Bodies of information and state security - Newspaper Kommersant No. 12 (7457) dated 01/24/2023

Bodies of information and state security - Newspaper Kommersant No. 12 (7457) dated 01/24/2023



The Federal Service for Technical Export Control (FSTEC) proposed extending the information security requirements for the public sector to commercial companies that organize the protection of government data. To do this, the regulator has prepared a draft presidential decree. Most cybersecurity market participants work for the public sector in one way or another, experts say, and if a project is adopted based on it, additional requirements may appear for these companies, which will increase the burden on business.

"Kommersant" got acquainted with the draft presidential decree, developed by the FSTEC and posted on the portal of legal acts on January 23. It establishes the rules for protecting information in Russian organizations, and also establishes the creation of a state organizational system for protecting information. The system, as conceived by the FSTEC, will consist of "bodies and organizations that perform the functions of protecting information, and the means of protection used by them." The order also establishes six categories of participants in the system, including security agencies - the FSTEC and the FSB, organizations that have the authority to certify protective equipment, and companies that provide services in the field of protecting state information.

We are not talking about all market participants, but about those who work with government information, which the document calls “information owned by the Russian Federation and its subjects,” explains Vladimir Ulyanov, head of the Zecurion analytical center: “That is, the requirements will apply to contractors to ensure the security of state information systems”. The FSTEC did not answer “Kommersant”.

The project seriously expands the range of companies that are subject to the requirements of the FSTEC, clarifies the interlocutor of Kommersant on the market: “In Russia, almost all organizations in the field of information security work either directly with the public sector or with organizations that deal with information whose ultimate owner is the state ". Also, according to him, before the requirements for certification of information security and certification of security extended only to systems that have the status of state. The decree expands the list of objects for which certification and attestation become mandatory. In addition, the source "Kommersant" adds, the list of systems in respect of which it is necessary to conduct a security analysis is expanding.

Since the outbreak of hostilities in Ukraine in 2022, Russian IT infrastructure, including the public sector, has been subjected to large-scale cyberattacks. Back in the spring, the President signed Decree No. 250 “On additional measures to ensure the information security of the Russian Federation”, which applies to enterprises with state participation (from departments to state funds), strategic enterprises, backbone organizations and critical infrastructure entities (see “Kommersant” dated May 1, 2022 ).

The FSTEC project "streamlined the current state of affairs and fixed what became objectively necessary, for example, the definition of unacceptable events for each Russian company and the responsibility of deputy heads of organizations," says one of Kommersant's interlocutors in the cybersecurity market. No less important, in his opinion, is the mandatory annual assessment of security. If the order is adopted, Vladimir Ulyanov notes, additional documents will appear on its basis that specify the requirements.

Moscow Digital School teacher Alexei Muntyan believes that the order will ensure a uniform level of protection of state-owned information, but at the same time "will increase the burden on responsible deputy heads of companies, as it will entail more reporting and approvals with the regulator." Moreover, Mr. Ulyanov believes, other obligations may appear for the organizations mentioned in the document in the future.

Tatyana Isakova



Source link