Document from CIS Legislation database © 2003-2025 SojuzPravoInform LLC

ORDER OF THE MINISTER OF DIGITAL DEVELOPMENT, DEFENSE AND AEROSPACE INDUSTRY OF THE REPUBLIC OF KAZAKHSTAN

of June 3, 2019 No. 111/Tax Code

About approval of technique and rules of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security

(as amended on 11-12-2025)

According to the subitem 5) of article 7-1 of the Law of the Republic of Kazakhstan "About informatization" and the subitem 52) of Item 15 of the Regulations on the Ministry of the artificial intelligence and digital development of the Republic of Kazakhstan approved by the order of the Government of the Republic of Kazakhstan of October 9, 2025 No. 846, I ORDER:

1. Approve:

1) the Technique of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security according to appendix 1 to this order;

2) Rules of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security according to appendix 2 to this order.

2. Declare invalid the order of the Minister of the defense and aerospace industry of the Republic of Kazakhstan of March 14, 2018 No. 40/Tax Code "About Approval of Technique and Rules of Carrying Out Testing of Service Software Product, Information and Communication Platform of " the Electronic Government ", Internet Resource of State Body and Information System on Compliance to Requirements of Information Security" (it is registered in the Register of state registration of regulatory legal acts for No. 16694, it is published on April 12, 2018 in Reference control bank of regulatory legal acts of the Republic of Kazakhstan).

3. To provide to committee on information security of the Ministry of digital development, defense and aerospace industry of the Republic of Kazakhstan in the procedure established by the legislation:

1) state registration of this order in the Ministry of Justice of the Republic of Kazakhstan;

2) within ten calendar days from the date of state registration of this order the direction it in the Republican state company on the right of economic maintaining "Institute of the legislation and legal information of the Republic of Kazakhstan" the Ministries of Justice of the Republic of Kazakhstan for official publication and inclusion in Reference control bank of regulatory legal acts of the Republic of Kazakhstan;

3) placement of this order on Internet resource of the Ministry of digital development, the defense and aerospace industry of the Republic of Kazakhstan after its official publication;

4) within ten working days after state registration of this order in the Ministry of Justice of the Republic of Kazakhstan submission to Legal department of the Ministry of digital development, the defense and aerospace industry of the Republic of Kazakhstan of data on execution of the actions provided by subitems 1), 2) and 3) of this Item.

4. To impose control of execution of this order on the supervising vice-minister of digital development, the defense and aerospace industry of the Republic of Kazakhstan.

5. This order becomes effective after ten calendar days after day of its first official publication.

Minister of digital development, defense and aerospace industry of the Republic of Kazakhstan

A. Zhumagaliyev

It is approved

Committee of homeland security of the Republic of Kazakhstan

"___" ____________ 2019

 

Appendix 1

to the Order of the Minister of digital development, the defense and aerospace industry of the Republic of Kazakhstan of June 3, 2019 No. 111/Tax Code

Technique of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security

Chapter 1. General provisions

1. This Technique of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security (further – the Technique) is developed according to the subitem 5) of article 7-1 of the Law of the Republic of Kazakhstan "About informatization" and the subitem 52) of Item 15 of the Regulations on the Ministry of the artificial intelligence and digital development of the Republic of Kazakhstan approved by the order of the Government of the Republic of Kazakhstan of October 9, 2025 No. 846.

2. In this Technique the following basic concepts and abbreviations are used:

1) program bookmark – a functional object covertly introduced into the software (further – ON) that provides unauthorized access to and (or) impact on an object of informatization;

2) backdoor – malicious software for obtaining unauthorized access to the software by bypassing authentication, as well as other standard security methods and technologies;

3) undeclared capabilities (further – NDV) – functionality of ON that is not reflected in the technical documentation or does not correspond to what is described there;

4) manual penetration testing – legitimate assessment of the security of objects of informatization using safe and controlled attacks, detection of vulnerabilities and attempts at their exploitation without actual damage to the activities of the applicant;

5) the supplier – the public technical service or accredited test laboratory;

6) the public technical service – the joint-stock company created according to the decision of the Government of the Republic of Kazakhstan;

7) vulnerability – a flaw of an object of informatization whose use can lead to violation of the integrity and (or) confidentiality, and (or) availability of the object of informatization;

8) the applicant – the owner or the owner of object of testing, and also the physical person or legal entity authorized by the owner or the owner of object of testing who submitted the request for carrying out testing of object of informatization for compliance to requirements of information security;

9) the confidential channel – means of interaction between functions of safety of objects of testing (further – FBO) and remote confidential product of information technologies, providing necessary degree of confidence in maintenance of security policy of objects of testing;

10) confidential route – the means of interaction between the user and FBO providing confidence in maintenance of security policy of objects of testing;

11) object of testing – object of informatization concerning which works on conformity testing to requirements of information security are carried out;

12) segment of network (subnet) of object of testing – logically allocated segment of network of object of testing;

13) functional object – an element (procedure, function, branch or other component) of ON that performs operations implementing a complete fragment of the program algorithm;

14) route of accomplishment of functional objects – the sequence of the carried-out functional objects determined by algorithm;

15) the circle of regular operation – the target set of the server hardware, network infrastructure, the system software used at stage of trial operation (pilot project) and intended for application at stage of commercial operation of object of informatization;

16) the SYNAQ Internet portal – the Internet portal of the public technical service intended for automation of process of rendering service in testing of objects of informatization the owner (owner) and (or) the customer of which is state body on compliance to requirements of information security.

3. Carrying out testing includes:

1) analysis of initial codes;

2) testing of functions of information security;

3) load testing;

4) inspection of network infrastructure;

5) inspection of processes of ensuring information security.

Chapter 2. Analysis of initial codes

4. The analysis of initial codes of objects of testing is carried out for the purpose of detection of vulnerabilities ON according to the international classifications of vulnerabilities (Common Weakness Enumeration, Open Web Application Security Project Top 10, Open Web Application Security Project Mobile Top 10, Open Web Application Security Project Application Programming Interface Top 10), the international databases of vulnerabilities (Common Vulnerabilities and Exposures, National Institute of Standards and Technology) and the standard of the Republic of Kazakhstan 15408-3 "Information technologies. Methods and safety controls. Criteria for evaluation of safety of information technologies. Part 3. Requirements to ensuring protection".

The analysis of initial codes of objects of testing, the owner (owner) and (or) the customer of which is state body is carried out for the purpose of identification of NDV and vulnerabilities ON according to the international classifications (Common Weakness Enumeration, Open Web Application Security Project Top 10, Open Web Application Security Project Mobile Top 10, Open Web Application Security Project Application Programming Interface Top 10), the international databases of vulnerabilities (Common Vulnerabilities and Exposures, National Institute of Standards and Technology) and the standard of the Republic of Kazakhstan 15408-3 "Information technologies. Methods and safety controls. Criteria for evaluation of safety of information technologies. Part 3. Requirements to ensuring protection".

5. The analysis of initial codes is carried out for ON listed in the tables of subitem 11) and subitem 12) of Item 5 of the questionnaire on characteristics of object of testing of appendix 2 to Rules of carrying out testing of objects of informatization of "the electronic government" and crucial objects of information and communication infrastructure on compliance to requirements of information security (further – Rules).

6. If when carrying out testing need of carrying out the repeated analysis of initial codes before the termination of term of testing comes to light, the applicant makes inquiry to the supplier and the supplementary agreement about carrying out the repeated analysis of initial codes according to Item 26 of Rules is signed.

7. Detection of vulnerabilities ON is carried out with use of the software intended for the analysis of the source code based on the initial codes provided by the applicant.

Detection of vulnerabilities ON objects of testing, the owner (owner) and (or) the customer of which is state body is carried out by manual method of the analysis of the source code and with use of the software intended for the analysis of the source code based on the initial codes provided by the applicant.

8. Identification of NDV ON objects of testing, the owner (owner) and (or) the customer of which is state body is carried out by manual method of the analysis of the source code with detailed viewing of the source code and carrying out search of backdoors in libraries with open source code.

9. The analysis of initial codes includes:

1) detection of vulnerabilities ON;

2) identification of NDV for objects of testing, the owner (owner) and (or) the customer of which is state body;

3) fixing of analysis results of the source code.

10. Detection of vulnerabilities ON is performed in the following procedure:
