Order of the Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan of June 3, 2019 No. 111/НҚ
On approval of the Methodology and Rules for testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements
In accordance with subitem 5) of Article 7-1 of the Law of the Republic of Kazakhstan of November 24, 2015 "On Informatization" and subitem 1) of Article 10 of the Law of the Republic of Kazakhstan of April 15, 2013 "On State Services", I HEREBY ORDER:
1. To approve:
1) the Methodology for testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements, according to Appendix 1 to this Order;
2) the Rules for testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements, according to Appendix 2 to this Order.
2. To declare invalid the Order of the Minister of Defense and Aerospace Industry of the Republic of Kazakhstan of March 14, 2018 No. 40/НҚ "On Approval of the Methodology and Rules for Testing Service Software Products, the Information and Communication Platform of "Electronic Government", Internet Resources of State Bodies and Information Systems for Compliance with Information Security Requirements" (registered in the Register of State Registration of Regulatory Legal Acts under No. 16694, published on April 12, 2018 in the Reference Control Bank of Regulatory Legal Acts of the Republic of Kazakhstan).
3. The Information Security Committee of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan shall, in the manner established by legislation, ensure:
1) state registration of this Order with the Ministry of Justice of the Republic of Kazakhstan;
2) within ten calendar days from the date of state registration of this Order, its submission to the Republican State Enterprise on the Right of Economic Management "Institute of Legislation and Legal Information of the Republic of Kazakhstan" of the Ministry of Justice of the Republic of Kazakhstan for official publication and inclusion in the Reference Control Bank of Regulatory Legal Acts of the Republic of Kazakhstan;
3) placement of this Order on the Internet resource of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan after its official publication;
4) within ten working days after state registration of this Order with the Ministry of Justice of the Republic of Kazakhstan, submission to the Legal Department of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan of information on the implementation of the measures provided for in subitems 1), 2) and 3) of this item.
4. Control over the execution of this Order is assigned to the supervising Vice Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan.
5. This Order enters into force ten calendar days after the day of its first official publication.
Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan
A. Zhumagaliyev
Agreed: National Security Committee of the Republic of Kazakhstan, "___" ____________ 2019
Appendix 1
to the Order of the Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan of June 3, 2019 No. 111/НҚ
1. This Methodology for testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements (hereinafter – the Methodology) has been developed in accordance with subitem 5) of Article 7-1 of the Law of the Republic of Kazakhstan "On Informatization".
2. The following basic concepts and abbreviations are used in this Methodology:
1) supplier – the State Technical Service or an accredited testing laboratory;
2) State Technical Service – the joint-stock company established by decision of the Government of the Republic of Kazakhstan;
3) vulnerability – a defect in software that makes it possible to disrupt its operability or to perform unauthorized actions bypassing the permissions established in the software;
4) applicant – the owner or possessor of the object of testing, or an individual or legal entity authorized by the owner or possessor of the object of testing, who has submitted an application for testing an informatization object for compliance with information security requirements;
5) trusted channel – a means of interaction between the security functions of the object of testing (hereinafter – FBO) and a remote trusted IT product that provides the necessary degree of confidence that the security policy of the object of testing is maintained;
6) trusted path – a means of interaction between the user and the FBO that provides confidence that the security policy of the object of testing is maintained;
7) object of testing – the informatization object in respect of which conformity testing against information security requirements is carried out;
8) network segment (subnet) of the object of testing – a logically separated network segment of the object of testing;
9) production operation circuit – the target set of server hardware, network infrastructure and system software used at the trial operation (pilot project) stage and intended for use at the commercial operation stage of the informatization object;
10) SYNAQ Internet portal – the Internet portal of the State Technical Service intended to automate the provision of the service of testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements.
3. Testing includes:
1) source code analysis;
2) testing of information security functions;
3) load testing;
4) survey of the network infrastructure;
5) survey of information security management processes.
4. Source code analysis of the object of testing is carried out to identify defects in the software (hereinafter – software).
5. Source code analysis is carried out for the software listed in the table in subitem 11) of item 5 of the questionnaire on the characteristics of the object of testing in Appendix 2 to the Rules for testing informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities for compliance with information security requirements (hereinafter – the Rules).
6. If, during testing, a need for repeated source code analysis is identified before the end of the testing period, the applicant submits a request to the supplier and a supplementary agreement on repeated source code analysis is concluded in accordance with item 26 of the Rules.
7. Software defects are identified using software tools intended for source code analysis, on the basis of the source codes provided by the applicant.
8. Source code analysis includes:
1) identification of software defects;
2) recording of the source code analysis results.
9. Software defects are identified in the following order:
1) input data are prepared (the source codes of the informatization objects of "electronic government" and information systems classified as critical information and communication infrastructure facilities (hereinafter – OI) are loaded, the scanning mode is selected (dynamic and/or static) and the parameters of the scanning modes are configured);
2) the software tool intended for identifying software defects is run;
3) the tool's reports are analysed for false positives;
4) a report is produced containing the list of identified software defects with their description, path (location of the file) and risk level (high, medium, low).
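The steps in item 9 amount to a triage pipeline: raw scanner output in, confirmed false positives filtered out, and a report listing each remaining defect with its description, file path and risk level. The following script is an added illustration of that pipeline and is not part of the Order or of any tool it names. It assumes the scanner emits SARIF 2.1.0 (an OASIS interchange format many static analysers support), that SARIF levels map to the Methodology's risk levels as error → high, warning → medium, note → low, and that reviewers keep a suppression list keyed by rule, file and line; the scanner output and the suppression entry are constructed sample data.

```python
"""
Triage of a SAST result file into the report structure of item 9 of the
Methodology: each retained finding with description, path and risk level
(high/medium/low), after reviewer-confirmed false positives are removed.

Added example, not part of the Order. Assumptions (not in the source):
  - the scanner emits SARIF 2.1.0;
  - SARIF levels map to risk as error -> high, warning -> medium, note -> low;
  - false positives live in a reviewer-maintained list keyed by
    (ruleId, file, line), each with a justification.
"""
import json
from collections import Counter

SARIF_LEVEL_TO_RISK = {"error": "high", "warning": "medium", "note": "low"}

# Constructed sample scanner output (SARIF 2.1.0); not a real scan result.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Query concatenates request parameter 'id'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/api/users.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "HARDCODED-SECRET", "level": "warning",
             "message": {"text": "String literal assigned to variable 'password'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/conf.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "WEAK-HASH", "level": "note",
             "message": {"text": "hashlib.md5 applied to a password field"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth/legacy.py"},
                 "region": {"startLine": 118}}}]},
        ],
    }],
})

# Constructed reviewer suppression list: the "secret" in a test fixture is a
# dummy value, so that finding is a confirmed false positive.
SUPPRESSIONS = {
    ("HARDCODED-SECRET", "tests/fixtures/conf.py", 7):
        "dummy fixture value, not a real credential",
}


def parse_sarif(text):
    """Flatten a SARIF document into one record per result location."""
    doc = json.loads(text)
    records = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                records.append({
                    "rule_id": result.get("ruleId", "unknown"),
                    "path": phys.get("artifactLocation", {}).get("uri", "?"),
                    "line": phys.get("region", {}).get("startLine"),
                    # SARIF's default level when omitted is "warning".
                    "level": result.get("level", "warning"),
                    "message": result.get("message", {}).get("text", ""),
                })
    return records


def triage(records, suppressions):
    """Drop suppressed findings, map levels to risk, order high -> low."""
    order = {"high": 0, "medium": 1, "low": 2}
    kept, dropped = [], []
    for r in records:
        key = (r["rule_id"], r["path"], r["line"])
        if key in suppressions:
            dropped.append({**r, "reason": suppressions[key]})
            continue
        kept.append({**r, "risk": SARIF_LEVEL_TO_RISK.get(r["level"], "medium")})
    kept.sort(key=lambda r: (order[r["risk"]], r["path"], r["line"] or 0))
    return kept, dropped


def build_report(sarif_text, suppressions):
    """Produce the item-9 report: description, path and risk per defect,
    plus the suppressed findings with their justification for audit."""
    kept, dropped = triage(parse_sarif(sarif_text), suppressions)
    return {
        "findings": [{"description": f"{r['rule_id']}: {r['message']}",
                      "path": f"{r['path']}:{r['line']}",
                      "risk": r["risk"]} for r in kept],
        "suppressed": [{"path": f"{r['path']}:{r['line']}",
                        "reason": r["reason"]} for r in dropped],
        "summary": dict(Counter(r["risk"] for r in kept)),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_SARIF, SUPPRESSIONS)
    for f in report["findings"]:
        print(f"[{f['risk'].upper():6}] {f['path']}  {f['description']}")
    print("summary:", report["summary"], "| suppressed:", len(report["suppressed"]))
```

Keeping the suppressed findings in the report alongside their justification, rather than silently deleting them, is what lets the protocol under item 11 show that step 3 (false-positive review) was actually performed and by what reasoning.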
10. The scope of source code analysis work is determined by the size of the source code.
11. The results of source code analysis are recorded by the supplier's responsible executor for this type of work in a source code analysis protocol (in free form), to which a copy of the questionnaire on the characteristics of the object of testing under Appendix 2 to the Rules and the certificate of acceptance and transfer of the source codes of the object of testing under Appendix 5 to the Rules are attached.
The source code analysis protocol with attachments and the report issued:
1) by an accredited laboratory, are bound with continuous page numbering and sealed (if a seal is available);
2) by the State Technical Service, are placed in electronic form in the applicant's personal account on the SYNAQ Internet portal.
12. On completion of source code analysis, provided its result is positive, the source codes of the object of testing are labelled and deposited in sealed form for safekeeping in the supplier's archive.
13. The supplier retains the received source codes, maintaining their confidentiality, for at least three years after completion of testing.
14. Assessment of the functions of informatization objects for compliance with information security requirements (hereinafter – testing of information security functions) is carried out to assess their compliance with the requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards in force in the territory of the Republic of Kazakhstan in the field of information security.
15. Testing of information security functions includes:
1) assessment of the conformity of the security functions to the requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards in force in the territory of the Republic of Kazakhstan in the field of information security, including with the use of software tools (where necessary);
2) recording of the test results in a report, indicating the observations made, the conformity or non-conformity assessment and recommendations for correcting the identified non-conformities (where necessary).
16. The list of information security functions is given in Appendix 1 to the Methodology.
17. Testing of information security functions is carried out on the servers and virtual resources listed in the tables in subitem 1) and subitem 4) of item 5 of the questionnaire on the characteristics of the object of testing in Appendix 2 to the Rules.
18. The results of testing of information security functions are recorded by the supplier's responsible executor for this type of work in a test report on information security functions (in free form), to which a copy of the questionnaire on the characteristics of the object of testing is attached.
The test report on information security functions with attachments and the report issued:
1) by an accredited laboratory, are bound with continuous page numbering and sealed (if a seal is available);
2) by the State Technical Service, are placed in electronic form in the applicant's personal account on the SYNAQ Internet portal.
The results of software scanning for available updates and of configuration analysis are included in the test report on information security functions.
The results of software scanning for compliance with information security standards are not included in the test report on information security functions; they are placed in the applicant's personal account on the SYNAQ Internet portal and are advisory in nature.
19. Load testing is carried out to assess whether the availability, integrity and confidentiality of the object of testing are maintained under load.
20. Load testing is carried out using specialized software driven by automated scripts, in the production operation circuit of the object of testing, in which personal data have been replaced with dummy data.
21. The load testing parameters are provided by the applicant in the tables in subitem 9) and subitem 10) of item 5 of the questionnaire on the characteristics of the object of testing in Appendix 2 to the Rules.
Load testing establishes the actual throughput parameters of the object of testing.
22. Load testing is performed in the following order:
1) preparation for testing;
2) conduct of testing;
3) recording of the test results.
Note: this text is an unofficial machine translation and is not a legally valid document.