Information Security
busidoway, 2019-02-21 08:23:33

Is there a document confirming the security of the information product?

There is a website that contains some information in a database. The information is visible only to registered users. For the client, it is necessary to prepare a certain document that would confirm that this site is safe, all information on the site and in the database is protected, confidentiality is respected. Does anyone know if there is anything similar, any "official" confirmation?


3 answer(s)
Alexander, 2019-02-21
@NeiroNx

I think you need a certificate
base.garant.ru/10103678/95ef042b11da42ac166eeedeb9...
obtained on a voluntary basis
base.garant.ru/12129354/b5dae26bebf2908c0e8dd3b8a6...
and there are plenty of firms like sevtest.com/sertifikaciya-informacionnyx-sistem
that issue such certificates; here you need to study the market in detail.

athacker, 2019-02-21
@athacker

There are no such certificates. There is a program and methodology for certifying the compliance of an information system with CERTAIN REQUIREMENTS. In Russia, such certificates can be issued by the FSTEC (in relation to information security measures) and the FSB (in relation to cryptographic information protection tools). The certification procedure according to the requirements of the FSB / FSTEC is long, complicated and expensive. In reality, it is required only if you work with government agencies.
If you plan to work with commercial enterprises... Well, you can order an audit from some organization that audits information security, and then show their conclusion to clients. But judging by your question, I give a 100% guarantee that your information system will not pass such an audit. Especially considering that you don't even have HTTPS - this clearly shows the level of development.
But in any case, the certificate only confirms the compliance of your system and its operation/development procedures with certain information security standards. There are several standards - at least there are Russian requirements, such as FSTEC Order No. 21 and the documents supplementing it, and 152-FZ (the law on the protection of personal data). There are the European ISO 27000 standards, and there are the American NIST 800 series or FIPS 140-2.
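A quick self-check of the point this answer makes in passing (a site that still serves the login area over plain HTTP fails an audit before the auditor reads anything else). This is an added example, not code from the thread or from either answerer; the two sites and their HTTP responses are constructed inline under the reserved domain example.test so it runs offline. The one-year HSTS bar is a common audit threshold (and the hstspreload.org minimum), not a requirement of RFC 6797 itself.

```python
"""Pre-audit transport-security check over captured HTTP responses.

Evaluates the plain http:// response and the https:// response of a site and
returns a list of findings (an empty list means pass). Added example; the
responses below are constructed, not captured from any real site.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; common audit / preload-list minimum for HSTS max-age


@dataclass
class Response:
    url: str
    status: int
    headers: list = field(default_factory=list)  # list of (name, value); Set-Cookie may repeat

    def header(self, name):
        """Return the first header value with the given (case-insensitive) name."""
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value} (names lower-cased)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_transport(http_resp, https_resp):
    """Return findings for the three things an auditor looks at first."""
    findings = []

    # 1. Plain HTTP must redirect to an https:// URL, never serve the page itself.
    if http_resp.status in (301, 302, 307, 308):
        location = http_resp.header("Location") or ""
        if urlsplit(location).scheme != "https":
            findings.append("http redirect does not lead to an https:// URL")
    else:
        findings.append(f"http served status {http_resp.status} instead of redirecting to https")

    # 2. The HTTPS response should pin the browser to TLS with a long-lived HSTS policy.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https response")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not a number")
        elif int(max_age) < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # 3. Session cookies for the members-only area must not leak over HTTP or to scripts.
    for name, value in https_resp.headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} set without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} set without HttpOnly")
    return findings


# Constructed sample: a site in the state the answer describes.
BAD_HTTP = Response("http://example.test/login", 200, [("Content-Type", "text/html")])
BAD_HTTPS = Response("https://example.test/login", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])

# Constructed sample: the same site after enforcing TLS.
GOOD_HTTP = Response("http://example.test/login", 301, [("Location", "https://example.test/login")])
GOOD_HTTPS = Response("https://example.test/login", 200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, pair in (("before", (BAD_HTTP, BAD_HTTPS)), ("after", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, check_transport(*pair) or "pass")
```

To use it against a real site, fill the two Response objects from the headers you capture with `curl -I http://...` and `curl -I https://...`; the check deliberately works on captured data so the result can be attached to the audit file alongside the raw responses.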
