FSTEC Details Security Measures: Draft Methodology Document on Information Protection

The Federal Service for Technical and Export Control (hereinafter referred to as the "FSTEC") has prepared a draft methodological document "Activities and measures to protect information contained in Information Systems" (hereinafter referred to as the "Draft Methodological Document").

The Draft Methodological Document sets out the basic requirements within the framework of FSTEC Order No. 117 dated 11.04.2025 "On Approval of Requirements for the Protection of Information Contained in State Information Systems, Other Information Systems of State Bodies, State Unitary Enterprises, and State Institutions". Among other things, it describes the general approaches to, and the composition and content of, activities and measures for protecting information contained in the information systems, automated control systems, and information and telecommunications networks of bodies and organizations that operate information and telecommunications infrastructure.

In addition, the Draft Methodological Document details the activities that a body or organization must carry out to achieve the goals of information protection and to ensure the security of significant objects of critical information infrastructure, and defines the content of the information protection (security) measures to be taken in information systems and in significant objects of critical information infrastructure.

As stated in the text of the Draft Methodological Document, it should be applied in the course of:

  • organization of information protection activities in the body or organization, creation of a system for protecting the information of the body or organization and its management;

  • creation of information systems, operation of such information systems and maintenance of the necessary level of security;

  • assessment of the effectiveness of information security activities and management of the information security system of the body or organization;

  • certification of information systems for compliance with information security requirements, and other forms of assessing whether information systems comply with those requirements and whether the information protection measures taken are adequate.

The document also sets out the factors that affect the protection of information contained in information systems and the principles for building such systems. These principles include:

  • differentiation of protected information resources by significance level, depending on their impact on the protection goals, with access granted only after a check of the access level of the requesting subject;

  • granting the minimum access rights appropriate to the significance level of the information resource (least privilege);

  • minimizing the interfaces of the information system that are exposed to access subjects to those required by the system's functions;

  • segmentation (micro-segmentation) of information systems according to the significance levels of the protected information resources, with access to each segment controlled on the basis of the subject's access level;

  • logging and analysis of subjects' actions when they access segments of the information system and its information resources.
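The principles above describe a classic reference-monitor pattern: resources carry a significance level and sit in a segment, subjects carry a checked access level, rights are granted minimally, and every decision is logged so it can be analysed afterwards. The following is an added illustration written for this page, not code from FSTEC or from the Draft Methodological Document. The three-step level scale, the segment and subject names, the sample requests and the denial threshold are all assumptions made for the example; the draft does not prescribe them.

```python
"""Minimal reference monitor illustrating the listed principles:
significance levels, least privilege, segmentation and audit logging.
All names, levels and requests below are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    """Assumed three-step scale; the draft does not fix the number of levels."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str          # segment of the information system the resource lives in
    significance: Level   # significance level of the protected resource


@dataclass(frozen=True)
class Subject:
    name: str
    access_level: Level        # result of the subject's access-level check
    segments: FrozenSet[str]   # segments the subject is allowed to reach
    rights: FrozenSet[str]     # minimum rights needed for the subject's role


@dataclass(frozen=True)
class AuditEntry:
    subject: str
    resource: str
    action: str
    allowed: bool
    reason: str


class ReferenceMonitor:
    def __init__(self, resources: List[Resource], subjects: List[Subject]) -> None:
        self.resources = {r.name: r for r in resources}
        self.subjects = {s.name: s for s in subjects}
        self.log: List[AuditEntry] = []   # every decision is registered here

    def check(self, subject_name: str, resource_name: str, action: str) -> Tuple[bool, str]:
        """Decide one access request; checks are ordered segment -> level -> right."""
        subject = self.subjects.get(subject_name)
        resource = self.resources.get(resource_name)
        if subject is None or resource is None:
            allowed, reason = False, "unknown subject or resource"
        elif resource.segment not in subject.segments:
            allowed, reason = False, "segment not reachable"            # segmentation
        elif subject.access_level < resource.significance:
            allowed, reason = False, "access level below significance"  # level check
        elif action not in subject.rights:
            allowed, reason = False, "right not granted"                # least privilege
        else:
            allowed, reason = True, "ok"
        self.log.append(AuditEntry(subject_name, resource_name, action, allowed, reason))
        return allowed, reason

    def denials_by_subject(self) -> Dict[str, int]:
        """Analysis step: count denied attempts per subject from the log."""
        counts: Dict[str, int] = {}
        for entry in self.log:
            if not entry.allowed:
                counts[entry.subject] = counts.get(entry.subject, 0) + 1
        return counts

    def suspicious_subjects(self, threshold: int = 2) -> List[str]:
        """Subjects whose denied attempts reach the (assumed) threshold."""
        return sorted(s for s, n in self.denials_by_subject().items() if n >= threshold)


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed sample data; hypothetical segments, resources and roles."""
    resources = [
        Resource("hr-db", "hr", Level.HIGH),
        Resource("intranet-wiki", "office", Level.MEDIUM),
        Resource("public-site", "dmz", Level.LOW),
    ]
    subjects = [
        Subject("clerk", Level.MEDIUM, frozenset({"office"}), frozenset({"read"})),
        Subject("contractor", Level.LOW, frozenset({"office"}), frozenset({"read"})),
        Subject("hr-admin", Level.HIGH, frozenset({"hr", "office"}), frozenset({"read", "write"})),
        Subject("web-admin", Level.LOW, frozenset({"dmz"}), frozenset({"read", "write"})),
    ]
    return ReferenceMonitor(resources, subjects)


if __name__ == "__main__":
    monitor = build_demo_monitor()
    for request in [("clerk", "intranet-wiki", "read"), ("clerk", "intranet-wiki", "write"),
                    ("clerk", "hr-db", "read"), ("contractor", "intranet-wiki", "read"),
                    ("hr-admin", "hr-db", "write"), ("web-admin", "hr-db", "read")]:
        print(request, monitor.check(*request))
    print("denials:", monitor.denials_by_subject())
    print("suspicious:", monitor.suspicious_subjects())
```

The order of the checks matters: a subject outside a segment is refused before the level comparison runs, so the log shows the coarser segmentation boundary as the reason and does not reveal whether the subject's level would otherwise have sufficed. The `suspicious_subjects` step is the "analysis" half of the last principle in its simplest form, a denial count per subject over the registered decisions.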