Standard requirements for the organization and maintenance of functioning. Prigorodny District Court of the Sverdlovsk Region

Approved by the leadership of the 8th Center of the FSB of Russia

TYPICAL REQUIREMENTS

FOR ORGANIZING AND ENSURING THE FUNCTIONING OF ENCRYPTION (CRYPTOGRAPHIC) TOOLS INTENDED TO PROTECT INFORMATION THAT DOES NOT CONTAIN INFORMATION CONSTITUTING A STATE SECRET, WHEN THEY ARE USED TO ENSURE THE SECURITY OF PERSONAL DATA DURING THEIR PROCESSING IN PERSONAL DATA INFORMATION SYSTEMS

1. General Provisions

1.1. These Requirements define the procedure for organizing and ensuring the functioning of encryption (cryptographic) tools designed to protect information that does not contain information constituting a state secret (hereinafter referred to as a cryptographic tool), if they are used to ensure the security of personal data during their processing in personal data information systems (hereinafter referred to as the information system).

1.2. These Requirements have been developed in response to:

Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 (hereinafter referred to as the Regulation);

Regulations on the Federal Security Service of the Russian Federation, approved by Decree of the President of the Russian Federation of August 11, 2003 N 960.

1.3. These Requirements:

Are mandatory for the operator processing personal data, as well as the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data, and (or) the person to whom, on the basis of an agreement, the operator entrusts the provision of services for organizing and ensuring the security of personal data during their processing in the information system using cryptographic tools. At the same time, an essential condition of the contract is the obligation of the authorized person to ensure the confidentiality of personal data and the security of personal data during their processing in the information system in cases provided for by applicable law;

Apply to cryptographic tools designed to ensure the security of personal data during their processing in personal data information systems, all the technical means of which are located within the Russian Federation, as well as in systems, the technical means of which are partially or entirely located outside the Russian Federation;

Do not cancel the requirements of other documents regulating the procedure for handling limited distribution official information in federal executive bodies.

The operator, taking into account the peculiarities of his activities, may develop methodological recommendations for their application that do not contradict these Requirements.

The terms and definitions used for the purposes of these Requirements are given in Appendix 1.

2. Organization and security of processing of personal data using encryption (cryptographic) tools

2.1. The security of personal data processing using cryptographic tools is organized and ensured by operators, as well as persons to whom, on the basis of an agreement, the operator entrusts the processing of personal data, and (or) persons to whom, on the basis of an agreement, the operator entrusts the provision of services for organizing and ensuring the security of processing in the information system of personal data using cryptographic tools.

Ensuring the security of personal data using cryptographic tools should be carried out in accordance with:

1) Order of the Federal Security Service of Russia dated February 9, 2005 N 66 "On approval of the Regulations on the development, production, sale and operation of encryption (cryptographic) means of protecting information (Regulation PKZ-2005)";

2) Decree of the Government of the Russian Federation of December 29, 2007 N 957 "On approval of regulations on licensing certain types of activities related to encryption (cryptographic) means";

3) Guidelines for ensuring the security of personal data using cryptographic tools when they are processed in personal data information systems using automation tools (N 149 / 54-144, 2008, FSB of Russia);

4) These Requirements.

2.2. Operators are responsible for the compliance of their measures to organize and ensure the security of processing personal data using cryptographic tools with licensing requirements and conditions, operational and technical documentation for cryptographic tools, as well as these Requirements.

At the same time, operators must ensure the comprehensiveness of the protection of personal data, including through the use of non-cryptographic means of protection.

2.3. When developing and implementing measures to organize and ensure the security of personal data during their processing in the information system, the operator or a person authorized by the operator shall carry out:

Development, for each personal data information system, of a model of threats to the security of personal data during their processing;

Development, on the basis of the threat model, of a personal data security system that ensures the neutralization of all threats listed in the model;

Determination of the need to use cryptographic tools to ensure the security of personal data and, in the case of a positive decision, determination, based on the threat model, of the purpose of using cryptographic tools to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data and (or) other illegal actions during their processing;

Installation and commissioning of cryptographic tools in accordance with the operational and technical documentation for these tools;

Checking the readiness of cryptographic tools for use, with drawing up of conclusions on the possibility of their operation;

Training of persons who use cryptographic tools in how to work with them;

Per-copy accounting of the cryptographic tools used, the operational and technical documentation for them, and carriers of personal data;

Accounting for persons authorized to work with cryptographic tools designed to ensure the security of personal data in the information system (users of cryptographic tools);

Monitoring compliance with the conditions for the use of cryptographic tools provided for by the operational and technical documentation for them;

Investigation and drawing up of conclusions on violations of the storage conditions of personal data carriers or of the use of cryptographic tools that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of protection of personal data, and the development and adoption of measures to prevent possible dangerous consequences of such violations;

Description of the organizational and technical measures that the operator undertakes to implement in order to ensure the security of personal data using cryptographic tools during their processing in information systems, indicating in particular:

A) index, code name and registration numbers of the cryptographic tools used;

B) compliance of the placement and installation of the apparatus and equipment that is part of the cryptographic tools with the requirements of regulatory documentation and the rules for using cryptographic tools;

C) compliance of the premises in which cryptographic tools are located and key documentation for them is stored with these Requirements, with a description of the main means of protection;

D) fulfillment of the Requirements for material carriers of biometric personal data and technologies for storing such data outside personal data information systems.

A description of the measures taken must be included in the notification provided for by Part 1 of Article 22 of the Federal Law "On Personal Data".

2.4. Users of cryptographic tools are allowed to work with them according to a decision approved by the operator. If there are two or more users of cryptographic tools, the duties between them should be distributed taking into account personal responsibility for the safety of cryptographic tools, key, operational and technical documentation, as well as for the assigned areas of work.

2.5. Users of cryptographic tools are required to:

Not disclose the information to which they are admitted, including information about cryptographic tools, key documents for them and other protection measures;

Comply with the requirements for ensuring the security of personal data and the requirements for ensuring the security of cryptographic tools and key documents for them;

Report attempts by unauthorized persons that have become known to them to obtain information about the cryptographic tools used or key documents for them;

Immediately notify the operator about the loss or shortage of cryptographic tools, key documents for them, keys to premises, vaults, personal seals and other facts that may lead to the disclosure of protected personal data;

Hand over cryptographic tools, operational and technical documentation for them, and key documents in accordance with the procedure established by these Requirements, upon dismissal or removal from the performance of duties related to the use of cryptographic tools.

2.6. Ensuring the functioning and security of cryptographic tools is entrusted to the responsible user of cryptographic tools, having the required level of qualification, appointed by the order of the operator (hereinafter referred to as the responsible user of cryptographic tools).

It is allowed to assign the functions of a responsible user of cryptographic tools to:

One of the users of cryptographic tools;

The structural unit or official (employee) responsible for ensuring the security of personal data, appointed by the operator;

A special structural unit for the protection of state secrets that uses encryption tools for this purpose.

2.7. Responsible users of cryptographic tools should have functional responsibilities developed in accordance with these Requirements.

2.8. When determining the obligations of the user of cryptographic tools, it must be taken into account that the security of processing personal data using cryptographic tools is ensured by:

Observance by users of cryptographic tools of confidentiality when handling information that they are entrusted with or become aware of at work, including information about the operation and security procedures of the cryptographic tools used and key documents for them;

Accurate fulfillment by users of cryptographic tools of the requirements for ensuring the security of personal data;

Reliable storage of operational and technical documentation for cryptographic tools, key documents, media of limited distribution;

Ensuring measures taken in accordance with the Requirements for material carriers of biometric personal data and technologies for storing such data outside personal data information systems;

Timely detection of attempts by unauthorized persons to obtain information about the protected personal data, about the cryptographic tools used or key documents for them;

Taking immediate measures to prevent the disclosure of protected personal data, as well as their possible leakage in the event of loss or shortage of cryptographic tools, key documents for them, certificates, passes, keys to premises, vaults, safes (metal cabinets), personal seals, etc.

2.9. Persons registered for work as users (responsible users) of cryptographic tools must be familiarized, against receipt, with these Requirements and other documents regulating the organization and ensuring of the security of personal data during their processing in information systems, and are responsible for non-compliance with the requirements of these documents in accordance with the legislation of the Russian Federation.

2.10. The current control over the organization and maintenance of the functioning of cryptographic tools is assigned to the operator and the responsible user of cryptographic tools within their official powers.

2.11. Control over the organization, ensuring the functioning and security of cryptographic tools designed to protect personal data during their processing in personal data information systems is carried out in accordance with the current legislation of the Russian Federation.

2.12. If information system operators need to interact when using cryptographic tools to ensure the security of personal data processing, then, in order to organize the interaction of cryptographic tools, a coordinating body responsible for ensuring the security of personal data is designated by decision of the personal data operators. The instructions of this body are mandatory for all users of cryptographic tools.

3. Procedure for handling cryptographic tools and the crypto keys for them. Measures to take when crypto keys are compromised

3.1. Users of cryptographic tools are required to:

Not disclose information about key documents;

Avoid making copies of key documents;

Not allow key documents to be output to the display (monitor) of a PC or to a printer;

Not allow extraneous information to be recorded on the key carrier;

Not allow key documents to be installed on other PCs.

3.2. If it is necessary to transmit limited-access service messages regarding the organization and operation of cryptographic tools via technical means of communication, these messages must be transmitted only using cryptographic tools. The transfer of crypto keys over technical means of communication is not allowed, with the exception of specially organized systems with decentralized supply of crypto keys.

3.3. Cryptographic tools used to ensure the security of personal data during their processing in information systems are subject to accounting using indexes or conventional names and registration numbers.

The list of indexes, conventional names and registration numbers of cryptographic tools is determined by the Federal Security Service of the Russian Federation.

3.4. Cryptographic tools that are in use or in storage, the operational and technical documentation for them, and key documents are subject to per-copy accounting. The recommended forms are given in Appendix No. 2. In this case, software cryptographic tools should be accounted for together with the hardware with which their regular operation is carried out. If hardware or firmware cryptographic tools are connected to the system bus or to one of the internal interfaces of the hardware, then such cryptographic tools are also accounted for together with the corresponding hardware.

The unit of per-copy accounting of key documents is considered to be a reusable key carrier or a key notepad. If the same key carrier is repeatedly used to record crypto keys, then it should be registered separately each time.

3.5. All received copies of cryptographic tools, operational and technical documentation for them, and key documents must be issued against receipt in the appropriate copy register to users of cryptographic tools, who are personally responsible for their safety.

The responsible user of cryptographic tools opens and maintains a personal account for each user of cryptographic tools, in which he registers the cryptographic tools assigned to them, operational and technical documentation for them, and key documents.

3.6. If the operational and technical documentation for cryptographic tools provides for the use of one-time key carriers, or crypto keys are entered and stored (for the entire period of their validity) directly in the cryptographic tools, then such a one-time key carrier or an electronic record of the corresponding crypto key must be recorded in a technical (hardware) journal maintained directly by the user of the cryptographic tools. The technical (hardware) journal also reflects data on the operation of the cryptographic tools and other information provided for by the operational and technical documentation. In other cases, a technical (hardware) journal for cryptographic tools is not started (unless there are direct instructions about its maintenance in the operational or technical documentation for the cryptographic tools). A typical form of a technical (hardware) journal is given in Appendix N 3.



3.7. The transfer of crypto-means, operational and technical documentation for them, and key documents is allowed only between users of crypto-means and (or) the responsible user of crypto-means, against receipt in the relevant journals of copy accounting. Such transfers between users of cryptographic tools must be authorized by the responsible user of crypto tools.

3.8. Users of cryptographic tools store installation media for cryptographic tools, operational and technical documentation for cryptographic tools, and key documents in cabinets (boxes, storages) for individual use, in conditions that exclude uncontrolled access to them as well as their unintentional destruction.

Users of cryptographic tools also provide for separate secure storage of valid and backup key documents intended for use in case of compromise of existing key documents.

3.9. The hardware with which the regular operation of cryptographic tools is carried out, as well as hardware and hardware-software cryptographic tools, must be equipped with means of detecting that they have been opened (stamped or sealed). The seal on cryptographic tools and hardware must be placed where it can be visually checked. If technically possible, while users of cryptographic tools are absent, these tools must be disconnected from the communication line and put away in sealed storages.

3.10. Cryptographic tools and key documents can be delivered by courier (including departmental) communication or by responsible users of cryptographic tools and employees specially designated by the operator, subject to measures that exclude uncontrolled access to cryptographic tools and key documents during delivery.

Operational and technical documentation for cryptographic tools can be sent by registered or valuable mail.

3.11. To send crypto-means and key documents, they must be placed in a strong package that excludes the possibility of their physical damage and external influence, especially on the recorded key information. Cryptographic tools are sent separately from their key documents. The packages indicate the operator or responsible user of the cryptographic tools for which these packages are intended. Such packages are marked "Personally". The packages are sealed in such a way that it is impossible to extract the contents from them without breaking the packages and seal impressions.

Prior to the initial dispatch (or return), the addressee is informed by a separate letter of the description of the packages sent to him and the seals with which they can be sealed.

3.12. To send crypto-means, operational and technical documentation for them, or key documents, a cover letter should be prepared stating what is being sent and in what quantity, the accounting numbers of the products or documents, and, if necessary, the purpose and procedure for using the sent item. The cover letter is enclosed in one of the packages.

3.13. The received packages are opened only by the operator or the responsible user of the cryptographic tools for which they are intended. If the contents of the received package do not match those specified in the cover letter, or the packaging itself and the seal do not match their description (impression), or if the packaging is damaged so that its contents are freely accessible, the recipient draws up an act that is sent to the sender. Cryptographic tools and key documents received in such shipments may not be used until instructions are received from the sender.

3.14. If defective key documents or crypto keys are found, one copy of the defective product should be returned to the manufacturer to determine the causes of the incident and eliminate them in the future, and the remaining copies should be stored until additional instructions from the manufacturer are received.

3.15. Receipt of crypto-means, operational and technical documentation for them, key documents must be confirmed to the sender in accordance with the procedure specified in the cover letter. The sender is obliged to control the delivery of his items to the addressees. If the appropriate confirmation has not been received from the addressee in a timely manner, then the sender must send him a request and take measures to clarify the location of the items.

3.16. The next key documents should be ordered, produced and distributed to their places of use in advance, so that existing key documents are replaced on time. The responsible user of cryptographic tools may give the instruction to put the next key documents into effect only after all interested users of cryptographic tools have confirmed that they have received them.

3.17. Unused or withdrawn key documents are to be returned to the responsible user of cryptographic tools or, at his direction, must be destroyed on the spot.

3.18. Destruction of crypto keys (original key information) can be done by physically destroying the key medium on which they are located, or by erasing (destroying) crypto keys (original key information) without damaging the key medium (to ensure its reuse).

Crypto keys (original key information) are erased according to the technology adopted for the corresponding key reusable media (floppy disks, compact discs (CD-ROM), Data Key, Smart Card, Touch Memory, etc.). Direct actions to erase crypto keys (initial key information), as well as possible restrictions on the further use of the corresponding key reusable media, are regulated by the operational and technical documentation for the relevant cryptographic tools, as well as instructions from the organization that recorded the crypto keys (initial key information).

Key carriers are destroyed by inflicting irreparable physical damage on them, excluding the possibility of their use, as well as restoring key information. Direct actions for the destruction of a specific type of key carrier are regulated by the operational and technical documentation for the relevant cryptographic tools, as well as instructions from the organization that recorded the crypto keys (initial key information).

Paper and other combustible key carriers, as well as operational and technical documentation for crypto-means, are destroyed by burning or using any paper-cutting machines.

3.19. Cryptographic tools are destroyed (disposed of) by decision of the operator owning the cryptographic tools, with notification of the organization responsible in accordance with PKZ-2005 for organizing copy accounting of crypto-means.

The crypto-means scheduled for destruction (disposal) are subject to withdrawal from the hardware with which they functioned. Cryptographic tools are considered withdrawn from the hardware if the procedure for removing the cryptographic tool software provided for by the operational and technical documentation has been carried out and they are completely disconnected from the hardware.

3.20. General-purpose hardware units and parts that are suitable for further use and were not specifically designed for hardware implementation of cryptographic algorithms or other functions of cryptographic tools, as well as equipment that works in conjunction with cryptographic tools (monitors, printers, scanners, keyboards, etc.), can be used without restrictions after the destruction of cryptographic tools. At the same time, information that may remain in the memory devices of the equipment (for example, in printers, scanners) must be securely deleted (erased).

3.21. Key documents must be destroyed within the time specified in the operational and technical documentation for the relevant cryptographic tools. If the deadline for destruction is not established by the operational and technical documentation, then the key documents must be destroyed no later than 10 days after their withdrawal from validity (expiration). The fact of destruction is documented in the relevant copy accounting registers. Within the same period, with a note in the technical (hardware) journal, one-time key carriers and key information previously entered and stored in cryptographic tools or other additional devices that corresponds to the deactivated crypto keys must also be destroyed; data stored in a cryptographically protected form should be re-encrypted with new crypto keys.

3.22. One-time key carriers, as well as electronic records of key information corresponding to the withdrawn crypto keys, directly in crypto tools or other additional devices are destroyed by users of these crypto tools independently against receipt in a technical (hardware) journal.

Key documents are destroyed either by users of cryptographic tools, or by the responsible user of crypto tools against receipt in the corresponding journals of copy accounting, and the destruction of a large amount of key documents can be formalized by an act. At the same time, users of cryptographic tools are allowed to destroy only the crypto keys used directly by them (intended for them). After destruction, users of cryptographic tools must notify (by telephone message, verbal message by phone, etc.) the responsible user of cryptographic tools to write off the destroyed documents from their personal accounts.

Destruction according to the act is carried out by a commission consisting of at least two people from among the persons admitted to the use of cryptographic tools. The act specifies what is destroyed and in what quantity. At the end of the act, a final entry is made (in numbers and in words) on the number of items and copies of the destroyed key documents, installation media for cryptographic tools, and operational and technical documentation. Corrections in the text of the act must be specified and certified by the signatures of all members of the commission who took part in the destruction. The destruction is noted in the corresponding journals of copy accounting.

3.23. Crypto keys that are suspected of being compromised, as well as other crypto keys acting in conjunction with them, must be immediately deactivated, unless otherwise specified in the operational and technical documentation for crypto tools. In emergency cases, when there are no crypto keys to replace the compromised ones, it is allowed, by decision of the responsible user of crypto tools agreed with the operator, to use compromised crypto keys. In this case, the period of use of compromised crypto keys should be as short as possible, and the protected information should be of as little value as possible.

3.24. Users of cryptographic tools are obliged to inform the responsible user of cryptographic tools and (or) the operator of violations that can lead to compromise of crypto keys, of their constituent parts, or of personal data transmitted (stored) using them.

Inspection of reusable key media by unauthorized persons should not be considered grounds for suspecting compromise of crypto keys, provided the possibility of their copying (reading, reproduction) was excluded.

In cases of shortage, non-presentation of key documents, as well as the uncertainty of their location, urgent measures are taken to search for them.

3.25. Activities to search for and localize the consequences of compromising key documents are organized and carried out by the operator.

3.26. Key documents for crypto-means or initial key information for the development of key documents are produced by the FSB of Russia on a contractual basis or by persons licensed by the FSB of Russia for the production of key documents for crypto-means.

Operators or responsible users of cryptographic tools can produce key documents from the original key information, using standard crypto tools, if such a possibility is provided for by the operational and technical documentation for crypto tools.

4. Accommodation, special equipment, security

and organization of the regime in the premises where

crypto-means or key documents for them are stored

4.1. Placement, special equipment, security and organization of the regime in the premises where crypto-means are installed or key documents for them are stored (hereinafter referred to as secure premises) must ensure the safety of personal data, crypto-means and key documents for them.

When equipping secure rooms, the requirements for the placement, installation of cryptographic tools, as well as other equipment operating with cryptographic tools, must be met.

The requirements for secure premises listed in this document may not be imposed if this is provided for by the rules for the use of cryptographic tools agreed with the FSB of Russia.

4.2. Secure premises are allocated taking into account the size of controlled areas, regulated by operational and technical documentation for cryptographic tools. Premises should have strong entrance doors with locks that guarantee secure closing of the premises during non-working hours. Windows of rooms located on the first or last floors of buildings, as well as windows located near fire escapes and other places from where unauthorized persons can enter secure premises, must be equipped with metal bars or shutters, or security alarms, or other means that prevent uncontrolled entry into secure premises.

4.3. Placement, special equipment, security and organization of the regime in the premises should exclude the possibility of uncontrolled entry or stay in them by unauthorized persons, as well as viewing by unauthorized persons of the work being carried out there.

4.4. The security regime of the premises, including the rules for the admission of employees and visitors during working and non-working hours, is established by the responsible user of cryptographic tools in agreement, if necessary, with the operator in whose premises cryptographic tools are installed or key documents for them are stored. The established security regime should provide for periodic monitoring of the state of technical security equipment, if any, and also take into account the provisions of these Requirements.

4.5. Doors to secure premises must be locked at all times and may only be opened for authorized entry by employees and visitors. The keys to the entrance doors are numbered, accounted for and issued to employees who have the right to enter secure premises against receipt in the register of storage facilities. Duplicate keys from the entrance doors of such premises should be kept in the safe of the operator or the responsible user of cryptographic tools.

4.6. In order to prevent viewing of secure premises from the outside, their windows must be protected.

4.7. Secure premises, as a rule, should be equipped with a burglar alarm connected to the building security service or the organization's duty officer. The serviceability of the alarm must be periodically checked by the responsible user of cryptographic tools together with a representative of the security service or the duty officer of the organization, with a note in the relevant logs.

4.8. For the storage of key documents, operational and technical documentation that installs cryptographic media, the necessary number of reliable metal storage facilities equipped with internal locks with two copies of keys and combination locks or devices for sealing keyholes should be provided. One copy of the vault key must be kept by the employee responsible for the vault. Duplicate keys from vaults are stored by employees in the safe of the responsible user of cryptographic tools. A duplicate of the key from the repository of the responsible user of cryptographic tools in a sealed package must be transferred to the storage of the operator against receipt in the appropriate journal.

4.9. At the end of the working day, the security room and the vaults installed in it must be closed, the vaults sealed. The keys from the vaults that are in use must be handed over against receipt in the appropriate log to the responsible user of cryptographic tools or an authorized (duty) person who stores these keys in a personal or specially allocated vault.

The keys to the secure premises, as well as the key to the vault, which contains the keys to all other vaults of the secure premises, in a sealed form must be handed over against receipt in the appropriate log of the security service or to the duty officer at the same time as the security premises themselves are transferred under protection. Seals intended for sealing vaults must be kept by users of cryptographic tools responsible for these vaults.

4.10. If the key to a vault or to the entrance door of the security premises is lost, the lock must be replaced or its mechanism reworked, with new keys made and the change documented. If the vault lock cannot be reworked, the vault must be replaced. The procedure for storing key and other documents in a vault whose key has been lost, until the lock mechanism is changed, is established by the operator or the responsible user of cryptographic tools.

4.11. Under normal conditions, security premises and the sealed vaults located in them may be opened only by users of cryptographic tools, the responsible user of cryptographic tools or the operator.

If signs are found that indicate possible unauthorized entry into these premises or vaults, the incident must be immediately reported to the responsible user of cryptographic tools or the operator. On arrival, the responsible user of cryptographic tools must assess whether the stored key and other documents may have been compromised, draw up an act and, if necessary, take measures to localize the consequences of the compromise of personal data and to replace the compromised crypto keys.

4.12. The placement and installation of cryptographic tools, as well as of other equipment operating with cryptographic tools, in security premises should minimize the possibility of uncontrolled access to these tools by unauthorized persons. Maintenance of such equipment and the change of crypto keys are carried out in the absence of persons who are not allowed to work with these cryptographic tools.

While users of cryptographic tools are absent, the specified equipment should, if technically possible, be turned off, disconnected from the communication line and put away in sealed storage. Otherwise, in agreement with the responsible user of cryptographic tools, organizational and technical measures must be provided that exclude the possibility of unauthorized persons using the cryptographic tools.

Appendix 1

BASIC TERMS AND DEFINITIONS

Blocking of personal data - a temporary cessation of the collection, systematization, accumulation, use, distribution of personal data, including their transfer.

Access to information - the ability to obtain information and use it.

Information system - a set of information contained in databases, together with the information technologies and technical means that process it.

Personal data information system - an information system, which is a collection of personal data contained in the database, as well as information technologies and technical means that allow the processing of such personal data with or without the use of automation tools.

Controlled zone - a space within which control over the stay and actions of persons and (or) vehicles is carried out.

The boundary of the controlled zone can be: the perimeter of the protected territory of the enterprise (institution), the enclosing structures of the protected building, the protected part of the building, the allocated premises.

Confidentiality of personal data - a mandatory requirement for an operator or other person who has gained access to personal data to prevent their distribution without the consent of the subject of personal data or other legal grounds.

Cryptomeans - an encryption (cryptographic) tool designed to protect information that does not contain information constituting a state secret. In particular, cryptographic means include means of cryptographic information protection (CIPF) - encryption (cryptographic) means of protecting information with limited access that does not contain information constituting a state secret.

Attacker model - assumptions about the capabilities of the attacker that he can use to develop and conduct attacks, as well as the restrictions on these capabilities.

Threat model - a list of possible threats.

Processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, distribution (including transfer), depersonalization, blocking, destruction of personal data.

Publicly available personal data - personal data to which access is granted to an unlimited number of persons with the consent of the subject of personal data, or to which, in accordance with federal laws, the confidentiality requirement does not apply.

Operator - a government agency, municipal authority, legal entity or natural person that organizes and (or) carries out the processing of personal data and determines the purposes and content of the processing of personal data.

Personal data - any information relating to an individual who is identified or identifiable on the basis of such information (the subject of personal data), including his last name, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, profession, income, other information.

User - a person participating in the operation of a cryptographic tool or using the results of its operation.

Dissemination of personal data - actions aimed at transferring personal data to a certain circle of persons (transfer of personal data) or at making personal data known to an unlimited number of persons, including the disclosure of personal data in the mass media, placement in information and telecommunication networks or providing access to personal data in any other way.

Security premises - premises where crypto-means are installed or key documents for them are stored.

Information security tool - a technical or software tool, substance and (or) material intended or used to protect information.

Encryption (cryptographic) means - cryptographic means:

a) encryption means - hardware, software and hardware-software means, systems and complexes that implement algorithms for cryptographic transformation of information and are designed to protect information during transmission over communication channels and (or) to protect information from unauthorized access during its processing and storage;

b) means of imitation protection - hardware, software and hardware-software means, systems and complexes that implement algorithms for cryptographic transformation of information and are designed to protect against the imposition of false information;

c) means of electronic digital signature - hardware, software and hardware-software means that provide, on the basis of cryptographic transformations, the implementation of at least one of the following functions: creating an electronic digital signature using the private key of the electronic digital signature, confirming the authenticity of the electronic digital signature using the public key of the electronic digital signature, creating private and public keys of the electronic digital signature;

d) coding means - means that implement algorithms for cryptographic transformation of information with the implementation of a part of the transformation by manual operations or using automated means based on such operations;

e) means of producing key documents (regardless of the type of carrier of key information);

f) key documents (regardless of the type of carrier of key information).


Appendix 2

STANDARD FORM

of the journal for copy-by-copy accounting of cryptographic tools, their operational and technical documentation, and key documents

Columns of the journal:

N p/n
Name of the cryptographic tool, its operational and technical documentation, key documents
Registration numbers of the CIPF and of its operational and technical documentation, series numbers of key documents
Copy numbers (cryptographic numbers) of key documents
Mark of receipt: from whom received; date and number of the covering letter
Mark of issue: full name of the user of cryptographic tools; date and signature of receipt
Mark of connection (installation) of CIPF: full name of the user of cryptographic tools who performed the connection (installation); date of connection (installation) and signatures of the persons who performed it; numbers of the hardware in which the cryptographic tools are installed or to which they are connected
Mark of withdrawal of CIPF from hardware, destruction of key documents: date of withdrawal (destruction); full name of the CIPF user who performed the withdrawal (destruction); number of the act or receipt of destruction
Note

Appendix 3

STANDARD FORM

of the technical (hardware) journal

Columns of the journal:

N p/n
Date
Type and registration numbers of the cryptographic tools used
Entries on maintenance of the cryptographic tools
Crypto keys used: type of key document; serial number, cryptographic number and copy number of the key document; number of the one-time key carrier or of the zone of the cryptographic tool into which the crypto keys were entered
Mark of destruction (erasure): date; signature of the user of cryptographic tools
Note