About The Security Of Information Systems And Certification Of Shielded Chambers

Original Language Title: o bezpečnosti informačních systémů a certifikaci stínicích komor

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now

Read the untranslated law here: https://portal.gov.cz/app/zakony/download?idBiblio=60721&nr=523~2F2005~20Sb.&ft=txt

523/2005 Sb.



DECREE



of 5 April 2004. December 2005



about the security of information and communication systems and other

electronic equipment handling of classified information and on the

certification of shielded Chambers



453/2011: Sb.



The National Security Bureau determined in accordance with § 34 paragraph 1. 5, § 35 para. 5, §

paragraph 36. 5 and § 53 (b). a), b), c), (d)), g), (h)), i) and (j)) of law No.

412/2005 Coll., on the protection of classified information and security

eligibility, (hereinafter referred to as the "Act"):



PART THE FIRST



INTRODUCTORY PROVISIONS



§ 1



The subject of the edit



This Decree lays down the requirements for the information systems that handle

classified information ^ 1) (hereinafter referred to as the "information system") and the implementation of the

their certification, the communication systems handling classified

information ^ 2) (hereinafter referred to as "communication system") and the approval of their

safety projects, the protection of classified information in electronic

form in facilities that are not part of the information or

the communication system, the protection of classified information prior to its disclosure

through unintentional emissions and the implementation of the certification of shielded Chambers.



§ 2



Definition of terms



For the purposes of this Ordinance, means the



and asset information system) on the basis of a risk analysis (section 11)

defined by the hardware, software, documentation and information system

the classified information, which is stored in the information system,



(b)) object information system passive element in the information system,

that contains or receives information



(c)) body of the information system the active element of the information system,

that causes the transmission of information between objects in the information system

or change the status of the system,



d) risk analysis process, during which are enumerated assets

information system threats affecting assets information system,

its vulnerabilities, likelihood of execution and an estimate of their

the consequences,



e) audit record record information system about the event that may

affect the safety of the information system,



(f) the identification of the subject of the information system) process to determine its

identity in the information system,



g) authentication of the entity's information system, the validation process

identity in the information system, complying with the required degree of assurance,



(h) authorization of the subject of the information system) the granting of certain rights to

carrying out the activities specified in the information system,



and the confidentiality of classified information to her) property, which makes it impossible to

revealing classified information to any unauthorized person,



j) physical security of an information system or a communications system

measures employed to ensure the physical protection of the assets of these systems against

accidental or malicious threats



to the integrity of the asset information system) or communication system

property, which allows you to implement his changes as intended and only

qualified entity of the information system,



l) Communicaton security measures employed to ensure the protection of

classified information when transmitting a defined communication environment,



m) computer security safety information system provided by the

his technical and program resources



n) mandatory access control means for restricting access of subjects

the information system to the objects of the information system, based on the

comparison of classification of classified information contained in the object

information system and the permission level information system of the body

for access to classified information and to ensure the correct flow of information

among the objects of an information system with varying degrees of secrecy, independently

on the choice made by the user,



o) risk for information system or system of communication

the probability that a particular threat exploits vulnerabilities of some of

These systems,



p) activities and a summary of the intended role of the necessary authorization for the body

information system operating in the information system or communication

the system,



q) safety information system or communication manager

system management information system of the worker or of the communication

system in the role created for the management and control of safety information

system or communication system and implementation of established activities for

ensure the security of the information system or a communications system



r) administrator of the information system or a communications system, the worker

management information system or a communications system in the role created by

in particular, to ensure the required functionality of the information system or

communication system and traffic management information system or

communication system,



with) by information system or the natural communication system

the person in the role created especially for the handling of classified information

in the information system or for the transmission of classified information

communication system,



t) access control means for restricting access of subjects

the information system to the objects of the information system, ensuring that the

gets the access to them by an authorized body of the information system,



u) optional access control means restricting access of subjects

the information system to the objects of the information system, based on the

checking access rights of the subject of the information system to the object

information system, and the user, administrator or security

Manager information system equipped with specific access rights for

access to the information system, you can choose on which other

bodies information system transfers the access rights to this object

information system, and can affect the flow of information between objects

the information system,



in the safety standard of the classified file) rules, in which the

establish procedures, technical solutions, security parameters and organizational

measures to ensure the smallest possible extent the protection of classified

information,



w) security operational mode, in which the environment information system

works, characterized by the classification being processed classified

information and permission levels of users



x) by the applicant authority of the State or an entrepreneur who asked in writing by the National

Safety Authority (hereinafter referred to as ' the authority ') on the certification of the information system,

Sun certification Chamber, approving the project safety

the communication system or of verification of the eligibility of electrical and

electronic devices, a secure area or an object to protect

against the release of classified information through unintentional radiation,



s) nepopiratelností the ability to prove the reverse action or event,

to ensure that the Act or event could not be subsequently disowned,



you information from) a guarantee that the information is authentic and from the

trusted sources.



PART TWO



INFORMATION SYSTEM



TITLE I OF THE



THE REQUIREMENTS FOR THE SECURITY OF INFORMATION SYSTEMS



§ 3



Security of information systems



(1) the security of the information system is accomplished by applying the file

measures from the



and computer and communication security),



b) cryptographic protection,



(c) protection against leakage) compromising emanations,



(d) security and organizational) administrative measures



(e) safety and personnel)



f) physical security of information system.



(2) the measures taken in the process of certification of the information system

ensure that the risks to which it is exposed, the information system was

reduced to an acceptable level.



(3) the set of measures referred to in paragraph 1 is specified in security

documentation information system.



§ 4



Security documentation information system



(1) security documentation information system consists of



and safety) design documentation and information system



b) operational safety documentation information system.



(2) the Project security documentation information system contains



and) security policy information system and the results of the risk analysis,



(b) safety information system) design to meet the

security policy information system, while his verbosity

the description must allow direct implementation of the proposed measures, and



(c) documentation for the safety tests) information system.



(3) operational safety documentation information system contains



and safety guidelines information system), which prescribe

the activities of the security information system managers in the various

roles established in the information system in order to ensure the safety

management information system,



b) safety guidelines, which prescribe the information system

activity information system managers in the various roles established in

information system for managing the information system with regard to

ensure the security of the information system,



c) safety guidelines, which prescribe the information system

user activity information system with respect to ensuring

safety information system.



§ 5



Security policy information system



(1) for each information system must be already in the initial stage of its

the development of processed security policy information system.


Information system security policy consists of a set of norms, rules

and procedures, which sets out the way in which confidentiality is to be secured,

integrity and availability of classified information, the availability of services

information system and the responsibility of the user, the security administrator and

Information System Manager for its operations in the information system.

If it's a function of the information system requires the method

ensure the authenticity of information and nepopiratelnost.



(2) the principle of security policy are elaborated in the draft safety

information system and operational safety documentation information

the system.



(3) in formulating security policy information system and

the assessment of the security properties of the components of the information system

You can also use the international standardized security

^ 3) specifications.



§ 6



The requirements for the formulation of the information system security policy



Security policy information system to formulate on the basis of



and) minimum security requirements in the field of computer

safety,



(b) the system-dependent) security requirements, user requirements, and

the results of risk analysis and



c) security requirements security policy manager's authority,

If it has been processed.



§ 7



Minimum safety requirements in the field of computer security



(1) the information system for handling classified information degree

confidential or higher must ensure these security features



and) unique identification and authentication of the user, the security

the administrator or the information system, which must precede all

their other activities in the information system and to ensure the protection

confidentiality and integrity of the authentication information,



(b)) optional access control to objects of an information system on the basis of

discernment and user rights management, security

the administrator or the information system and their identity or their

user group membership, security administrators or administrators

the information system,



c) continuous recording of events that may affect the safety of

information system to audit records and audit security

records from unauthorized access or modification, in particular

destruction. In particular, the use of the identification is recorded and

authentication information, attempts to investigate access rights,

creating or interference object information system or activity

authorized entities affecting the security of information system

the information system,



(d) the possibility of examining audit records) and determination of liability

the individual user, the security administrator or administrator

the information system,



e) treatment before their next memory objects using, in particular,

before allocating the agency information system, which prevents the

find out their previous content, and



(f) protection of data confidentiality) during transmission between source and destination.



(2) to ensure the safety features referred to in paragraph 1, in

information system are implemented programmatically identified technical

mechanisms. Documentation describing their design and operating

the setting must allow their independent verification and evaluation of their

sufficiency.



(3) security mechanisms are implemented security features

applying the security policy information system, must be in

the entire life cycle of an information system protected from disruption or

unauthorized changes.



(4) in the information system, handling classified information

up to the level of confidentiality reserved, must adequately benefit from

the safety features referred to in paragraph 1, and further measures

personnel, administrative, and physical security of information systems.



§ 8



System-dependent safety requirements derived from the safety

operation mode



(1) information systems can operate only in one of these

security operating modes, which are



and a dedicated security operating mode),



b) safety operating mode with the highest levels,



c) security operation mode with the highest level of formal proceedings

access to information, or



(d) the operation mode of multilevel security).



(2) security operation mode dedicated is the kind of environment that

enables processing of classified information of varying degrees of confidentiality,

and all users must comply with the conditions for access to

classified information of the highest level of classification, that are in the

information system, and at the same time must be authorized to work with

all of the classified information, which are in the information system

contained. The security of the information system, which is operated in

safety operating mode dedicated is by meeting the ensures the

minimum security requirements in the field of computer security

referred to in § 7 para. 1 (b). and), c), (d)), and (f)) and to the measures of

the area of administrative and personnel security and physical safety

information systems. The level of the measures used, areas and

measures to ensure the confidentiality of the data during transfer must correspond to the level of the

required for the highest degree of confidentiality of classified information,

which the information system is treated.



(3) security operation mode with the highest level is the kind of environment,

that allows for the simultaneous processing of classified information

classified different degrees of secrecy, in which all users

must meet the requirements for access to classified information of the Supreme

the classification, which are contained in the information system, and

all users may not be able to work with all classified

information. The security of the information system, which is operated in

safety operating mode with the highest levels, the fulfillment of will

minimum security requirements in the field of computer security

referred to in paragraph 7 and the measures of the area of the administrative and

personnel security and physical security of information systems.

The level of the measures used areas and measures to ensure

the confidentiality of the data during transfer must correspond to the level required for the

the highest classification level of classified information to which the information

the system disposes.



(4) safety operating mode with the highest level of formal proceedings

access to information is the kind of environment that corresponds to the

safety operating mode with the highest levels, where, however, the formal

In addition, access control assumes the formal central management control

access.



(5) Multilevel Security mode is the kind of environment that

in one information system allows simultaneous processing of classified

information classified different degrees of secrecy, in which may not

all users must meet the conditions for access to classified information

the highest level of classification, which are contained in the information system,

and all users may not be able to work with all

classified information. The security of the information system, which is

operated in the safety operating mode multilevel, secures the

the measures referred to in paragraph 3 and the safety function of the statutory

management information system to have access to the objects of the information

the system. The level of used of the action on the administrative and

personnel security, physical security of information systems and

measures to ensure the confidentiality of the data during the transmission shall be determined on the basis of

the principle of mandatory access control.



(6) the mandatory access control Features of the subjects of the information system to

objects must secure information system



and) permanent link of each entity and object information system

an information system with a security attribute that to the body

expresses permission level information system operator information

the system and its information system for object classification



(b) to protect the integrity of the security attribute),



(c)) the exclusive permission to information system security administrator

making changes to the security attributes of entities and information system

objects and information system



d) allocation of predefined attribute values for newly created

information system and the preservation of objects of the attribute when copying

the object of the information system.



(7) the application of mandatory access control security feature

the subjects of the information system to the objects of the information system must be

secured these principles



and information system) can read the information in the object

information system only if the level of permissions the same

or higher than the classification level of the information system, object



(b)) the information system can write information into the object

information system only if the level of permissions the same

or lower than the classification level of the information system, and object



(c)) access to information entity information system contained in the object


information system, if it is possible to permit rules

mandatory access control, optional access control rules.



(8) information system, which is operated in the safety production

Multilevel mode, you must be able to accurately mark the classification

classified information of the information system and allow

assign classification classified information entering information

the system.



(9) for the information system, which is run in the security

operating mode display and handling classified information degree

top secret classification must be carried out for the identification and analysis of

covert channels. A concealed channel means the inadmissible communication

the classified information can get to unauthorized entity

the information system.



§ 9



System-dependent safety requirements for safety in the environment

computer networks



(1) when transmitting classified information communication channel must be

protect its confidentiality and integrity.



(2) the primary means for ensuring the confidentiality of classified information

When you transfer the communication channel is a cryptographic protection ^ 4).



(3) the primary means for ensuring the integrity of classified information

When you transfer the communication channel is the reliable detection of deliberate and

random changes to classified information.



(4) transmission of EU classified information held by the communication channel within the

secure area or object may be, on the basis of risk analysis,

secured only with the use of measures of physical security of all

the components of a communications channel, and transferred classified information

cryptographic protection is not protected or is protected by a cryptographic

protection at a lower level than is required for the classification

transmitted classified information. Follow these steps to secure the transfer of classified

information under the Authority of certification information system.



(5) depending on the communications environment ensures reliable

identification and authentication of communicating parties, including the protection of

identification and authentication information. This identification and authentication

precedes the transmission of classified information.



(6) the transmission of classified information communication channel led by outside the object

must be secured with a certified cryptographic means, that

is certified for at least the same degree of confidentiality as transmitted

classified information.



(7) during certification of the information system, the authority may, on the basis of

submitted by risk analysis, adopted specific security

measures for the detection of a breach of security of the communication channel and

measures to reduce the consequences of the attack, to approve a different system

information system security, than is listed in paragraphs 4 and 6.



§ 9a



Secure connection of information systems



(1) the Linking of information systems for the purposes of this Ordinance means

a direct connection of two or more information systems or information

the system and the information system for the management of neutajovanými

the information for the purpose of the one-way, or vícesměrného data sharing and

other sources of information. Link information system with another

the information system or the information system for the management of

neutajovanými information can be realized only when necessary

operational needs.



(2) Certified information system can be linked with other certified

information system, if it was approved, on the basis of a risk analysis

in the framework of the certification of these information systems, among them

implemented safety interface and certified for handling

classified information



and the same degree of confidentiality) or



(b)) a different classification, provided that it shall apply the measures

in accordance with paragraph 3.



(3) the interconnection of information systems have been certified for waste

classified information of different classification must be carried out,

between them was prevented from transmitting classified information to a higher level

classification is a classification for which the information system

certified.



(4) Certified information system must not be linked with public

communication networks, with the exception of cases where installed for this purpose

between themselves and the public communications network appropriate safety interface

approved on the basis of risk analysis in the context of his certification to

avoid penetration of the certified information system and was

possible only for controlled data transmission which does not disrupt the confidentiality,

integrity, and availability of classified information and the availability of services

Certified Information System.



(5) the Certified information system that handles classified

information classification of top secret or classified information

requiring special treatment which marked "ATOMAL" may not be directly

or gradually linked to the public communications network.



(6) if the public communication network used exclusively for data transmission

between information systems or sites information system and

the information transmitted is protected by a certified cryptographic

means, this is not considered such a link for the link. Between

information system and public communications networks must be built

appropriate safety interface so as to avoid penetration of the

the information system. The connection is subject to risk analysis and must be

approved in the framework of the certification of the information system.



§ 10



The requirements for the availability of classified information and services information

System



(1) the information system must ensure that the required information is secret

It is available in a specified place in the required form and in the specified

time range.



(2) in order to ensure safe operation of the information system in the

information system security policy provides for components that

shall be replaceable without interrupting the activities of the information system. Further

the required minimum range defines the functionality of the information system

the component shall be provided, in the failure must be a minimum

the functionality of the information system is guaranteed.



(3) the asset information system capacity planning and monitoring

capacity requirements shall be carried out so as to avoid errors

due to a lack of capacity.



(4) the information system must be processed by a plan to restore its activities

After the crash. Recommissioning of the information system in a known

secure State can be done manually by the administrator of the information

system, or automatically. All activities that were carried out for the

resume information system, as a rule, be recorded in the

audit records are protected from unauthorized modification or

destruction.



§ 11



System-dependent safety requirements derived from the risk analysis



(1) for determining threats, that threaten the assets information system,

risk analysis must be carried out.



(2) in the framework of the implementation of risk analysis, defining the asset information

system and the threats that are active on each asset information

the system. Assess, in particular, the threats that cause loss of functionality

or the security of the information system.



(3) after the determination of threats to delineate the vulnerabilities of the information

system so that each threat will find vulnerable place or places,

on which this threat acts.



(4) as a result of the risk analysis is made to the list of threats which may

compromise the information system, with an indication of the corresponding risks.



(5) on the basis of a risk analysis is performed by the selection of appropriate

countermeasures and determine the residual risks and their level, taking

to ensure that they are implemented only the functions, facilities and services

that are necessary to meet the purpose for which the information system is

established.



§ 12



Computer security resource substitution



Ensure some security functions of the information system

computer security resources can be used in justified cases, replace

increased use of resources, staffing or administrative

security, physical security of information systems or

organizational measures. When you replace the computer security resource

substitute a safety barrier or group of mechanisms that

to provide a safety function, must be fully implemented

security features and the quality and level of the safety function.



section 13 of the



Requirements for protection of portable and mobile information systems



(1) For mobile and portable information systems in risk analysis

assess the risks that are associated with mobile information systems

with the means of transport, and for portable information systems with

environments in which these information systems being used.



(2) the system of measures used for the overall protection of mobile and

portable information systems containing components, allowing

the preservation of classified information, must in addition to the other requirements of

laid down by this Decree include the conception of this device as a

media classified information classified highest classification

classified information which is treated.



§ 14




Kompromitujícímu radiation protection requirements



(1) the information system Components that handle classified

classification of information of a confidential or higher and secure area

or object, in which the information system to process EU classified

information classification of Confidential or higher, must be secured

in such a way that the radiation did not leak compromising

classified information.



(2) the requirements for security against kompromitujícímu radiation are

dependent on the degree of confidentiality of classified information, that information

system and are set out in the safety standard.



(3) installation of an information system, which handles classified

information of a confidential or of a higher classification level, in terms of its

security against kompromitujícímu radiation must be made in

accordance with the requirements of the safety standard. A record of the installation

components of the information system is inserted into the safety documentation

the information system. The content and form of the record are set out in

safety standard.



§ 15



Safety requirements for the means of delivery of classified information



(1) all carriers of classified information used in the operation of the

the information system must be registered. The classification of these carriers

the information must match the safety operating mode and the Supreme

the classification of classified information stored on a data carrier.



(2) if there is a removable rack of classified information intended exclusively for

use in the operation of a particular information system, together with

classification and name of the information system and registration number

carriers of information. Media intended for the transmission of classified information or

dispersing information from information system to indicate the degree of confidentiality and

other information under special legislation ^ 5).



(3) a carrier of classified information built in to the device and the other

the component that enables the preservation of classified information must be registered

and classified at the latest after their removal from the

device. The equipment shall be registered in the operational safety documentation

the information system.



(4) the level of classification classification classified information carriers Strictly

the secret must not be reduced, except where it is established that the

During his previous life cycle only classified

information with a lower classification or non-classified information.



(5) the level of classification classification classified information carriers of the secret

may be reduced, the classification of Confidential may be reduced or cancelled,

only in the case that deletion of classified information from it was carried out

in the manner specified in paragraph 6, or it is established that it was during

his previous life cycle only stored classified information

a lower classification or information non-confidential or it is established that

classification of classified information stored on it during his

the existing life cycle was cancelled or reduced. Classification level

carriers of classified information classification Reserved may be canceled

only in the case that deletion of classified information from it was carried out

in the manner specified in paragraph 6, or it is established that it was during

his previous life cycle stores only non-classified

or it is demonstrated that the degree of confidentiality of classified information stored on

him during his previous life cycle has been canceled.



(6) Delete the classified information from the carriers of classified information

enables the reduction or cancellation of its degree of confidentiality, it shall be done

so that the classified information is stored on the medium during its previous

the life cycle was difficult to detectable even when using laboratory

methods. The conditions and procedures for the safe erasure of the Office in

a safety standard, the process must be included in the operational safety

documentation of the certified information system and in the context of

its certification.



(7) the Destruction of classified information carrier information system must be

so as to make him classified information again

get.



(8) when you use removable media mass storage must

be specified in the security policy of the management of the user's access to

the input and output device.



section 16 of the



Requirements for access to classified information in the information system



(1) by the user, the security administrator or administrator information

the system may be the only person who was for its work in the information

system authorized by the procedure laid down in the safety documentation

the information system.



(2) the user, the security administrator, and the administrator of the information system must

meet the conditions for access to EU classified information of natural persons

classification level, which is determined in accordance with the safety production

mode and depending on the highest level of classification of classified information,

with whom may the information system.



(3) the information System Manager, which performs the function of the administrator

with full control of the system, the rights and security of the entire Manager

information system shall fulfil the conditions of access by natural persons

to classified information classification one level higher than the

the highest degree of confidentiality of classified information, which may

dispose of the information system. This does not apply for an information system that is

designed to handle classified information top secret classification levels. U

Information System Manager, which performs the function of an administrator with

full control of the system, rights and security administrator for the entire

the information system of small scale or with a low proportion of processing

classified information of the highest degree of confidentiality, for the processing of

is an information system designed, or in which there is no accumulation

classified information or in which only handles the tactical

classified information, the Office may, with the weighing of risks identified,

accept as sufficient evidence that the conditions for the access of natural persons,

the classified information to the level equivalent to the highest classification level of information

of classified information which it can dispose of the information system.



(4) the administrator of the information system, which performs the function of the administrator

with limited rights management system, in particular the administration of servers, managing

the application or the local administration and the Security Administrator information

the system of ensuring safety, in particular area a

safety technology or local administration, must meet the conditions

for access to EU classified information to the individuals level of classification of the same

with the highest degree of confidentiality of classified information, which may

dispose of the information system.



(5) in the event that the responsible person or the authorized person shall approve the

information system into operation for the handling of classified information to the

classification of lower than the classification level of classified information,

with whom we may dispose of the information system, it is necessary for the determination of the

the level of conditions of access by natural persons, classified information,

specifying the classification level of classified information to which the information

approved by the system into operation.



(6) users, security administrators, and system administrators

on the basis of the authorization shall be allocated in the context of the unique information system

the identifier. To ensure continuous availability of classified

information and services for the information system that is in constant operation,

the authority may, where justified, in the context of his certification to enable

that identifier was used by several people,

security administrators, or administrators of the information system. A prerequisite for

is the introduction of a procedure allowing the user to specify which security

the administrator or the information system at the time the

the identifier was used.



(7) users, administrators or administrators, to the security of the information system

permission is granted only to the extent necessary for the implementation of him

designated activities in the information system.



§ 17



The requirement of liability for activities in the information system



(1) the user, the security administrator, and the administrator of the information system

adheres to prescribed procedures set out in the safety documentation

the information system, which is ensured by the safety information

the system.



(2) information on the activities of the subject of the information system in the information

the system shall be recorded so that it is possible to identify the violation

safety information system or attempts to them. Records of activities

the subject of the information system in the information system shall be kept for

examination of the back for the time specified in the security policy information

the system.



(3) if required by the activity for which the information system is established, it is

in the information system provided by the nepopiratelnost provided for negotiations

or event. In the event that it is required in the information system

the functionality of the records in electronic form ^ 6), must be

the software that is implemented, evaluated during certification

the information system.



section 18



Safety management information system



(1) in the information system establishes an appropriate system security management


the information system. In the context of the management of information security system

the system establishes the role of security administrator information system,

separately from the other roles in the management of the information system, if not further

unless otherwise provided for.



(2) if necessary, to ensure a defined range of activities to ensure

safety information system introducing additional roles in the safety

management information system, in particular the organizational structure

security administrators, security administrators of individual sites,

the security administrator for the area of communication security or

the security administrator interface of information systems security.



(3) the Role of security administrator contains performance information system

safety management information system consisting in particular in the

the allocation of access rights, manage authentication and authorization

information, configuration management, and management information system

the evaluation of audit records, update the security directives

solution of security incidents and emergencies, and reporting

about them, ensure the training of users in the field of security of information

the system checks the safety of operational directives, as well as

in other activities laid down in the safety documentation

the information system.



(4) in the information system is small, the authority may, within its

certification to allow connection of the role of security administrator and some

other roles in the management of the information system.



(5) Information System Manager outside activities to ensure functionality

information system and the management of its service activities to fulfill a specified

ensure the computer and communication of safety information system.



§ 19



Staffing requirements of safety in the operation of information system



(1) action by the user, the security administrator, and the administrator of the information

system in the information system is based on its authorization

for this activity, which must be changed when you change its role within

information system or revoked if it no longer fulfils the conditions of

access to EU classified information. The security administrator keeps a list of

users of the information system.



(2) the operator of an information system provides initial training

users, administrators and security managers of information system in

compliance with the measures laid down in the safety documentation information

system and the appropriate use of the information system. Additional training

ensures the material changes in the information system immediately, otherwise

at least once a year.



section 20



Requirements of physical security of information systems



(1) assets information system must be placed in the space

which ensures the physical security of the information system before

unauthorized access, damage and affecting. In the framework of the certification of

the information system is determined that the component information

the system must be placed in a secure area or in the object, and

the category of the secure area.



(2) assets information system must be protected against security

threats and risks arising from the environment in which they are located.



(3) the location of the assets information system must be carried out so as to

did not allow the unauthorized person read classified information or information

used to identify and authenticate the user.



(4) the communication infrastructure carrying data or supporting services

the information system must be protected against the possibility of capture

the transmitted classified information, and damage.



(5) the minimum level of security of the secure area for the location of the part of the

the information system, in which classified information can be stored, with

determined in accordance with the tables of point values minimum standards of security

physical security listed in annex No. 1 of Decree No. 528/2005 Coll.

about the physical safety and certification of technical means, as amended by

amended.



(6) point rating physical security information system is

specified in annex No. 3 to this notice.



section 21



Request information system security testing



(1) the safety of the information system is a must before issuing a certificate

verified by independent testing. To perform the test should not be used

classified information.



(2) the results of the tests must prove that safety features are fully in

accordance with the information system's security policy. The results of the tests

must be zadokumentovány. Errors found during the test must be

removed and their removal must be verified by subsequent tests.



section 22



Safety requirements when you install an information system



How to install an information system must be organised so as to

has not been compromised and weakened its security features. In

information system security policy provides for components

the information system, which must be installed by persons meeting the

the terms of the law for access to classified information of the highest degree

classification, for which the management is an information system designed. This is a

component to ensure safety functions of the information system or

the components evaluated as vulnerable in the phase of the installation. Other

components of the information system can be installed by persons

meeting the conditions of the law for access to classified information of the lower

classification of substandard or conditions for access to

classified information, approved by the safety Director of the operator

the information system, but under the constant supervision of the worker management

information system, proven for access to classified information

the highest level of classification, for which the management is an information system

specified.



Article 23 of the



Safety requirements for operating an information system



(1) the safety of operated information system shall be kept, with the

regard to the actual state of the information system, tested and

being evaluated. A minor change in the information system can be made only after the

assess the impact of this change on the security of the information system and after

its approval by the authority, except where the certification report otherwise.



(2) the integrity of the software and classified information must be

protected from the effects of the malicious code.



(3) in the operated information system is verified the authenticity of the information,

that enter into the information system.



(4) in the operated information system may only be used in

the hardware and software equipment appropriate security documentation

information system approved by the authority and the terms of the certification report to

the certificate of the information system.



(5) in the operated information system must be carried out backup

software and classified information. Backup software

facilities and classified information must be stored so that it is not

damage or destruction of the information is compromised

the system or abuse for prejudicing the confidentiality of classified information.



(6) service activities in operating within the information system shall be

organize so that its safety has not been compromised. From the media

classified information accessible when the service information system

activities must be cleared of classified information and Remote Diagnostics

must be protected from misuse.



(7) the maintenance of components of the information system to ensure safety

the functions of the information system or directly affecting the safety of the

the information system must ensure the person meeting the conditions of the law

for access to classified information the highest level of classification, for

the management information system is designed. Such components must be

set out in the operational safety documentation information system.

Other components of the information system maintenance may be performed

persons meeting the conditions of the Act for the lower classification level or

the operator's safety persons approved by the Director of information

the system, but under the constant supervision of the worker information management

proven system for access to classified information of the Supreme

classification, for which the management is an information system designed.



(8) in the information system shall be operated within the deadlines laid down by the

in the safety documentation information system and in the emergence of a crisis

the situation immediately carried out the evaluation of audit records. Audit

the records shall be archived for a period fixed in security

documentation and information system protected from modifications or

destruction.



(9) in a secure area in which are located the information component

system for handling classified information secret, or the classification

Top secret, at the request of the authority of the State or of the entrepreneur performs

check to detect illegal use of technical means

intended to gather information. This check shall be carried out before the first

the processing of classified information and on repeatedly, usually in the interval

two years.



(10) for the resolution of the crisis situation of the operated information system must


be in the safety documentation information system measures

focused on putting it into the State of the corresponding safety

documentation information system. In the security documentation

the information system must be provided the basic types of crisis situations,

According to the analysis of the risks that may occur, and for each of them

specified activities following



and) immediately after the emergence of a crisis situation aimed at minimising

the damage and providing the information needed for identification of the causes and mechanism

the emergence of a crisis situation and



(b)) after the occurrence of a crisis situation aimed at liquidation of consequences of the crisis

the situation including the definition of personal responsibility for each task.



(11) for the case of software or hardware crash equipment must

be listed in the safety documentation information system way



and information system) backups, storing backup media



(b)) the provision of service activities,



(c) to ensure the safe operation of information) system by listing

the minimum functions that must be maintained, and



(d) functional recovery and putting) information system to a known

safe state.



(12) before a permanent closure of the information system must be

done removal or destruction of the means of delivery of classified information which it

the information system was loading.



TITLE II



CERTIFICATION OF INFORMATION SYSTEMS



section 24



Application for certification of an information system and method, and the conditions for its

the implementation of



(1) an application for certification of the information system contains



and the identity of the requester)



1. trade name, where applicable, the name, address and identification number,

If it was assigned, when the applicant is a legal entity,



2. the trade name or first and last name, or distinguishing

addition, the place of residence or place of stay for foreigners of the like

and the place of business, if different from the residence, date of birth and

the identification number, if assigned, when the applicant is a natural

a person who is an entrepreneur, or



3. name, address, identification number and the name and surname of the responsible

persons, if the authority of the State



(b)) name and surname of contact the worker applicant and contact

connection,



c) a brief description of the purpose and scope of the information system,



(d) the confidentiality of classified information) the degree to which the information

dispose of the system,



(e) safety of operation mode) the establishment of the information system and



f) identification of the supplier information system or its components

affecting the security of the information system, in accordance with point (a) of point 1)

or 2, and the level of classification, for which the certificate was issued to the supplier

entrepreneur or a copy of a valid declaration of the entrepreneur.



(2) for the implementation of certification of the information system, the applicant shall submit to the

the following supporting documents



and) security policy information system and the results of the risk analysis,



(b) the design of information system security),



(c)) the set of tests the security of an information system, their description, and description

the results of testing,



(d) the operational documentation) the security of the information system,



e) description of the development environment and safety



(f)) other evidence necessary for certified information system,

resulting from the specification of the information system.



(3) if requested on the implementation of the information system certification news

the service shall indicate, in the request under paragraph 1 and the supporting documents referred to in paragraph

2 only the necessary information to perform the Certification Authority

the information system.



(4) as a basis for the certification of the information system, the applicant may

also submit the results of the partial tasks in the assessment of some of the components

information system and in the evaluation of individual areas of the safety

referred to in § 3 (1). 1, carried out by the authority of the State or an entrepreneur on

the basis of reinsurance contracts entered into with the Authority's activities.



(5) in the framework of the certification of the information system to assess the suitability of the

the package of measures designed to achieve safety information

system referred to in § 3, the accuracy and completeness of safety documentation

information system and the correctness of the implementation of the proposed set of measures

in the information system.



(6) the Certification of an information system is made by consideration of supporting documents

submitted by the applicant and by performing additional tests. Additional tests

the Office performs in a production environment, the investigational information system for

participation of the applicant and, if necessary, the vendor.



(7) information system Certification can be performed on an ongoing basis after their

each phase of the construction of the information system or to his

the overall finish.



(8) if in the information system, which has been certified and approved

into operation, to the changes mentioned in paragraph 25 (b). (d)), the additional

reviews of the information system to the extent necessary to assess

the changes made. In the case of implementation of additional reviews

the information system shall be applied, mutatis mutandis, in the implementation of

certification information system.



(9) the model of the certificate of the information system is given in annex No. 1 of this

the Decree.



§ 25



The certification report information system



The certification report contains



and) an indicative description of the information system,



(b) the conditions of operation of the information system),



(c) the identification of any acceptable risk) associated with the operation of

information system and



(d) the types of changes to the information system) that require implementation of

a complementary evaluation of the information system.



section 26



A recurring request certification of the information system and the way it

the implementation of



(1) an application for a recurring certification information system contains



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) the complete identification of the issued certificate information system

containing its holder, registration number, date of issue and the period of

the validity,



(c) the identification of the information system containing) his name, designation

version and degree of confidentiality of classified information for which was approved by the

his competence, and



(d)) first and last name of the applicant and contact contact worker

connection.



(2) if the applicant proves that at the date of expiry of the existing

the certificate will be an information system operated under the terms of

laid down in the certification report, and the applicant or the authority shall not

new risks for information system, the authority shall issue a certificate based on the

existing safety documentation information system and made

security checks of the information system.



(3) If on the date of expiry of the existing certificate

the operator proposes to change the security policy information system,

Alternatively, new risks have been identified for information system, the

the Office's complement or modify the relevant parts of the documentation and guides

additional reviews of the information system to the extent provided by the authority.

If the information system to satisfy specified security conditions, the Office

will issue the certificate.



(4) in the event that the proposed changes to the security policy information

system are essential for the overall safety of the information system,

the Office will proceed as in the case of a new certification.



PART THREE



COMMUNICATION SYSTEM



section 27 of the



The elements of the project safety communication system



(1) the project safety communication system contains the following elements



and security policy) of the communication system,



(b) organizational and operational procedures) the operation of the communication system,



(c) operational directives for safety) management and communication system



(d) the user directive) operational communication system.



(2) security policy communication system defines the way

It has to be ensured the confidentiality, integrity and availability of classified information

and the responsibility of the user for his activity in the communication system.



(3) security policy communication system provides a summary of the principles and

the requirements in the area of human resources, administrative, physical and communication

security, laid down depending on the degree of confidentiality of the transferred

classified information on the results of the risk analysis, communication

system and on the principles and conditions of operation of the cryptographic

the resource specified in the certification of cryptographic message resource.



(4) the organisational measures and operational procedures for the operation of the communication

system contain



and) how the performance of cryptographic protection is ensured in accordance with the

certification of cryptographic message resource



(b) the management structure) communication system, and



(c) organizational measures and principles) operating procedures

assisted in ensuring the protection of classified information transmitted in

the communication system.



(5) on the basis of security policy and communication system

organisational measures and operating procedures operation of communication

the system is processed separately operating guidelines for safety management

the communication system and the operational directive of the user communication

the system. These directives must contain specific operational procedures for

ensure the security of the communication system and performance management

cryptographic protection and must specify the responsibilities of the personnel management


communication system, workers and users of cryptographic protection to

ensure the protection of classified information.



section 28



Request for approval of project safety communication system



(1) an application for the approval of project safety communication system

submits to the authority of the State or an entrepreneur who will be communication system

operate.



(2) an application under paragraph 1 shall include the



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) name and surname of contact the worker and the contact link,



(c)) the degree and certificate number or a copy of a valid declaration

entrepreneurs, when the applicant is an entrepreneur,



(d)) the name and a brief description of the purpose and scope of the communication system, including the

the determination of its normal operating functions,



e) classification level of classified information to which the communication

system to dispose of, and



(f) the identification of each component vendor) communication system

having a bearing on the security of the communication system, in accordance with § 24 para. 1

(a). and 1 or 2), and degree of confidentiality, for which it was issued

the supplier's certificate or copy of a valid declaration of the entrepreneur

entrepreneurs.



(3) the application referred to in paragraph 2 shall in the course of the approval shall be accompanied by

each part of the project safety communication system referred to in section 27 of the

paragraph. 3.



(4) when approving the project safety communication system

Intelligence shall indicate, in the request under paragraph 2, and in supporting documents

pursuant to paragraph 3, only the necessary information to enable the Office of the approval

the project of safety communication system.



section 29



The method and conditions for the approval of project safety communication

System



(1) in the framework of project approval of safety communication system is

desirability of the summary and policy requirements in the areas of personnel,

administrative, physical and communication of safety pursuant to § 27 para. 3 and

organisational measures and operating procedures operation of communication

system referred to in section 27 para. 4, designed to achieve safety

the communication system, and the accuracy and completeness of the operational directives pursuant to §

27 para. 5.



(2) approval of project safety communication system shall be carried out

examination of the supporting documents submitted by the applicant and by checking the

implementation of safety communication system project Office in a production

Environment approved communication system.



(3) approval of project safety communication system can be performed

continuously after the end of the different phases of construction of the communication system

or up to its total completion, according to the requirements of the applicant.



(4) if the approval of the project safety communication

the system determines the eligibility of the investigational communication system for

handling of classified information, the applicant shall be sent in writing to the

approval of the project safety communication system.



(5) if the communication system for material changes that affect

on the overall safety of the communication system, the

additional reviews of the communication system to the extent necessary to

assessment of the changes made. In the case of implementation of additional reviews

the communication system shall be applied, mutatis mutandis, for the approval of

the project of safety communication system.



PART FOUR



COMPROMISING EMANATIONS



TITLE I OF THE



ELECTRICAL AND ELECTRONIC EQUIPMENT, SECURE AREA OR OBJECT



section 29a



Compromising emanations is emissions from electrical and electronic

a device that could cause leakage of classified information degree

classification of top secret, secret or confidential.



section 30



Request for verification of the eligibility of the electrical and electronic equipment,

secure area or object



(1) an application for verification of eligibility for electrical and electronic

the device, a secure area or an object to protect against leakage

information through unintentional radiation contains



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) name and surname of contact the worker and the contact link,



(c) identification of the electric or electronic) device, secure

area or object whose eligibility has to be verified, and



d) classification of classified information, which will be in the electrical or

the electronic device, secure area or object being processed.



(2) the application may be accompanied by a report on the outcome of the reviews

eligibility of electrical or electronic equipment, secure

area or object to the protection against the release of EU classified information

through unintentional radiation, carried out by the authority of the State or

businessman on the basis of reinsurance contracts entered into with the Authority's activities.



(3) the conditions and the use of assessment for electrical and electronic

the device, a secure area or object to the protection of classified

information from leakage of classified information through unintentional radiation

the Office shall in safety standards.



section 31



The method of assessment of competence of electrical and electronic equipment,

secure area or object



(1) the assessment of the eligibility of the electrical and electronic equipment from the

the perspective of the leakage of classified information through unintentional radiation

performed by measuring the levels emitted by electromagnetic fields and

by comparing the measured values with the safety standards.



(2) the assessment of the eligibility of the secure areas or object to protect

against the release of classified information through unintentional radiation is done

by measuring the attenuation characteristics and by comparing the measured values with the

safety standards.



(3) where, in the course of the assessment of the competence of electrical and

electronic devices, a secure area or object detected

deficiencies, the Office shall invite the applicant to remove them.



(4) on the progress and results of the assessment of the eligibility of electrical and

electronic devices, a secure area or an object to protect

against the release of classified information through unintentional radiation shall draw up

Result the Office shall notify the applicant in writing.



TITLE II



SHIELDING CHAMBER



§ 32



(1) Shielding Chamber is enclosed a shielded area to prevent the spread

electromagnetic, optical and acoustic radiation from outside this

space.



(2) for the protection of classified information through unintentional leaks before their

electromagnetic emissions is used for shielding Chamber of certified

By the authority. Conditions for evaluations of shielding Chamber to protection of classified

information, the Office of safety standards.



Certification of shielding Chamber



§ 33



Request for certification of a shielding Chamber



(1) an application for certification of a shielding Chamber contains



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) name and surname of contact the worker applicant and contact

connection,



(c)) the degree and certificate number or a copy of a valid declaration

entrepreneurs, when the applicant is an entrepreneur,



(d) the identification and location of Sun) the Chamber and



(e) the identity of the manufacturer of Sun) Chamber, in accordance with § 24 para. 1 (b). and)

point 1 or 2.



(2) the application may be accompanied by a report on the outcome of the reviews of Sun

Chamber of Commerce, carried out by the authority of the State or contractor under contract

to ensure the activities of closed with the Office. On the day of application for the

certification of shielding Chamber must not be the result of the evaluation referred to in

the accompanying message older than 6 months.



§ 34



The method and conditions of implementation of certification of shielding Chamber



(1) certification of the shading of the Chamber shall be carried out by measuring the damping properties

shielding Chamber and by comparing them with the safety standards. Measurement

the shield of the Chamber shall be carried out with the participation of the applicant and, if necessary,

vendor shielding Chamber.



(2) on the progress and incremental results of certification of shielding Chamber shall draw up

The Office report.



(3) the model certificate shielding Chamber is given in annex 2 to this

the Decree.



§ 35



The certification message shielding Chamber



The certification message shielding Chamber contains



and an indicative description of the shield of the Chamber), its location and purpose of the

the use,



(b) the conditions of use), the shield of the Chamber and



(c)) the types of changes that require the execution of repeated certification of shielding

Chamber.



section 36



A recurring request certification of shielding Chamber and the way it

the implementation of



(1) an application for certification, the shield of the Chamber contains a recurring



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) the complete identification of the issued certificate shielding Chamber containing the

its holder, the registration number, date of issue and period of validity,



(c) identification of the certified Sun Chamber) that contains its name,

the type designation, the variant design and location, and



(d)) first and last name of the applicant and contact contact worker

connection.



(2) the application may be accompanied by a report on the outcome of the reviews of Sun

Chamber of Commerce, carried out by the authority of the State or contractor under contract

to ensure the activities of closed, with the Office in accordance with § 33 para. 2.



(3) If an applicant has submitted evidence that, at the date of expiry of the existing

the certificate does not shield the Chamber validation changes in conditions

the validity of the certificate issued, the Office will issue the certificate.



(4) If on the date of expiry of the certificate applicant shield Chamber

cannot substantiate the facts referred to in paragraph 3, the Office performs


additional evaluation of shielding Chamber, and if it verifies the eligibility of the Sun

Chamber to protect classified information, to issue the certificate. In the case of

material changes to the conditions of service shielding Chamber proceed as when

new certification.



PART FIVE



REQUIREMENTS FOR AN APPLICATION TO THE AUTHORITY OF THE STATE OR ENTREPRENEURS ON THE CONCLUSION OF THE TREATY ON

ENSURE THE ACTIVITIES



§ 37



The application for conclusion of a contract of reinsurance activities includes



and the identification of the applicant pursuant to §) 24 para. 1 (b). and)



(b)) the degree and certificate number or a copy of a valid declaration

entrepreneurs, when the applicant is an entrepreneur,



c) name and surname of the applicant and contact contact worker

connection,



(d) identification of the vocational workplace of) the applicant (the subject of the

the activities and location of workplace pověřovaného detailed specification, name

and the last name of the contact the worker and the contact link),



(e)) to specify the actions to be carried out in accordance with the Treaty,



f) personnel to perform the required prerequisites workplace activities

(name, surname, and the qualifications of the head of the worker's vocational

workplace, first and last names of other professional staff workplace

and their qualifications),



g) statement responsible of the level of physical, personnel, and

administrative security is ensured for the technical departments,



h) degree and the registration number of the certificate, if the information system is

the use of certified information system needed for the implementation of the

activities under the contract, and



I) used the professional workplace and technical equipment required for the

the implementation of activities under the contract.



PART SIX



CONDITIONS OF SAFE OPERATION OF COPYING DEVICES, DISPLAY

EQUIPMENT OR A TYPEWRITER WITH MEMORY



§ 38



(1) the safe processing of classified information in electronic format in

a device that is not part of the information or communication system,

especially in a typewriter with the memory and the machine to copy,

record or view classified information or its transfer to another

data format, depending on the degree of confidentiality of classified

information reaches through the application of measures from the



and safety, personnel)



b) physical security,



(c) safety and organizational) administrative measures and



(d) the protection of classified information) prior to its disclosure through unintentional

radiation.



(2) the Devices referred to in paragraph 1, which are used for processing

classification classified information Confidential or higher, must be

protected against leakage of classified information through unintentional

radiation. When verifying the eligibility of the copying equipment,

display device or a typewriter with memory to protect EU classified

information leak through unintentional radiation before it happens

in accordance with section 31.



(3) the equipment referred to in paragraph 1 shall be placed in an area in which

their physical protection from unauthorized access,

damage and affecting. This space is defined by the elements defined

protection with appropriate entry and security barriers. According to the

the nature of the device is determined on the basis of a risk analysis that must be

located in a secure area or in the object, and the category

secure area. Risk analysis provides for vulnerabilities

likelihood of execution devices possible threats and an estimate of their

the consequences.



(4) the device referred to in paragraph 1 must be physically protected from

security threats and risks environment.



(5) the location of the equipment referred to in paragraph 1 shall be carried out so as to

did not allow the unauthorized person read the classified information.



(6) the device referred to in paragraph 1 containing integrated carrier

classified information or other components to remain

classified information and with a typewriter with memory must be associated

information on the degree of confidentiality of the information stored on these media,

components and memoirs. This information can be expressed on the label

attached to the device, set out in the operational safety directive or

be expressed any other way. Carriers of classified information

built into the device and other components to remain

classified information must be registered and classified

at the latest after their removal from the device.



(7) service activities for the devices referred to in paragraph 1 must organize

so, in order not to compromise the security of classified information. From the media

classified information and components accessible in service activities

classified information shall be erased in accordance with § 15, otherwise it shall not be

the subject of the service activity.



PART SEVEN



The EFFECTIVENESS of the



§ 39



This Decree shall enter into force on 1 January 2000. January 1, 2006.



Director:



Mgr. Mares in the r.



Annex 1

THE NATIONAL SECURITY AGENCY



Post offices. compartments. 49

Prague 150 06 56



------------------------------------------------------------------



The national security agency issued, pursuant to section 46 of the Act No. 412/2005 Coll.

on the protection of classified information and the security of the eligibility



CERTIFICATE

the information system



Registration number:.. ...



...............

(name, version)



------------------------------------------------------------------

The holder of the certificate:



Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:

------------------------------------------------------------------



This certificate confirms validation and approval of eligibility

information system for handling classified information

to and including the level of classification



.....



Valid from:

Valid to:



The imprint of the official stamp



Signature of authorized representative



Date of issue:



Annex:



Annex 2

THE NATIONAL SECURITY AGENCY



Post offices. compartments. 49

Prague 150 06 56



------------------------------------------------------------------



The national security agency issued, pursuant to section 46 of the Act No. 412/2005 Coll.

on the protection of classified information and the security of the eligibility



CERTIFICATE

shielding Chamber



Registration number:.. ...



...............

(name, type)



------------------------------------------------------------------

The holder of the certificate:



Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:

------------------------------------------------------------------



------------------------------------------------------------------

Manufacturer of shielding Chamber:



Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:

------------------------------------------------------------------



This certificate confirms the eligibility of shielding Chamber

to protect against leakage of classified information through unintentional

emissions up to and including level of classification



.....



Valid from:

Valid to:



The imprint of the official stamp



Signature of authorized representative



Date of issue:



Annex:



Annex 3



PHYSICAL SECURITY OF INFORMATION SYSTEMS (IS)



1.1.



THE PROCESSING OF DATA

---------------------------------------------------------------------

1.1.1. The information system can be classified

the only information displayed and processed, or transmitted:

SS1 = 4 points

---------------------------------------------------------------------



In the case that it is in a secure area located one or more pieces

information system, the lowest of the values of the parameter the SS1

related to the individual parts of the information system.



1.2. STORAGE of CLASSIFIED INFORMATION on COMPUTER media (ALL

NON-VOLATILE STORAGE MEDIA)



The spaces in which they are information systems used for storing

classified information classification of Reserved and above, must be

set up as a secure area.

---------------------------------------------------------------------

1.2.1. The stored data is encrypted by a certified

Cryptographic device

SS1 = 4 points

---------------------------------------------------------------------



In addition to the parameter of the SS1, which applies to stored encrypted data, it is

must also work with the S1 cryptographic resource.

---------------------------------------------------------------------

1.2.2. The stored data is not encrypted

SS1 = 1 point

---------------------------------------------------------------------



1.3.



USER IDENTIFICATION AND AUTHENTICATION

1.3.1. identification and authentication on behalf of the subject with an encrypted

content and transmission:

SS2 = 4 points



Cryptographic mechanisms used for the authentication of the item must be

certified by the Office.



This method of authentication consists of a security equivalent to the lock handy storage

object of type 4.

---------------------------------------------------------------------

1.3.2. identification and authentication on behalf of the subject

with an encrypted content:

SS2 = 3 points

---------------------------------------------------------------------



Cryptographic mechanisms used for the authentication of the item must be

certified by the Office.




This method of authentication consists of a security equivalent to the lock handy storage

object of type 3.

---------------------------------------------------------------------

1.3.3. the Identification and authentication of subject name

SS2 = 2 points

---------------------------------------------------------------------



Article used for authentication must be approved by the authority in the framework of the

certification information system.



This method of authentication consists of a security equivalent to the lock handy storage

object of type 2.



---------------------------------------------------------------------

1.3.4. The identification of the name and password authentication

SS2 = 1 point

---------------------------------------------------------------------



The minimum length and the way the creation of passwords must be approved by the authority in

under the certification information system.



This method of authentication consists of a security equivalent to the lock handy storage

object of type 1.



Of the point values of the SS1 and SS2 obtained in accordance with section 1.1. or 1.2. and the point of

1.3. this annex is calculated the value of S1:



+------------------------+

| (S1) = SS1 SS2 x |

+------------------------+



The value of the SS1 and SS2 you can use in the table of point values for the lowest rates

security of the secure area or meeting area.



1) section 34 of Act No. 412/2005 Coll., on the protection of classified information and on the

Security eligibility.



2) section 35 of Act No. 412/2005 Coll.



3) for example, ISO/IEC 15408 evaluation criteria for IT security.



4) Decree No. 524/2005 Coll., on ensuring cryptographic protection

of classified information.



5) Decree No. 529/2005 Coll., on Administrative and security

registers of classified information.



6) Act 499/2004 Coll., on Archives and records service and amending

certain acts, as amended.