523/2005 Sb.
DECREE
of 5 December 2005
on the security of information and communication systems and other
electronic equipment handling classified information and on the
certification of shielded chambers
453/2011 Sb.
The National Security Authority determines, pursuant to § 34 para. 5, § 35
para. 5, § 36 para. 5 and § 53 letters a), b), c), d), g), h), i) and j) of Act
No. 412/2005 Coll., on the protection of classified information and security
eligibility (hereinafter referred to as the "Act"):
PART ONE
INTRODUCTORY PROVISIONS
§ 1
Subject matter
This Decree lays down the requirements for information systems that handle
classified information ^1) (hereinafter referred to as "information system")
and the performance of their certification, for communication systems that
handle classified information ^2) (hereinafter referred to as "communication
system") and the approval of their security projects, for the protection of
classified information in electronic form in equipment that is not part of an
information or communication system, for the protection of classified
information against disclosure through compromising emanations, and for the
performance of the certification of shielded chambers.
§ 2
Definition of terms
For the purposes of this Decree,
a) asset of the information system means, as defined on the basis of a risk
analysis (§ 11), the hardware, software and documentation of the information
system and the classified information stored in the information system,
b) object of the information system means a passive element of the information
system that contains or receives information,
c) subject of the information system means an active element of the information
system that causes the transfer of information between objects of the
information system or a change in the state of the system,
d) risk analysis means a process in which the assets of the information
system, the threats acting on those assets, its vulnerabilities, the
likelihood of the threats being realized and an estimate of their consequences
are identified,
e) audit record means a record made by the information system of an event that
may affect the security of the information system,
f) identification of a subject of the information system means the process of
determining its identity in the information system,
g) authentication of a subject of the information system means the process of
verifying its identity in the information system, meeting the required degree
of assurance,
h) authorization of a subject of the information system means the granting of
certain rights to carry out specified activities in the information system,
i) confidentiality of classified information means its property that prevents
the disclosure of classified information to an unauthorized person,
j) physical security of an information system or communication system means
the measures used to ensure the physical protection of the assets of these
systems against accidental or deliberate threats,
k) integrity of an asset of the information system or communication system
means the property that allows the asset to be changed only in a specified
manner and only by an authorized subject of the information system,
l) communication security means the measures used to protect classified
information during transmission over a defined communication environment,
m) computer security means the security of the information system provided by
its hardware and software means,
n) mandatory access control means the means for restricting the access of
subjects of the information system to objects of the information system, based
on a comparison of the classification level of the classified information
contained in the object with the clearance level of the subject for access to
classified information, and ensuring the correct flow of information between
objects of the information system with different classification levels,
independently of the choice made by the user,
o) risk to the information system or communication system means the
probability that a particular threat will exploit vulnerabilities of one of
these systems,
p) role means a summary of the specified activities and necessary
authorizations for a subject of the information system operating in the
information system or communication system,
q) security administrator of the information system or communication system
means an employee in the management of the information system or communication
system in a role created for managing and controlling the security of the
information system or communication system and for carrying out the specified
activities to ensure the security of the information system or communication
system,
r) administrator of the information system or communication system means an
employee in the management of the information system or communication system
in a role created in particular to ensure the required functionality of the
information system or communication system and to manage the operation of the
information system or communication system,
s) user of the information system or communication system means a natural
person in a role created in particular for handling classified information in
the information system or for transmitting classified information in the
communication system,
t) access control means the means for restricting the access of subjects of
the information system to objects of the information system, ensuring that
access to them is obtained only by an authorized subject of the information
system,
u) discretionary access control means the means of restricting the access of
subjects of the information system to objects of the information system, based
on checking the access rights of the subject to the object, where a user,
administrator or security administrator of the information system holding
certain access rights to an object of the information system can choose to
which other subjects of the information system the access rights to this
object are passed, and can thus influence the flow of information between
objects of the information system,
v) security standard means a classified set of rules establishing the
procedures, technical solutions, security parameters and organizational
measures for ensuring the minimum possible level of protection of classified
information,
w) security operating mode means the environment in which the information
system operates, characterized by the classification level of the classified
information processed and the clearance levels of the users,
x) applicant means a State body or an entrepreneur that has applied in writing
to the National Security Authority (hereinafter referred to as "the Authority")
for the certification of an information system, the certification of a
shielded chamber, the approval of a security project of a communication
system, or the verification of the suitability of electrical and electronic
equipment, a secure area or a building for protection against the leakage of
classified information through compromising emanations,
y) non-repudiation means the ability to prove an action or event
retrospectively, so that the action or event cannot subsequently be denied,
z) authenticity of information means a guarantee that the information is
authentic and comes from trusted sources.
PART TWO
INFORMATION SYSTEM
TITLE I
REQUIREMENTS FOR THE SECURITY OF INFORMATION SYSTEMS
§ 3
Security of information systems
(1) The security of an information system is ensured by applying a set of
measures from the areas of
a) computer and communication security,
b) cryptographic protection,
c) protection against leakage through compromising emanations,
d) administrative security and organizational measures,
e) personnel security, and
f) physical security of the information system.
(2) The set of measures adopted in the course of certification of the
information system ensures that the risks to which the information system is
exposed are reduced to an acceptable level.
(3) The set of measures referred to in paragraph 1 is specified in the
security documentation of the information system.
§ 4
Security documentation of the information system
(1) The security documentation of an information system consists of
a) the project security documentation of the information system and
b) the operational security documentation of the information system.
(2) The project security documentation of the information system contains
a) the security policy of the information system and the results of the risk
analysis,
b) the security design of the information system, which ensures that the
security policy of the information system is met; the level of detail of its
description must allow direct implementation of the proposed measures, and
c) the documentation for the security tests of the information system.
(3) The operational security documentation of the information system contains
a) security guidelines of the information system prescribing the activities of
the security administrators of the information system in the individual roles
established in the information system for ensuring the security management of
the information system,
b) security guidelines of the information system prescribing the activities of
the administrators of the information system in the individual roles
established in the information system for managing the information system with
regard to ensuring the security of the information system,
c) security guidelines of the information system prescribing the activities of
the users of the information system with regard to ensuring the security of the
information system.
§ 5
Security policy of the information system
(1) For each information system, a security policy of the information system
must be drawn up already in the initial stage of its development. The security
policy of the information system consists of a set of norms, rules and
procedures that define the way in which the confidentiality, integrity and
availability of classified information, the availability of the services of the
information system, and the accountability of the user, the security
administrator and the administrator of the information system for their
activities in the information system are to be ensured. If the function of the
information system so requires, it also defines the way of ensuring the
authenticity of information and non-repudiation.
(2) The principles of the security policy are elaborated in the security design
of the information system and in the operational security documentation of the
information system.
(3) When formulating the security policy of the information system and
assessing the security properties of the components of the information system,
internationally standardized security specifications ^3) may also be used.
§ 6
Requirements for the formulation of the security policy of the information system
The security policy of the information system is formulated on the basis of
a) the minimum security requirements in the area of computer security,
b) system-dependent security requirements, user requirements and the results
of the risk analysis, and
c) the security requirements of the security policy of the superior body, if
one has been drawn up.
§ 7
Minimum security requirements in the area of computer security
(1) An information system handling classified information of classification
level Confidential or higher must provide these security functions:
a) unique identification and authentication of the user, the security
administrator or the administrator of the information system, which must
precede all their other activities in the information system, and protection of
the confidentiality and integrity of the authentication information,
b) discretionary access control to objects of the information system based on
distinguishing and managing the access rights of the user, the security
administrator or the administrator of the information system and their identity
or their membership of a group of users, security administrators or
administrators of the information system,
c) continuous recording of events that may affect the security of the
information system in audit records, and protection of the audit records
against unauthorized access, in particular modification or destruction. In
particular, the following are recorded: the use of identification and
authentication information, attempts to examine access rights, the creation or
deletion of an object of the information system, and the activity of
authorized subjects of the information system affecting the security of the
information system,
d) the ability to examine audit records and to determine the accountability of
an individual user, security administrator or administrator of the information
system,
e) treatment of memory objects before their further use, in particular before
their allocation to another subject of the information system, which prevents
their previous content from being ascertained, and
f) protection of the confidentiality of data during transmission between source
and destination.
(2) To provide the security functions referred to in paragraph 1, identifiable
software and hardware mechanisms are implemented in the information system. The
documentation describing their design and operational settings must allow their
independent verification and an assessment of their sufficiency.
(3) The security mechanisms that implement the security functions applying the
security policy of the information system must be protected against compromise
or unauthorized changes throughout the life cycle of the information system.
(4) In an information system handling classified information up to
classification level Restricted, the security functions referred to in
paragraph 1 must be used appropriately, together with measures from the areas
of personnel, administrative and physical security of information systems.
§ 8
System-dependent security requirements derived from the security operating
mode
(1) Information systems may be operated only in one of these security
operating modes:
a) dedicated security operating mode,
b) security operating mode with the highest level,
c) security operating mode with the highest level with formal access control
to information, or
d) multilevel security operating mode.
(2) The dedicated security operating mode is an environment that enables the
processing of classified information of different classification levels, in
which all users must meet the conditions for access to classified information
of the highest classification level contained in the information system and at
the same time must be authorized to work with all the classified information
contained in the information system. The security of an information system
operated in the dedicated security operating mode is ensured by meeting the
minimum security requirements in the area of computer security referred to in
§ 7 para. 1 letters a), c), d) and f) and by measures from the areas of
administrative and personnel security and physical security of information
systems. The level of the measures used from these areas and of the measures to
ensure the confidentiality of data during transmission must correspond to the
level required for the highest classification level of the classified
information handled by the information system.
(3) The security operating mode with the highest level is an environment that
enables the simultaneous processing of classified information of different
classification levels, in which all users must meet the conditions for access
to classified information of the highest classification level contained in the
information system, but not all users need to be authorized to work with all
the classified information. The security of an information system operated in
the security operating mode with the highest level is ensured by meeting the
minimum security requirements in the area of computer security referred to in
§ 7 and by measures from the areas of administrative and personnel security and
physical security of information systems. The level of the measures used from
these areas and of the measures to ensure the confidentiality of data during
transmission must correspond to the level required for the highest
classification level of the classified information handled by the information
system.
(4) The security operating mode with the highest level with formal access
control to information is an environment that corresponds to the security
operating mode with the highest level, in which, however, formal access control
additionally presupposes formal central management of access control.
(5) The multilevel security operating mode is an environment that enables, in
one information system, the simultaneous processing of classified information
of different classification levels, in which not all users need to meet the
conditions for access to classified information of the highest classification
level contained in the information system, and not all users need to be
authorized to work with all the classified information. The security of an
information system operated in the multilevel security operating mode is
ensured by the measures referred to in paragraph 3 and by the security function
of mandatory access control of subjects of the information system to objects of
the information system. The level of the measures used from the areas of
administrative and personnel security and physical security of information
systems, and of the measures to ensure the confidentiality of data during
transmission, is determined on the basis of the principle of mandatory access
control.
(6) The function of mandatory access control of subjects of the information
system to objects of the information system must ensure
a) the permanent association of each subject and object of the information
system with a security attribute, which for a subject of the information system
expresses its clearance level and for an object of the information system its
classification level,
b) protection of the integrity of the security attribute,
c) the exclusive authorization of the security administrator of the information
system to make changes to the security attributes of subjects and objects of
the information system, and
d) the assignment of predefined attribute values to newly created objects of
the information system and the preservation of the attribute when an object of
the information system is copied.
(7) When the security function of mandatory access control of subjects of the
information system to objects of the information system is applied, these
principles must be ensured:
a) a subject of the information system can read information in an object of the
information system only if its clearance level is the same as or higher than
the classification level of the object of the information system,
b) a subject of the information system can write information into an object of
the information system only if its clearance level is the same as or lower than
the classification level of the object of the information system, and
c) access of a subject of the information system to information contained in an
object of the information system is possible if it is permitted both by the
rules of mandatory access control and by the rules of discretionary access
control.
(8) An information system operated in the multilevel security operating mode
must be able to accurately mark the classification level of classified
information leaving the information system and must allow a classification
level to be assigned to classified information entering the information system.
(9) For an information system that is operated in the multilevel security
operating mode and handles classified information of classification level Top
Secret, identification and analysis of covert channels must be carried out. A
covert channel means an impermissible communication by which classified
information can reach an unauthorized subject of the information system.
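The read and write rules of § 8 para. 7 and the attribute handling of para. 6 letters a) to c), modelled as a small reference monitor. This is an added illustration and not part of the Decree; the class names, the access-list representation, the labelling of new objects with the creator's clearance, and the sample subjects and object are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

MODES = ("read", "write")


class Level(IntEnum):
    """Classification levels named in the Decree, lowest first."""
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level              # security attribute of the subject, para. 6 a)
    security_admin: bool = False  # role defined in § 2 q)


class ReferenceMonitor:
    """Mediates every access; labels and access lists live only in here."""

    def __init__(self):
        self._label = {}  # object name -> Level, para. 6 a) and b)
        self._owner = {}  # object name -> name of the creating subject
        self._acl = {}    # object name -> {subject name: set of modes}
        self.audit = []   # (subject, action, object, allowed), cf. § 7(1) c)

    def _log(self, subject, action, obj, allowed):
        self.audit.append((subject.name, action, obj, allowed))
        return allowed

    def create(self, subject, obj):
        # Assumption: the predefined label of a new object is the creator's
        # clearance, so creating an object can never write information down.
        if obj in self._label:
            raise ValueError(f"object {obj!r} already exists")
        self._label[obj] = subject.clearance
        self._owner[obj] = subject.name
        self._acl[obj] = {subject.name: set(MODES)}
        self._log(subject, "create", obj, True)

    def grant(self, owner, obj, grantee, mode):
        # Discretionary part, § 2 u): the owner chooses who else gets rights.
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if self._owner[obj] != owner.name:
            self._log(owner, "grant-" + mode, obj, False)
            raise PermissionError("only the owner may pass on access rights")
        self._acl[obj].setdefault(grantee.name, set()).add(mode)
        self._log(owner, "grant-" + mode, obj, True)

    def relabel(self, subject, obj, level):
        # Para. 6 c): only the security administrator changes attributes.
        if not subject.security_admin:
            self._log(subject, "relabel", obj, False)
            raise PermissionError("only the security administrator may relabel")
        self._label[obj] = level
        self._log(subject, "relabel", obj, True)

    def check(self, subject, obj, mode):
        level = self._label[obj]
        if mode == "read":      # para. 7 a): clearance same or higher
            mac_ok = subject.clearance >= level
        elif mode == "write":   # para. 7 b): clearance same or lower
            mac_ok = subject.clearance <= level
        else:
            raise ValueError(f"unknown mode {mode!r}")
        dac_ok = mode in self._acl[obj].get(subject.name, set())
        # Para. 7 c): both the mandatory and the discretionary rule must permit.
        return self._log(subject, mode, obj, mac_ok and dac_ok)


def demo():
    """Constructed scenario; all subject and object names are made up."""
    alice = Subject("alice", Level.SECRET)
    bob = Subject("bob", Level.CONFIDENTIAL)
    carol = Subject("carol", Level.TOP_SECRET)
    admin = Subject("secadmin", Level.TOP_SECRET, security_admin=True)
    rm = ReferenceMonitor()
    rm.create(alice, "plan")  # labelled SECRET, owned by alice
    out = {"carol_read_without_grant": rm.check(carol, "plan", "read")}
    for who in (bob, carol):
        for mode in MODES:
            rm.grant(alice, "plan", who, mode)
    out["bob_read_up"] = rm.check(bob, "plan", "read")
    out["bob_write_up"] = rm.check(bob, "plan", "write")
    out["carol_read_down"] = rm.check(carol, "plan", "read")
    out["carol_write_down"] = rm.check(carol, "plan", "write")
    try:
        rm.relabel(bob, "plan", Level.RESTRICTED)
        out["bob_relabel"] = True
    except PermissionError:
        out["bob_relabel"] = False
    rm.relabel(admin, "plan", Level.CONFIDENTIAL)
    out["bob_read_after_relabel"] = rm.check(bob, "plan", "read")
    out["alice_write_after_relabel"] = rm.check(alice, "plan", "write")
    return out, rm.audit
```

A discretionary grant never overrides the mandatory comparison: in the scenario the lower-cleared subject holds a read grant yet is refused until the security administrator lowers the object's label, at which point the higher-cleared owner loses the ability to write to it.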
§ 9
System-dependent security requirements in a computer network environment
(1) When classified information is transmitted over a communication channel,
its confidentiality and integrity must be protected.
(2) The basic means of ensuring the confidentiality of classified information
during transmission over a communication channel is cryptographic
protection ^4).
(3) The basic means of ensuring the integrity of classified information during
transmission over a communication channel is the reliable detection of
deliberate and accidental changes to the classified information.
(4) The transmission of classified information over a communication channel
within a secure area or building may, on the basis of a risk analysis, be
secured solely by physical security measures applied to all components of the
communication channel, where the transmitted classified information is not
protected by cryptographic protection or is protected by cryptographic
protection at a lower level than is required for the classification level of
the transmitted classified information. This way of securing the transmission
of classified information is approved by the Authority within the certification
of the information system.
(5) Depending on the communication environment, reliable identification and
authentication of the communicating parties is ensured, including protection of
the identification and authentication information. This identification and
authentication precedes the transmission of classified information.
(6) The transmission of classified information over a communication channel
running outside the building must be secured by a certified cryptographic
device that is certified for at least the same classification level as the
transmitted classified information.
(7) During certification of the information system, the Authority may, on the
basis of a submitted risk analysis and of adopted specific security measures
for detecting a breach of the security of the communication channel and
measures to reduce the consequences of an attack, approve a different way of
securing the information system than that set out in paragraphs 4 and 6.
§ 9a
Secure interconnection of information systems
(1) For the purposes of this Decree, the interconnection of information systems
means a direct connection of two or more information systems, or of an
information system and an information system handling unclassified
information, for the purpose of one-way or multi-directional sharing of data
and other information resources. An information system may be interconnected
with another information system or with an information system handling
unclassified information only where this is operationally necessary.
(2) A certified information system may be interconnected with another
certified information system if this was approved, on the basis of a risk
analysis, within the certification of these information systems, a security
interface is implemented between them, and they are certified for handling
classified information
a) of the same classification level, or
b) of a different classification level, provided that the measures under
paragraph 3 are applied.
(3) The interconnection of information systems certified for handling
classified information of different classification levels must be carried out
so that the transfer between them of classified information of a higher
classification level than the classification level for which an information
system is certified is prevented.
(4) A certified information system must not be interconnected with a public
communication network, except where an appropriate security interface, approved
on the basis of a risk analysis within its certification, is installed for this
purpose between it and the public communication network, so that penetration
of the certified information system is prevented and only a controlled transfer
of data is possible that does not compromise the confidentiality, integrity and
availability of classified information or the availability of the services of
the certified information system.
(5) A certified information system that handles classified information of
classification level Top Secret, or classified information requiring special
handling and marked "ATOMAL", must not be directly or successively
interconnected with a public communication network.
(6) If a public communication network is used exclusively for transmitting data
between information systems or between sites of an information system, and the
transmitted information is protected by a certified cryptographic device, such
a connection is not regarded as an interconnection. An appropriate security
interface must be established between the information system and the public
communication network so that penetration of the information system is
prevented. The connection is subject to risk analysis and must be approved
within the certification of the information system.
§ 10
Requirements for the availability of classified information and of the services
of the information system
(1) The information system must ensure that the required classified
information is available at the specified place, in the required form and
within the specified time range.
(2) To ensure the secure operation of the information system, the security
policy of the information system specifies the components that must be
replaceable without interrupting the operation of the information system. It
further defines the scope of the required minimum functionality of the
information system and lists the components on whose failure the minimum
functionality of the information system must be guaranteed.
(3) The planning of the capacities of the assets of the information system and
the monitoring of capacity requirements are carried out so that errors due to
insufficient capacity do not occur.
(4) A plan for restoring the operation of the information system after a
failure must be drawn up. Returning the information system to a known secure
state may be carried out manually by the administrator of the information
system or automatically. All activities carried out to restore the operation of
the information system are, as a rule, recorded in audit records protected
against unauthorized modification or destruction.
§ 11
System-dependent security requirements derived from the risk analysis
(1) To determine the threats that endanger the assets of the information
system, a risk analysis must be carried out.
(2) In the risk analysis, the assets of the information system and the threats
acting on the individual assets of the information system are defined. In
particular, threats that cause a loss of functionality or of security of the
information system are assessed.
(3) After the threats have been determined, the vulnerabilities of the
information system are identified by finding, for each threat, the
vulnerability or vulnerabilities on which the threat acts.
(4) The result of the risk analysis is a list of the threats that may endanger
the information system, with an indication of the corresponding risk.
(5) On the basis of the risk analysis, suitable countermeasures are selected
and the residual risks and their level are determined, taking care that only
those functions, devices and services are implemented that are necessary to
fulfil the purpose for which the information system is established.
§ 12
Substitution of computer security means
In justified cases, the provision of some security functions of the information
system by computer security means may be replaced by the increased use of
means of personnel or administrative security, physical security of
information systems or organizational measures. When a computer security means
is replaced by a substitute security mechanism or group of mechanisms that is
to provide the security function, the security function must be fully
implemented and its quality and level preserved.
§ 13
Requirements for the protection of portable and mobile information systems
(1) For mobile and portable information systems, the risk analysis also
assesses the risks that are associated, for mobile information systems, with
the means of transport and, for portable information systems, with the
environments in which these information systems are used.
(2) The set of measures used for the overall protection of mobile and portable
information systems containing components that allow the storage of classified
information must, in addition to the other requirements laid down by this
Decree, include treating such equipment as a carrier of classified information
classified at the highest classification level of the classified information it
handles.
§ 14
Requirements for protection against compromising emanations
(1) The components of an information system that handle classified information
of classification level Confidential or higher, and the secure area or building
in which classified information of classification level Confidential or higher
is processed in the information system, must be secured in such a way that
compromising emanations do not cause a leak of classified information.
(2) The requirements for security against compromising emanations depend on the
classification level of the classified information handled by the information
system and are set out in the security standard.
(3) The installation of an information system that handles classified
information of classification level Confidential or higher must, in terms of
its security against compromising emanations, be carried out in accordance with
the requirements of the security standard. A record of the installation of the
components of the information system is placed in the security documentation of
the information system. The content and form of the record are set out in the
security standard.
§ 15
Safety requirements for the means of delivery of classified information
(1) all carriers of classified information used in the operation of the
the information system must be registered. The classification of these carriers
the information must match the safety operating mode and the Supreme
the classification of classified information stored on a data carrier.
(2) if there is a removable rack of classified information intended exclusively for
use in the operation of a particular information system, together with
classification and name of the information system and registration number
carriers of information. Media intended for the transmission of classified information or
dispersing information from information system to indicate the degree of confidentiality and
other information under special legislation ^ 5).
(3) a carrier of classified information built in to the device and the other
the component that enables the preservation of classified information must be registered
and classified at the latest after their removal from the
device. The equipment shall be registered in the operational safety documentation
the information system.
(4) the level of classification classification classified information carriers Strictly
the secret must not be reduced, except where it is established that the
During his previous life cycle only classified
information with a lower classification or non-classified information.
(5) the level of classification classification classified information carriers of the secret
may be reduced, the classification of Confidential may be reduced or cancelled,
only in the case that deletion of classified information from it was carried out
in the manner specified in paragraph 6, or it is established that it was during
his previous life cycle only stored classified information
a lower classification or information non-confidential or it is established that
classification of classified information stored on it during his
the existing life cycle was cancelled or reduced. Classification level
carriers of classified information classification Reserved may be canceled
only in the case that deletion of classified information from it was carried out
in the manner specified in paragraph 6, or it is established that it was during
his previous life cycle stores only non-classified
or it is demonstrated that the degree of confidentiality of classified information stored on
him during his previous life cycle has been canceled.
(6) Delete the classified information from the carriers of classified information
enables the reduction or cancellation of its degree of confidentiality, it shall be done
so that the classified information is stored on the medium during its previous
the life cycle was difficult to detectable even when using laboratory
methods. The conditions and procedures for the safe erasure of the Office in
a safety standard, the process must be included in the operational safety
documentation of the certified information system and in the context of
its certification.
(7) Destruction of a classified information medium of the information system
must be carried out so that the classified information cannot be obtained
from it again.
(8) Where removable mass-storage media are used, the security policy must
specify the management of user access to input and output devices.
§ 16
Requirements for access to classified information in the information system
(1) Only a person who has been authorized for their work in the information
system by the procedure laid down in the security documentation of the
information system may be a user, security administrator or administrator of
the information system.
(2) The user, the security administrator and the administrator of the
information system must meet the conditions for access by natural persons to
classified information of the classification level determined in accordance
with the security operating mode and depending on the highest classification
level of the classified information that the information system may handle.
(3) The administrator of the information system who performs the function of
an administrator with full rights to control the system, and the security
administrator of the entire information system, shall meet the conditions for
access by natural persons to classified information of a classification level
one level higher than the highest classification level of the classified
information that the information system may handle. This does not apply to an
information system designed to handle classified information of the Top
Secret classification level. For the administrator of the information system
who performs the function of an administrator with full rights to control the
system, and the security administrator of the entire information system,
where the information system is of small scale, or has a low proportion of
processing of classified information of the highest classification level for
whose processing the information system is designed, or involves no
accumulation of classified information, or handles only tactical classified
information, the Office may, having weighed the identified risks, accept as
sufficient the fulfilment of the conditions for access by natural persons to
classified information of a classification level equal to the highest
classification level of the classified information that the information
system may handle.
(4) The administrator of the information system who performs the function of
an administrator with limited rights to manage the system, in particular
administration of servers, administration of an application or local
administration, and the security administrator of the information system
ensuring security, in particular in the area of security technology or local
administration, must meet the conditions for access by natural persons to
classified information of a classification level equal to the highest
classification level of the classified information that the information
system may handle.
(5) Where the responsible person or the authorized person approves the
information system for operation for handling classified information of a
classification level lower than the classification level of the classified
information that the information system may handle, the classification level
of the classified information for which the information system was approved
for operation is decisive for determining the level of the conditions for
access by natural persons to classified information.
(6) On the basis of the authorization, users, security administrators and
administrators of the information system are allocated a unique identifier
within the information system. To ensure continuous availability of
classified information and services of an information system that is in
constant operation, the Office may, where justified, permit in the context of
its certification that an identifier be used by several users, security
administrators or administrators of the information system. A prerequisite is
the introduction of a procedure that makes it possible to determine which
user, security administrator or administrator of the information system was
using the identifier at a given time.
(7) A user, security administrator or administrator of the information system
is granted permissions only to the extent necessary to carry out the
activities assigned to them in the information system.
§ 17
The requirement of liability for activities in the information system
(1) The user, the security administrator and the administrator of the
information system adhere to the prescribed procedures laid down in the
security documentation of the information system, by which the security of
the information system is ensured.
(2) Information on the activities of a subject of the information system in
the information system shall be recorded so that breaches of the security of
the information system, or attempts at them, can be identified. Records of
the activities of a subject of the information system in the information
system shall be kept for retrospective examination for the period specified
in the security policy of the information system.
(3) If required by the activity for which the information system is
established, non-repudiation of a performed action or event is ensured in the
information system. Where the functionality of records in electronic form ^6)
is required in the information system, the software by which it is
implemented must be evaluated during certification of the information system.
§ 18
Security management of the information system
(1) An appropriate system of security management of the information system is
established in the information system. Within the security management system
of the information system, the role of security administrator of the
information system is established separately from the other roles in the
administration of the information system, unless provided otherwise below.
(2) Where needed to cover a defined range of activities for ensuring the
security of the information system, additional roles are introduced in the
security administration of the information system, in particular an
organizational structure of security administrators, security administrators
of individual sites, a security administrator for the area of communication
security, or a security administrator of the security interface of
information systems.
(3) The role of security administrator of the information system comprises
the performance of security management of the information system, consisting
in particular in the allocation of access rights, management of
authentication and authorization information, configuration management of the
information system, management and evaluation of audit records, updating of
security directives, resolution of security incidents and emergencies and
reporting on them, ensuring the training of users in the field of security of
the information system, and checks of the operational security directives, as
well as in other activities laid down in the security documentation of the
information system.
(4) In a small-scale information system, the Office may, within its
certification, allow the role of security administrator to be combined with
some other roles in the administration of the information system.
(5) In addition to activities ensuring the functionality of the information
system and the management of its operation, the administrator of the
information system carries out specified activities to ensure the computer
and communication security of the information system.
§ 19
Personnel security requirements in the operation of the information system
(1) The activity of a user, security administrator and administrator of the
information system in the information system is based on their authorization
for that activity, which must be changed when their role within the
information system changes, or revoked if they no longer fulfil the
conditions of access to classified information. The security administrator
keeps a list of users of the information system.
(2) The operator of the information system provides initial training of
users, security administrators and administrators of the information system
in compliance with the measures laid down in the security documentation of
the information system and in the proper use of the information system. It
provides additional training immediately upon material changes in the
information system, and otherwise at least once a year.
§ 20
Requirements of physical security of information systems
(1) The assets of the information system must be placed in a space that
ensures the physical security of the information system against unauthorized
access, damage and interference. Within the certification of the information
system it is determined which components of the information system must be
placed in a secure area or in an object, and the category of the secure area.
(2) The assets of the information system must be protected against security
threats and risks arising from the environment in which they are located.
(3) The assets of the information system must be located so as not to allow
an unauthorized person to read classified information or information used to
identify and authenticate the user.
(4) The communication infrastructure carrying data or supporting the services
of the information system must be protected against the possibility of
interception of the transmitted classified information, and against damage.
(5) The minimum level of security of the secure area in which a part of the
information system in which classified information can be stored is located
is determined in accordance with the tables of point values of minimum
standards of physical security listed in Annex No. 1 to Decree No. 528/2005
Coll., on physical security and certification of technical means, as amended.
(6) The point rating of the physical security of the information system is
specified in Annex No. 3 to this Decree.
§ 21
Requirement for security testing of the information system
(1) The security of the information system must be verified by independent
testing before a certificate is issued. Classified information should not be
used to perform the tests.
(2) The results of the tests must demonstrate that the security functions are
fully in accordance with the security policy of the information system. The
results of the tests must be documented. Errors found during testing must be
removed, and their removal must be verified by subsequent tests.
§ 22
Security requirements for installing the information system
The installation of the information system must be organized so that its
security is not compromised and its security functions are not weakened. The
security policy of the information system specifies the components of the
information system that must be installed by persons meeting the conditions
of the Act for access to classified information of the highest classification
level that the information system is designed to handle. These are components
ensuring the security functions of the information system, or components
evaluated as vulnerable in the installation phase. Other components of the
information system may be installed by persons meeting the conditions of the
Act for access to classified information of a lower classification level, or
by persons not meeting the conditions for access to classified information
who are approved by the security director of the operator of the information
system, but under the constant supervision of an information system
administration worker cleared for access to classified information of the
highest classification level that the information system is designed to
handle.
§ 23
Security requirements for operating the information system
(1) The security of the operated information system shall be tested and
evaluated on an ongoing basis, with regard to the actual state of the
information system. A minor change to the information system may be made only
after the impact of the change on the security of the information system has
been assessed and the change has been approved by the Office, unless the
certification report provides otherwise.
(2) The integrity of software and classified information must be protected
from the effects of malicious code.
(3) In the operated information system, the authenticity of information
entering the information system is verified.
(4) In the operated information system, only hardware and software
corresponding to the security documentation of the information system
approved by the Office and to the conditions of the certification report for
the certificate of the information system may be used.
(5) In the operated information system, backups of software and classified
information must be made. Backups of software and classified information must
be stored so that they cannot be damaged or destroyed when the information
system is compromised, or misused to breach the confidentiality of classified
information.
(6) Service activities in the operated information system shall be organized
so that its security is not compromised. Classified information must be
erased from classified information media accessible during service
activities, and remote diagnostics must be protected from misuse.
(7) Maintenance of components of the information system that ensure the
security functions of the information system or directly affect the security
of the information system must be carried out by a person meeting the
conditions of the Act for access to classified information of the highest
classification level that the information system is designed to handle. Such
components must be set out in the operational security documentation of the
information system. Maintenance of other components of the information system
may be performed by persons meeting the conditions of the Act for a lower
classification level, or by persons approved by the security director of the
operator of the information system, but under the constant supervision of an
information system administration worker cleared for access to classified
information of the highest classification level that the information system
is designed to handle.
(8) In the operated information system, audit records shall be evaluated
within the deadlines laid down in the security documentation of the
information system, and immediately when a crisis situation arises. Audit
records shall be archived for the period fixed in the security documentation
of the information system and protected from modification or destruction.
(9) In a secure area in which components of an information system for
handling classified information of the Secret or Top Secret classification
level are located, a check to detect illegal use of technical means intended
for gathering information is performed at the request of the state authority
or of the entrepreneur. This check shall be carried out before the first
processing of classified information and then repeatedly, usually at an
interval of two years.
(10) For the resolution of a crisis situation of the operated information
system, the security documentation of the information system must contain
measures aimed at bringing it into a state corresponding to the security
documentation of the information system. The security documentation of the
information system must set out the basic types of crisis situations that may
occur according to the risk analysis, and for each of them specify the
activities to follow
a) immediately after the crisis situation arises, aimed at minimizing the
damage and securing the information needed to identify the causes and
mechanism of the crisis situation, and
b) after the crisis situation has occurred, aimed at eliminating the
consequences of the crisis situation, including the definition of personal
responsibility for each task.
(11) For the case of a software or hardware failure, the security
documentation of the information system must set out the manner of
a) backing up the information system and storing the backup media,
b) providing service activities,
c) ensuring safe operation of the information system, listing the minimum
functions that must be maintained, and
d) restoring functionality and bringing the information system to a known
secure state.
(12) Before the permanent shutdown of the information system, the classified
information media that the information system used must be removed or
destroyed.
TITLE II
CERTIFICATION OF INFORMATION SYSTEMS
§ 24
Application for certification of an information system, and the method and
conditions for carrying it out
(1) An application for certification of an information system contains
a) the identification of the applicant
1. the trade name or, where applicable, the name, the address and the
identification number, if one has been assigned, where the applicant is a
legal entity,
2. the trade name or first name and surname, or a distinguishing addition,
the place of residence or, for foreigners, the place of similar stay, and the
place of business if different from the residence, the date of birth and the
identification number, if assigned, where the applicant is a natural person
who is an entrepreneur, or
3. the name, address, identification number and the first name and surname of
the responsible person, where the applicant is a state authority,
b) the first name and surname of the applicant's contact worker and contact
details,
c) a brief description of the purpose and scope of the information system,
d) the classification level of the classified information that the
information system is to handle,
e) the determination of the security operating mode of the information
system, and
f) the identification of the supplier of the information system or of its
components affecting the security of the information system, in accordance
with letter a) item 1 or 2, and the classification level for which the
supplier was issued an entrepreneur's certificate, or a copy of the
entrepreneur's valid declaration.
(2) For carrying out the certification of the information system, the
applicant shall submit the following supporting documents
a) the security policy of the information system and the results of the risk
analysis,
b) the security design of the information system,
c) the set of security tests of the information system, their description,
and a description of the test results,
d) the operational security documentation of the information system,
e) a description of the security of the development environment, and
f) other documents necessary for the certification of the information system,
resulting from the specification of the information system.
(3) If an intelligence service requests certification of the information
system, it shall indicate in the application under paragraph 1 and in the
supporting documents referred to in paragraph 2 only the information
necessary for the Office to carry out the certification of the information
system.
(4) As supporting documents for the certification of the information system,
the applicant may also submit the results of partial tasks in the evaluation
of some components of the information system and in the evaluation of
individual areas of security referred to in § 3 para. 1, carried out by a
state authority or an entrepreneur on the basis of a contract for ensuring
activities concluded with the Office.
(5) Within the certification of the information system, the suitability of
the set of measures designed to achieve the security of the information
system referred to in § 3, the accuracy and completeness of the security
documentation of the information system, and the correctness of the
implementation of the proposed set of measures in the information system are
assessed.
(6) Certification of the information system is carried out by assessing the
supporting documents submitted by the applicant and by performing additional
tests. The Office performs the additional tests in the production environment
of the evaluated information system, with the participation of the applicant
and, if necessary, the supplier.
(7) Certification of the information system may be carried out progressively
after completion of each phase of construction of the information system, or
only after its overall completion.
(8) If changes referred to in § 25 letter d) occur in an information system
that has been certified and approved for operation, an additional evaluation
of the information system is carried out to the extent necessary to assess
the changes made. The additional evaluation of the information system is
carried out, mutatis mutandis, in the same way as the certification of the
information system.
(9) The model certificate of the information system is given in Annex No. 1
to this Decree.
§ 25
Certification report of the information system
The certification report contains
a) an indicative description of the information system,
b) the conditions of operation of the information system,
c) the identification of any acceptable risks associated with the operation
of the information system, and
d) the types of changes to the information system that require an additional
evaluation of the information system.
§ 26
Application for repeated certification of the information system and the
method of carrying it out
(1) An application for repeated certification of the information system
contains
a) the identification of the applicant pursuant to § 24 para. 1 letter a),
b) the complete identification of the issued certificate of the information
system, containing its holder, registration number, date of issue and period
of validity,
c) the identification of the information system, containing its name, version
designation and the classification level of the classified information for
which its eligibility was approved, and
d) the first name and surname of the applicant's contact worker and contact
details.
(2) If the applicant demonstrates that on the date of expiry of the existing
certificate the information system will be operated under the conditions laid
down in the certification report, and neither the applicant nor the Office
identifies new risks for the information system, the Office shall issue a
certificate based on the existing security documentation of the information
system and a security check of the information system that has been carried
out.
(3) If, on the date of expiry of the existing certificate, the operator
proposes to change the security policy of the information system, or new
risks have been identified for the information system, the Office requires
the relevant parts of the documentation to be supplemented or modified and
conducts an additional evaluation of the information system to the extent
determined by the Office. If the information system satisfies the specified
security conditions, the Office will issue the certificate.
(4) Where the proposed changes to the security policy of the information
system are essential for the overall security of the information system, the
Office will proceed as in the case of a new certification.
PART THREE
COMMUNICATION SYSTEM
§ 27
The elements of the security project of a communication system
(1) The security project of the communication system contains the following
elements
a) the security policy of the communication system,
b) organizational measures and operational procedures for the operation of
the communication system,
c) operational directives for the security management of the communication
system, and
d) the operational directive of the user of the communication system.
(2) The security policy of the communication system defines the way in which
the confidentiality, integrity and availability of classified information and
the user's responsibility for their activity in the communication system are
to be ensured.
(3) The security policy of the communication system lays down a summary of
the principles and requirements in the areas of personnel, administrative,
physical and communication security, determined depending on the
classification level of the transmitted classified information, on the
results of the risk analysis of the communication system, and on the
principles and conditions of operation of the cryptographic device specified
in the certification report of the cryptographic device.
(4) The organizational measures and operational procedures for the operation
of the communication system contain
a) the manner in which the performance of cryptographic protection is ensured
in accordance with the certification report of the cryptographic device,
b) the management structure of the communication system, and
c) the principles of organizational measures and operating procedures that
contribute to ensuring the protection of classified information transmitted
in the communication system.
(5) On the basis of the security policy of the communication system and the
organizational measures and operating procedures for the operation of the
communication system, the operational directives for the security management
of the communication system and the operational directive of the user of the
communication system are drawn up separately. These directives must contain
specific operational procedures for ensuring the security of the
communication system and the performance of cryptographic protection, and
must specify the responsibilities of the communication system administration
personnel, cryptographic protection workers and users for ensuring the
protection of classified information.
§ 28
Application for approval of the security project of a communication system
(1) An application for approval of the security project of a communication
system is submitted to the Office by the state authority or entrepreneur who
will operate the communication system.
(2) An application under paragraph 1 shall include
a) the identification of the applicant pursuant to § 24 para. 1 letter a),
b) the first name and surname of the contact worker and contact details,
c) the level and number of the certificate, or a copy of the entrepreneur's
valid declaration, where the applicant is an entrepreneur,
d) the name and a brief description of the purpose and scope of the
communication system, including the determination of its normal operating
functions,
e) the classification level of the classified information that the
communication system is to handle, and
f) the identification of the supplier of each component of the communication
system having a bearing on the security of the communication system, in
accordance with § 24 para. 1 letter a) item 1 or 2, and the classification
level for which the supplier was issued an entrepreneur's certificate, or a
copy of the entrepreneur's valid declaration.
(3) In the course of the approval, the application referred to in paragraph 2
shall be accompanied by each part of the security project of the
communication system referred to in § 27 para. 3.
(4) Where the security project of a communication system is being approved,
an intelligence service shall indicate in the application under paragraph 2
and in the supporting documents pursuant to paragraph 3 only the information
necessary to enable the Office to approve the security project of the
communication system.
§ 29
The method and conditions for the approval of the security project of a
communication system
(1) Within the approval of the security project of the communication system,
the suitability of the summary of principles and requirements in the areas of
personnel, administrative, physical and communication security pursuant to
§ 27 para. 3 and of the organizational measures and operating procedures for
the operation of the communication system referred to in § 27 para. 4,
designed to achieve the security of the communication system, and the
accuracy and completeness of the operational directives pursuant to § 27
para. 5 are assessed.
(2) Approval of the security project of the communication system is carried
out by the Office by examining the supporting documents submitted by the
applicant and by checking the implementation of the security project of the
communication system in the production environment of the communication
system being approved.
(3) Approval of the security project of the communication system may be
carried out progressively after the end of the individual phases of
construction of the communication system, or only after its overall
completion, according to the requirements of the applicant.
(4) If the approval of the security project of the communication system
establishes the eligibility of the evaluated communication system for
handling classified information, the approval of the security project of the
communication system shall be sent to the applicant in writing.
(5) If material changes that affect the overall security of the communication
system occur in the communication system, an additional evaluation of the
communication system is carried out to the extent necessary to assess the
changes made. The additional evaluation of the communication system is
carried out, mutatis mutandis, in the same way as the approval of the
security project of the communication system.
PART FOUR
COMPROMISING EMANATIONS
TITLE I
ELECTRICAL AND ELECTRONIC EQUIPMENT, SECURE AREA OR OBJECT
§ 29a
Compromising emanations are emissions from electrical and electronic
equipment that could cause leakage of classified information of the Top
Secret, Secret or Confidential classification level.
§ 30
Application for verification of the eligibility of electrical and electronic
equipment, a secure area or an object
(1) An application for verification of the eligibility of an electrical or
electronic device, a secure area or an object for protection against leakage
of information through unintentional radiation contains
a) the identification of the applicant pursuant to § 24 para. 1 letter a),
b) the first name and surname of the contact worker and contact details,
c) the identification of the electrical or electronic device, secure area or
object whose eligibility is to be verified, and
d) the classification level of the classified information that will be
processed in the electrical or electronic device, secure area or object.
(2) The application may be accompanied by a report on the outcome of an
evaluation of the eligibility of the electrical or electronic device, secure
area or object for protection against leakage of classified information
through unintentional radiation, carried out by a state authority or an
entrepreneur on the basis of a contract for ensuring activities concluded
with the Office.
(3) The Office lays down, in security standards, the conditions and manner of
assessment of electrical and electronic devices, a secure area or an object
for protecting classified information against leakage through unintentional
radiation.
§ 31
The method of assessing the eligibility of electrical and electronic
equipment, a secure area or an object
(1) The eligibility of electrical and electronic devices with regard to
leakage of classified information through unintentional radiation is assessed
by measuring the levels of the electromagnetic fields they emit and comparing
the measured values with the security standards.
(2) The eligibility of a secure area or object for protection against leakage
of classified information through unintentional radiation is assessed by
measuring the attenuation characteristics and comparing the measured values
with the security standards.
(3) Where deficiencies are detected in the course of the assessment of the
eligibility of electrical and electronic devices, a secure area or an object,
the Office shall invite the applicant to remove them.
(4) A report shall be drawn up on the progress and results of the assessment
of the eligibility of electrical and electronic devices, a secure area or an
object for protection against leakage of classified information through
unintentional radiation. The Office shall notify the applicant of the result
in writing.
TITLE II
SHIELDED CHAMBER
§ 32
(1) A shielded chamber is an enclosed shielded space that prevents the spread
of electromagnetic, optical and acoustic radiation outside that space.
(2) A shielded chamber certified by the Office is used to protect classified
information against leakage through unintentional electromagnetic emissions.
The Office lays down the conditions for evaluating a shielded chamber for the
protection of classified information in security standards.
Certification of a shielded chamber
§ 33
Application for certification of a shielded chamber
(1) An application for certification of a shielded chamber contains
a) the identification of the applicant pursuant to § 24 para. 1 letter a),
b) the first name and surname of the applicant's contact worker and contact
details,
c) the level and number of the certificate, or a copy of the entrepreneur's
valid declaration, where the applicant is an entrepreneur,
d) the identification and location of the shielded chamber, and
e) the identification of the manufacturer of the shielded chamber, in
accordance with § 24 para. 1 letter a) item 1 or 2.
(2) the application may be accompanied by a report on the outcome of the reviews of Sun
Chamber of Commerce, carried out by the authority of the State or contractor under contract
to ensure the activities of closed with the Office. On the day of application for the
certification of shielding Chamber must not be the result of the evaluation referred to in
the accompanying message older than 6 months.
§ 34
Method and conditions of certification of a shielding chamber
(1) Certification of a shielding chamber is carried out by measuring the
attenuation properties of the shielding chamber and comparing them with the
safety standards. The measurement of the shielding chamber is carried out with
the participation of the applicant and, if necessary, the vendor of the
shielding chamber.
(2) The Office shall draw up a report on the progress and partial results of
the certification of the shielding chamber.
(3) The model certificate of a shielding chamber is given in Annex 2 to this
Decree.
§ 35
Certification report of a shielding chamber
The certification report of a shielding chamber contains
a) an indicative description of the shielding chamber, its location and the
purpose of its use,
b) the conditions of use of the shielding chamber, and
c) the types of changes that require repeated certification of the shielding
chamber.
§ 36
Application for repeated certification of a shielding chamber and the method
of carrying it out
(1) An application for repeated certification of a shielding chamber contains
a) the identification of the applicant pursuant to § 24 para. 1(a),
b) the complete identification of the issued certificate of the shielding
chamber, containing its holder, registration number, date of issue and period
of validity,
c) the identification of the certified shielding chamber, containing its name,
type designation, design variant and location, and
d) the name and surname of the applicant's contact person and contact
details.
(2) The application may be accompanied by a report on the result of an
evaluation of the shielding chamber carried out by a state authority or a
contractor under a contract on ensuring activities concluded with the Office,
in accordance with § 33 para. 2.
(3) If the applicant has submitted evidence that, at the date of expiry of the
existing certificate of the shielding chamber, there has been no change in the
conditions of validity of the issued certificate, the Office will issue the
certificate.
(4) If, on the date of expiry of the certificate of the shielding chamber, the
applicant cannot substantiate the facts referred to in paragraph 3, the Office
performs an additional evaluation of the shielding chamber and, if it verifies
the eligibility of the shielding chamber to protect classified information,
issues the certificate. In the case of material changes to the conditions of
operation of the shielding chamber, the procedure is the same as for a new
certification.
PART FIVE
REQUIREMENTS FOR AN APPLICATION BY A STATE AUTHORITY OR AN ENTREPRENEUR FOR THE
CONCLUSION OF A CONTRACT ON ENSURING ACTIVITIES
§ 37
The application for the conclusion of a contract on ensuring activities
contains
a) the identification of the applicant pursuant to § 24 para. 1(a),
b) the degree and number of the certificate, or a copy of a valid
entrepreneur's declaration, where the applicant is an entrepreneur,
c) the name and surname of the applicant's contact person and contact
details,
d) the identification of the applicant's professional workplace (the subject
of activity and a detailed specification of the location of the workplace to
be entrusted, the name and surname of the contact person and contact details),
e) a specification of the activities to be carried out under the contract,
f) the personnel prerequisites of the workplace for performing the required
activities (name, surname and qualifications of the head of the professional
workplace, names and surnames of the other professional staff of the workplace
and their qualifications),
g) a statement by the responsible person on the level at which physical,
personnel and administrative security is ensured for the professional
workplace,
h) the degree and registration number of the information system certificate,
if the use of a certified information system is needed for carrying out the
activities under the contract, and
i) the technical equipment used by the professional workplace and required for
carrying out the activities under the contract.
PART SIX
CONDITIONS OF SAFE OPERATION OF COPYING DEVICES, DISPLAY
EQUIPMENT OR A TYPEWRITER WITH MEMORY
§ 38
(1) The safe processing of classified information in electronic form in
a device that is not part of an information or communication system,
in particular in a typewriter with memory and in a device for copying,
recording or displaying classified information or converting it to another
data format, is achieved, depending on the degree of classification of the
classified information, through the application of measures from the areas of
a) personnel security,
b) physical security,
c) administrative security and organizational measures, and
d) the protection of classified information against leakage through
unintentional radiation.
(2) The devices referred to in paragraph 1 which are used for processing
classified information of classification Confidential or higher must be
protected against leakage of classified information through unintentional
radiation. Verification of the eligibility of copying equipment, a display
device or a typewriter with memory to protect EU classified information
against leakage through unintentional radiation proceeds in accordance with
§ 31.
(3) The devices referred to in paragraph 1 shall be placed in a space in which
their physical protection against unauthorized access, damage and tampering is
ensured. This space is delimited by defined protection elements with
appropriate entry and security barriers. Depending on the nature of the
device, a risk analysis determines whether it must be located in a secure area
or in an object, and the category of the secure area. The risk analysis
identifies the vulnerabilities of the device, the likelihood that possible
threats will be carried out, and an estimate of their consequences.
(4) The devices referred to in paragraph 1 must be physically protected
against security threats and environmental risks.
(5) The devices referred to in paragraph 1 shall be positioned so that an
unauthorized person cannot read the classified information.
(6) A device referred to in paragraph 1 that contains a built-in carrier of
classified information or other components enabling classified information to
be retained, and a typewriter with memory, must have associated with it
information on the degree of classification of the information stored on these
carriers, components and memories. This information may be expressed on a
label attached to the device, set out in the operational security directive,
or expressed in any other way. Carriers of classified information built into
the device and other components enabling classified information to be retained
must be registered and classified at the latest after their removal from the
device.
(7) Service activities on the devices referred to in paragraph 1 must be
organized so as not to compromise the security of classified information.
Classified information shall be erased, in accordance with § 15, from the
carriers of classified information and components accessible during service
activities; otherwise they shall not be the subject of the service activity.
PART SEVEN
EFFECTIVENESS
§ 39
This Decree shall enter into force on 1 January 2006.
Director:
Mgr. Mares (signed)
Annex 1
THE NATIONAL SECURITY AGENCY
P.O. Box 49
150 06 Prague 56
------------------------------------------------------------------
The National Security Agency issues, pursuant to section 46 of Act No. 412/2005 Coll.,
on the protection of classified information and on security eligibility
CERTIFICATE
the information system
Registration number:.. ...
...............
(name, version)
------------------------------------------------------------------
The holder of the certificate:
Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:
------------------------------------------------------------------
This certificate confirms the validation and approval of the eligibility of
the information system for handling classified information
up to and including the level of classification
.....
Valid from:
Valid to:
The imprint of the official stamp
Signature of authorized representative
Date of issue:
Annex:
Annex 2
THE NATIONAL SECURITY AGENCY
P.O. Box 49
150 06 Prague 56
------------------------------------------------------------------
The National Security Agency issues, pursuant to section 46 of Act No. 412/2005 Coll.,
on the protection of classified information and on security eligibility
CERTIFICATE
shielding Chamber
Registration number:.. ...
...............
(name, type)
------------------------------------------------------------------
The holder of the certificate:
Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:
------------------------------------------------------------------
------------------------------------------------------------------
Manufacturer of shielding Chamber:
Head Office/place of residence/address: IDENTIFICATION NUMBER/social security number:
------------------------------------------------------------------
This certificate confirms the eligibility of the shielding chamber
to protect against leakage of classified information through unintentional
emissions up to and including the level of classification
.....
Valid from:
Valid to:
The imprint of the official stamp
Signature of authorized representative
Date of issue:
Annex:
Annex 3
PHYSICAL SECURITY OF INFORMATION SYSTEMS (IS)
1.1.
THE PROCESSING OF DATA
---------------------------------------------------------------------
1.1.1. In the information system, classified information can only be
displayed and processed, or transmitted:
SS1 = 4 points
---------------------------------------------------------------------
Where one or more parts of an information system are located in a secure
area, the lowest of the values of the parameter SS1 relating to the individual
parts of the information system is used.
1.2. STORAGE OF CLASSIFIED INFORMATION ON COMPUTER MEDIA (ALL
NON-VOLATILE STORAGE MEDIA)
The spaces in which information systems used for storing classified
information of classification Reserved and above are located must be
set up as a secure area.
---------------------------------------------------------------------
1.2.1. The stored data is encrypted by a certified
cryptographic device
SS1 = 4 points
---------------------------------------------------------------------
In addition to the parameter SS1, which applies to stored encrypted data, it is
also necessary to work with the S1 of the cryptographic device.
---------------------------------------------------------------------
1.2.2. The stored data is not encrypted
SS1 = 1 point
---------------------------------------------------------------------
1.3.
USER IDENTIFICATION AND AUTHENTICATION
1.3.1. Identification and authentication by means of an item with encrypted
content and transmission:
SS2 = 4 points
Cryptographic mechanisms used for the authentication of the item must be
certified by the Office.
This method of authentication constitutes security equivalent to the lock of a
storage object of type 4.
---------------------------------------------------------------------
1.3.2. Identification and authentication by means of an item
with encrypted content:
SS2 = 3 points
---------------------------------------------------------------------
Cryptographic mechanisms used for the authentication of the item must be
certified by the Office.
This method of authentication constitutes security equivalent to the lock of a
storage object of type 3.
---------------------------------------------------------------------
1.3.3. Identification and authentication by means of an item
SS2 = 2 points
---------------------------------------------------------------------
The item used for authentication must be approved by the Office within the
certification of the information system.
This method of authentication constitutes security equivalent to the lock of a
storage object of type 2.
---------------------------------------------------------------------
1.3.4. Identification by name and authentication by password
SS2 = 1 point
---------------------------------------------------------------------
The minimum length and the method of creating passwords must be approved by
the Office within the certification of the information system.
This method of authentication constitutes security equivalent to the lock of a
storage object of type 1.
From the point values SS1 and SS2 obtained in accordance with point 1.1. or
1.2. and point 1.3. of this annex, the value of S1 is calculated:
+------------------------+
|    S1 = SS1 x SS2      |
+------------------------+
The values of SS1 and SS2 can be used in the table of point values of the
lowest level of security of a secure area or meeting area.
1) Section 34 of Act No. 412/2005 Coll., on the protection of classified
information and on security eligibility.
2) Section 35 of Act No. 412/2005 Coll.
3) For example, ISO/IEC 15408 Evaluation criteria for IT security.
4) Decree No. 524/2005 Coll., on ensuring cryptographic protection
of classified information.
5) Decree No. 529/2005 Coll., on administrative and security
registers of classified information.
6) Act No. 499/2004 Coll., on archives and records service and amending
certain acts, as amended.