Amendment to the Decree on the Security of Information and Communication Systems

Original Language Title: změna vyhl. o bezpečnosti informačních a komunikačních systémů

Read the untranslated law here: https://portal.gov.cz/app/zakony/download?idBiblio=75943&nr=453~2F2011~20Sb.&ft=txt

453/2011 Sb.



DECREE

of 21 December 2011,

amending Decree No. 523/2005 Coll., on the security of information and communication systems and other electronic devices handling classified information and on the certification of shielded chambers

The National Security Authority, pursuant to § 33(e), § 34(6), § 35(6), § 36(4) and § 53(a), (b), (c), (d), (g), (h), (i) and (j) of Act No. 412/2005 Coll., on the protection of classified information and on security eligibility, as amended by Act No. 255/2011 Coll., stipulates:

Article I

Decree No. 523/2005 Coll., on the security of information and communication systems and other electronic devices handling classified information and on the certification of shielded chambers, is amended as follows:



1. In § 1, the words "copying device, display device and typewriter with memory" are replaced by the words "in electronic form on devices that are not part of an information or communication system".

2. In § 1(2)(x), § 30(2) and (3), § 31(1), (2) and (4), § 32, § 38(1)(d), § 38(2) and in Annex No. 2, the word "electromagnetic" is deleted.

3. In § 2, at the end of letter x) the full stop is replaced by a comma and the following letters y) and z) are added:

"y) non-repudiation means the ability to prove that an action or event has taken place, so that the action or event cannot subsequently be denied,

z) authenticity of information means a guarantee that the information is genuine and comes from trusted sources.".

4. In § 3(1)(c), the word "electromagnetic" is deleted.

5. In § 5(1), after the words "classified information" the words ", the availability of the services of the information system" are inserted, and the last sentence reads: "Where the functions of the information system so require, the method of ensuring the authenticity of information and non-repudiation shall also be specified.".



6. In § 5, the following paragraph 2 is inserted after paragraph 1:

"(2) The principles of the security policy are elaborated in the information system security design and in the operational security documentation of the information system.".

The former paragraph 2 becomes paragraph 3.

7. In § 8(1), at the end of letter b) the word "or" is deleted, and after letter b) the following new letter c) is inserted:

"c) security operating mode with the highest level of formal access control, or".

The former letter c) becomes letter d).

8. In § 8, the following paragraph 4 is inserted after paragraph 3:

"(4) The security operating mode with the highest level of formal access control is an operating environment corresponding to the security operating mode with the highest level, in which, however, formal access control additionally presupposes formal centralised management of access control.".

The former paragraphs 4 to 8 become paragraphs 5 to 9.



9. In § 9, paragraph 4 reads:

"(4) On the basis of a risk analysis, the transmission of classified information over a communication channel routed within a secure area or facility may be secured solely by physical security measures applied to all components of the communication channel, with the transmitted classified information either not protected by cryptographic protection or protected by cryptographic protection of a lower level than that required for the classification level of the transmitted classified information. Such a method of securing the transmission of classified information is approved by the Authority within the certification of the information system.".

10. In § 9, paragraph 6 reads:

"(6) The transmission of classified information over a communication channel routed outside a facility must be protected by a certified cryptographic means that is certified for at least the same classification level as the transmitted classified information.".

11. In § 9, the following paragraph 7 is added:

"(7) During the certification of an information system, the Authority may, on the basis of the submitted risk analysis, the specific security measures adopted for detecting a breach of the security of the communication channel, and the measures for reducing the consequences of an attack, approve a different method of securing the information system than that set out in paragraphs 4 and 6.".



12. The following § 9a, including its title, is inserted after § 9:

"§ 9a

Secure interconnection of information systems

(1) For the purposes of this Decree, interconnection of information systems means the direct connection of two or more information systems, or of an information system and an information system handling unclassified information, for the purpose of one-way or multi-directional sharing of data and other information resources. An information system may be interconnected with another information system or with an information system handling unclassified information only where this is necessary for operational needs.

(2) A certified information system may be interconnected with another certified information system if this was approved, on the basis of a risk analysis, within the certification of those information systems, if a security interface is implemented between them, and if they are certified for handling classified information of

a) the same classification level, or

b) a different classification level, provided that the measures under paragraph 3 are applied.

(3) The interconnection of information systems certified for handling classified information of different classification levels must be carried out in such a way that the transmission between them of classified information of a higher classification level than that for which the receiving information system is certified is prevented.

(4) A certified information system must not be interconnected with public communication networks, except where a suitable security interface, approved on the basis of a risk analysis within its certification, is installed for this purpose between the system and the public communication network, so that penetration into the certified information system is prevented and only controlled data transmission is possible which does not compromise the confidentiality, integrity and availability of classified information or the availability of the services of the certified information system.

(5) A certified information system that handles classified information of the Top Secret classification level, or classified information requiring special handling marked "ATOMAL", may not be interconnected with a public communication network either directly or indirectly.

(6) Where a public communication network is used exclusively for data transmission between information systems or between sites of an information system, and the transmitted information is protected by a certified cryptographic means, this is not considered an interconnection for the purposes of this provision. A suitable security interface must be established between the information system and the public communication network so as to prevent penetration into the information system. The connection is subject to a risk analysis and must be approved within the certification of the information system.".



13. In § 11, at the end of the text of paragraph 5, the words "and the residual risks and their level shall be specified, while ensuring that only the functions, devices and services necessary for the fulfilment of the purpose for which the information system is established are implemented" are added.

14. § 14, including its title, reads:

"§ 14

Requirements for protection against compromising emanations

(1) Components of an information system that handles classified information of the Confidential or a higher classification level, and the secure area or facility in which the information system handles classified information of the Confidential or a higher classification level, must be secured so that classified information does not leak through compromising emanations.

(2) The requirements for protection against compromising emanations depend on the classification level of the classified information handled by the information system and are set out in the security standard.

(3) The installation of an information system that handles classified information of the Confidential or a higher classification level must, with regard to its protection against compromising emanations, be carried out in accordance with the requirements of the security standard. A record of the installation of the information system components is included in the security documentation of the information system. The content and form of the record are set out in the security standard.".



15. In § 15(4), the word "life" is replaced by the words "life cycle".

16. In § 15, paragraphs 5 and 6 read:

"(5) The classification level of a carrier of classified information of the Secret classification level may be reduced, and that of the Confidential classification level may be reduced or cancelled, only if the classified information has been erased from it in the manner specified in paragraph 6, or if it is demonstrated that during its previous life cycle it stored only classified information of a lower classification level or unclassified information, or if it is demonstrated that the classification of the classified information stored on it during its previous life cycle was cancelled or reduced. The classification level of a carrier of classified information of the Restricted classification level may be cancelled only if the classified information has been erased from it in the manner specified in paragraph 6, or if it is demonstrated that during its previous life cycle it stored only unclassified information, or if it is demonstrated that the classification of the classified information stored on it during its previous life cycle has been cancelled.

(6) Erasure of classified information from a carrier of classified information that enables its classification level to be reduced or cancelled must be carried out so that the classified information stored on the carrier during its previous life cycle is difficult to detect even using laboratory methods. The Authority sets out the conditions and procedures for secure erasure in a security standard; the procedure must be included in the operational security documentation of the certified information system and approved within its certification.".

17. In § 15, the following paragraph 8 is added:

"(8) Where removable mass storage media are used, the security policy must specify the management of user access to input and output devices.".



18. In § 16(2), the words "a natural person's certificate" are replaced by the words "fulfilment of the conditions for access of a natural person to classified information".

19. In § 16, the following paragraphs 3 to 5 are inserted after paragraph 2:

"(3) An information system administrator who performs the function of an administrator with full control of the system, its rights and its security for the whole information system must fulfil the conditions for access of a natural person to classified information of a classification level one level higher than the highest classification level of the classified information that the information system may handle. This does not apply to an information system designed for handling classified information of the Top Secret classification level. For an information system administrator who performs the function of an administrator with full control of the system, its rights and its security for the whole information system, where the information system is of small scale, or has a low proportion of processing of classified information of the highest classification level for whose processing it is designed, or where no accumulation of classified information occurs in it, or where it handles only tactical classified information, the Authority may, weighing the identified risks, accept as sufficient the fulfilment of the conditions for access of a natural person to classified information of a classification level equal to the highest classification level of the classified information that the information system may handle.

(4) An information system administrator who performs the function of an administrator with limited rights to manage the system, in particular server administration, application administration or local administration, and a security administrator of the information system who ensures security in a particular area or for a particular security technology, or local administration, must fulfil the conditions for access of a natural person to classified information of a classification level equal to the highest classification level of the classified information that the information system may handle.

(5) Where the responsible person or an authorised person approves an information system for operation for handling classified information of a lower classification level than the classification level of the classified information that the information system may handle, the classification level of the classified information for which the information system is approved for operation is decisive for determining the level of the conditions for access of natural persons to classified information.".

The former paragraphs 3 and 4 become paragraphs 6 and 7.



20. In § 17, the following paragraph 3, including footnote No. 6, is added:

"(3) Where required by the activity for which the information system is established, non-repudiation of a given action or event is ensured in the information system. Where the functionality of records management in electronic form^6) is required in the information system, the software by which it is implemented must be evaluated during the certification of the information system.

6) Act No. 499/2004 Coll., on archives and records management and amending certain acts, as amended.".

21. In § 20, the following paragraphs 5 and 6 are added:

"(5) The minimum level of security of a secure area for the location of a part of an information system in which classified information may be stored is determined in accordance with the tables of point values of the lowest security levels of physical security set out in Annex No. 1 to Decree No. 528/2005 Coll., on physical security and the certification of technical means, as amended.

(6) The point rating for the physical security of an information system is set out in Annex No. 3 to this Decree.".



22. In § 23, the following paragraph 3 is inserted after paragraph 2:

"(3) In an operated information system, the authenticity of information entering the information system is verified.".

The former paragraphs 3 to 10 become paragraphs 4 to 11.

23. In § 23, the following paragraph 9 is inserted after paragraph 8:

"(9) In a secure area in which components of an information system handling classified information of the Secret or Top Secret classification level are located, the Authority carries out, at the request of the state authority or the entrepreneur, an inspection to detect the unauthorised use of technical means intended for gathering information. This inspection is carried out before the first processing of classified information and thereafter repeatedly, usually at intervals of two years.".

The former paragraphs 9 to 11 become paragraphs 10 to 12.



24. In § 24(1)(a), points 1 and 2, after the words "identification number" the words ", if assigned" are inserted.

25. In § 24(1)(a), point 2, the words "permanent residence" are replaced by the words "place of residence or, for foreigners, a similar place of stay".

26. In § 24(1), at the end of the text of letter f), the words "or a copy of a valid entrepreneur's declaration" are added.

27. In § 27, the following paragraph 1 is inserted before the existing text:

"(1) The communication system security design contains the following elements:

a) the security policy of the communication system,

b) the organisational and operational procedures for the operation of the communication system,

c) the operational directives for the security management of the communication system, and

d) the user directive for the operation of the communication system.".

The former paragraphs 1 to 4 become paragraphs 2 to 5.



28. In § 28(2)(c), § 33(1)(c) and § 37(b), the words "for access to classified information" are replaced by the words "or a copy of a valid entrepreneur's declaration".

29. In § 28(2), at the end of the text of letter f), the words "or a copy of a valid entrepreneur's declaration" are added.

30. In § 28(3), the words "paragraph 2" are replaced by the words "paragraph 3".

31. In § 29(1), the words "paragraph 2" are replaced by the words "paragraph 3", the words "paragraph 3" are replaced by the words "paragraph 4", and the words "paragraph 4" are replaced by the words "paragraph 5".

32. In the title of Part Four, the word "ELECTROMAGNETIC" is deleted.

33. In Part Four, the following § 29a is inserted at the beginning of Title I:

"§ 29a

Compromising emanation means an emission from an electrical or electronic device that could cause the leakage of classified information of the Top Secret, Secret or Confidential classification level.".



34. In § 30(1), in the introductory part of the provision, the words "to protect against the leakage of information through unintended emanation" are inserted after the word "facility".

35. In § 32, the following paragraph 1 is inserted before the existing text:

"(1) A shielded chamber is an enclosed shielded space that prevents the propagation of electromagnetic, optical and acoustic radiation outside that space.".

The existing text becomes paragraph 2.

36. In § 38(1), the words "the operation of copying devices, display devices or typewriters with memory that are not part of an information or communication system" are replaced by the words "the processing of classified information in electronic form on a device that is not part of an information or communication system, in particular on a typewriter with memory and on a device that enables classified information to be copied, recorded or displayed, or converted to another data format".

37. In § 38(2), the words "copying devices, display devices and typewriters with memory that are used for the processing of classified information of the Confidential or a higher classification level must be secured" are replaced by the words "devices referred to in paragraph 1 that are used for the processing of classified information of the Confidential or a higher classification level must be secured".

38. In § 38(3), the words "copying devices, display devices and typewriters with memory must be placed" are replaced by the words "devices referred to in paragraph 1 must be placed".

39. In § 38(4), the words "copying devices, display devices and typewriters with memory must be physically protected" are replaced by the words "devices referred to in paragraph 1 must be physically protected".

40. In § 38(5), the words "a copying device, display device and typewriter with memory" are replaced by the words "devices referred to in paragraph 1".

41. In § 38(6), the words "with a copying device and display device" are replaced by the words "with a device referred to in paragraph 1", and the words ", components and memories" are replaced by the words "and components".

42. In § 38(7), the words "copying devices, display devices and typewriters with memory" are replaced by the words "devices referred to in paragraph 1", the word "memories" is replaced by the word "components", and at the end of the text the words "in accordance with § 15, otherwise they shall not be the subject of servicing" are added.



43. The following Annex No. 3 is added, which including its title reads:

"Annex No. 3 to Decree No. 523/2005 Coll.

PHYSICAL SECURITY OF INFORMATION SYSTEMS (IS)

1.1. PROCESSING OF DATA

---------------------------------------------------------------------
1.1.1. Classified information is only displayed, processed or
transmitted in the information system:
SS1 = 4 points
---------------------------------------------------------------------

Where one or more parts of an information system are located in a secure area, the lowest of the SS1 values pertaining to the individual parts of the information system applies.

1.2. STORAGE OF CLASSIFIED INFORMATION ON COMPUTER MEDIA (ALL NON-VOLATILE STORAGE MEDIA)

Spaces in which information systems are used for storing classified information of the Restricted or a higher classification level must be established as a secure area.

---------------------------------------------------------------------
1.2.1. Stored data is encrypted by a certified cryptographic means
SS1 = 4 points
---------------------------------------------------------------------

In addition to the SS1 parameter, which applies to the stored encrypted data, the S1 value of the cryptographic means must also be taken into account.

---------------------------------------------------------------------
1.2.2. Stored data is not encrypted
SS1 = 1 point
---------------------------------------------------------------------

1.3. USER IDENTIFICATION AND AUTHENTICATION

---------------------------------------------------------------------
1.3.1. Identification and authentication by name and by a token with
encrypted content and encrypted transmission:
SS2 = 4 points
---------------------------------------------------------------------

The cryptographic mechanisms used for the authentication token must be certified by the Authority.

This method of authentication constitutes security equivalent to the lock of a secure storage container of type 4.

---------------------------------------------------------------------
1.3.2. Identification and authentication by name and by a token with
encrypted content:
SS2 = 3 points
---------------------------------------------------------------------

The cryptographic mechanisms used for the authentication token must be certified by the Authority.

This method of authentication constitutes security equivalent to the lock of a secure storage container of type 3.

---------------------------------------------------------------------
1.3.3. Identification and authentication by name and by a token
SS2 = 2 points
---------------------------------------------------------------------

The token used for authentication must be approved by the Authority within the certification of the information system.

This method of authentication constitutes security equivalent to the lock of a secure storage container of type 2.

---------------------------------------------------------------------
1.3.4. Identification by name and authentication by password
SS2 = 1 point
---------------------------------------------------------------------

The minimum length of passwords and the method of creating them must be approved by the Authority within the certification of the information system.

This method of authentication constitutes security equivalent to the lock of a secure storage container of type 1.

From the point values SS1 and SS2 obtained under point 1.1 or 1.2 and under point 1.3 of this Annex, the value S1 is calculated:

+------------------------+
|   S1 = SS1 x SS2       |
+------------------------+

The values SS1 and SS2 may be used in the table of point values of the lowest security levels of a secure area or a meeting area.".



Article II

Entry into force

This Decree shall enter into force on 1 January 2012.

Director:

Ing. Navrátil v. r.