Improvement of the Regulatory Framework of Information Security for Terminal Access Devices of the State Information System
https://doi.org/10.21686/1818-4243-2020-2-73-79
Abstract
The aim of the study is to increase the effectiveness of information security management for state information systems (SIS) with terminal access devices by improving the regulatory legal acts, which should be logically interconnected, free of contradictions, and based on a single professional thesaurus that makes it possible to understand and describe information security processes consistently.
Currently, state information systems with terminal access devices are used to ensure the realization of the legitimate interests of citizens in information interaction with public authorities [1].
One type of such system is the public system [2]. These systems are designed to provide electronic services to citizens, such as paying taxes, obtaining certificates and filing applications. The personal data they process may belong to the special, biometric, publicly available and other categories [3]. Personal data of various categories, concentrated in large volumes and covering a large number of citizens, can cause significant damage if leaked, and therefore constitute an information risk.
There are several basic types of state information system architecture: systems based on the "thin client"; peer-to-peer network systems; file server systems; data processing centers; systems with remote user access; systems using different types of operating systems (a heterogeneous environment); systems using applications independent of the operating system; and systems using dedicated communication channels [4]. The diversity and heterogeneity of state information systems on the one hand, and the need for high-quality state regulation of information security in these systems on the other, call for the study and development of legal acts that take into account, first of all, the features of systems with the typical modern "thin client" architecture.
Materials and research methods. The protection of state information systems is regulated by a large number of legal acts that are constantly being amended and supplemented. At the substantive level, protection includes many stages, such as the formation of SIS requirements, the development of the security system, its implementation, and its certification. The protected information is processed in order to enforce the law and ensure the functioning of the authorities. The need to protect confidential information is established by the legislation of the Russian Federation [5, 6]. Therefore, to assess the quality of the regulatory framework for the information security of terminal access devices in state information systems, the main regulatory legal acts are analyzed, and on this basis proposals are developed, by analogy with existing documents, for improving the regulatory documents in the field of information security.
Results. The paper develops proposals for improving the regulatory framework of information security for terminal access devices of the state information system:
- for uniformity and unification, terms with corresponding definitions are justified for their establishment in the documents of the Federal Service for Technical and Export Control (FSTEC) or Rosstandart;
- rules are proposed for the formation of requirements for terminals, which should be equivalent to the requirements for computer equipment in the "Concept for the protection of computer equipment and automated systems from unauthorized access to information".
Conclusion. General recommendations on information protection in state information systems using the "thin client" architecture are proposed, specific threats that are absent from the FSTEC threat data bank are justified, and directions for further work on information security for the class of state information systems under consideration are identified. Because of the large number of stakeholders involved in the coordination and development of unified solutions, a more specific consideration of the problems and issues raised is possible only with the participation of representatives of the authorized federal executive bodies and of business.
About the Authors
V. A. Sizov
Russian Federation
D. M. Malinichev
Russian Federation
Dmitry M. Malinichev
Cand. Sci. (Engineering), Associate Professor, Associate Professor of the Department of Information Security
Moscow
V. V. Mochalov
Russian Federation
Vadim V. Mochalov
Engineer
Moscow
References
1. Bolgarskiy A.I. Information protection in state information systems. Vestnik UrFO. Bezopasnost’ v informatsionnoy sfere = Bulletin of the Urals Federal District. Security in the information field. 2011; 2: 48-50. (In Russ.)
2. Sabanov A.G., Mel’nichenko P.A. Providing secure access to mass use information systems in the provision of public services in electronic form. Vestnik Rossiyskoy tamozhennoy akademii= Bulletin of the Russian Customs Academy. 2011; 3: 73-78. (In Russ.)
3. On approval of requirements for the protection of personal data during their processing in personal data information systems: approved. Government Decree Ros. Federation of November 1, 2012 No. 1119. Rossiyskaya gazeta = Russian newspaper; N 256, 07.11.2012. (In Russ.)
4. Draft guidance document. Methodology for identifying threats to information security in information systems [Internet]. Federal’naya sluzhba po tekhnicheskomu i eksportnomu kontrolyu Rossii = Federal Service for Technical and Export Control of Russia. Available from: https://fstec.ru/component/attachments/download/812. (In Russ.)
5. On information, information technology and information protection (as amended on April 23, 2018): Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ. Rossiyskaya gazeta = Russian newspaper; N 165, 29.07.2006. (In Russ.)
6. On requirements for the procedure for the creation, development, commissioning, operation and decommissioning of state information systems and the further storage of information contained in their databases (as amended on May 11, 2017): approved by Decree of the Government of the Russian Federation of July 6, 2015 No. 676. Sobraniye zakonodatel'stva Rossiyskoy Federatsii = Collected Legislation of the Russian Federation; N 28, 13.07.2015, Art. 4241. (In Russ.)
7. On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems (as amended on March 23, 2017): approved by Order of the FSTEC of February 18, 2013 No. 21. Rossiyskaya gazeta = Russian newspaper; N 107, 22.05.2013. (In Russ.)
8. On approval of the requirements for the protection of information not constituting a state secret contained in state information systems (as amended on February 15, 2017): approved by Order of the FSTEC of February 11, 2013 No. 17. Rossiyskaya gazeta = Russian newspaper; N 136, 26.06.2013. (In Russ.)
9. Mery zashchity informatsii v gosudarstvennykh informatsionnykh sistemakh. Metodicheskiy dokument FSTEK Rossii ot 11 fevralya 2014 g = Information security measures in state information systems. Methodological document of the FSTEC of Russia dated February 11, 2014. (In Russ.)
10. Lemke Ye.A., Lubkin I.A. Creating a secure terminal system. Reshetnevskiye chteniya = Reshetnev readings. 2013; 2; 17: 306-308. (In Russ.)
11. Tishchenko Ye.N., Butsik K.A., Derevyashko V.V. A model of trusted network boot of the "thin client" with neutralization of the "internal intruder". Izvestiya YUFU. Tekhnicheskiye nauki = Izvestiya SFedU. Engineering Sciences. 2015; 5 (166): 37-47. (In Russ.)
12. Rukovodyashchiy dokument. Kontseptsiya zashchity sredstv vychislitel'noy tekhniki i avtomatizirovannykh sistem ot nesanktsionirovannogo dostupa k informatsii. Utverzhdena resheniyem Gosudarstvennoy tekhnicheskoy komissii pri Prezidente Rossiyskoy Federatsii ot 30 marta 1992 g = Guiding document. The concept of protecting computer equipment and automated systems from unauthorized access to information. Approved by decision of the State Technical Commission under the President of the Russian Federation of March 30, 1992 [Internet]. Available from: https://fstec.ru/component/attachments/download/299. (In Russ.)
13. Gatchin YU.A., Teploukhova O.A. Authentication algorithm for information interaction participants when remotely loading the operating system on a thin client. Nauchno-tekhnicheskiy vestnik informatsionnykh tekhnologiy, mekhaniki i optiki = Scientific and Technical Bulletin of Information Technologies, Mechanics and Optics. 2016; 16; 3: 497-505. (In Russ.)
14. Malinichev D.M., Yermashov A.V. Ensuring the protection of information in a company from unauthorized access using domestic information protection products. Colloquium-journal. 2019; 11-1 (35): 101-103. (In Russ.)
For citations:
Sizov V.A., Malinichev D.M., Mochalov V.V. Improvement of the Regulatory Framework of Information Security for Terminal Access Devices of the State Information System. Open Education. 2020;24(2):73-79. (In Russ.) https://doi.org/10.21686/1818-4243-2020-2-73-79