of potential threats with an estimate of the probability they will occur that corresponds to its real business and operational environment.

The probability each threat will occur is estimated on the basis of:

motivation of threat actor for each threat;

opportunities to exploit vulnerabilities, taking into account existing countermeasures;

analysis of past events.

For each threat, the consequences of its implementation are assessed differentially on a scale from 1 to 5.

A value of 1 means there are no consequences for the provider's activities.

A value of 5 means there are critical consequences that could lead to the termination of the provider.

3. By their origin, threats are divided into natural threats, anthropogenic threats and threats of failure to receive the necessary equipment or services; by place of origin they are internal or external; and they may be accidental or intentional. This list of threats is not exhaustive. A threat belongs to a certain category according to its predominant characteristics.

4. Natural threats and the probability they will occur are determined taking into account the physical location of a provider's infrastructure and statistical analysis of previous events. Natural hazards may include:

seismic or hydrological events;

fires;

water damage (flooding) or corrosion;

electromagnetic phenomena (anomalies);

storms.

5. Threats of non-receipt by a provider of the necessary equipment or services are determined on the basis of analysis of the provider's operations that require periodic or systematic receipt of certain equipment or services, where failure to receive them may lead to termination of the provider or its units. Threats of failure to receive the necessary equipment or services by the provider may include:

power supply;

access to telecommunications networks;

maintenance of cooling systems;

equipment and/or consumables required for operation.

6. Anthropogenic threats (caused by human actions) are determined on the basis of analysis of the provider's operations in which a person participates. Anthropogenic threats are divided into intentional (caused by threat actors) or accidental.

Anthropogenic threats may include:

theft or loss of equipment and/or data;

accidental destruction of equipment and/or data;

unauthorized access to equipment and data;

malware;

information leakage;

cryptanalysis.

Threat actors may include:

wreckers;

computer criminals;

spy organizations;

dissatisfied employees.

In certain cases, natural threats and threats of failure to receive the necessary equipment or services by the provider may also be caused by a threat actor (be intentional).

4. Identification of vulnerabilities

1. Possible vulnerabilities are identified to establish the potential weakness of an asset or group of assets to threats. To determine the potential for vulnerability, certain assets, threats, and measures to mitigate threats are used. When identifying potential vulnerabilities, all a provider’s assets are assessed.

2. The vulnerability of an asset is determined by the following formula:

VULNERABILITY = THREAT/(THREAT MITIGATION MEASURES+ASSET)

where:

"threat" has a value of 0 if there is none, 1 if probability is low or 2 if it exists;

"threat mitigation measures" have a value of 0 if there are no guarantees that they are effective in counteracting the exploitation of threats to a specific asset, or 2 if they are able to effectively counter the exploitation of threats to a specific asset;

"asset" has a value of 1;

"/" is a mathematical division operation;

"+" is a mathematical addition operation.

3. If the vulnerability is greater than or equal to 1, additional mitigation measures are required. If the vulnerability is less than 1, it is considered mitigated or absent (value 0).
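The following worked calculation of the vulnerability formula above and the risk formula in point 3 of section V.1, over the exact scales the Requirements fix (threat 0/1/2, mitigation 0/2, asset 1, consequences 1 to 5), is added here as an illustration and is not part of the text of the Order; the Python function and variable names are assumed.

```python
from fractions import Fraction
from itertools import product

# Allowed input values, as fixed by section V of the Requirements.
THREAT_VALUES = (0, 1, 2)             # 0 = no threat, 1 = low probability, 2 = threat exists
MITIGATION_VALUES = (0, 2)            # 0 = no guarantee of effectiveness, 2 = effective
ASSET_VALUE = 1                       # "asset" always has the value 1
CONSEQUENCE_VALUES = (1, 2, 3, 4, 5)  # 1 = no consequences, 5 = critical consequences

VULNERABILITY_THRESHOLD = 1   # point 3 of section V.4: >= 1 needs additional mitigation
RISK_THRESHOLD = 4            # point 4 of section V.1: >= 4 is unacceptable


def raw_vulnerability(threat, mitigation, asset=ASSET_VALUE):
    """VULNERABILITY = THREAT / (THREAT MITIGATION MEASURES + ASSET).

    Fractions keep the division exact, so 2/3 is never rounded up to 1.
    """
    if threat not in THREAT_VALUES:
        raise ValueError("threat must be 0, 1 or 2")
    if mitigation not in MITIGATION_VALUES:
        raise ValueError("threat mitigation measures must be 0 or 2")
    return Fraction(threat, mitigation + asset)


def effective_vulnerability(threat, mitigation):
    """Apply point 3 of section V.4: a value below 1 counts as mitigated (0)."""
    value = raw_vulnerability(threat, mitigation)
    return value if value >= VULNERABILITY_THRESHOLD else Fraction(0)


def risk(threat, mitigation, consequence):
    """RISK = VULNERABILITY * CONSEQUENCE OF THREATS (point 3 of section V.1)."""
    if consequence not in CONSEQUENCE_VALUES:
        raise ValueError("consequence must be on the 1..5 scale")
    return effective_vulnerability(threat, mitigation) * consequence


def assess(threat, mitigation, consequence):
    """Full assessment of one asset/threat pair, with both decision flags."""
    vulnerability = raw_vulnerability(threat, mitigation)
    risk_value = risk(threat, mitigation, consequence)
    return {
        "vulnerability": vulnerability,
        "needs_additional_mitigation": vulnerability >= VULNERABILITY_THRESHOLD,
        "risk": risk_value,
        "unacceptable": risk_value >= RISK_THRESHOLD,
    }


def unacceptable_combinations():
    """Every (threat, mitigation, consequence) triple on the scales that yields risk >= 4.

    Effective mitigation (value 2) caps the raw vulnerability at 2/3, which
    point 3 of section V.4 reduces to 0, so every unacceptable triple has
    mitigation == 0: only unmitigated threats can produce an unacceptable risk.
    """
    return [
        (threat, mitigation, consequence)
        for threat, mitigation, consequence in product(
            THREAT_VALUES, MITIGATION_VALUES, CONSEQUENCE_VALUES
        )
        if risk(threat, mitigation, consequence) >= RISK_THRESHOLD
    ]


if __name__ == "__main__":
    # Constructed sample: the provider's private key (asset) faced with an existing
    # theft threat (2), no effective mitigation (0) and critical consequences (5).
    print(assess(threat=2, mitigation=0, consequence=5))
    # The same asset once an effective mitigation measure is in place.
    print(assess(threat=2, mitigation=2, consequence=5))
    for triple in unacceptable_combinations():
        print("unacceptable:", triple)
```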

4. The provider takes measures to mitigate threats by complying with the legislation in the area of electronic trust services and takes other appropriate measures pursuant to the standards in the area of information security.

Mitigation measures include those measures that can effectively counteract the exploitation of a threat to a particular asset.

One threat can be exploited for one or more assets.

One mitigation measure can be applied to one or more threats.

5. When identifying potential vulnerabilities, at least the following processes are evaluated:

registration of applicants, events, audit logs and archives;

provider key management (generation, backup, recovery, storage, use and destruction);

use of qualified electronic signatures;

mechanisms for verifying possession of a private key by an applicant and receipt of a public key from the applicant;

authentication of users when submitting requests to change certificate status;

ensuring a provider’s operations (receipt by the service provider of electricity, communications, consumables and equipment, etc.).

6. Vulnerabilities in applicant registration processes, events, audit logs and archives may include:

inadequacy or lack of identity verification policies, which may lead to incorrect identification of an applicant entity;

inadequacy or lack of policies for maintaining and storing audit logs;

insufficient protection of SRP from malicious software that may make unauthorized certification requests or lead to SH failure;

insufficient level of protection of registration records and archives.

7. Vulnerabilities in key management processes may include:

no backup of the provider's private keys;

insufficient protection of backup copies of the provider's personal keys;

failure to use methods and measures that guarantee a provider's personal key cannot be restored once it is destroyed.

8. Vulnerabilities in the use of qualified electronic signatures may include:

inadequacy or lack of policies for verifying how users employ qualified electronic signature means to generate and store private keys;

use, for storing private keys, of qualified electronic signature means that do not protect the private keys against unauthorized access, direct discovery of their parameters and copying.

9. Vulnerabilities in the mechanisms for verifying the applicant's possession of a private key and obtaining a public key from an applicant may include:

inadequacy or lack of policies to verify an applicant's possession of a private key;

lack of malware scanning of the data carriers on which applicants submit pre-generated certification requests with public keys to the provider, and/or connection of such media directly to the provider's SH.

10. Vulnerabilities in user authentication processes when they request certificate status changes may include inadequacy or lack of keyword authentication policies.

11. Vulnerabilities in the provider's support processes may include:

concluding an agreement with an electricity supplier that does not guarantee power outages will be eliminated before the autonomous uninterruptible power supply system runs out;

lack of redundancy of telecommunications access networks;

lack of accounting and pre-order of consumables required for the provider’s work;

operation of machinery and equipment beyond the established service life.

Director of the Department of Information Protection
of the Administration of the State Service for Special
Communications and Protection of Information of Ukraine - A. Pushkarev