In accordance with subparagraph 3) of article 6 of the Law of the Republic of Kazakhstan dated November 24, 2015 On Informatization, the Government of the Republic of Kazakhstan hereby RESOLVES:
1. To approve the attached uniform requirements in the field of information and communication technologies and ensuring information security (hereinafter - the uniform requirements).
2. To recognize as invalid some decisions of the Government of the Republic of Kazakhstan in accordance with the appendix to this resolution.
3. This resolution shall be enforced upon expiry of ten calendar days after the date of its first official publication.
Paragraph 140 of the uniform requirements is valid until January 1, 2018.
of the Republic of Kazakhstan B. Sagintayev
Order No. 832 of the Government of the Republic of Kazakhstan dated December 20, 2016
Uniform requirements in the field of information and communication technologies and information security
Chapter 1. General Provisions
1. Uniform requirements in the field of information and communication technologies and information security (hereinafter - UR) were developed in accordance with subparagraph 3) of article 6 of the Law of the Republic of Kazakhstan dated November 24, 2015 On Informatization (hereinafter - the Law) and define requirements in the field of information and communication technologies and information security.
2. UR provisions related to information security shall be mandatory for application by state bodies, local executive bodies, state legal entities, quasi-public sector entities, owners and holders of non-state information systems, integrated with information systems of state bodies or intended for the formation of state electronic information resources, also owners and holders of critical information and communication infrastructure facilities.
3. The UR provisions shall not apply to:
1) relations arising when the National Bank of the Republic of Kazakhstan and organizations within its structure create, develop or operate Internet resources, information systems not integrated with the information and communication infrastructure facilities of the "electronic government", local networks and telecommunications networks, and when they procure goods, works and services in the field of informatization;
2) shelter information systems classified as state secrets in accordance with the legislation of the Republic of Kazakhstan on state secrets, as well as special-purpose telecommunications networks and/or government, classified, encrypted and coded communications.
4. The purpose of the UR is to establish requirements in the field of information and communication technologies and information security that are binding to state bodies, local authorities, state legal entities, quasi-public sector entities, owners and holders of non-state information systems integrated with information systems of state bodies or intended for the formation of state electronic information resources, also to the owners and holders of critical information and communication infrastructure facilities.
5. The UR objectives are:
1) to determine the principles of organization and management of informatization of state bodies to address current and strategic tasks of state governance;
2) to define uniform principles for the provision and management of information security of informatization objects of the "electronic government";
3) to establish requirements for unification of the information and communication infrastructure elements;
4) to establish requirements for structuring of the information and communication infrastructure and organization of server rooms;
5) to establish mandatory application of recommendations of the standards in the field of information and communication technologies and information security at all stages of the informatization objects life cycle;
6) to enhance the security level of state and non-state electronic information resources, software, information systems and the information and communication infrastructure supporting them.
6. The following definitions shall be used for these UR purposes:
1) marking of an asset associated with information processing means - drawing conventional symbols, letters, numbers, graphic signs or inscriptions on an asset, with a view to its further identification (recognition), indication of its properties and characteristics;
2) data encryption tools (hereinafter - DET) - software or hardware-software complex that implements cryptographic transformation algorithms, generation, formation, distribution, or management of encryption keys;
3) assets associated with information processing facilities (hereinafter - the asset) - a tangible or intangible object that is information or that contains information, or serves to process, store, transmit information and that is of value to the organization in the interests of achieving goals and continuity of its activities;
4) technical documentation on information security (hereinafter - IS TD) - documentation that establishes policy, rules, protective measures relating to processes of IS of informatization objects and (or) organizations;
5) software robot - search engine or monitoring system software that automatically and / or on predetermined schedule browses web pages, reads and indexes their contents by following the links found on web pages;
6) unloaded (cold) equipment redundancy (backup) - the use of additional server and telecommunication equipment and software prepared for operation and kept in inactive mode for the purpose of operational recovery of an information system or electronic information resource;
7) loaded (hot) equipment redundancy - the use of additional (redundant) server and telecommunication equipment, software and maintaining them in an active mode in order to flexibly and promptly increase the throughput, reliability and fault tolerance of an information system, electronic information resource;
8) workstation - a stationary computer within the local network, designed to solve applied problems;
9) system software - a set of software to ensure computing equipment operation;
10) coded communication - secure communication using documents and coding techniques;
11) multifactor authentication - a way to authenticate a user by a combination of various parameters, including generating and entering passwords or authentication signs (digital certificates, tokens, smart cards, one-time password generators and biometric identification tools);
11-1) cross-premises (telecommunications closet) - a telecommunications room intended for accommodation of connecting, distribution points and devices;
12) application software (hereinafter - AS) - a set of software for solving an applied problem of a particular class of the subject area;
13) classified communication - secure communication with the use of classifying (encrypting) equipment;
14) scalability - the ability of software for performance improvement as the processed information size and (or) the number of simultaneously working users grows;
15) event logging - the process of recording information on software or hardware events in an event log;
16) server room - a room intended for accommodation of server, active and passive network (telecommunication) equipment and structured cable systems equipment;
17) local area network of external circuit (hereinafter - external circuit LAN) - the local area network of the state body, referred to the external circuit of the SB's telecommunications network, having an Internet connection, access to which is provided for the SB by telecom operators only through a single Internet access gateway;
18) terminal system - a thin or zero client for work with applications in a terminal environment or thin client software in a client-server architecture;
19) time source infrastructure - hierarchically connected server hardware using the network time synchronization protocol, performing the task of synchronizing the internal clocks of servers, workstations and telecommunication equipment;
20) government communication - special secure communications for the needs of government administration;
20-1) organization - a state legal entity, a quasi-public sector entity, owner and holder of non-state information systems that are integrated with information systems of state bodies or intended to form state electronic information resources, as well as the owner and holder of critical information and communication infrastructure objects;
21) federated identification - a set of technologies enabling the use of a single username and authentication identifier to access electronic information resources in the systems and networks that established trust relationships;
22) encrypted communication - secure communication using manual ciphers, encryption machines, line encryption devices and special computer hardware;
23) local area network of internal circuit (hereinafter - internal circuit LAN) - the local area network of the SB, referred to the internal circuit of the SB telecommunication network, having a connection with the unified transport medium of state bodies (hereinafter - SB UTM);
24) external gateway of "electronic government" (hereinafter - EGEG) - a subsystem of the gateway of "electronic government", intended to ensure the interaction of information systems contained in the UTM of SB with information systems outside the SB UTM;
25) internal audit of information security - an objective, documented process of monitoring the qualitative and quantitative characteristics of the current condition of information security of informatization objects in an organization, carried out by the organization itself in its interests.
7. For the purposes of these URs, the following abbreviations shall be used:
1) HSC – hardware and software complex;
2) IS - information security;
3) IS - information system;
4) ICI - information and communication infrastructure;
5) ICT - information and communication technologies;
6) SW - software;
7) LEB - local executive bodies;
8) FS - free software;
9) UIAG - unified Internet access gateway;
10) IR – Internet resource;
11) SB - the central executive body, the state body directly subordinate and accountable to the President of the Republic of Kazakhstan, territorial units of the department of the central executive body;
12) SB UTM - unified transport medium of state bodies;
13) SB UPIR – unified platform of Internet resources of state bodies;
14) SSP - service software product;
15) EIR - electronic information resources;
16) EG ICP - information and communication platform of "electronic government";
17) EDS - electronic digital signature.
Chapter 2. Requirements for organization and management of informatization and information security
Paragraph 1. Requirements for informatization of a state body
8. Informatization of SBs shall be carried out in accordance with the SB architecture, developed and approved in accordance with articles 23 and 24 of the Law, and in the absence thereof, in accordance with the positive conclusion of the expert council in the field of informatization, issued upon consideration of the SB request on the needs of computerization and optimization of SB activities.
8-1. Data on the SB architecture shall be transferred to third parties only by agreement with the heads of information security and information technology departments of the SB, or persons replacing them in accordance with the approved IS policy.
9. The SB shall provide:
1) planning of costs for informatization and information security in accordance with the approved SB architecture, and in its absence - according to the decisions of the expert council in the field of informatization;
2) computerization of state functions and provision of public services arising from them in compliance with the requirements of these UR;
3) posting of information about informatization objects, plans, processes and budget in the field of informatization on the architectural portal of the "electronic government" in accordance with the rules for registering information systems of state bodies, accounting for information on informatization objects of the "electronic government" and placement of electronic copies of the technical documentation of the informatization objects of the "electronic government" approved by the authorized body in accordance with subparagraph 30) of article 7 of the Law.
10. Development of the "electronic government" architecture shall be carried out in accordance with the requirements for development of architecture of "electronic government" approved by the authorized body in accordance with subparagraph 10) of article 7 of the Law.
11. When developing the standard architecture of the "electronic akimat", approved in accordance with subparagraph 18) of article 7 of the Law, regarding the description of requirements for information and communication infrastructure, the local executive bodies (LEB) shall take into account these UR requirements.
12. When implementing the service model of informatization, the SB and LEBs shall be guided by the rules for implementation of the service model of informatization, requirements for development of the "electronic government" architecture approved by the authorized body in accordance with subparagraphs 4) and 10) of article 7 of the Law and requirements of these UR.
13. Provision of SB and LEB with goods, works and services in the field of informatization shall be carried out by:
1) procurement, in the presence of a positive conclusion of the expert council in the field of informatization;
2) acquisition of information and communication services from the catalog of IC services of the IC infrastructure operator.
14. Informatization tasks in the SB or LEB shall be implemented by the information technology unit, which shall:
1) monitor and analyze the ICT use;
2) participate in accounting and analysis of the ICT assets use;
3) develop proposals to the SB strategic plan on informatization;
4) coordinate works on the creation, maintenance and development of the "electronic government" software;
5) control the provision by suppliers of the quality of informatization services stipulated by the agreements;
6) provide registration of the IS of the SB or LEB on the architectural portal of "electronic government";
7) post, update and monitor the safety on the electronic portal of the "electronic government" of the data on the SB or LEB informatization objects, reference copies of software, source software codes (if any), set up the licensed software, electronic copies of the technical documentation of informatization objects of the "electronic government";
8) maintain interaction with the service integrator, operator, SB, LEB and organizations regarding implementation of the projects in the field of informatization when creating the SB architecture and in the implementation of the service model of informatization;
9) fulfill requirements for information security.
15. The workspace in the SB and LEB shall comply with sanitary and epidemiological requirements for the maintenance and operation of residential and other premises, public buildings, approved by the authorized body in the field of consumer protection and sanitary and epidemiological welfare of the population in accordance with paragraph 6 of Article 144 of the Code of the Republic of Kazakhstan dated September 18, 2009 On Public Health and Health Care System.
16. The workplace of a SB and LEB servant shall be equipped with regard to his functional responsibilities and comprise:
1) a workstation or a unified workstation or terminal system connected to the LAN internal circuit of the SB or LEB. It shall be allowed to equip the workplace with an extra monitor if necessary;
2) a set of multimedia equipment (headphones, microphone and webcam) for working with multimedia EIR or video conferencing system, if necessary;
3) telephone or IP telephony device.
17. Requirements for a unified work station or terminal system of the SB and LEB shall be approved by the authorized body.
18. When choosing models of procured workstations, the following rules shall be complied with:
1) the hardware characteristics of workstations meeting or exceeding the system requirements recommended by the developer (manufacturer) of the software used;
2) workstation configurations are unified to ensure general level of services;
3) centralized automated distribution of software updates is organized for workstations;
4) to improve the quality and speed of administration, the number of different hardware-software configurations of workstations is reduced to three types:
workstation for working with application software;
high-power workstation for working with graphic packages, modeling software packages and others, used for applications with developed graphics, high requirements for processor performance, random access memory (RAM) and video subsystems amount;
laptop for mobile users.
19. For specification of technical requirements, the following key parameters of workstations shall be distinguished:
1) performance, including:
processor fast performance parameters;
the necessary amount of RAM;
Internal data bus speed;
graphics subsystem performance;
performance of input / output devices;
monitor matrix parameters;
2) reliability provided through the use of fault-tolerant hardware and software, determined based on the mean time between failures;
3) scalability provided by the architecture and design of the personal computer due to the possibility of increasing:
processor numbers and performance;
RAM and external memory volumes;
capacity of internal drives.
20. To ensure information security:
1) the technical documentation on information security shall define:
ways of placing workstations of SB and LEB servants;
ways to protect workstations against failures in the power supply system and other breaches caused by failures in the utilities;
procedures and frequency of workstations maintenance to ensure continuous accessibility and integrity;
ways to protect the workstations of mobile users outside the SB or LEB, factoring in various external risks;
methods for guaranteed destruction of information during reuse of workstations or decommissioning of data storage media;
rules for moving workstations outside the workplace;
2) accounting of workstations shall be regularly maintained with configurations checked;
3) installation and use at the workstations of remote control software or hardware outside the internal LAN circuit shall be excluded. Remote control inside the LAN internal circuit shall be allowed in cases explicitly provided for in the SB or LEB legal act;
4) unused input-output ports of workstations and mobile computers of SB and LEB servants shall be disabled or blocked, with the exception of workstations of IS unit staff.
21. The issue of input-output operations with the use of external electronic data storage media at the workstations of SB and LEB servants shall be regulated in accordance with the IS policy adopted by the SB or LEB.
22. To optimize equipment placement at the SB and LEB servant’s work station, the use of specialized equipment shall be permitted that ensures the use of one unit of a monitor, a manual manipulator (mouse) and a keyboard for several workstations, without using network interfaces.
23. To use the services of the EG ICP, the workstation connected to the internal circuit LAN of the SB or LEB shall be provided with a network connection to the EG ICP infrastructure.
24. The processing and storage of the SB and LEB service information shall be carried out at workstations that are connected to the internal circuit LAN of the SB and LEB and that do not have an Internet connection.
25. Access to the Internet shall be provided to SB and LEB servants from the workstations connected to the external circuit LAN of the SB and LEB, located outside the restricted access premises, determined in accordance with the Security Instruction of the Republic of Kazakhstan.
25-1. When organizing access to the Internet from local area networks of the external circuit, availability of anti-virus tools and updates of the operating systems at workstations connected to the Internet is mandatory.
26. Telephone service:
1) shall be based both on public digital telephone networks and on IP telephony technology;
2) shall provide user switching with telephone network subscribers via the following channels:
the use of subscriber connections through the existing local network of internal and external circuits and departmental data transmission network;
the use of communication services of public telephony operator on the E1 stream;
the use of mobile operators;
the use of long-distance and international call services.
27. For conferences, presentations, meetings, teleconference bridges, the SB and LEB conference room shall be equipped with:
1) sound amplification conference system, with a microphone, loudspeaker at the participant's place, and light indicator of the participant's request and presentation;
2) information input-output device.
To organize a teleconference with geographically distributed participants who are in other cities or countries, the conference system can be optionally supplemented by the audio and video conferencing system of the EG ICI operator.
28. Printing service:
1) is implemented by means of printing, copying and scanning equipment connected to the local network of the SB internal circuit using a network interface or direct connection to the print server;
2) is provided by software that carries out:
centralized user and device management;
accounting of printed documents, copies, e-mailed faxes and scans by user identification numbers with the possibility of distributing costs between departments and users;
a system of reports graphically illustrating print, copy, and scan activity;
user identification before the print service use;
authorization of the SB servant on the printing device in the ways regulated in the IS technical documentation;
forming a print queue that prints using a single print queue with the ability to receive printed documents on an available print device.
Paragraph 2. Requirements for information security organization
29. Organizing, providing and managing IS in a SB, LEB or organization shall be governed by the provisions of the standard of the Republic of Kazakhstan ISO / IEC 27002:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management.
30. In order to differentiate responsibilities and functions in the field of information security, an information security division shall be established, which is a structural unit separate from other structural units, engaged in the creation, maintenance and development of computerization facilities, or a servant responsible for providing information security shall be identified.
The requirement of this paragraph to create a separate IS unit shall not apply to special state bodies.
The IS unit or the servant responsible for IS maintenance shall perform:
1) control of the fulfillment of IS TD requirements;
2) control over the information security documenting;
3) control over asset management in the part of information security maintenance;
4) control over proper use of the software;
5) control over risk management in the field of ICT;
6) control over IS events logging;
7) internal audit of IS;
8) control over organization of the external audit of IS;
9) control over ensuring the continuity of business processes using ICT;
10) control over compliance with IS requirements in human resources management;
11) control over the state of information security of the informatization facility of the "electronic government".
31. The IS TD shall be established in the form of a four-level system of documented rules, procedures, practices or guidelines that the SB, LEB or organization are guided by in its activities.
IS TD shall be developed in the Kazakh and Russian languages, approved by the legal act of the SB, LEB or organization and communicated to all the staff.
IS TD shall be reviewed with the aim of analyzing and updating the information contained in them at least once every two years.
32. The IS policy of the SB, LEB or organization is a first-level document and it shall define goals, objectives, guidelines and practical methods in the field of IS maintenance.
33. The list of the second level documents shall comprise the documents detailing the requirements of the IS policy of SB, LEB, or organization, including:
1) methodology for assessing information security risks;
2) rules of identification, classification and labeling of assets associated with information processing facilities;
3) rules of ensuring continuous operation of assets relating to information processing facilities;
4) rules of inventory and certification of the hardware, telecommunications equipment and software;
5) rules of conducting IS internal audit;
6) rules of using data encryption tools;
7) rules of differentiation of access rights to electronic information resources;
8) rules of using Internet and email;
9) rules of organizing authentication procedure;
10) rules of organizing anti-virus control;
11) rules of using mobile devices and data storage media;
12) rules of organizing safeguards of information processing facilities and safe environment for the information resources operation.
34. Third level documents shall contain description of the processes and procedures for ensuring information security, including:
1) a catalog of IS threats (risks);
2) action plan on processing the IS threats (risks);
3) regulations on the information backup and recovery;
4) action plan on ensuring continuous operation and restoration of the operability of assets associated with information processing facilities;
5) the administrator's guide on maintenance of the informatization object;
6) instruction on the procedure for users to respond to IS incidents and emergency (crisis) situations.
35. The list of fourth level documents shall comprise work forms, logs, requests, protocols and other documents, including electronic ones, used to register and confirm the procedures and work performed, including:
1) a log file of information security incidents and emergency situations;
2) a log of visits to server rooms;
3) report on the assessment of network resources vulnerability;
4) cabling connection log;
5) a log of backup accounting (backup, recovery), backup testing;
6) a log of accounting for changes in the configuration of equipment, testing and accounting for changes in the free software (FS) and application software (AS) of IS, registration and elimination of software vulnerabilities;
7) a log of tests of the diesel generator sets and uninterruptible power supplies for the server room;
8) a log of tests of microclimate support systems, video surveillance, fire extinguishing of server rooms.
36. To ensure the assets security, the following actions shall be taken:
1) inventory of assets;
2) classification and labeling of assets in accordance with the classification system adopted by the SB or LEB;
3) assignment of assets to servants and defining the range of their responsibilities in the IS assets management;
4) regimentation in the IS TD of:
the use and return of assets;
identification, classification and labeling of assets.
37. For risks management in the field of ICT in SB or LEB, the following actions shall be taken:
1) choice of risk assessment methodology in accordance with recommendations of the standard of the Republic of Kazakhstan ST RK 31010-2010 Risk Management. Risk Assessment Methods and Development of Risk Analysis Procedure;
2) risk identification with respect to the list of identified and classified assets, including:
identification of IS threats and their sources;
identification of vulnerabilities that could lead to the threats happening;
identification of information leakage channels;
formation of an intruder model;
3) selection of criteria for acceptance of identified risks;
4) formation of a catalog of threats (risks) of information security, including:
assessment (reassessment) of identified risks in accordance with the requirements of the standard of the Republic of Kazakhstan ST RK ISO / IEC 27005-2013 Information Technology. Security Practices. Information Security Risk Management;
identification of potential damage;
5) development and approval of a plan for processing threats (risks) of information security, containing measures to neutralize or reduce them.
38. For the purpose of monitoring the IS breach occasions in the SB, LEB or organization the following actions shall be carried out:
1) monitoring of IS breaches occasions and analysis of the monitoring results;
2) logging of events related to the IS condition, and detection of breaches by analyzing event logs, including:
operating system events logs;
database management system events logs;
anti-virus protection events logs;
AS events logs;
telecommunication equipment events logs;
event logs of systems for detecting and preventing attacks;
content management system events logs;
3) time synchronization of event logs with the time source infrastructure;
4) storing of event logs for a period specified in the IS TD, but not less than three years and keeping them in operational access for at least two months;
5) maintaining logs of events on the software that is being created in accordance with the formats and types of records defined in the Rules of conducting monitoring of the information security of informatization objects of the “electronic government” and critical information and communication infrastructure facilities approved by the authorized body;
6) protection of event logs against interference and unauthorized access. System administrators shall not be allowed to change, delete, or disable the logs. Confidential information systems require creation and maintenance of a backup log storage;
7) implementation of formalized procedure for reporting information security incidents and responding to information security incidents.
39. To protect critical processes of SB, LEB or organizations against internal and external threats:
1) an action plan shall be developed, tested and implemented to ensure continuous operation and restoration of the operability of assets associated with information processing facilities;
2) instruction shall be communicated to the SB and LEB or organization servants on the procedure for users to respond to IS incidents and in emergency (crisis) situations.
The action plan for ensuring continuous operation and restoring operability of assets associated with information processing facilities shall be regularly updated.
40. The functional responsibilities for ensuring IS and obligations to fulfill the requirements of the IS TD for SB and LEB or organization’s servants shall be included in their work descriptions and (or) the employment contract terms.
Obligations in the IS maintenance, which are in force after termination of the employment contract, shall be fixed in the labor contract of the SB and LEB or organization’s servants.
41. In the event of involving third-party organizations in maintaining the information security of EIR, information systems, ICI, their owner or holder shall enter into agreements that establish conditions for the operation, access or use of these facilities, and also liability for their violation.
42. Content of the procedures in dismissal of the SB and LEB or organization’s servants who have obligations in the field of IS maintenance, shall be defined in the IS TD.
43. When dismissing a servant or amending the terms of the employment contract, the access rights of a SB and LEB or organization's servant to information and information processing tools, including physical and logical access, access identifiers, subscriptions and documentation that identifies him as a current SB and LEB or organization's servant, shall be annulled upon termination of his employment contract or changed when the employment contract terms are amended.
44. The human resources service shall organize and maintain records on the SB and LEB or organization’s servant’s training in the field of informatization and IS maintenance.
45. When initiating creation or development of informatization facilities of the first and second classes in accordance with the informatization objects classifier approved by the authorized body in informatization in accordance with subparagraph 11) of Article 7 of the Law (hereinafter - the classifier), as well as confidential information systems, protection profiles for composite components and security target shall be developed in accordance with requirements of the standard of the Republic of Kazakhstan ST RK GOST R ISO / IEC 15408-2006 Information Technology. Security Techniques. Evaluation Criteria for IT Security.
46. To ensure IS during the operation of informatization facilities, requirements shall be established for:
1) authentication techniques;
2) applied data encryption tools (DET);
3) availability and fault tolerance techniques;
4) monitoring of IS maintenance, protection and safe operation;
5) the use of IS tools and systems;
6) registration certificates of certification centers.
47. When accessing the informatization facilities of the first and second classes in accordance with the classifier, multifactor authentication shall be applied, including by means of EDS.
48. To protect the restricted service information, confidential information systems, confidential EIR and the EIR containing personal data of limited access, data encryption tools (software or hardware) shall be applied with parameters meeting the requirements of the cryptographic information protection system in accordance with the standard of the Republic of Kazakhstan ST RK 1073-2007 Means of Cryptographic Protection of Information. General Technical Requirements, for informatization objects of the:
first class in accordance with the classifier - the third level of security;
second class in accordance with the classifier - the second level of security;
third class in accordance with the classifier - the first level of security.
49. To ensure availability and fault tolerance, the owners of EG informatization objects shall provide:
1) own or leased backup server room for EG informatization objects of the first and second classes in accordance with the classifier;
2) backup of hardware and software for data processing, data storage systems, components of data storage networks and data transmission channels, including for EG informatization objects of:
first class in accordance with the classifier - loaded (hot) in the backup server room;
second class, in accordance with the classifier - not loaded (cold) in the backup server room;
third class in accordance with the classifier - storage in a warehouse close to the main server room.
50. EG informatization objects of the first and second classes in accordance with the classifier shall be connected to the system of IS monitoring, protection and safe operation no later than one year after they are put into operation.
51. SB, LEB shall monitor:
actions of users and personnel;
use of information processing tools.
52. In SB, LEB within the monitoring of the actions of users and personnel:
1) upon detection of abnormal activity or malicious user actions, these actions shall be:
recorded (logged) and blocked, with prompt notification of the administrator, for EG informatization objects of the first class in accordance with the classifier;
recorded and blocked for EG informatization objects of the second class in accordance with the classifier;
recorded for EG informatization objects of the third class in accordance with the classifier;
2) the actions of maintenance personnel shall be recorded and controlled by the IS unit.
53. IS events identified as critical for confidentiality, accessibility and integrity, according to the information security events monitoring and event log analysis:
1) shall be defined as IS incidents;
2) shall be accounted for in the catalog of information security threats (risks);
3) shall be registered in the computer incident response service of the state technical service.
54. At the stage of the informatization facilities operational testing, the following tools and systems shall be applied:
detection and prevention of malware;
IS incident and event management;
detection and prevention of intrusions;
monitoring and management of information infrastructure.
54-1. It shall be allowed to use data leak prevention (DLP) systems in local networks. This shall provide for:
visual notification of the user about the ongoing control of actions;
obtaining of written consent of the user to monitor his actions;
placement of the control center and servers of the data leak prevention system within the local network.
55. The registration certificates of the Root Certification Authority of the Republic of Kazakhstan are subject to recognition in trusted lists of software products of world software manufacturers for authentication purposes in accordance with the standards of ST RK ISO / IEC 14888-1-2006 Information Technology. Information Protection Methods. Digital Signatures with Appendix. Part 1. General Provisions, ST RK ISO / IEC 14888-3-2006, Information Technology. Security Techniques, Digital Signatures with Appendix. Part 3. Certificate-Based Mechanisms, GOST R ISO / IEC 9594-8-98, Information Technology. Open Systems Interconnection. The directory. Part 8: Authentication Framework.
56. Certification authorities of the Republic of Kazakhstan, excepting the Root Certification Authority of the Republic of Kazakhstan, are recognized in trusted lists of software products of world software manufacturers by accreditation of the certification authority in accordance with the rules of accreditation of certification authorities.
Certification authorities of the Republic of Kazakhstan shall place their registration certificate with a trusted third party of the Republic of Kazakhstan to ensure verification of EDS of the citizens of the Republic of Kazakhstan in foreign countries.
Chapter 3. Requirements for informatization objects
Paragraph 1. Requirements for electronic information resources and Internet resources
57. Owner and (or) holder of EIR shall:
1) carry out identification of EIR, form and post a description of metadata (use, description, plan of events, event chronicles, relationships), if necessary, in accordance with the standard of the Republic of Kazakhstan ST RK ISO 23081-2-2010 Information and Documentation. Managing Metadata for Records. Part 2. Conceptual and Implementation Issues (IDT) in the EIR catalog, approved by the SB or organization’s legal act;
2) determine the class of EIR in accordance with the rules for informatization objects classification and informatization objects classifier, approved by the authorized body, and record the class of EIR in the technical documentation and catalog of EIR;
3) keep the EIR catalog up to date;
4) carry out storage of EIR and its metadata. The form and method of storage shall be determined independently.
58. Requirements for creation or development of IR shall be defined in the technical specification for the acquisition of goods, works and services in the field of informatization.
59. The owner and (or) holder of the IR shall provide creation of publicly available IR in the Kazakh, Russian and, if necessary, in other languages, with the possibility for the user to choose the interface language.
60. Creation or development of IR shall be carried out with regard to requirements of the standards of the Republic of Kazakhstan ST RK 2190-2012 Information Technologies. Web Sites of State Bodies and Organizations. Requirements, ST RK 2191-2012 Information Technologies. Availability of Internet for Physically Challenged People, ST RK 2192-2012 Information technologies. Web Site, Web Portal, Intranet Portal. General Descriptions, ST RK 2193-2012 Information Technologies. Recommended Practice of Development of Portable Web-Applications, ST RK 2199- 2012 Information Technologies. Safety Requirements for Web-based Applications in State Bodies.
61. Preparation, placement, updating of EIR on the IR of SB or LEB shall be carried out in accordance with the rules of content and requirements for the maintenance of IR of the SB, approved by the authorized body.
62. The IR of the central executive body, structural and territorial units of the central executive body, local executive body shall be placed on the SB UPIR and registered with the gov.kz and мем.қаз. domain zones.
SB UPIR shall be placed on the EG ICP.
63. IR management, placement and updating of EIR of the central executive body, structural and territorial units of the central executive body, local executive body shall be carried out from the external circuit of the EG ICI local network by the operator on the basis of a request from the owner and (or) holder of the IR.
63-1. Industrial operation of IR of SB and LEB shall be allowed provided that there is an act with a positive test result for compliance with information security requirements and a certificate of compliance with information security requirements, with the exception of cases provided for in Article 66 of the Law of the Republic of Kazakhstan On Informatization.
64. When decommissioning Information system, software or SSP, the owner and (or) holder of the EIR shall ensure preservation of the structure and content of the database through the built-in functionality of the database management system of the decommissioned information system with the preparation of instructions for EIR restoring.
The method of storing the structure and contents of the database shall be determined by the owner independently.
65. In the event of EIR non-use, the SB or LEB shall ensure its transfer into the archive in the manner established by the Law of the Republic of Kazakhstan dated December 22, 1998 On National Archival Fund and Archives.
66. To ensure IS of IR, the following actions shall be applied:
1) registration of certificates for authentication of the domain name and cryptographic protection of the contents of the communication session with the use of DET;
2) content management system (content), performing:
authorization of operations of EIR placement, change and deletion;
registration of authorship when placing, changing and deleting EIR;
checking of downloaded EIR for malware;
security audit of executable code and scripts;
integrity control of the placed EIR;
maintaining of a log of EIR changes;
monitoring of anomalies in users and software robots activity.
Paragraph 2. Requirements for developed or acquired application software
67. At the stage of initiating creation or development of application software (AS), the software class shall be determined and recorded in the project documentation in accordance with the rules for classifying informatization objects and informatization objects classifier, approved by the authorized body in accordance with subparagraph 11) of article 7 of the Law.
68. Requirements for the information system AS that is being created or developed shall be defined in the technical project (requirement) created with reference to the standard of the Republic of Kazakhstan ST RK 34.015-2002 Information Technology. Set of Standards for Automated Systems. Technical Project on Creation of the Automated System on these UR and rules for making and consideration of the technical projects (requirements) for the creation or development of information systems of state bodies, approved by the authorized body in agreement with the authorized body in the field of information security maintenance.
69. Requirements for the SSP being created or being developed shall be defined in the specification for the design of information and communication services created in accordance with these UR and rules for implementation of the informatization service model approved by the authorized body.
69-1. Industrial operation of a service software product shall be allowed in the presence of an act with a positive test result for compliance with information security requirements, a test report with the aim of quality assessment in accordance with the requirements of the software documentation, standards in informatization area, and report on software documentation examination that are in effect in the Republic of Kazakhstan, with the exception of cases provided for by Article 66 of the Law of the Republic of Kazakhstan On Informatization.
70. Requirements for AS that is being acquired shall be defined in the technical specifications for the purchase of goods, works and services in informatization area, with regard to requirements of these UR.
71. In the purchase of off-the-shelf AS the priority of free software (FS) shall be taken into account, provided that its characteristics are identical with commercial software.
72. When forming requirements for development or acquisition of software, the EIR class and information of the EIR catalog shall be taken into account.
73. Developed or acquired off-the-shelf AS shall:
1) provide a user interface, input, processing and output of data in Kazakh, Russian and other languages, if necessary, with the possibility to select a user interface language;
2) take into account requirements such as ease of use;
3) provide full-functional virtualization technology support;
4) support clustering;
5) shall be provided with technical documentation for operation in the Kazakh and Russian languages.
74. Creation (development) or acquisition of software shall be provided with technical support and maintenance.
Planning, implementation and documentation of technical support and software maintenance shall be carried out in accordance with the specifications of the manufacturer, supplier or the IS TD requirements.
75. The process of creating (developing) AS:
1) includes:
creation of an information base of algorithms, source codes and software tools;
testing of software modules;
typing of algorithms, programs and information security tools that provide information, technological and software compatibility;
use of licensed development tools;
2) includes AS acceptance procedures, providing for:
transfer by the developer of the source codes of the programs and other objects necessary for creating AS to the owner and (or) holder;
control compilation of the transmitted source code, with creation of a fully functional AS version;
running of a test case on this software version.
76. Control over authorized changes to the software and access rights to it shall be carried out with participation of the SB or LEB servants of information technology unit.
77. AS development shall require:
consideration of the features provided for by the rules for implementing the service model of informatization;
regulation of IS issues in software development agreements;
risk management in the process of AS developing.
78. In order to ensure IS:
1) at the software development stage, recommendations shall be taken into account of the standard of the Republic of Kazakhstan ST RK GOST R 50739-2006 Computers Technique. Information Protection against Unauthorised Access to Information. General Technical Requirements;
2) requirements for the AS that is being developed or acquired shall include the use of tools such as:
identification and authentication of users, if necessary, EDS and registration certificates;
logging of user actions that affect information security;
online transaction protection;
cryptographic protection of information using DET of confidential information systems in storage, processing;
logging of critical software events;
3) IS TD shall determine and apply during operation:
rules for installing, updating and deleting software on servers and workstations;
management procedures of change and analysis of AS in the event of a change in the system software;
4) licensed software shall be used and acquired only when a license is available.
79. Measures to control proper use of software are defined in the IS TD, and shall be carried out at least once a year and include:
defining of actually used software;
determination of the software use rights;
comparison of actually used software and available licenses.
80. The AS carries out verification of validity of the EDS public key and registration certificate of the person who signed the electronic document in accordance with the electronic digital signature authentication rules approved by the authorized body in accordance with subparagraph 10) of paragraph 1 of Article 5 of the Law of the Republic of Kazakhstan dated January 7, 2003 On Electronic Document and Electronic Digital Signature.
Paragraph 3. Requirements for information and communication infrastructure
81. Requirements for ICI shall be formed with regard to the facilities comprised in it, in accordance with subparagraph 25) of Article 1 of the Law.
82. UR establish requirements for the following ICI facilities:
1) information system;
2) technological platform;
3) hardware-software complex;
4) telecommunication networks;
5) systems of uninterrupted operation of technical facilities and information security.
Paragraph 4. Information System Requirements
83. Information system of SB or LEB shall be created and developed in the manner specified by paragraph 1 of Article 39 of the Law, and with regard to requirements of Article 38 of the Law.
Mandatory requirements for the means of processing, storage and backup of EIR in the information system of SB or LEB are determined by Article 42 of the Law.
84. Before starting a trial operation by the developer:
1) a set of tests, test scripts and test methods shall be created for all functional components of the information system;
2) bench tests of the information system shall be carried out;
3) for the staff:
of the information system of SB or LEB of the first class in accordance with the classifier, training shall be mandatory;
of the information system of SB or LEB of the second class in accordance with the classifier, video and multimedia training materials shall be created;
of the information system of SB or LEB of the third class in accordance with the classifier, a help system and (or) operating instructions shall be created.
85. The trial operation of the information system of the SB or LEB shall comprise:
documentation of trial operation procedures;
information security compliance test;
optimization and elimination of identified defects and deficiencies with their subsequent correction;
execution of the act on completion of trial operation of the information system.
86. Before putting the information system into commercial operation in the SB or LEB or organizations, acceptance criteria for the created information system or new versions and updates of the information system shall be determined, agreed, and documented.
87. Putting of the information system of SB or LEB into industrial operation shall be carried out in accordance with the requirements of technical documentation subject to a positive completion of the trial operation, existence of an act with a positive test result for compliance with IS requirements, a certificate of compliance with IS requirements and the act of putting the information system into commercial operation signed by the acceptance commission with participation of representatives of the authorized body, concerned SB, LEB and organizations.
88. Submission for accounting and storage to the electronic government’s service integrator the developed software, source software codes (if available) and a set of settings for licensed software of the information system of the SB, LEB or organizations, is mandatory and shall be carried out in accordance with the procedure determined by the authorized body.
Modification, disclosure and (or) use of source software codes, software products and software shall be carried out with the permission of its owner.
89. In the industrial operation of the information system, the SB or LEB shall provide:
1) safety, protection, restoration of EIR in the event of failure or damage;
2) backup of EIR and control over its timely updating;
3) automated accounting, security and periodic archiving of information on calls to the information system of the SB or LEB;
4) monitoring of the IS events of the SB or LEB information system and transfer of the results to the monitoring system for ensuring the information security of the state technical service;
5) recording of changes in configuration settings of software, server and telecommunication equipment;
6) control and regulation of the functional characteristics of productivity;
7) information system support;
8) technical support of the used licensed software of the information system;
9) warranty maintenance by the information system developer, including elimination of the information system errors and shortcomings identified during the warranty period. Warranty maintenance shall be provided for no less than one year from the date of putting the information system into commercial operation;
10) connection of users to the information system; interaction with the information system shall be carried out with the use of domain names.
90. Integration of the SB or LEB information system, including with SB or LEB information system, which is in trial operation, shall be carried out in accordance with the requirements specified in Article 43 of the Law.
Integration of non-state information system with SB or LEB information system shall be carried out in accordance with the requirements defined by Article 44 of the Law.
90-1. At the fulfillment of functions of integration interaction of informatization facilities or components of informatization facilities through a gateway, integration bus, integration component or integration module, the following actions shall be provided:
1) registration and verification of the legitimacy of request sources (connection points);
2) verification of the legitimacy of requests by:
password or EDS;
presence of connection blocking;
permitted types of requests defined in the regulation on integration interaction;
the allowed request frequency defined in the regulation on integration interaction;
presence in requests of signs of information security violations;
presence of malicious code, detected by signatures;
3) connection blocking upon detection of violations in the messaging protocols in the events of:
absence of connection during the time defined in the regulation on integration interaction;
excess of the allowed frequency of requests for the time specified in the regulation of integration interaction;
presence in requests of signs of information security violations;
excess in the number of authentication errors defined in the regulation of integration interaction;
detection of anomalous user activity;
detection of attempts to upload data arrays;
4) regular change of connection passwords according to the duration of time defined in the regulation of integration interaction;
5) replacement of the login when identifying IS incidents;
6) concealment of internal circuit LAN addressing;
7) event logging, including:
recording of events of transmission / receipt of information messages;
recording of file transfer / receipt events;
recording of service messages transfer / receipt events;
the use of IS incident and event management system for monitoring of event logs;
automation of procedures for analyzing event logs for the presence of IS events;
storage of event logs on a specialized log server, accessible for administrators only for viewing;
separate event logging (if necessary) by:
a) the current day;
b) connection (communication channel);
c) state body (legal entity);
d) integrable informatization objects;
8) provision of time synchronization service for integrable informatization objects;
9) software and hardware cryptographic protection of connections made through data transmission networks;
10) storage and transmission of encrypted passwords;
11) automation of notifying the responsible persons of integrated informatization objects of IS incidents.
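Items 1) to 3) and 7) of paragraph 90-1 describe the checks an integration gateway applies to each incoming request and what it logs. The following Python example is added here for illustration and is not part of the UR or of any gateway implementation; the permitted request types, allowed frequency and authentication-error limit are constructed values standing in for those the regulation on integration interaction would fix, and a per-source shared password stands in for the EDS check.

```python
"""Request legitimacy checks for an integration gateway (UR para. 90-1, items 1)-3), 7)).
Added example, not part of the UR. Limits, request format and the password check are
constructed stand-ins for the regulation on integration interaction and the EDS infrastructure."""
import hmac
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IntegrationRegulation:
    """Parameters the UR leave to the regulation on integration interaction (constructed here)."""
    permitted_types: frozenset   # item 2): permitted request types
    max_requests: int            # item 2)/3): at most this many requests ...
    window_seconds: float        # ... within a sliding window of this length
    max_auth_errors: int         # item 3): authentication errors tolerated before blocking


@dataclass
class ConnectionState:
    """Per connection point (registered source) state kept by the gateway."""
    timestamps: deque = field(default_factory=deque)
    auth_errors: int = 0
    blocked: bool = False
    block_reason: str = ""


class Gateway:
    def __init__(self, regulation, registered_sources, credentials):
        self.reg = regulation
        # item 1): only registered connection points are known to the gateway
        self.sources = {src: ConnectionState() for src in registered_sources}
        # constructed: per-source shared secrets; a real gateway verifies EDS instead
        self.credentials = credentials
        # item 7): event log (in practice shipped to a dedicated log server / SIEM)
        self.event_log = []

    def _log(self, source, event, **details):
        self.event_log.append({"source": source, "event": event, **details})

    def _block(self, source, reason):
        state = self.sources[source]
        state.blocked = True
        state.block_reason = reason
        self._log(source, "connection_blocked", reason=reason)

    def handle(self, source, password, request_type, now):
        """Apply the checks in order; return (accepted, reason)."""
        if source not in self.sources:                        # item 1): unregistered source
            self._log(source, "rejected", reason="unregistered source")
            return False, "unregistered source"
        state = self.sources[source]
        if state.blocked:                                     # item 2): block already in force
            self._log(source, "rejected", reason="connection blocked")
            return False, "connection blocked: " + state.block_reason
        expected = self.credentials[source]                   # item 2): password (EDS in practice)
        if not hmac.compare_digest(password.encode(), expected.encode()):
            state.auth_errors += 1
            self._log(source, "auth_error", count=state.auth_errors)
            if state.auth_errors > self.reg.max_auth_errors:  # item 3): auth-error limit exceeded
                self._block(source, "authentication error limit exceeded")
            return False, "authentication failed"
        state.auth_errors = 0
        if request_type not in self.reg.permitted_types:      # item 2): permitted request types
            self._log(source, "rejected", reason="request type not permitted", type=request_type)
            return False, "request type not permitted"
        # item 2)/3): allowed frequency, measured over a sliding window of window_seconds
        state.timestamps.append(now)
        while state.timestamps and now - state.timestamps[0] >= self.reg.window_seconds:
            state.timestamps.popleft()
        if len(state.timestamps) > self.reg.max_requests:
            self._block(source, "request frequency exceeded")
            return False, "request frequency exceeded"
        self._log(source, "message_received", type=request_type)   # item 7): record receipt
        return True, "accepted"

    def blocked_sources(self):
        return sorted(s for s, st in self.sources.items() if st.blocked)


def demo():
    """Constructed scenario: one source exceeds the frequency, another the auth-error limit."""
    reg = IntegrationRegulation(frozenset({"GetStatus", "SendDocument"}), 3, 60.0, 2)
    gw = Gateway(reg, ["sb-a", "sb-b"], {"sb-a": "pw-a", "sb-b": "pw-b"})
    results = [
        gw.handle("unknown", "x", "GetStatus", 0.0),
        gw.handle("sb-a", "pw-a", "GetStatus", 1.0),
        gw.handle("sb-a", "pw-a", "DeleteAll", 2.0),
        gw.handle("sb-a", "pw-a", "GetStatus", 3.0),
        gw.handle("sb-a", "pw-a", "GetStatus", 4.0),
        gw.handle("sb-a", "pw-a", "GetStatus", 5.0),     # 4th request within 60 s -> blocked
        gw.handle("sb-a", "pw-a", "GetStatus", 70.0),    # stays blocked until an administrator acts
    ]
    for _ in range(3):                                   # 3 wrong passwords > limit of 2 -> blocked
        results.append(gw.handle("sb-b", "wrong", "GetStatus", 10.0))
    results.append(gw.handle("sb-b", "pw-b", "GetStatus", 11.0))
    return results, gw.blocked_sources(), gw.event_log
```

A block in this example is only lifted by an administrator, which matches item 3) of the paragraph; the login replacement of item 5) and the password rotation of item 4) would be handled outside the request path.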
91. Warranty service of the information system at the industrial operation stage with involvement of third parties shall require:
IS regulation in warranty service agreements;
ICT risk management in the process of warranty service.
92. Management of software and hardware of the SB or LEB information system shall be carried out from the internal circuit of the information system owner’s LAN.
The hardware and software of the SB or LEB information system and non-state information system integrated with the SB or LEB information system shall be placed on the territory of the Republic of Kazakhstan, with the exception of cases associated with interstate information exchange carried out with the use of national gateway, in the framework of international treaties ratified by the Republic of Kazakhstan.
92-1. To organize the work of the SB or LEB information system, it shall be allowed to use cloud services (hardware and software systems, information system providing resources with the use of virtualization technology), the control centers and servers of which are physically situated on the territory of the Republic of Kazakhstan.
92-2. The hardware and software of the information system of critical informatization facilities and ICI containing personal data of citizens of the Republic of Kazakhstan shall be placed on the territory of the Republic of Kazakhstan.
93. The owner or holder of the SB or LEB information system shall make a decision on the termination of the information system operation in the absence of the need for its further use.
The service integrator shall be notified of the cessation of operation of the SB or LEB information system, with the publication on the architectural portal of the "electronic government" of the informatization subjects whose information systems are integrated with the decommissioned information system of SB or LEB, and the SB or LEB that are users of this information system.
94. The SB or LEB shall draw up a plan for decommissioning of the SB or LEB information system operations and coordinate it with the SB or LEBs that are users of the information system of the SB or LEB.
95. Upon the information system decommissioning, the SB or LEB shall transfer to the departmental archive the electronic documents, technical documentation, logs and archived database of the decommissioned information system of the SB or LEB in accordance with the rules for receipt, storing, recording and using the documents of the National Archival Fund and other archival documents by departmental and private archives approved by the authorized body in the field of culture in accordance with subparagraph 2-4) of article 18 of the Law of the Republic of Kazakhstan dated December 22, 1998 On National Archival Fund and Archives.
96. Upon receipt of an application for terminating operation of the SB or LEB information system, the service integrator shall cancel the electronic registration certificate of the SB or LEB information system and place the relevant information on the architectural portal of the "electronic government".
97. Withdrawal and (or) disposal of the decommissioned information system of the SB or LEB shall be carried out in accordance with the legislation of the Republic of Kazakhstan on accounting and financial reporting.
If the operation of the information system of the SB or LEB is terminated, but the information system of the SB or LEB is not withdrawn in the prescribed manner, this information system shall be considered to be in conservation.
After decommissioning, the information system of the SB or LEB shall not be used.
98. To maintain IS:
1) at the stages of bench tests, acceptance tests and test operation the following actions shall be carried out:
testing of information system software based on developed test suites configured for specific classes of programs;
full-scale testing of programs under extreme loads with simulated exposure to active defects (stress testing);
testing of the information system’s software to identify possible defects;
bench tests of the information system’s software to determine unintended software design errors, identify potential problems for performance;
identification and elimination of vulnerabilities in software and hardware;
development of protection tools against unauthorized exposure;
2) before putting the information system into trial operation, it shall be required to provide:
control of adverse effects of the new information system on the functioning information systems and components of the EG ICI, especially during maximum loads;
analysis of the new information system impact on the condition of the information system of the EG ICI;
organization of staff training for the operation of the new information system;
3) separation of the environments of the pilot or industrial operation of the information system from the environments of development, testing or bench testing. The following requirements shall be implemented:
transfer of the information system from the development phase to the testing phase shall be recorded and documented;
transfer of the information system from the testing phase to the trial operation phase shall be recorded and documented;
transfer of the information system from the pilot operation phase to the industrial operation phase shall be recorded and documented;
development tools and tested software of the information system shall be located in different domains;
compilers, editors and other development tools in the operating environment shall not be located or shall not be available for use from the operating environment;
the test environment of the information system shall correspond to the operating environment in terms of hardware and software and architecture;
for tested information systems, it shall not be allowed to use real user accounts of the systems that are in industrial operation;
data from the information system in industrial operation shall not be subject to copying into the test environment;
4) during the information system decommissioning the following steps shall be provided:
archiving of information contained in the information system;
destruction (erasing) of data and residual information from computer storage media and (or) destruction of computer storage media. Upon decommissioning of machine storage media on which information was stored and processed, physical destruction of these storage media shall be carried out with execution of the relevant act.
Paragraph 5. Technology platform requirements
99. In the choice of technology platform, the equipment able to support virtualization technology shall be prioritized.
100. In the choice of equipment that implements virtualization technology, the need to ensure the following functions shall be taken into account:
distribution of computing resources between virtual machines;
coexistence of many applications and operating systems on the same physical computing system;
complete isolation of virtual machines from each other, so that an emergency failure of one of them does not affect the others;
no data transfer between virtual machines and applications, except when shared network connections are used;
provision of the computing resources of the equipment implementing virtualization technology to applications and OS.
101. EG ICP shall be placed on the equipment located in the server center of the SB.
EG ICP shall ensure:
automated provision of IC services with a single entry point for their management;
virtualization of computing resources of server equipment with the use of various technologies;
uninterrupted and fault-tolerant functioning of the provided IC services with utilization ratio of at least 98.7%;
exclusion of a single point of failure at the logical and physical levels by the means of used equipment, telecommunications and software;
separation of computing resources at the hardware and software levels.
Reliability of the virtual infrastructure is provided by the built-in virtualization software and virtual environment management software.
101-1. Industrial exploitation of ICP shall be allowed subject to existence of an act with a positive test result for compliance with information security requirements and a certificate of compliance with information security requirements, with the exception of cases provided for in article 66 of the Law of the Republic of Kazakhstan On Informatization.
102. To maintain IS using virtualization technology, the following measures shall be implemented:
1) identity management requiring:
authentication of IC services clients and privileged users;
federated user identification within the same technology platform;
saving of authentication information after deleting the user ID;
the use of control tools for the procedures of assigning the user authority profiles;
2) access control requiring:
separation of powers of the information system administrator and the virtualization environment administrator;
restrictions on access rights of the virtualization environment administrator to the IC service user data. Access rights are limited to the specific procedures defined in the SB TD and the service agreement for maintenance, and shall be subject to regular updating;
multi-factor authentication for privileged and critical operations;
restrictions on the use of roles with full authority. Information system administrator profile settings shall exclude access to the virtualization environment components;
definition of minimum privileges and implementation of the role-based access control model;
remote access via secure gateway or the list of allowed network addresses of the senders;
3) encryption key management, requiring:
control of access restrictions to data on encryption keys of data encryption tools (DET);
control over organization of the root directory and key subscription;
blocking of compromised keys and their safe destruction;
4) conducting an audit of IS events, requiring:
obligatory and regular procedures defined in the IS TD;
conducting audit procedures for all operating systems, guest virtual machines and network infrastructure components;
maintaining an event log and storing in a storage system inaccessible to the administrator;
checking the correct operation of the event logging system;
determining duration of the event logs storage in the IS TD;
5) registration of IS events, requiring:
logging of administrators’ actions;
applying a system for monitoring incidents and IS events;
alerting based on automatic detection of a critical event or information security incident;
6) IS incident management, requiring:
determining the formal process of detecting, identifying, evaluating and responding to IS incidents with updating once every six months;
reporting at the intervals specified in the IS TD, based on the results of detection, identification, evaluation and response to IS incidents;
notifications of responsible persons of the SB, LEB or organizations about IS incidents;
recording of IS incidents with the computer incident response service of the State technical service;
7) applying protective measures of hardware and software components of the virtualization environment infrastructure that carry out:
physical shutdown or blocking of unused physical devices (removable drives, network interfaces);
disabling of unused virtual devices and services;
monitoring of the interaction between guest operating systems;
control of virtual and physical devices association (mapping);
the use of certified hypervisors;
8) physical separation of operating environments from development and testing environments;
9) definition in the IS TD of change management procedures for informatization objects;
10) determination in the IS TD of the recovery procedures after failures and malfunctioning of the equipment and software;
11) implementation of network and system administration procedures requiring:
ensuring the safety of virtual machine images, and monitoring the integrity of the operating system, applications, network configuration, software and data of the SB or organization, including checks for the presence of malicious signatures;
separation of the hardware platform from the operating system of the virtual machine in order to exclude access of external users to the hardware;
logical isolation between various functional areas of the virtualization environment infrastructure;
physical isolation between EIR and information system virtualization environments of various classes according to the IS level.
Paragraph 6. Requirements for hardware-software complex
103. Requirements for configuration of server equipment of the HSC are determined in the requirements specification for creation or development of the information system and (or) technical specifications for the purchase of goods, works and services in the field of informatization.
104. The HSC server equipment of typical configuration shall be selected with regard to priority of servers:
1) with multiprocessor architecture;
2) enabling scaling of resources and increase of productivity;
3) supporting virtualization technology;
4) including controls, changes and redistribution of resources;
5) compatible with the used information and communication infrastructure.
105. To ensure high availability of the server, the embedded systems shall be used:
1) hot-swappable redundant fans, power supplies, drives and I/O adapters;
2) dynamic clearance and redistribution of memory pages;
3) dynamic redistribution of processors;
4) alerts about critical events;
5) supporting continuous monitoring of critical components and measuring monitored indicators.
106. Acquired server hardware shall be provided with technical support of the manufacturer. Server hardware that has been discontinued by the manufacturer shall not be acquired.
107. To ensure IS, an inventory of server equipment, including a check of its configuration, shall be carried out on a regular basis at the intervals defined in the IS TD.
108. To ensure security and quality of service, the following HSC server equipment of informatization facilities shall be placed:
of first class - only in the server center of the SB;
of second and third classes - in the server center of the SB or the server room of the SB or LEB, equipped in accordance with the requirements for server rooms established in these URs.
109. Requirements for data storage systems shall be defined in the requirements specification for creation or development of the information system and (or) technical specifications for the purchase of goods, works and services in the field of informatization.
110. The data storage system shall provide support for:
single tools for data replication;
scalability by data storage volume.
111. For highly loaded information systems, requiring high availability, the following shall be applied:
1) data storage networks;
2) data storage systems that support storage virtualization and (or) tiered data storage.
112. To ensure high availability, the storage systems shall include embedded systems:
1) hot-swappable redundant fans and power supplies;
2) hot-swappable drives and I/O adapters;
3) alerts about critical events;
4) active controllers (at least two controllers);
5) storage network interfaces (at least two ports per controller);
6) support for continuous monitoring of the critical components status and measurement of monitored indicators.
113. The data storage system shall be provided with a backup system.
114. To maintain IS, safe storage and data recovery capabilities:
1) cryptographic protection with the use of DET, in accordance with paragraph 48 of these URs, shall be applied to stored service information of limited distribution, information of confidential information systems, confidential EIR and EIR containing personal data of limited access;
2) a dedicated server shall be used for secure storage of encryption keys with a security level not lower than the security level of the used DET established for cryptographic keys in the rules for using data encryption tools;
3) recording and testing of backups shall be provided in accordance with the backup regulations defined in the IS TD.
115. When decommissioning storage media used in confidential information systems, confidential EIR and EIR containing personal data of limited access, software and hardware for guaranteed destruction of information shall be used.
116. When choosing the system software of server equipment and workstations, the following shall be taken into account:
1) requirements set in the technical specifications for development of the information system’s AS or specification for the design of information and communication services developed by the service integrator of the "electronic government";
2) compliance with the type of operating systems (client or server systems);
3) compatibility with the used application software;
4) support for network services operating in the telecommunications network;
5) multitasking support;
6) availability of regular means of receiving and installing critical updates and security updates issued by the operating systems manufacturer;
7) availability of diagnostic, auditing and event logging tools;
8) support for virtualization technologies.
117. Acquisition of the system software shall be carried out with regard to priority of:
1) a licensing model that ensures decrease in the purchase cost, also aggregate cost of the license for the operation period;
2) software provided with technical support and maintenance.
118. To maintain IS, the system software shall enable:
1) access control with the use of:
identification, authentication and user password management;
recording of successful and failed accesses;
recording of the use of system privileges;
restriction of the connection time, if necessary, and blocking the session if the time limit is exceeded;
2) prohibition for users, and restriction for administrators, of the use of system utilities that are able to bypass the control mechanisms of the operating system.
119. Free software (FS) shall be distributed free of charge and without licensing restrictions that would prevent its use in the SB in compliance with the requirements of copyright law.
120. FS shall be provided with open source code.
121. FS used in the SB shall be updated taking into account the support of information interaction formats through the EG external gateway (EGEG).
122. To maintain IS in the use of FS:
FS shall be permitted if it is supported by the community of FS developers or has passed examination and certification of its software code;
copies of the FS versions that have been used shall be retained.
Paragraph 7. Requirements for telecommunication networks
123. Departmental (corporate) telecommunication networks shall be organized by integrating local networks held by one owner through dedicated private or leased communication channels.
Dedicated communication channels designed for integrating local networks shall be organized with the use of channel and network layer protocols.
124. When organizing a departmental (corporate) network by integrating several local networks, a radial (star) or radial-node network topology shall be applied. At the anchor connection points, the dedicated channels shall be terminated on a single border gateway. Cascaded (serial) connection of LANs shall not be used.
125. During designing, a documented scheme of a departmental (corporate) telecommunication network is created and maintained in operation.
126. The staff maintaining a dedicated communication channel shall have physical access to equipment for communication channels organization.
The equipment is operated by the EG ICI operator that provides a dedicated channel.
Unused ports shall be blocked in the hardware setup.
127. The input of the communication channel lines into the building and their laying in the building shall be carried out in accordance with the state standard SN RK 3.02-17-2011 Structured Cabling Networks. Design Standards.
128. In order to ensure IS:
1) when organizing a dedicated communication channel integrating local networks, software and hardware tools for protecting information, including cryptographic encryption, shall be applied with the use of DET;
2) dedicated communication channel is connected to the local network via an edge (border) gateway with prescribed routing rules and security policies. The border gateway shall provide the following minimum set of functions:
centralized authorization of network nodes;
administrator privilege level configuration;
logging of administrators’ actions;
network addresses static translation;
protection against network attacks;
monitoring of physical and logical ports status;
filtering of incoming and outgoing packets on each interface;
cryptographic protection of transmitted traffic using DET;
3) when connecting a departmental (corporate) telecommunications network and local networks of the SB or LEB among themselves, the following shall be used:
means of separation and isolation of information flows;
equipment with components that provide information security and safe management;
firewalls dedicated and integrated with access equipment installed at each connection point in order to protect the SB UTM perimeter.
When the server is connected to the SB UTM and the local network, security is ensured through firewalls and separate access gateways installed at the junction points with the SB UTM and the local network;
4) when connecting a departmental (corporate) telecommunications network and local networks to the Internet through UIAG of SB, LEB, or organization, services shall be used of the ICI operator or another communication operator that has reserved communication channels on the UIAG equipment;
5) in the operational electronic information exchange (official correspondence) when performing their official duties, the servants of SB, LEB, state organizations, quasi-public sector entities, as well as owners of critical ICI objects shall use only departmental:
instant messaging service and other services.
Departmental e-mail of the central executive body, structural and territorial units of the central executive body, and local executive body shall be placed in the gov.kz and мем.қаз domain zones.
6) interaction of departmental e-mail of SB and LEB with external electronic mail systems shall be carried out only through a single email gateway.
129. Connection of SB and LEB to the SB UTM shall be carried out in accordance with the procedure for connecting to SB UTM and providing access to the intranet resource of the SB or LEB through the SB UTM, as determined by the authorized body.
130. In SB or LEB it shall be allowed to use devices for organizing wireless access only to publicly available EIRs of the "electronic government" and places permitted for SB or LEB visitors staying in the "guest zone".
131. It shall not be allowed to connect to the SB UTM, to the SB or LEB local network, or to the technical facilities that are part of the SB UTM or of the SB or LEB local network, any devices for organizing remote access via wireless networks, wireless access devices, modems, radio modems, modems of mobile operator networks, mobile subscriber devices or other wireless network devices.
132. At the SB or LEB request, the EG ICI operator shall carry out:
distribution, registration and re-registration of IP addresses of SB and LEB local networks connected to the SB UTM;
registration of domain names in the domain zones of the Internet gov.kz and мем.қаз at the request of SB or LEB;
registration of domain names in the SB UTM network at the request of SB or LEB;
provision of DNS service in the SB UTM network.
133. SB or LEB shall annually:
1) request from the state technical service a list of Internet resources categories used on UIAG equipment;
2) select from the above list the categories of Internet resources, access to which is limited for SB or LEB servants by means of UIAG, and compile their list;
3) direct to the state technical service the above list and lists of network addresses of information and communication networks of the SBs and their territorial units, LEBs that gained access to the Internet, for use on the UIAG equipment.
134. The State technical service shall carry out delegation (maintenance) of gov.kz and мем.қаз domain zones with provision of the service on the Internet.
135. Requirements for the created or developed local network shall be defined in the technical specification for the purchase of goods, works and services in the field of informatization.
When designing a cabling system for a local network, requirements shall be observed of the state standard SN RK 3.02-17-2011 Structured Cabling Networks. Design Standards.
136. During the design, a documented scheme of the local network shall be created, which is kept up to date during operation.
137. All the cabling system elements shall be subject to marking in accordance with requirements of paragraph 13.1.5 of the State standard SN RK 3.02-17-2011 Structured Cabling Networks. Design Standards.
All the cabling connections shall be recorded in the cabling connection log.
138. Active equipment of local networks shall be fed with electric power from uninterruptible power supplies.
139. To ensure IS:
1) unused ports of the cabling system of the local network shall be physically disconnected from the active equipment;
2) IS TD shall be developed and approved, including the rules of:
use of networks and network services;
connections to international (territorial) data transmission networks;
connections to Internet and (or) telecommunication networks, communication networks that have access to international (territorial) data transmission networks;
the use of wireless access to network resources;
3) service information of limited distribution, information of confidential information systems, confidential EIR and EIR containing personal data of limited access, shall not be transmitted through insecure wired communication channels and radio channels that are not equipped with the corresponding DET.
Transmission of limited service information shall be carried out in compliance with special requirements for restricted information protection, in accordance with the Rules for classifying information as restricted service information and working with it established by the Government of the Republic of Kazakhstan;
4) tools shall be applied for:
identification, authentication and user access control;
protection of diagnostic and configuration ports;
physical segmentation of the local network;
logical segmentation of the local network;
network connection management;
hiding the internal address space of the local network;
control over integrity of data, messages and configurations;
cryptographic protection of information in accordance with paragraph 48 of these UR;
physical protection of data transmission channels and network equipment;
logging of IS events;
monitoring and analysis of network traffic;
5) local networks of SB and of LEB shall interact only via the SB UTM, with the exception of telecommunications networks for special purposes and/or government, classified, encrypted and coded communications;
6) local networks of the central executive state body and its territorial divisions shall interact with each other only through the SB UTM, with the exception of special-purpose telecommunication networks and/or government, classified, encrypted and coded communications;
7) interfacing of the internal circuit LAN and the external circuit LAN of SB and of LEB shall be excluded;
8) connection of the internal circuit LAN and the external circuit LAN of SB and of LEB to the Internet shall be excluded;
9) connection of the external circuit LAN of SB and LEB to the Internet shall be made only through the UIAG. Connection to the Internet in any other way shall not be allowed, with the exception of special and law enforcement SB for operational purposes. Interaction of the EGEG with the Internet shall be carried out through the UIAG;
10) SB or LEB information system, realizing information interaction via the Internet, shall be placed in the selected segment of the external circuit LAN of the SB or LEB, and interaction with the SB or LEB information system located in the internal circuit LAN of the SB or LEB, shall be carried out through the EGEG;
11) information interaction of the information systems placed on the Internet with the SB or LEB information systems placed in the internal circuit LAN of SB or LEB shall be carried out only through the EGEG.
The EGEG functioning shall comply with the procedure approved by the authorized body in the field of informatization;
12) the servers of the top-level time source infrastructure shall be synchronized with the time and frequency standard reproducing the national coordinated universal time scale UTC(kz).
Exact time infrastructure servers provide access to clients for time synchronization.
140. The requirements provided for in subparagraphs 10) and 11) of paragraph 139 of the UR shall not apply to the information systems of SB and LEB that were put into commercial operation before January 1, 2016 and are not subject to development until January 1, 2018.
The procedure of information interaction of the information systems’ data of SB and LEB with non-state information systems shall be governed by the Rules for integration of informatization objects of the “electronic government”, approved by the authorized body in the field of informatization in accordance with subparagraph 13) of Article 7 of the Law.
Paragraph 8. Requirements for systems of uninterrupted functioning of technical facilities and information security
141. Server equipment of HSC and data storage systems shall be placed in the server room.
142. The server room shall be located in separate, closed to admissions premises without windows. If there are window openings, they must be closed or sealed with non-combustible materials.
For the surface of walls, ceilings and floors, materials are used that do not emit and do not accumulate dust. For flooring, antistatic materials are used. The server room shall be protected from contaminants.
The walls, doors, ceiling, floor and partitions of the server room shall provide hermetic state of the premises.
143. The doors of the server room must be at least 1.2 meters wide and 2.2 meters high, open outward or move apart. The door frame must be without a threshold and a central pillar.
144. The server room must have a false floor and (or) false ceiling to accommodate cable systems and utility lines.
145. Laying of any transit communications through the server room shall be excluded. Routes of ordinary and fire water supply, heating and sewage shall be withdrawn from the server room and shall not be located above the server room on the upper floors.
146. Communication channels for laying the power and low-current cable networks of a building shall be installed in separate cable trays, ducts or pipes, or in ones separated by partitions, spaced apart from each other. Low-current and power cabinets shall be installed separately and locked.
Cables passing through inter-floor slabs, walls and partitions shall be laid in sections of fireproof pipe and hermetically sealed with non-combustible materials.
147. The server room shall be reliably protected from external electromagnetic radiation.
148. When placing the equipment:
1) rules shall be observed for the technical operation of electrical installations of consumers, approved by the authorized body in the energy sector in accordance with subparagraph 27) of article 5 of the Law of the Republic of Kazakhstan dated July 9, 2004 On Electric Power Industry;
2) requirements of the equipment suppliers and (or) the manufacturer shall be met for installation, load on the floors and false floors, taking into account the weight of the equipment and communications;
3) availability of free service passages for servicing of the equipment shall be ensured;
4) organization of air flows of the microclimate support system shall be taken into account;
5) organization of the system of false floors and false ceilings shall be taken into account.
149. In technical support of the equipment installed in the server room, the following shall be documented:
1) equipment maintenance;
2) elimination of problems arising during the operation of hardware and software complex (HSC);
3) facts of failures and malfunctions, also restoration work results;
4) post-warranty service of critical equipment after the warranty service period expiry.
The form and method of documentation shall be determined independently.
150. Maintenance of critical equipment shall be performed by certified engineering staff.
151. In close proximity to the server room, a warehouse of spare parts for critical equipment shall be created, containing a stock of components and equipment for operational replacement during remedial measures.
152. Intervention in the work of equipment in operation shall be possible only with the permission of the head of the information technology unit or of a person replacing him.
153. The main and backup server rooms have to be located at a safe distance in the buildings that are remote from each other. Requirements for redundant (backup) server rooms are identical to the requirements for primary server rooms.
154. In order to ensure IS, fault tolerance and reliability of operation:
1) in the server room, methods of equipment location are used to ensure that risks of threats, dangers and unauthorized access are reduced;
2) in the server room, IR, SSP and information systems belonging to different classes according to the classifier of informatization objects shall not be placed in the same environment, on the same server equipment, or in the same wiring closet or EIR stand;
3) the list of persons authorized to provide support for ICI facilities installed in the server room shall be kept up to date;
4) the server room shall be equipped with systems of:
access control and management;
guaranteed power supply;
5) fault tolerance of the server room infrastructure shall be at least 99.7%.
155. The access control and management system shall provide authorized entry into the server room and authorized exit from it. The blocking devices and design of the front door shall prevent the possibility of transmitting access identifiers in the opposite direction through the front door.
The central control device of the access control and management system shall be installed in separate service rooms, premises of the security post, protected from access by unauthorized persons. Access of the security personnel to the software of the access control and management system that influences the system’s operating modes shall be excluded.
Power supply to the access control and management system is provided from a free group of standby lighting panels. Access control and management system shall be provided with redundant power supply.
156. The microclimate support system shall include air conditioning, ventilation and microclimate monitoring systems. The microclimate systems of the server room are not connected with other microclimate systems installed in the building.
Temperature in the server room shall be maintained in the range from 20°C to 25°C with a relative humidity of 45% to 55%.
The power of the air conditioning system must exceed the total heat emission of all the equipment and systems. The air conditioning system shall be backed up. The power for the server room air conditioners is fed from the guaranteed power supply system or uninterruptible power supply system.
The ventilation system provides fresh air flow with filtration and heating of the incoming air in the winter time. In the server room, the pressure must be excessive to prevent the entry of contaminated air from neighboring rooms. Protective valves controlled by a fire extinguishing system are installed on the air ducts of the supply and exhaust ventilation.
Air conditioning and ventilation systems are automatically switched off by a fire alarm.
The climate monitoring system controls the climatic parameters in the server cabinets and telecommunication racks, such as:
air flow rate;
opening (closing) of cabinet doors.
157. The security system of the server room shall be separate from the building security systems. Alerts are displayed in the premises of the round-the-clock security on a separate display console. All the inlets and outlets of the server room, as well as the internal volume of the server room, are subject to control and protection. The alarm system has its own redundant power supply.
158. Location of the video surveillance system cameras shall be selected with regard to control of all the entrances and exits to the server room, the space and passages near the equipment. The viewing angle and resolution of cameras must enable face recognition. The image from the cameras is displayed on a separate remote control in a 24-hour security room.
159. The fire alarm system of the server room shall operate separate from the fire alarm of the building. Two types of sensors shall be installed in the server room: of temperature and smoke.
The sensors control the total space of the server room and the volumes formed by the false floor and / or false ceiling. Alerts of the fire alarm system are displayed on the remote control in round-the-clock security premises.
160. The server room fire extinguishing system shall be equipped with an automatic gas fire extinguishing installation, independent of the building fire extinguishing system. A special non-toxic gas is used as the extinguishing agent in the automatic gas fire extinguishing installation. Powder and liquid fire extinguishers shall not be used. The gas fire extinguishing installation shall be located directly in or near the server room in a cabinet specially equipped for this purpose. The fire extinguishing system is triggered by early fire detection sensors, which react to the appearance of smoke, and by manual call points located at the exit of the premises. The delay time before release of the extinguishing agent shall be no more than 30 seconds. An alert on actuation of the fire extinguishing system appears on displays placed inside and outside the room. The fire extinguishing system issues commands to close the protective valves of the ventilation system and to turn off the power to the equipment. A server room with a fire extinguishing system shall be provided with exhaust ventilation to vent the extinguishing gas.
161. The guaranteed power supply system shall comprise two power supply inputs from different external power sources with a voltage of ~400/230 V and a frequency of 50 Hz, and an autonomous generator. All the electricity sources are fed to the power-transfer relay, which automatically switches to the backup power input when the main power input is interrupted or stopped. The parameters of the power lines and the conductor cross-section are determined based on the planned total power consumption of the equipment and subsystems of the server room. Power lines are laid in a five-wire circuit.
The guaranteed power supply system shall provide for the power supply of the equipment and systems of the server room through uninterruptible power sources. The power and configuration of the uninterruptible power sources are calculated taking into account all the powered equipment and a reserve for future expansion. Run time from the uninterruptible power sources is calculated taking into account the needs, as well as the time necessary to switch to the backup lines and the time for the generator to start up and reach operating mode.
162. The grounding system of the server room shall be separate from the protective grounding of the building. All the metal parts and structures of the server room are grounded to a common grounding bar. Each cabinet (rack) with equipment is grounded by a separate conductor connected to the common grounding bar. Exposed conductive parts of information processing equipment are connected to the main grounding terminal of the electrical installation.
Grounding conductors connecting surge voltage protection devices to the main grounding bar shall be as short and straight as possible (without bends).
When building and operating the grounding system, the following shall be complied with:
Rules of electrical installations establishment, approved by the order of the authorized body in the field of energy in accordance with subparagraph 19) of article 5 of the Law of the Republic of Kazakhstan dated July 9, 2004 On Electric Power;
standard of the Republic of Kazakhstan ST RK IEC 60364-5-548-96 Electrical Installations of Buildings. Part 5. Selection and Erection of Electrical Equipment. Section 548 Earthing Arrangements and Equipotential Bonding for Information Technology Installations;
standard of the Republic of Kazakhstan ST RK IEC 60364-7-707-84 Electrical Installations of Buildings. Part 7. Requirements for Special Installations. Section 707 Earthing Requirements for the Installation of Data Processing Equipment;
standard of the Republic of Kazakhstan ST RK GOST 12.1.030-81 SSBT. Electrical Safety. Protective Grounding, Neutral Grounding;
standard of the Republic of Kazakhstan ST RK GOST 464-79 Grounding for Stationary Wire Communication, Radio Relay and Radio Transmission Stations of Wired Radio and CATV Antennas. Resistance Norms.
163. Telecommunication network switching equipment is located in a cross room. The cross room is located close to the center of the work area it serves.
The size of the cross room shall be chosen on the basis of the size of the serviced work area and the equipment being installed.
The cross room shall comply with the following requirements:
availability of free service passages for equipment maintenance;
absence of powerful sources of electromagnetic interference (transformers, electrical panels, electric motors, etc.);
absence of pipes and water valves;
availability of fire safety systems;
absence of combustible materials (wooden racks, cardboard, books, etc.);
availability of a dedicated power line from a separate supply device for connecting the cabinet, as per the design;
availability of alarm systems, access control;
availability of air conditioning.
Appendix to Order No. 832 of the Government of the Republic of Kazakhstan dated December 20, 2016
List of certain orders of the Government of the Republic of Kazakhstan that have lost force
1. Subparagraphs 5) and 6) of paragraph 1, paragraphs 2-1 and 2-2 of Order No. 965 of the Government of the Republic of Kazakhstan dated September 14, 2004 "On some measures to ensure information security in the Republic of Kazakhstan".
2. Order No. 244 of the Government of the Republic of Kazakhstan dated March 14, 2013 "On introducing amendments to Order No. 965 of the Government of the Republic of Kazakhstan dated September 14, 2004 'On some measures to ensure information security in the Republic of Kazakhstan'".
3. Order No. 706 of the Government of the Republic of Kazakhstan dated June 26, 2014 "On introducing amendments to Order No. 965 of the Government of the Republic of Kazakhstan dated September 14, 2004 'On some measures to ensure information security in the Republic of Kazakhstan'".