Certification of IT Security solutions for compliance with Russian security standards
Valentin Tsirlov, Ph.D., CISSP, AMBCI

Certification of software in Russia
Testing for compliance with Russian security standards
May be guided by FSTEC, Ministry of Defense, FSB, etc.
In most cases we mean FSTEC – Federal Service for Technical and Export Control

Why is it necessary?
Certification is mandatory
• For personal data protection systems (Federal law #152)
• For systems containing state-owned information
Or it is generally recommended
• In major corporations
• In financial structures
• …

In FSTEC: what exactly is required?
Certification of the functionality
• Black box testing to ensure that it works as it should
Certification for the absence of non-declared functions (NDF)
• Testing of source code for the absence of software vulnerabilities
In most cases, both types are necessary!

Some legal issues
Certification may only be initiated (or claimed for) by a Russian legal entity
• So you need a local representative or you may use one of your local partners
The claimer for certification needs a special FSTEC license

NDF testing: it’s not that difficult!
Access to source code is necessary
• And yes, this is what everybody is worried about. But:
All tests may be performed at the developer's premises
• And under full control of your security specialists.
Code is never transferred anywhere
All reports may be reviewed by your security specialists before they are taken away.

Who takes part in the certification process?
• Developer
• Claimer
• Certification laboratory
• Certification authority
• FSTEC

OK, what should we do?
• Choose a claimer
• Choose a certification laboratory
• Provide access to source code
• Help in functional testing
• Translate documentation into Russian
Laboratory will do the rest!

So, the certification laboratory is an entry point
It will actually perform all tests
• So choose a reliable one
It should help you to organize the whole process
It should be able to help you with finding a claimer, obtaining corresponding licenses, etc.

How to choose a laboratory?
It must have all necessary licenses and accreditations
It should have enough experts to perform all tests in parallel
It will help a lot if it has experience in certification of foreign products
And the best laboratories are always those that are accredited to act as certification authorities as well

So why should you probably choose Echelon?
The biggest and most experienced laboratory in Russia: 300 successful projects
Lots of satisfied international customers: Symantec, McAfee, IBM, SAP AG, Trend Micro, ESET, Huawei, Siemens, OpenText
And not least – our experts speak English!