Document from CIS Legislation database © 2003-2022 SojuzPravoInform LLC

ORDER OF THE MINISTER OF DIGITAL DEVELOPMENT, DEFENSE AND AEROSPACE INDUSTRY OF THE REPUBLIC OF KAZAKHSTAN

of June 3, 2019 No. 111/Tax Code

About approval of technique and rules of carrying out testing of objects of informatization of "the electronic government" and the information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security

(as amended on 28-09-2020)

In compliance with the subitem 5) article 7-1 of the Law of the Republic of Kazakhstan of November 24, 2015 "About informatization" and the subitem 1) article 10 of the Law of the Republic of Kazakhstan of April 15, 2013 "About the state services" PRIKAZYVAYU:

1. Approve:

1) the Technique of carrying out testing of objects of informatization of "the electronic government" and the information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security according to appendix 1 to this order;

2) Rules of carrying out testing of objects of informatization of "the electronic government" and information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security according to appendix 2 to this order.

2. Declare invalid the order of the Minister of the defense and aerospace industry of the Republic of Kazakhstan of March 14, 2018 No. 40/Tax Code "About Approval of Technique and Rules of Carrying Out Testing of Service Software Product, Information Communication Framework of " the Electronic Government ", Internet Resource of State Body and Information System on Compliance to Requirements of Information Security" (it is registered in the Register of state registration of regulatory legal acts for No. 16694, it is published on April 12, 2018 in Reference control bank of regulatory legal acts of the Republic of Kazakhstan).

3. To provide to committee on information security of the Ministry of digital development, defense and aerospace industry of the Republic of Kazakhstan in the procedure established by the legislation:

1) state registration of this order in the Ministry of Justice of the Republic of Kazakhstan;

2) within ten calendar days from the date of state registration of this order the direction it in the Republican state company on the right of economic maintaining "Institute of the legislation and legal information of the Republic of Kazakhstan" the Ministries of Justice of the Republic of Kazakhstan for official publication and inclusion in Reference control bank of regulatory legal acts of the Republic of Kazakhstan;

3) placement of this order on Internet resource of the Ministry of digital development, the defense and aerospace industry of the Republic of Kazakhstan after its official publication;

4) within ten working days after state registration of this order in the Ministry of Justice of the Republic of Kazakhstan submission to Legal department of the Ministry of digital development, the defense and aerospace industry of the Republic of Kazakhstan of data on execution of the actions provided by subitems 1), 2) and 3) of this Item.

4. To impose control of execution of this order on the supervising vice-minister of digital development, the defense and aerospace industry of the Republic of Kazakhstan.

5. This order becomes effective after ten calendar days after day of its first official publication.

Minister of digital development, defense and aerospace industry of the Republic of Kazakhstan

A. Zhumagaliyev

It is approved

Committee of homeland security of the Republic of Kazakhstan

"___" ____________ 2019

 

Appendix 1

to the Order of the Minister of digital development, the defense and aerospace industry of the Republic of Kazakhstan of June 3, 2019 No. 111/Tax Code

Technique of carrying out testing of objects of informatization of "the electronic government" and the information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security

Chapter 1. General provisions

1. This Technique of carrying out testing of objects of informatization of "the electronic government" and the information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security (further - the Technique) is developed in compliance with the subitem 5) of article 7-1 of the Law of the Republic of Kazakhstan of November 24, 2015 "About informatization".

2. In this Technique the following basic concepts and reducings are used:

1) the supplier - the public technical service or accredited test laboratory;

2) the public technical service – the joint-stock company created according to the decision of the Government of the Republic of Kazakhstan;

3) vulnerability - the shortcoming of the software causing possibility of violation of its working capacity, or accomplishment of any unauthorized actions bypassing the permissions established in the software;

4) the applicant - the owner or the object owner of testing, and also the physical person or legal entity authorized by the owner or the object owner of testing who submitted the request for carrying out testing of object of informatization for compliance to requirements of information security;

5) the confidential channel - means of interaction between safety features of objects of testing (further - FBO) and remote confidential product of information technologies, providing necessary degree of confidence in maintenance of security policy of objects of testing;

6) confidential route - the means of interaction between the user and FBO providing confidence in maintenance of security policy of objects of testing;

7) object of testing - object of informatization concerning which works on conformity testing to requirements of information security are carried out;

8) the circle of regular operation – the target set of the server hardware, network infrastructure, the system software used at stage of trial operation (pilot project) and intended for application at stage of commercial operation of object of informatization.

3. Carrying out testing includes:

1) analysis of source codes;

2) testing of functions of information security;

3) load testing;

4) inspection of network infrastructure;

5) inspection of processes of information security support.

Chapter 2. Analysis of source codes

4. The analysis of source codes of objects of testing is carried out for the purpose of identification of shortcomings of the software (further - software).

5. The analysis of source codes is carried out for software listed in the table of the subitem 11) of Item 5 of the questionnaire questionnaire on characteristics of object of testing of appendix 2 to Rules of carrying out testing of objects of informatization of "the electronic government" and information systems carried to crucial objects of information and communication infrastructure on compliance to requirements of information security (further - Rules).

6. If when carrying out testing need of carrying out the repeated analysis of source codes before the termination of term of testing comes to light, the applicant makes inquiry to the supplier and the supplementary agreement about carrying out the repeated analysis of source codes according to Item 26 of Rules is signed.

7. Identification of shortcomings of software is carried out with use of the software intended for the analysis of the source code based on the source codes provided by the applicant.

8. The analysis of source codes includes:

1) identification of shortcomings of software;

2) fixing of analysis results of the source code.

9. Identification of shortcomings of software is performed in the following procedure:

1) preparation of basic data (loading of source codes of objects of informatization of "the electronic government" and the information systems carried to crucial objects of information and communication infrastructure (further - OI), the choice of scanning mode is carried out (dynamic and/or static), setup of characteristics of scanning modes);

2) the software intended for identification of shortcomings of software is started;

3) the analysis of program reports on availability of false operations is carried out;

4) the report including the list of the revealed software shortcomings with indication of their description, route (way to the file) and to risk degree is created (high, average, low).

10. Amount of works is determined by the analysis of the source code by the size of the source code.

11. Analysis results of source codes are fixed by the executive in charge of this work type of the supplier, in the protocol of the analysis of source codes (any form) with application of a copy of the questionnaire questionnaire about characteristics of object of testing according to appendix 2 to Rules and the delivery-acceptance certificate of source codes of object of testing according to appendix 5 to Rules.

The protocol of the analysis of source codes with appendices and the report is stitched with end-to-end numbering of pages and sealed by seal of the supplier.

12. On the termination of the analysis of source codes, on condition of its positive result, source codes of object of testing are marked and given in sealed type on safe custody in archive of the supplier.

13. The supplier provides preserving the received source codes with respect for their confidentiality at least three years after completion of testing.

Chapter 3. Testing of functions of information security

14. Assessment of functions of objects of informatization on compliance to requirements of information security (further - testing of functions of information security) is performed for the purpose of assessment of their compliance to requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards existing in the territory of the Republic of Kazakhstan in the field of information security.

15. Testing of functions of information security includes:

1) assessment of conformity of safety features to requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and the standards existing in the territory of the Republic of Kazakhstan in the field of information security, including using software (if necessary);

2) fixing of results of testing in the report with indication of results of observation, assessment of conformity or mismatch and the recommendation about correction of the revealed discrepancies (if necessary).

16. The list of functions of information security is given in appendix 1 to the Technique.

17. Testing of functions of information security are carried out by servers and virtual resources listed in tables of the subitem 1) and the subitem 4) of Item 5 of the questionnaire questionnaire on characteristics of object of testing of appendix 2 to Rules.

18. Results of testing of functions of information security are fixed by the executive in charge of this work type of the supplier in the test report of functions of information security (any form) with application of a copy of the questionnaire questionnaire about characteristics of object of testing.

The test report of functions of information security with appendices and the report is stitched with end-to-end numbering of pages and sealed by seal of the supplier.

Chapter 4. Load testing

19. Load testing is carried out for the purpose of assessment of respect for availability, integrity and confidentiality of object of testing.

20. Load testing is carried out with use of specialized software based on automatic scripts, in the environment of regular operation of object of testing in which personal data are replaced with dummy.

21. Parameters of load testing are provided by the applicant tables of the subitem 9) and the subitem 10) of Item 5 of the questionnaire questionnaire on characteristics of object of testing of appendix 2 to Rules.

When carrying out load testing comes to light parameters of the actual output capability of object of testing.

22. Load testing is performed in the following procedure:

1) preparation for testing is carried out;

2) testing is carried out;

3) results of testing are fixed.

23. Preparation for testing includes:

1) determination of the script of testing;

2) determination of temporary and quantity characteristics of testing;

3) approval of time of carrying out testing of the customer.

24. Carrying out testing includes:

1) setup of configuration and the script of testing in specialized software;

2) start of specialized software;

3) registration of load of object of testing;

4) forming and issue of the report of load testing with indication of recommendations about increase or decrease in real handling capacity of object of testing.

25. Works on carrying out stress testing are carried out for one object of testing by quantity of options of points of connections of users and options of connection points of integration interaction of object of the testing specified in tables of the subitem 9) and the subitem 10) of Item 5 of the questionnaire questionnaire on characteristics of object of testing of appendix 2 to Rules.

26. Results of load testing are fixed by the executive in charge of this work type of the supplier in the protocol of load testing (any form) with application of a copy of the questionnaire questionnaire about characteristics of object of testing.

The protocol of load testing with appendices and the report is stitched with end-to-end numbering of pages and sealed by seal of the supplier.

Chapter 5. Inspection of network infrastructure

27. Examination of network infrastructure is conducted for the purpose of assessment of safety of network infrastructure.

28. Inspection of network infrastructure includes:

Warning!!!

This is not a full text of document! Document shown in Demo mode!

If you have active License, please Login, or get License for Full Access.

With Full access you can get: full text of document, original text of document in Russian, attachments (if exist) and see History and Statistics of your work.

Get License for Full Access Now

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info

Effectively work with search system

Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system

Get help

If you cannot find the required document, or you do not know where to begin, go to Help section.

In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.

You also may open the section Frequently asked questions. This section provides answers to questions set by users.

Search engine created by SojuzPravoInform LLC. UI/UX design by Intelliants.