Document from CIS Legislation database © 2003-2024 SojuzPravoInform LLC

ORDER OF THE MINISTER OF DIGITAL DEVELOPMENT, DEFENSE AND AEROSPACE INDUSTRY OF THE REPUBLIC OF KAZAKHSTAN

of June 3, 2019 No. 111/Tax Code

On approval of the Methodology and Rules for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements

(as amended on 30-04-2024)

In accordance with subparagraph 5) of Article 7-1 of the Law of the Republic of Kazakhstan "On Informatization", I HEREBY ORDER:

1. To approve:

1) the Methodology for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements, in accordance with Appendix 1 to this order;

2) the Rules for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements, in accordance with Appendix 2 to this order.

2. To recognize as invalid the order of the Minister of Defense and Aerospace Industry of the Republic of Kazakhstan of March 14, 2018 No. 40/Tax Code "On Approval of the Methodology and Rules for Testing Service Software Products, the Information and Communication Platform of "Electronic Government", Internet Resources of State Bodies and Information Systems for Compliance with Information Security Requirements" (registered in the Register of State Registration of Regulatory Legal Acts under No. 16694, published on April 12, 2018 in the Reference Control Bank of Regulatory Legal Acts of the Republic of Kazakhstan).

3. The Information Security Committee of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan shall, in the procedure established by legislation, ensure:

1) state registration of this order with the Ministry of Justice of the Republic of Kazakhstan;

2) within ten calendar days from the date of state registration of this order, sending it to the Republican State Enterprise on the Right of Economic Management "Institute of Legislation and Legal Information of the Republic of Kazakhstan" of the Ministry of Justice of the Republic of Kazakhstan for official publication and inclusion in the Reference Control Bank of Regulatory Legal Acts of the Republic of Kazakhstan;

3) placement of this order on the Internet resource of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan after its official publication;

4) within ten working days after state registration of this order with the Ministry of Justice of the Republic of Kazakhstan, submission to the Legal Department of the Ministry of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan of information on the execution of the measures provided for in subparagraphs 1), 2) and 3) of this paragraph.

4. Control over the execution of this order shall be assigned to the supervising Vice Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan.

5. This order enters into force ten calendar days after the day of its first official publication.

Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan

A. Zhumagaliyev

Approved by

National Security Committee of the Republic of Kazakhstan

"___" ____________ 2019

 

Appendix 1

to the Order of the Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan of June 3, 2019 No. 111/Tax Code

Methodology for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements

Chapter 1. General provisions

1. This Methodology for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements (hereinafter – the Methodology) has been developed in accordance with subparagraph 5) of Article 7-1 of the Law of the Republic of Kazakhstan "On Informatization".

2. The following basic concepts and abbreviations are used in this Methodology:

1) software implant (program bookmark) – a functional object covertly introduced into software (hereinafter – software) that provides unauthorized access to and/or unauthorized impact on an informatization object;

2) backdoor – malicious software for obtaining unauthorized access to software by bypassing authentication and other standard security methods and technologies;

3) undeclared capabilities (hereinafter – NDV) – software functionality that is not reflected in, or does not correspond to what is described in, the technical documentation;

4) manual penetration testing – a legitimate assessment of the security of informatization objects using safe and controlled attacks, detection of vulnerabilities and attempts to exploit them without causing actual damage to the applicant's activities;

5) supplier – the State Technical Service or an accredited testing laboratory;

6) State Technical Service – the joint-stock company established by decision of the Government of the Republic of Kazakhstan;

7) vulnerability – a flaw in an informatization object whose use may lead to a violation of the integrity and/or confidentiality and/or availability of the informatization object;

8) applicant – the owner or possessor of the testing object, or a natural or legal person authorized by the owner or possessor of the testing object, who has submitted an application for testing of an informatization object for compliance with information security requirements;

9) trusted channel – a means of interaction between the security functions of the testing object (hereinafter – FBO) and a remote trusted information technology product that provides the necessary degree of confidence in maintaining the security policy of the testing object;

10) trusted path – a means of interaction between the user and the FBO that provides confidence in maintaining the security policy of the testing object;

11) testing object – an informatization object in respect of which work on testing for compliance with information security requirements is carried out;

12) network segment (subnet) of the testing object – a logically separated network segment of the testing object;

13) functional object – a software element (procedure, function, branch or other component) that performs operations implementing a complete fragment of the program algorithm;

14) execution route of functional objects – the sequence of executed functional objects determined by the algorithm;

15) production circuit – the target set of server hardware, network infrastructure and system software used at the trial operation (pilot project) stage and intended for use at the commercial operation stage of the informatization object;

16) SYNAQ Internet portal – the Internet portal of the State Technical Service intended for automating the provision of the service of testing informatization objects whose owner (possessor) and/or customer is a state body for compliance with information security requirements.

3. Testing includes:

1) source code analysis;

2) testing of information security functions;

3) load testing;

4) inspection of the network infrastructure;

5) inspection of information security support processes.

Chapter 2. Analysis of source codes

4. Source code analysis of testing objects is carried out to detect software vulnerabilities.

For testing objects whose owner (possessor) and/or customer is a state body, source code analysis is carried out to identify NDV and software vulnerabilities.

5. Source code analysis is carried out for the software listed in the tables of subparagraphs 11) and 12) of paragraph 5 of the questionnaire on the characteristics of the testing object in Appendix 2 to the Rules for testing "electronic government" informatization objects and critically important information and communication infrastructure objects for compliance with information security requirements (hereinafter – the Rules).

6. If during testing a need for repeated source code analysis is identified before the end of the testing period, the applicant sends a request to the supplier, and a supplementary agreement on repeated source code analysis is concluded in accordance with paragraph 26 of the Rules.

7. Software flaws are identified using software intended for source code analysis, on the basis of the source code provided by the applicant.

For testing objects whose owner (possessor) and/or customer is a state body, software flaws are identified both by manual source code analysis and using software intended for source code analysis, on the basis of the source code provided by the applicant.

8. NDV in the software of testing objects whose owner (possessor) and/or customer is a state body are identified by manual source code analysis, with detailed review of the source code and a search for backdoors in the open-source libraries used.

9. Source code analysis includes:

1) detection of software vulnerabilities;

2) identification of NDV, for testing objects whose owner (possessor) and/or customer is a state body;

3) recording of the source code analysis results.

10. Software vulnerabilities are detected in the following order:

1) preparation of input data (loading of the source code of "electronic government" informatization objects and critically important information and communication infrastructure objects, selection of the scanning mode (dynamic and/or static), and configuration of the scanning mode parameters);

2) for testing objects whose owner (possessor) and/or customer is a state body: manual source code analysis and preparation of input data (loading of the source code of the testing object), selection of the scanning mode (static, dependency analysis and/or dynamic), and configuration of the scanning mode parameters;

3) launch of the software intended for detecting software vulnerabilities;

4) analysis of the tool reports for false positives;

5) preparation of a report containing the list of detected software vulnerabilities, with a description of each, its location (path to the file) and its risk level (high, medium, low).
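The following is an added illustration of the five-step procedure in paragraph 10, not code from the Methodology or from the State Technical Service. It loads a constructed set of source files, runs a small rule-based static scan (step 3), marks false positives (step 4) using two constructed triage criteria (test code and a reviewer's "scanner:ignore" note), and produces the report rows of step 5: description, file path and risk level. The rules, sample files, rule identifiers and severities are all assumptions made for this example; a real analyzer would use language-aware parsing rather than regular expressions.

```python
# Added illustration of the paragraph 10 procedure: prepare inputs, run a
# static scan, triage false positives and report each confirmed finding with
# description, file path and risk level (high, medium, low). Written for this
# page; rules, sample files and severities are constructed, not the tooling
# the Methodology prescribes.
import re
from dataclasses import dataclass

# Step 1: constructed "source code of the testing object", path -> contents.
SAMPLE_SOURCES = {
    "app/db.py": (
        "def find_user(conn, name):\n"
        "    return conn.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n"
    ),
    "app/config.py": 'API_KEY = "AKIA-EXAMPLE-CONSTRUCTED"\n',
    "app/util.py": (
        "def run(expr):\n"
        "    return eval(expr)  # scanner:ignore reviewed, expr is a literal\n"
    ),
    "tests/test_db.py": 'PASSWORD = "dummy-test-password"\n',
}

@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    description: str
    risk: str  # "high", "medium" or "low"

# Constructed detection rules (hypothetical identifiers and severities).
RULES = [
    Rule("SQLI-001", re.compile(r"execute\(.*['\"]\s*\+"),
         "SQL query built by string concatenation", "high"),
    Rule("EVAL-001", re.compile(r"\beval\("),
         "use of eval() on runtime data", "high"),
    Rule("SECRET-001", re.compile(r"(?i)(api_key|password)\s*=\s*['\"]"),
         "hard-coded credential", "medium"),
]

@dataclass
class Finding:
    rule_id: str
    description: str
    path: str
    line: int
    risk: str
    false_positive: bool = False

def scan(sources, rules=RULES):
    """Step 3: run every rule over every line of every loaded file."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule in rules:
                if rule.pattern.search(line):
                    findings.append(Finding(rule.rule_id, rule.description,
                                            path, lineno, rule.risk))
    return findings

def triage(findings, sources):
    """Step 4: mark false positives. Constructed criteria: findings in test
    code, and lines carrying a reviewer's 'scanner:ignore' note."""
    for f in findings:
        line = sources[f.path].splitlines()[f.line - 1]
        if f.path.startswith("tests/") or "scanner:ignore" in line:
            f.false_positive = True
    return findings

def report(findings):
    """Step 5: confirmed findings only, highest risk first, each with
    description, path (file:line) and risk level."""
    order = {"high": 0, "medium": 1, "low": 2}
    confirmed = [f for f in findings if not f.false_positive]
    confirmed.sort(key=lambda f: (order[f.risk], f.path, f.line))
    return [{"rule": f.rule_id, "description": f.description,
             "path": f"{f.path}:{f.line}", "risk": f.risk} for f in confirmed]

def run_analysis(sources=SAMPLE_SOURCES):
    """Steps 1 to 5 end to end; returns the report rows."""
    return report(triage(scan(sources), sources))

if __name__ == "__main__":
    for row in run_analysis():
        print(f"[{row['risk'].upper():6}] {row['rule']}: "
              f"{row['description']} ({row['path']})")
```

Running the block prints two confirmed findings (the concatenated SQL query and the hard-coded key); the eval() call and the test-only password are retained in the raw findings but flagged as false positives, which is the record step 4 of the procedure asks for before the step 5 report is drawn up.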

11. NDV are identified in the following order:

1) analysis of the technical documentation on the testing object, including the terms of reference for the creation (development) of the informatization object, with respect to data on its purpose, scope, applied methods, class of tasks solved, restrictions on use, minimum hardware configuration, operating environment and operating procedure;

2) manual source code analysis of the testing object:

study of the modular and logical structure of the software and of its individual modules, and comparison of these structures with those given in the technical documentation;

study of the execution route of functional objects and verification of the data processed;
