of December 20, 2016 No. 832
On approval of the single requirements in the field of information and communication technologies and information security support
In accordance with subitem 3) of article 6 of the Law of the Republic of Kazakhstan of November 24, 2015 "About informatization", the Government of the Republic of Kazakhstan DECIDES:
1. Approve the enclosed single requirements in the field of information and communication technologies and information security support (further – single requirements).
2. Recognize as invalid certain decisions of the Government of the Republic of Kazakhstan according to the appendix to this resolution.
3. This resolution becomes effective ten calendar days after the day of its first official publication.
Item 140 of the single requirements is effective until January 1, 2018.
Prime Minister of the Republic of Kazakhstan
B. Sagintayev
Approved by the Order of the Government of the Republic of Kazakhstan of December 20, 2016 No. 832
1. The single requirements in the field of information and communication technologies and information security support (further – ET) are developed in accordance with subitem 3) of article 6 of the Law of the Republic of Kazakhstan "About informatization" (further – the Law) and determine requirements in the field of information and communication technologies and information security support.
2. The provisions of ET relating to the sphere of information security support are mandatory for application by state bodies, local executive bodies, state legal entities, subjects of the quasi-public sector, owners and possessors of non-state information systems integrated with information systems of state bodies or intended for forming state electronic information resources, and also owners and possessors of crucial objects of information and communication infrastructure.
3. The provisions of ET do not extend to:
1) relations arising when the National Bank of the Republic of Kazakhstan and the organizations within its structure carry out work on the creation or development, operation of Internet resources, information systems that are not integrated with objects of the information and communication infrastructure of "the electronic government", local area networks and telecommunication networks, and also purchases of goods, works and services in the field of informatization;
2) information systems in protected execution classified as state secrets according to the legislation of the Republic of Kazakhstan on state secrets, and also telecommunication networks of special purpose and/or presidential, governmental, secret, encoded and coded communication;
3) relations arising when the authorized body for regulation, control and supervision of the financial market and financial organizations carries out work on the creation or development of information systems integrated with information systems of the National Bank of the Republic of Kazakhstan which are not integrated with objects of the information and communication infrastructure of "the electronic government";
4) the organizations in cases when execution of such provisions leads to violation of item 4 of article 50 of the Law of the Republic of Kazakhstan "About banks and banking activity in the Republic of Kazakhstan".
4. The purpose of ET is the establishment of requirements, mandatory for execution, in the field of information and communication technologies and information security support by state bodies, local government bodies, state legal entities, subjects of the quasi-public sector, owners and possessors of non-state information systems integrated with information systems of state bodies or intended for forming state electronic information resources, and also owners and possessors of crucial objects of information and communication infrastructure.
5. Tasks of ET are:
1) determination of the principles of the organization and management of informatization of state bodies for the solution of the current and strategic tasks of public administration;
2) determination of the single principles of ensuring and managing the information security of objects of informatization of "the electronic government";
3) establishment of requirements for unification of components of objects of information and communication infrastructure;
4) establishment of requirements for the structuring of information and communication infrastructure and the organization of server rooms;
5) establishment of the mandatory application of the recommendations of standards in the field of information and communication technologies and information security at all stages of the lifecycle of objects of informatization;
6) increase in the level of security of state and non-state electronic information resources, software, information systems and the information and communication infrastructure supporting them.
6. For the purposes of these ET, the following definitions are used:
1) means of cryptographic information protection (further - SKZI) - software or a hardware-software complex implementing algorithms of cryptographic transformation, generation, formation, distribution or management of encryption keys;
2) assets connected with means of information processing (further - asset) - a material or non-material object which is information or contains information or serves for the processing, storage or transfer of information and has value for the organization for the benefit of goal achievement and continuity of its activities;
3) marking of an asset connected with means of information processing - applying conventional signs, letters, digits, graphical signs or text to an asset for the purpose of its further identification (recognition) and indication of its properties and characteristics;
4) technical documentation on information security (further - IB TD) - documentation establishing the policy, rules and protective measures concerning the processes of providing IB of objects of informatization and (or) the organization;
5) threat to information security - a set of conditions and factors creating preconditions for the emergence of an information security incident;
6) monitoring of events of information security (further - monitoring of events of IB) - permanent observation of an object of informatization for the purpose of detection and identification of information security events;
7) monitoring system of information security support - organizational and technical measures aimed at monitoring the safe use of information and communication technologies;
8) operational Information Security Center - a legal entity or structural division of a legal entity performing activities for the protection of electronic information resources, information systems, telecommunication networks and other objects of informatization;
9) internal audit of information security - an objective, documented process of controlling the qualitative and quantitative characteristics of the current status of information security of objects of informatization in the organization, performed by the organization in its own interests;
10) the program robot - software of a search engine or monitoring system that, automatically and (or) according to a set schedule, browses web pages, reads and indexes their content, and follows the links found on web pages;
11) system of prevention of data leakage (DLP) - the information security product intended for prevention of leakages of electronic information resources of limited access;
12) the loaded (hot) reservation of the equipment - use of the additional (excessive) server and telecommunication hardware, the software and their maintenance in active mode for the purpose of flexible and operational increase in handling capacity, reliability and fault tolerance of information system, electronic information resource;
13) not loaded (cold) reservation of the equipment - use of the additional server and telecommunication hardware prepared for work and being in the inactive mode, the software for the purpose of operational recovery of information system or electronic information resource;
14) firewall - a hardware-software or software complex functioning in information and communication infrastructure that controls and filters network traffic according to set rules;
15) the workstation - the desktop computer as a part of local area network intended for the solution of applied tasks;
16) the system software - set of the software for ensuring operation of the computing equipment;
17) the Internet browser - the application software intended for visual display of content of Internet resources and interactive interaction with it;
18) the coded communication - secure communication with use of documents and technology of coding;
19) multifactor authentication - a method of verifying the authenticity of a user by means of a combination of different parameters, including the generation and input of passwords or authentication attributes (digital certificates, tokens, smart cards, generators of one-time passwords and means of biometric identification);
20) the cross room - the telecommunication room intended for placement of connecting, distribution points and devices;
21) application software (further - PPO) - software complex for the solution of applied task of certain class of data domain;
22) secret communication - secure communication with use of the coding equipment;
23) scalability - capability of object of informatization to provide possibility of increase in the performance in process of growth of amount of the processed information and (or) the number of at the same time working users;
24) the server center of state bodies (further - the GO server center) - a server room (data-processing center) whose owner and possessor is the operator of the information and communication infrastructure of "the electronic government", intended for placement of objects of informatization of "the electronic government";
25) journalizing of events - the process of recording data about software or hardware events occurring on an object of informatization in the event registration log;
26) vulnerability - a deficiency of an object of informatization whose use can lead to violation of the integrity and (or) confidentiality, and (or) availability of the object of informatization;
27) the proxy server - the intermediate server participating in Internet connection between computers/servers via which there is information exchange for the purpose of its protection against network attacks;
28) the server room (data-processing center) - the room intended for placement of the server, active and passive network (telecommunication) hardware and the equipment of the structured cable systems;
29) the registration certificate (further - the digital certificate) - the electronic document issued by the certification center for confirmation of conformity of the electronic digital signature to requirements established by the Law of the Republic of Kazakhstan "About the electronic document and the electronic digital signature";
30) local area network of external circuit (further - LAN of external circuit) - the local area network of the subjects of informatization determined by the authorized body, assigned to the external circuit of the telecommunication network of subjects of informatization, having a connection to the Internet, access to which for subjects of informatization is provided by telecom operators only via the single gateway of Internet access;
31) terminal system - a thin or zero client for working with applications in a terminal environment, or thin-client programs in a client-server architecture;
32) time source infrastructure - hierarchically connected server hardware that uses a network time synchronization protocol and performs the task of synchronizing the internal clocks of servers, workstations and telecommunication equipment;
33) the subjects of informatization determined by the authorized body - state bodies, their subordinated organizations and local government bodies, and also other subjects of informatization using the single transport environment of state bodies for the interaction of local (except for local area networks having Internet access), departmental and corporate networks;
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.