Information Security
Pavel, 2021-07-29 16:59:44

How to determine the type of threat to personal data?

There was a need to put the handling of personal data in order at a certain company. There is no problem with the paperwork. But the papers depend heavily on the technical side of the issue. And the technical side rests on Decree of the Government of the Russian Federation No. 1119 dated 11/01/2012, where, in order to determine the required level of security, it is first necessary to determine the type of threat.

Quote:
Type 1 threats are relevant to an information system if, among other threats, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it.
Type 2 threats are relevant to an information system if, among other threats, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it.
Type 3 threats are relevant to an information system if threats not associated with the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.


The problem is that you have to determine this type yourself. But how to do this is not described. What needs to be done to achieve a given level of security is described in detail. What about the type?

From my non-professional point of view, everything should be type 1, because these are threats from the OS. Everything revolves around the OS. Of course, this conclusion is wrong, but I did not find the correct conclusion in the regulations. I came across a mention of the need for software certification by the FSTEC, including here on Toster. But it is not written down anywhere. And I don't really understand why certification is needed for licensed Windows officially sold through official dealers.

Colleagues, tell me what and where to dig.

2 answer(s)
Uncle Seryozha, 2021-07-30
@SelectVim

If you use licensed software downloaded from official sites rather than repacks, do not install software developed by the government of another country, in general use widespread software whose developer constantly updates it, have software developed by third-party companies built for you under an agreement with an NDA, test such software, and are not of interest to other states, then write that type 2 threats are not relevant to you.
If you use and update system software (OS, BIOS, microcontroller microcode), do not use no-name network equipment (you use proven Cisco equipment), etc., or, conversely, use only software that is sold to a conditionally limited set of legal entities, then write that type 1 threats are not relevant to you.
It turns out that type 3 threats are relevant to you.
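The decision procedure in the answer above, encoded as a checklist evaluator. This is an added example, not code from the answer, the decree or any FSTEC document. It assumes the answer's criteria can be reduced to yes/no answers (the field names are my own), and it reports type 1 when both the system-software and the application-software conditions hold, an assumption the quoted decree text does not settle. The `justification` function returns the lines a practitioner would paste into the threat model to show how the type was arrived at.

```python
from dataclasses import dataclass
from enum import IntEnum


class ThreatType(IntEnum):
    """Threat types as defined in Government Decree No. 1119."""
    TYPE_1 = 1  # threats from undocumented capabilities in system software are relevant
    TYPE_2 = 2  # threats from undocumented capabilities in application software are relevant
    TYPE_3 = 3  # only threats not tied to undocumented capabilities are relevant


@dataclass(frozen=True)
class Assessment:
    """Yes/no answers to the criteria listed in the answer above.

    Field names are my own; neither the decree nor the answer defines them.
    """
    # Criteria bearing on application software (type 2 threats)
    app_sw_licensed_from_official_sources: bool
    no_software_from_foreign_governments: bool
    app_sw_widespread_and_actively_updated: bool
    custom_sw_built_under_nda_and_tested: bool  # True also when no custom software is used
    not_of_interest_to_foreign_states: bool
    # Criteria bearing on system software (type 1 threats)
    system_sw_kept_updated: bool  # OS, BIOS, microcontroller microcode
    network_gear_from_established_vendor: bool
    # Alternative route from the answer: software sold only to a limited set of legal entities
    system_sw_restricted_distribution: bool = False


APPLICATION_CRITERIA = (
    "app_sw_licensed_from_official_sources",
    "no_software_from_foreign_governments",
    "app_sw_widespread_and_actively_updated",
    "custom_sw_built_under_nda_and_tested",
    "not_of_interest_to_foreign_states",
)
SYSTEM_CRITERIA = (
    "system_sw_kept_updated",
    "network_gear_from_established_vendor",
)


def unmet_criteria(a: Assessment, names: tuple) -> list:
    """Return the names of the criteria the organisation does not satisfy."""
    return [n for n in names if not getattr(a, n)]


def application_ndv_threats_relevant(a: Assessment) -> bool:
    """Type 2 condition: at least one application-software criterion is unmet."""
    return bool(unmet_criteria(a, APPLICATION_CRITERIA))


def system_ndv_threats_relevant(a: Assessment) -> bool:
    """Type 1 condition: a system-software criterion is unmet and the
    restricted-distribution route from the answer does not apply."""
    if a.system_sw_restricted_distribution:
        return False
    return bool(unmet_criteria(a, SYSTEM_CRITERIA))


def determine_threat_type(a: Assessment) -> ThreatType:
    """Type 1 is checked first (assumption: it takes precedence when both hold)."""
    if system_ndv_threats_relevant(a):
        return ThreatType.TYPE_1
    if application_ndv_threats_relevant(a):
        return ThreatType.TYPE_2
    return ThreatType.TYPE_3


def justification(a: Assessment) -> list:
    """Lines for the threat model document: the conclusion and the criteria behind it."""
    lines = [f"Threat type: {determine_threat_type(a).value}"]
    for label, names in (("system software", SYSTEM_CRITERIA),
                         ("application software", APPLICATION_CRITERIA)):
        missing = unmet_criteria(a, names)
        lines.append(f"{label}: " + ("all criteria met" if not missing
                                     else "unmet: " + ", ".join(missing)))
    if a.system_sw_restricted_distribution:
        lines.append("system software: restricted-distribution route applied")
    return lines


# Constructed sample: a shop that patches everything and buys brand-name gear
TIDY = Assessment(True, True, True, True, True, True, True)
# Constructed sample: the same shop, but BIOS/microcode updates are never applied
STALE_FIRMWARE = Assessment(True, True, True, True, True, False, True)
# Constructed sample: patched system software, but application software comes from repacks
REPACKS = Assessment(False, True, True, True, True, True, True)

if __name__ == "__main__":
    for name, a in (("TIDY", TIDY), ("STALE_FIRMWARE", STALE_FIRMWARE), ("REPACKS", REPACKS)):
        print(name, *justification(a), sep="\n  ")
```

The criteria here are the answer's own heuristics, not text from the decree, so the justification lines should be read as the reasoning to be defended in front of the regulator, not as a formula the regulator prescribes.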

Valentine, 2021-07-29
@vvpoloskin

In accordance with the methodology.
