Ruslan Rakhmetov, Security Vision
We continue to familiarise ourselves with the regulatory requirements related to the use of IRP/SOAR systems. In this article we will review the legislation related to the protection of information contained in state information systems, as well as to the protection of personal data. And in conclusion we will study the Draft National Standard GOST R ‘Information Protection. Information security monitoring. General Provisions’.
Order of the FSTEC of Russia No. 17 of 11.02.2013 ‘On Approval of Requirements for the Protection of Information Not Constituting a State Secret Contained in State Information Systems’ (as amended by Orders of the FSTEC of Russia No. 27, No. 106).
16.2 The organisational and administrative documents on information protection being developed shall define rules and procedures for:
...
identification of and response to incidents (a single event or a group of events) that may lead to failures or disruption of the information system and (or) information security threats (hereinafter referred to as incidents);
...
18. Information protection during the operation of the information system shall be provided by the operator in accordance with the operational documentation and organisational and administrative documents on information protection and shall include the following measures:
...
incident response;
...
18.5 Incident response shall include:
detection and identification of incidents, including denial of service, failures (reboots) in the operation of technical means, software and information protection means, violations of access delimitation rules, unlawful actions to collect information, introduction of malicious computer programmes (viruses) and other events leading to incidents;
timely informing, by users and administrators, of the persons responsible for identifying and responding to incidents about the occurrence of incidents in the information system;
analysing incidents, including determining the sources and causes of incidents, as well as assessing their consequences;
planning and taking measures to eliminate incidents, including restoring the information system and its segments in case of denial of service or after failures, eliminating the consequences of violation of access delimitation rules, unlawful actions to collect information, introduction of malicious computer programmes (viruses) and other events leading to the occurrence of incidents;
planning and taking measures to prevent recurrence of incidents.
Appendix No. 2 to Order No. 17 of the FSTEC of Russia.
V. Registration of Security Events (RSB):
RSB.3 - Collecting, recording and storing information on security events for a specified retention time
RSB.4 - Responding to failures in security event registration, including hardware and software errors, failures in information collection mechanisms and reaching the limit or overflow of memory capacity
RSB.5 - Monitoring (reviewing, analysing) and responding to security event logging results
RSB.8 - Provision of possibility to view and analyse information on actions of individual users in the information system
Order of the Federal Service for Technical and Export Control of Russia No. 21 of 18.02.2013 ‘On Approval of the Composition and Content of Organisational and Technical Measures to Ensure the Security of Personal Data when Processing in Personal Data Information Systems’ (as amended by Order of the Federal Service for Technical and Export Control of Russia No. 49).
8. The composition of measures to ensure the security of personal data, implemented as part of the personal data protection system, taking into account current threats to the security of personal data and information technologies used, includes:
...
registration of security events;
...
identification of incidents (a single event or a group of events) that may lead to failures or disruption of the information system functioning and (or) to the emergence of threats to personal data security (hereinafter referred to as incidents), and response to them;
...
8.5 Security event logging measures shall ensure collection, recording, storage and protection of information on security events in the information system, as well as the ability to view and analyse information on such events and respond to them.
...
8.14. Incident detection and response measures shall ensure that incidents in the information system are detected, identified, analysed, and measures to eliminate and prevent incidents are taken.
Appendix to Order No. 21 of the FSTEC of Russia.
V. Registration of Security Events (RSB):
RSB.3 - Collecting, recording and storing information on security events for a specified retention time
RSB.4 - Responding to failures in security event registration, including hardware and software errors, failures in information collection mechanisms, and reaching the limit or overflow of memory size (capacity)
RSB.5 - Monitoring (reviewing, analysing) and responding to security event logging results
XIV. Incident Detection and Response (IDR):
IDR.2 - Detection, identification and logging of incidents
IDR.3 - Timely notification, by users and administrators, of those responsible for incident detection and response about the occurrence of incidents in the information system
IDR.4 - Analysing incidents, including identifying the sources and causes of incidents and assessing their consequences
IDR.5 - Taking measures to eliminate the consequences of incidents
IDR.6 - Planning and taking measures to prevent recurrence of incidents
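Measure RSB.4 in both orders requires reacting to failures of the event registration itself, not only to the events it records. The following is an added example (not part of Order No. 17, Order No. 21 or any FSTEC material) of what such a check can look like in a SOAR playbook: it flags sources that have gone silent beyond their expected interval, picks up error and warning messages from the collectors, and warns when the event store approaches its capacity limit. The source names, thresholds, collector log format and all sample data are constructed for the example.

```python
"""Constructed RSB.4-style check: detect failures of security event
registration (silent sources, collector errors, store near capacity).
All names, thresholds and sample data are invented for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SourceState:
    """Last event seen from a source and how long it may stay silent."""
    name: str
    last_event: datetime
    max_silence: timedelta


# Constructed snapshot of the event store's view of its sources.
NOW = datetime(2024, 3, 1, 10, 0, 30)
SOURCES = [
    SourceState("fw-core", datetime(2024, 3, 1, 10, 0, 1), timedelta(minutes=5)),
    SourceState("dc01", datetime(2024, 3, 1, 9, 20, 0), timedelta(minutes=15)),
    SourceState("vpn-gw", datetime(2024, 3, 1, 9, 59, 0), timedelta(minutes=5)),
]

# Constructed lines written by the collectors themselves (hypothetical format:
# "<timestamp> collector=<name> level=<LEVEL> <message>").
COLLECTOR_LOG = [
    "2024-03-01T10:00:01Z collector=fw-core level=INFO batch=1200 ok",
    "2024-03-01T10:00:05Z collector=dc01 level=ERROR disk full, dropping events",
    "2024-03-01T10:00:09Z collector=vpn-gw level=WARN queue overflow, 340 events lost",
]


def silent_sources(sources, now):
    """Names of sources whose silence exceeds their allowed window."""
    return [s.name for s in sources if now - s.last_event > s.max_silence]


def collector_errors(lines):
    """(collector, level, message) for collector log lines at ERROR or WARN."""
    found = []
    for line in lines:
        _ts, collector, level, message = line.split(maxsplit=3)
        level = level.split("=", 1)[1]
        if level in ("ERROR", "WARN"):
            found.append((collector.split("=", 1)[1], level, message))
    return found


def storage_alert(used_bytes, capacity_bytes, threshold=0.85):
    """True once the event store has reached the given share of capacity."""
    return used_bytes / capacity_bytes >= threshold


def registration_failures(sources, now, collector_lines, used_bytes, capacity_bytes):
    """Combine the three RSB.4 conditions into one list of alert strings."""
    alerts = []
    for name in silent_sources(sources, now):
        alerts.append(f"no events from {name}: possible collection failure")
    for collector, level, message in collector_errors(collector_lines):
        alerts.append(f"{collector} reported {level}: {message}")
    if storage_alert(used_bytes, capacity_bytes):
        pct = 100 * used_bytes / capacity_bytes
        alerts.append(f"event store at {pct:.0f}% of capacity")
    return alerts


if __name__ == "__main__":
    # 900 of 1000 bytes used is a constructed value above the 85% threshold.
    for alert in registration_failures(SOURCES, NOW, COLLECTOR_LOG, 900, 1000):
        print(alert)
```

Each alert is itself a security event that should be registered and routed to the persons responsible under IDR.3, since a silent source is indistinguishable from an attacker who has disabled logging until someone looks.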
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) has been in force in the European Union since 25.05.2018. Its rules on the protection of personal data of EU citizens apply to any organisation working with personal data of EU residents, so any Russian company working with data of European citizens is obliged to comply with the provisions of the GDPR.
Paragraph 82. Ensuring monitoring of the use of personal data and providing records of such audit upon request from an authorised European supervisory authority.
Article 33. Responding to incidents (leaks) of personal data under the GDPR: notifying the authorised European supervisory authority within 72 hours of the discovery of the incident, specifying the necessary facts about the incident.
Draft national standard GOST R ‘Information Protection. Information security monitoring. General Provisions’
Draft national standard GOST R ‘Information protection. Information security monitoring. General Provisions’ was published by FSTEC of Russia on 11.08.2020, registered in Rosstandart on 27.07.2021, expected to be put into effect from 01.04.2022.
4.2 As part of information security monitoring activities, the following tasks shall be solved:
(a) In terms of activities of analysing security events and other monitoring data:
1) collection of security events and other monitoring data from various sources;
2) normalisation, filtering and aggregation of security event data;
3) analysing security events and other monitoring data;
4) correlating security events with data streams containing indicators of compromise;
5) monitoring, recording and analysing user and administrator actions;
6) collecting and analysing data on the results of monitoring of information flows;
7) detection of information security violations;
8) identification of hidden vulnerabilities by comparing the results of security event registration with the results of vulnerability analyses;
9) timely informing responsible persons about detected information security violations.
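Tasks 1) to 4) and 9) of 4.2 a) describe, in order, the stages of an event-analysis pipeline: collection from heterogeneous sources, normalisation to a common schema, filtering and aggregation, correlation with indicator-of-compromise feeds, and notification of responsible persons. The following added example (not from the draft standard or any FSTEC material) implements that chain end to end in Python over two constructed sources, one syslog-style firewall and one JSON authentication log, against a constructed IoC list. The field names, formats, thresholds and addresses (TEST-NET ranges) are all invented.

```python
"""Constructed monitoring pipeline for the 4.2 a) task list:
collect -> normalise -> filter -> aggregate -> correlate with IoC feed -> report.
Formats, field names, thresholds and sample data are invented."""
import json
import re
from collections import Counter

# Constructed raw input: (source name, raw record) pairs from two sources.
RAW_EVENTS = [
    ("fw", "Mar 1 10:00:01 fw-core DENY src=203.0.113.7 dst=10.0.0.5 dport=445"),
    ("fw", "Mar 1 10:00:02 fw-core ALLOW src=10.0.0.8 dst=10.0.0.5 dport=443"),
    ("auth", '{"time":"2024-03-01T10:00:03Z","user":"ivanov","src":"198.51.100.9","result":"fail"}'),
    ("auth", '{"time":"2024-03-01T10:00:04Z","user":"ivanov","src":"198.51.100.9","result":"fail"}'),
    ("auth", '{"time":"2024-03-01T10:00:05Z","user":"ivanov","src":"198.51.100.9","result":"fail"}'),
    ("auth", '{"time":"2024-03-01T10:00:06Z","user":"petrov","src":"10.0.0.8","result":"ok"}'),
    ("fw", "Mar 1 10:00:07 fw-core DENY src=203.0.113.7 dst=10.0.0.6 dport=445"),
]

# Constructed IoC feed (documentation addresses, not real indicators).
IOC_IPS = {"203.0.113.7", "198.51.100.9"}

FW_RE = re.compile(r"(?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def normalise(source, raw):
    """Map one raw record into the common schema; None if it cannot be parsed."""
    if source == "fw":
        m = FW_RE.search(raw)
        if not m:
            return None
        return {"source": "fw", "src": m["src"], "user": None,
                "outcome": "deny" if m["action"] == "DENY" else "allow"}
    rec = json.loads(raw)
    return {"source": "auth", "src": rec["src"], "user": rec["user"],
            "outcome": "fail" if rec["result"] == "fail" else "ok"}


def is_noise(event):
    """Filtering: drop successful internal traffic and logins that carry no signal here."""
    return event["outcome"] in ("allow", "ok") and event["src"].startswith("10.")


def aggregate(events):
    """Aggregation: failed logins per (user, src) and denied connections per src."""
    failed = Counter((e["user"], e["src"]) for e in events if e["outcome"] == "fail")
    denied = Counter(e["src"] for e in events if e["outcome"] == "deny")
    return failed, denied


def correlate(events, ioc_ips, fail_threshold=3, deny_threshold=2):
    """Correlation: IoC hits first, then threshold rules on the aggregates."""
    kept = [e for e in events if not is_noise(e)]
    failed, denied = aggregate(kept)
    findings = []
    for src in sorted({e["src"] for e in kept} & ioc_ips):
        hits = sum(1 for e in kept if e["src"] == src)
        findings.append(f"IoC hit: {src} seen in {hits} events")
    for (user, src), n in failed.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed logins for {user} from {src}")
    for src, n in denied.items():
        if n >= deny_threshold:
            findings.append(f"{n} denied connections from {src}")
    return findings


def run(raw_events, ioc_ips):
    """Whole chain; the returned list is what would be sent to responsible persons."""
    events = [normalise(s, r) for s, r in raw_events]
    return correlate([e for e in events if e is not None], ioc_ips)


if __name__ == "__main__":
    for finding in run(RAW_EVENTS, IOC_IPS):
        print("NOTIFY:", finding)
```

The normalisation step is what makes the later stages source-independent: once both sources share the same `src` and `outcome` fields, the IoC match and the threshold rules run unchanged when a third source is added.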
...
5.1.1 When monitoring information security, monitoring data may be collected using both automated and non-automated means.
The sources of information security monitoring data are:
- information security means;
- software;
- software and hardware;
- information services;
- information (automated) systems functioning environment;
- operator of information (automated) systems;
- other data sources (including externally available data sources).
5.1.2 When forming the list of data sources, the need to obtain the following information should be taken into account:
(a) data on security events from means that carry out registration of security events (sources of security events);
...
5.2.1 When monitoring information security, initial data shall be collected to the extent necessary and sufficient for analyses and various kinds of assessments of the state of information security.
5.2.2 When using automated monitoring tools, the following may be used to obtain initial data:
- agent-based data collection (security event monitoring agents);
- agentless data collection;
- questionnaires (forms);
- instrumental means.
...
5.3.1 Information security monitoring activities shall provide storage of data collected from sources and the results of their processing.
5.3.2 The timing and format of storage of data on security events shall ensure that it is possible to identify and analyse information security breaches that have occurred.
5.3.3 As part of information security monitoring activities, the following functions shall be implemented:
...
- analysing security events and other monitoring data to identify vulnerabilities, threats and information security violations;
...
- ... detection of information security violations.
5.5.1 Information security monitoring when implementing information security measures shall be performed for all events to be recorded and shall ensure timely detection of signs of information security breaches.
5.5.2 Information security monitoring activities may be applied to the implementation of information protection measures related to:
- control of the composition of software and hardware, software and information protection equipment (inventory);
- registration of security events;
- identification (search) of vulnerabilities;
- control and analysis of network traffic;
- control over the use of interfaces for input (output) of information to machine data carriers;
- analysing user actions;
- configuration management of information (automated) systems.
5.5.3 Information security monitoring measures may be applied as compensating measures in case of technical complexity of implementation or inexpediency of application of other information protection measures.
...
5.5.5 The processing and analysis of incoming information security monitoring data provides not only for the detection of various information security violations, but also for the use of the results of response to the detected information security violations in order to develop new and adjust existing rules for analysing security events and monitoring data (adding (deleting) additional conditions in order to increase the efficiency of detecting information security violations or to reduce the number of false violations being registered).
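Clause 5.5.5 describes a feedback loop: the verdicts recorded during response are fed back into the analysis rules as added or removed conditions. The following added example (not from the draft standard) shows one concrete form of that loop in Python: findings of a rule carry the responder's true/false-positive verdict, values that produced only false positives are turned into exclusion conditions on the rule, and the rule is re-run to confirm the false positives are gone while the true positives remain. The rule, the field names, the thresholds and the sample findings are all constructed.

```python
"""Constructed 5.5.5-style rule tuning: learn exclusion conditions from
response verdicts and re-evaluate the rule. Rule, fields and data are invented."""
from collections import Counter

# Constructed findings from a rule, each with the verdict recorded during response
# ("fp" = false positive, "tp" = confirmed violation).
FINDINGS = [
    {"rule": "admin-login-offhours", "user": "backup_svc", "host": "db01", "hour": 2, "verdict": "fp"},
    {"rule": "admin-login-offhours", "user": "backup_svc", "host": "db02", "hour": 2, "verdict": "fp"},
    {"rule": "admin-login-offhours", "user": "backup_svc", "host": "db01", "hour": 3, "verdict": "fp"},
    {"rule": "admin-login-offhours", "user": "ivanov", "host": "dc01", "hour": 3, "verdict": "tp"},
    {"rule": "admin-login-offhours", "user": "sidorov", "host": "db01", "hour": 22, "verdict": "tp"},
]


class Rule:
    """A match predicate plus a list of (field, value) exclusion conditions."""

    def __init__(self, name, match, exclusions=None):
        self.name = name
        self.match = match
        self.exclusions = list(exclusions or [])

    def fires(self, event):
        if not self.match(event):
            return False
        # An exclusion condition suppresses the finding when any pair matches.
        return not any(event.get(field) == value for field, value in self.exclusions)


def propose_exclusions(findings, field, min_fp=3, max_tp=0):
    """Propose (field, value) exclusions for values that produced only false positives.

    A value qualifies when it occurs in at least min_fp FP findings and at most
    max_tp TP findings, so a noisy but occasionally real value is never excluded."""
    fp = Counter(f[field] for f in findings if f["verdict"] == "fp")
    tp = Counter(f[field] for f in findings if f["verdict"] == "tp")
    return [(field, value) for value, n in fp.items() if n >= min_fp and tp[value] <= max_tp]


def tune(rule, findings, field="user"):
    """Return a copy of the rule extended with exclusions learned from response."""
    return Rule(rule.name, rule.match, rule.exclusions + propose_exclusions(findings, field))


def evaluate(rule, findings):
    """Re-run the rule over the same findings; count how many TP and FP remain."""
    return Counter(f["verdict"] for f in findings if rule.fires(f))


# Constructed rule: administrative logins outside 06:00-21:00.
OFFHOURS = Rule("admin-login-offhours", lambda e: e["hour"] < 6 or e["hour"] >= 21)

if __name__ == "__main__":
    print("before:", dict(evaluate(OFFHOURS, FINDINGS)))
    tuned = tune(OFFHOURS, FINDINGS)
    print("exclusions:", tuned.exclusions)
    print("after: ", dict(evaluate(tuned, FINDINGS)))
```

Tuning on the `host` field proposes nothing here because `db01` appears in both false and true positives, which is the point of the `max_tp` guard: an exclusion learned from response must not also silence a confirmed violation.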
5.5.6 As part of information security monitoring activities, a decision may be made to establish a single coordinating monitoring centre (information security monitoring situation centre) to control the quality of the organisation of the monitoring process, as well as the continuity and effectiveness of the information security monitoring process in various aspects....