453/2011 Sb.
DECREE
of 21 June 1999. December 2011,
amending Decree No 523/2005 Coll., on the security of information and
communication systems and other electronic devices handling
of classified information and on the certification of shielded Chambers
The National Security Office shall, pursuant to section 33 (a). (e)), section 34 para. 6, §
35 para. 6, § 36 odst. 4 and § 53 (b). a), b), c), (d)), g), (h)), i) and (j))
Law No. 412/2005 Coll., on the protection of classified information and on the
security, as amended by Act No. 255/2011 Coll.:
Article. (I)
Decree No. 523/2005 Coll., on the security of information and communication
systems and other electronic devices working with classified
information and certification of shielded Chambers, is amended as follows:
1. In paragraph 1, the words "copy device, display device and a work
a machine with memory "are replaced by the words" electronic form in plants
that are not part of the information or communication system ".
2. in article 1, paragraph 2 (a). x), § 30 paragraph 2. 2 and 3, § 31 para. 1, 2 and 4, § 32, §
38 para. 1 (b). (d)), § 38 paragraph 1(a). 2 and in annex 2,
"electromagnetic" is deleted.
3. In paragraph 2, at the end of the letter x) dot is replaced by a comma and the following
the y), and z) are added:
"y) nepopiratelností the ability to prove the reverse action or event,
to ensure that the Act or event could not be subsequently disowned,
you information from) a guarantee that the information is authentic and from the
trusted sources. ".
4. In article 3, paragraph 3. 1 (b). (c)), the word "electromagnetic" is deleted.
5. § 5 para. 1, after the words "classified information", the words ",
the availability of services of the information system "and the last sentence reads:" If it
the functions of the information system requires the method
ensure the authenticity of information and nepopiratelnost. ".
6. In section 5, paragraph 1, the following paragraph 2 is added:
"(2) the principle of security policy are elaborated in the draft
safety information system and operational safety documentation
information system. ".
The former paragraph 2 becomes paragraph 3.
7. In § 8 para. 1 at the end of subparagraph (b)), the word "or" shall be deleted and for the
subparagraph (b)), the following new point (c)), which read as follows:
"(c)) security operation mode with the highest level of formal proceedings
access to information, or ".
Letter c) is renumbered as paragraph (d)).
8. In section 8, paragraph 3, the following paragraph 4 is added:
"(4) safety operating mode with the highest level of formal proceedings
access to information is the kind of environment that corresponds to the
safety operating mode with the highest levels, where, however, the formal
In addition, access control assumes the formal central management control
access. ".
Paragraphs 4 to 8 shall be renumbered as paragraphs 5 to 9.
9. in section 9, paragraph 4 reads:
"(4) the transfer of classified information held by the communication channel within the
secure area or object may be, on the basis of risk analysis,
secured only with the use of measures of physical security of all
the components of a communications channel, and transferred classified information
cryptographic protection is not protected or is protected by a cryptographic
protection at a lower level than is required for the classification
transmitted classified information. Follow these steps to secure the transfer of classified
information under the Authority of certification information system. ".
10. § 9 paragraph 6 is added:
"(6) the transmission of classified information communication channel led by outside
the object must be a certified cryptographic means,
that is certified for at least the same degree of confidentiality as transmitted
secret information. ".
11. in section 9, the following paragraph 7 is added:
"(7) during certification of the information system, the authority may, on the basis of
submitted by risk analysis, adopted specific security
measures for the detection of a breach of security of the communication channel and
measures to reduce the consequences of the attack, to approve a different system
information system security, than is listed in paragraphs 4 and 6. ".
12. under section 9 shall be added to § 9a, which including the title reads as follows:
"§ 9a
Secure connection of information systems
(1) the Linking of information systems for the purposes of this Ordinance means
a direct connection of two or more information systems or information
the system and the information system for the management of neutajovanými
the information for the purpose of the one-way, or vícesměrného data sharing and
other sources of information. Link information system with another
the information system or the information system for the management of
neutajovanými information can be realized only when necessary
operational needs.
(2) Certified information system can be linked with other certified
information system, if it was approved, on the basis of a risk analysis
in the framework of the certification of these information systems, among them
implemented safety interface and certified for handling
classified information
and the same degree of confidentiality) or
(b)) a different classification, provided that it shall apply the measures
in accordance with paragraph 3.
(3) the interconnection of information systems have been certified for waste
classified information of different classification must be carried out,
between them was prevented from transmitting classified information to a higher level
classification is a classification for which the information system
certified.
(4) Certified information system must not be linked with public
communication networks, with the exception of cases where installed for this purpose
between themselves and the public communications network appropriate safety interface
approved on the basis of risk analysis in the context of his certification to
avoid penetration of the certified information system and was
possible only for controlled data transmission which does not disrupt the confidentiality,
integrity, and availability of classified information and the availability of services
Certified Information System.
(5) the Certified information system that handles classified
information classification of top secret or classified information
requiring special treatment which marked "ATOMAL" may not be directly
or gradually linked to the public communications network.
(6) if the public communication network used exclusively for data transmission
between information systems or sites information system and
the information transmitted is protected by a certified cryptographic
means, this is not considered such a link for the link. Between
information system and public communications networks must be built
appropriate safety interface so as to avoid penetration of the
the information system. The connection is subject to risk analysis and must be
approved in the framework of the certification information system. ".
13. in paragraph 11 of the text at the end of paragraph 5, the words "and specify the
residual risks and their level, while ensuring that the
implemented only the functions, facilities and services that are necessary for the
the fulfilment of the purpose for which the information system is established ".
14. section 14 including the title reads as follows:
"section 14
Kompromitujícímu radiation protection requirements
(1) the information system Components that handle classified
classification of information of a confidential or higher and secure area
or object, in which the information system to process EU classified
information classification of Confidential or higher, must be secured
in such a way that the radiation did not leak compromising
classified information.
(2) the requirements for security against kompromitujícímu radiation are
dependent on the degree of confidentiality of classified information, that information
system and are set out in the safety standard.
(3) installation of an information system, which handles classified
information of a confidential or of a higher classification level, in terms of its
security against kompromitujícímu radiation must be made in
accordance with the requirements of the safety standard. A record of the installation
components of the information system is inserted into the safety documentation
the information system. The content and form of the record are set out in
security standard. ".
15. in article 15, paragraph 2. 4, the word "life" is replaced by "life cycle".
16. in article 15, paragraphs 5 and 6 are added:
"(5) the level of classification classification classified information carriers of the secret
may be reduced, the classification of Confidential may be reduced or cancelled,
only in the case that deletion of classified information from it was carried out
in the manner specified in paragraph 6, or it is established that it was during
his previous life cycle only stored classified information
a lower classification or information non-confidential or it is established that
classification of classified information stored on it during his
the existing life cycle was cancelled or reduced. Classification level
carriers of classified information classification Reserved may be canceled
only in the case that deletion of classified information from it was carried out
in the manner specified in paragraph 6, or it is established that it was during
his previous life cycle stores only non-classified
or it is demonstrated that the degree of confidentiality of classified information stored on
him during his previous life cycle has been canceled.
(6) Delete the classified information from the carriers of classified information
enables the reduction or cancellation of its degree of confidentiality, it shall be done
so that the classified information is stored on the medium during its previous
the life cycle was difficult to detectable even when using laboratory
methods. The conditions and procedures for the safe erasure of the Office in
a safety standard, the process must be included in the operational safety
documentation of the certified information system and in the context of
his certification. ".
17. in article 15, the following paragraph 8 is added:
"(8) when you use removable media mass storage must
be specified in the security policy of the management of the user's access to
the input and output device. ".
18. In article 16(1). 2 the words "natural person certificate"
replaced by the words "meet the conditions for access of natural persons,
EU classified information ".
19. in article 16, paragraph 2, the following paragraphs 3 to 5 shall be added:
"(3) the information System Manager, which performs the function of the administrator
with full control of the system, the rights and security of the entire Manager
information system shall fulfil the conditions of access by natural persons
to classified information classification one level higher than the
the highest degree of confidentiality of classified information, which may
dispose of the information system. This does not apply for an information system that is
designed to handle classified information top secret classification levels. U
Information System Manager, which performs the function of an administrator with
full control of the system, rights and security administrator for the entire
the information system of small scale or with a low proportion of processing
classified information of the highest degree of confidentiality, for the processing of
is an information system designed, or in which there is no accumulation
classified information or in which only handles the tactical
classified information, the Office may, with the weighing of risks identified,
accept as sufficient evidence that the conditions for the access of natural persons,
the classified information to the level equivalent to the highest classification level of information
of classified information which it can dispose of the information system.
(4) the administrator of the information system, which performs the function of the administrator
with limited rights management system, in particular the administration of servers, managing
the application or the local administration and the Security Administrator information
the system of ensuring safety, in particular area a
safety technology or local administration, must meet the conditions
for access to EU classified information to the individuals level of classification of the same
with the highest degree of confidentiality of classified information, which may
dispose of the information system.
(5) in the event that the responsible person or the authorized person shall approve the
information system into operation for the handling of classified information to the
classification of lower than the classification level of classified information,
with whom we may dispose of the information system, it is necessary for the determination of the
the level of conditions of access by natural persons, classified information,
specifying the classification level of classified information to which the information
the system is approved to operate. ".
Paragraphs 3 and 4 shall be renumbered paragraphs 6 and 7.
20. In article 17, the following paragraph 3, including footnote No 6
added:
"(3) if required by the activity for which the information system is established, it is
in the information system provided by the nepopiratelnost provided for negotiations
or event. In the event that it is required in the information system
the functionality of the records in electronic form ^ 6), must be
the software that is implemented, evaluated during certification
the information system.
6) Law No 499/2004 Coll. on Archives and records service and amending
certain acts, as amended. ".
21. in section 20, the following paragraphs 5 and 6 are added:
"(5) the minimum level of security of the secure area for the location of the part of the
the information system, in which classified information can be stored, with
determined in accordance with the tables of point values minimum standards of security
physical security listed in annex No. 1 of Decree No. 528/2005 Coll.
about the physical safety and certification of technical means, as amended by
amended.
(6) point rating physical security information system is
specified in annex No. 3 to this Ordinance. ".
22. in article 23, paragraph 2, the following paragraph 3 is added:
"(3) in the operated information system is verified the authenticity of the information,
that enter into the information system. ".
Paragraphs 3 to 10 shall be renumbered as paragraphs 4 to 11.
23. In article 23, paragraph 8, the following paragraph 9 is added:
"(9) in a secure area in which are located the information component
system for handling classified information secret, or the classification
Top secret, at the request of the authority of the State or of the entrepreneur performs
check to detect illegal use of technical means
intended to gather information. This check shall be carried out before the first
the processing of classified information and on repeatedly, usually in the interval
two years. ".
Paragraphs 9 to 11 shall become paragraph 10 to 12.
24. in § 24 para. 1 (b). a) points 1 and 2, after the words "identification
the number of "words", it was assigned ".
25. In § 24 para. 1 (b). and (2) the words of) "permanent residents" are replaced by
the words "place of residence or place of stay for foreigners of the like".
26. in section 24 para. 1 at the end of the text of the letter f), the words "or
copy of a valid declaration of the entrepreneur. "
27. in section 27, the following paragraph 1, which reads as follows:
"(1) the project safety communication system contains the following
Essentials
and security policy) of the communication system,
(b) organizational and operational procedures) the operation of the communication system,
(c) operational directives for safety) management and communication system
(d) the user directive) operational communication system. ".
Paragraphs 1 to 4 shall be renumbered 2 to 5.
28. in section 28 para. 2 (a). (c)), § 33 para. 1 (b). (c)), section 37 (b). (b))
the words "for the inspection of classified information" shall be replaced by
"or a copy of a valid declaration of the entrepreneur."
29. in § 28 para. 2 at the end of the text of the letter f), the words "or
copy of a valid declaration of the entrepreneur. "
30. In § 28 para. 3, the words "article. 2 "shall be replaced by the words" of the Commission. 3. "
31. in section 29 para. 1, the words "article. 2 "shall be replaced by the words" of the Commission. 3 "
the words "by the Commission. 3 "shall be replaced by the words" of the Commission. 4 "and the words" the Commission. 4 "
shall be replaced by the words "of the Commission. 5. "
32. In the title of part four, the word "ELECTROMAGNETIC" is deleted.
33. In part four of the beginning of the title I, § 29a shall be inserted:
"§ 29a
Compromising emanations is emissions from electrical and electronic
a device that could cause leakage of classified information degree
classification of top secret, secret or confidential. "
34. In section 30 paragraph 2. 1 introductory part of the provisions for the word "object"
the words "to protect against data loss through unintentional
radiation ".
35. In paragraph 32, the following paragraph 1, which reads as follows:
"(1) Sun Chamber is enclosed a shielded area to prevent the spread
electromagnetic, optical and acoustic radiation from outside this
space. ".
The present text becomes paragraph 2.
36. In § 38 paragraph 1(a). 1 the words "operation of copying equipment,
display device or a typewriter with a memory that are not
part of the information or communication system "shall be replaced by
"the processing of classified information in electronic format on the device
that is not part of the information or communication system, in particular in the
a typewriter with the memory and the device that allows copying, recording or
view classified information or its transfer to another data
the format ".
37. In § 38 paragraph 1(a). 2 the words "copying device, display device
and a typewriter with memory, which are used for the processing of classified
information classification of Confidential or higher, must be secured "
replaced by the words "Equipment referred to in paragraph 1, which are used for
processing of classified information confidential or of a higher classification level,
must be secured ".
38. In § 38 paragraph 1(a). 3 the words "copying device, display device
and a typewriter with memory must be placed "shall be replaced by" devices
referred to in paragraph 1 shall be placed ".
39. In § 38 paragraph 1(a). 4, the words "copying device, display device
and typewriters with memory must be physically protected "shall be replaced by
"The device referred to in paragraph 1 must be physically protected".
40. In § 38 paragraph 1(a). 5, the words "a copy of the device, the display
device and memory typewriter "shall be replaced by" devices by
paragraph 1 ".
41. In § 38 paragraph 1(a). 6, the words "with a copying device and display
device "shall be replaced by" with the device referred to in paragraph 1, ' and the words ',
components and the memoirs "are replaced by the words" and components ".
42. In § 38 paragraph 1(a). 7, the words "copying device, display device
and typewriters with memory "are replaced by the words" the establishment in paragraph 1 "
the word "memory" are replaced by the words "component" and at the end of the text
the words "in accordance with § 15, otherwise it shall not be the subject of a service
activities ".
43. the following appendix 3, which including the title reads as follows:
"Appendix No. 3 to Decree No. 523/2005 Sb.
PHYSICAL SECURITY OF INFORMATION SYSTEMS (IS)
1.1.
THE PROCESSING OF DATA
---------------------------------------------------------------------
1.1.1. The information system can be classified
the only information displayed and processed, or transmitted:
SS1 = 4 points
---------------------------------------------------------------------
In the case that it is in a secure area located one or more pieces
information system, the lowest of the values of the parameter the SS1
related to the individual parts of the information system.
1.2. STORAGE of CLASSIFIED INFORMATION on COMPUTER media (ALL
NON-VOLATILE STORAGE MEDIA)
The spaces in which they are information systems used for storing
classified information classification of Reserved and above, must be
set up as a secure area.
---------------------------------------------------------------------
1.2.1. The stored data is encrypted by a certified
Cryptographic device
SS1 = 4 points
---------------------------------------------------------------------
In addition to the parameter of the SS1, which applies to stored encrypted data, it is
must also work with the S1 cryptographic resource.
---------------------------------------------------------------------
1.2.2. The stored data is not encrypted
SS1 = 1 point
---------------------------------------------------------------------
1.3.
USER IDENTIFICATION AND AUTHENTICATION
1.3.1. identification and authentication on behalf of the subject with an encrypted
content and transmission:
SS2 = 4 points
Cryptographic mechanisms used for the authentication of the item must be
certified by the Office.
This method of authentication consists of a security equivalent to the lock handy storage
object of type 4.
---------------------------------------------------------------------
1.3.2. identification and authentication on behalf of the subject
with an encrypted content:
SS2 = 3 points
---------------------------------------------------------------------
Cryptographic mechanisms used for the authentication of the item must be
certified by the Office.
This method of authentication consists of a security equivalent to the lock handy storage
object of type 3.
---------------------------------------------------------------------
1.3.3. the Identification and authentication of subject name
SS2 = 2 points
---------------------------------------------------------------------
Article used for authentication must be approved by the authority in the framework of the
certification information system.
This method of authentication consists of a security equivalent to the lock handy storage
object of type 2.
---------------------------------------------------------------------
1.3.4. The identification of the name and password authentication
SS2 = 1 point
---------------------------------------------------------------------
The minimum length and the way the creation of passwords must be approved by the authority in
under the certification information system.
This method of authentication consists of a security equivalent to the lock handy storage
object of type 1.
Of the point values of the SS1 and SS2 obtained in accordance with section 1.1. or 1.2. and the point of
1.3. this annex is calculated the value of S1:
+------------------------+
| (S1) = SS1 SS2 x |
+------------------------+
The value of the SS1 and SS2 you can use in the table of point values for the lowest rates
security of the secure area or in the rules area. ".
Article. (II)
The effectiveness of the
This Decree shall enter into force on 1 January 2000. January 2012.
Director:
Ing. He returned in r.