Order No. 106 of December 20, 2010
About approval of Technical Regulations
Based on the Law on Technical Regulation No. 420-XVI of 22.12.2006, in pursuance of the Order of the Government "About Some Measures for Implementation of the National Strategy for Creation of the Information Society "Electronic Moldova" in 2007" No. 606 of 01.06.2007, and also the Order of the Government "About Approval of the Distribution of the Fund for Implementation of the National Program for Development of Technical Regulations" No. 564 of 21.05.2007, I ORDER:
1. To approve the following technical regulations:
a) "Ensuring information security of the information infrastructure of bodies of public power. Technical requirements", according to Appendix No. 1;
b) "Ensuring information security of databases in the provision of electronic public services. Technical requirements", according to Appendix No. 2.
2. The technical regulations mentioned in Item 1 shall enter into force within three months from the date of publication in "Monitorul Oficial al Republicii Moldova".
3. Control over the implementation of this order is assigned to the Department of Technical Regulation and Standardization.
Minister of Information Technologies and Communications
Aleksandra Oleynik
Appendix No. 1
to the Order No. 106 of December 20, 2010
Technical requirements
Access to official information and the provision of electronic public services to citizens and the business community are performed on the basis of databases (DB) located in bodies of public power. This requires ensuring the information security of DB so that bodies of public power function effectively and reliably and can exchange information with citizens and the business community in the course of providing public services.
The purpose of these regulations is to determine the procedure for ensuring the information security of the DB that provide and support the functioning of bodies of public power.
These regulations establish approaches and requirements for ensuring the information security of the DB of bodies of public power. This document also establishes requirements for carrying out a risk analysis connected with DB, taking into account the main potential threats to and vulnerabilities of DB in the course of providing public services.
These regulations extend to all types of DB of bodies of public power that support the provision of public services, irrespective of the nature of the stored information, the method of data storage or the data structure.
These regulations are developed on the basis of the following legislative and regulatory acts of the Republic of Moldova:
- Law "About Trade Secret" No. 171-XIII of 6.07.1994;
- Law "About Information Access" No. 982-XIV of 11.05.2000;
- Law "About Informatization and the State Information Resources" No. 467-XV of 21.11.2003;
- Law "About Technical Regulation" No. 420-XVI of 22.12.2006;
- Law "About Personal Data Protection" No. 17-XVI of 15.02.2007;
- Law "About Registers" No. 71-XVI of 22.03.2007;
- Law "About Electronic Communications" No. 241-XVI of 15.11.2007;
- Law "About the State Secret" No. 245-XVI of 27.11.2008.
In these regulations the following terms are used:
Foreign key - a key element of a subordinate table whose value matches the value of the primary key of the main table.
Primary key - the main key element that unambiguously identifies a row in a table.
Database backup - the means of restoring a database after a system failure.
Database administration - management of a database, including the set of actions that ensure the accuracy, consistency, completeness, protection and availability of data in the necessary form, in the right place and at the right time.
Database object - a database element that has certain properties and reacts in a defined way to certain external events.
Owner of database objects - the subject that exercises ownership and use of the specified objects and has full powers over the object.
Database recovery - returning a database to the state that existed shortly before its failure.
Database management system (DBMS) - a set of software intended for organizing and maintaining a database: creating the structure of a new database, filling it with content, editing the content and visualizing information.
DB are an important component of the information infrastructure of bodies of public power, by means of which the functions of processing, storing and manipulating information are performed. Since DB contain valuable information, it is necessary to ensure the information security of DB, that is their confidentiality, integrity and availability.
Ensuring the information security of DB shall be directed at achieving the following purposes:
- protection of the valuable information contained in DB against disclosure, loss, leakage, distortion and destruction, proceeding from confidentiality, integrity and availability;
- protection of the structure of DB against violation and unauthorized change;
- ensuring observability, so that the information security system can record any activities of users and processes connected with DB transactions, as well as any use of passive objects for the purpose of fraud;
- ensuring anonymity and verifiability (the possibility of checking the correct use of information and the effectiveness of DB security measures).
To effectively achieve the objectives of ensuring the information security of DB, the following tasks shall be carried out:
- identification and forecasting of the sources of threats, vulnerabilities and corresponding risks arising as a result of changes in the information and control environment;
- assessment of the information security risks of DB;
- forming a single DB security policy and plan and developing the mechanisms for implementing it;
- mutual coordination of the measures for ensuring the information security of DB;
- use of hardware and software that conform to the DB security requirements;
- implementation of a process for managing incidents connected with violations of the information security of databases;
- ensuring awareness of DB security violations and implementation of agreed measures for mitigating the consequences of a security violation;
- implementation of measures and security controls corresponding to the levels of the identified risks and threats.
Ensuring information security of DB shall be based on the principles considered in the following Technical regulations:
- "Provision of electronic public services. Technical requirements" Item 4.6 Process of Management of Information Security;
- "Ensuring information security by provision of electronic public services. Technical requirements" Item 4.3 Principles of ensuring information security.
The following approaches shall be applied to achieve the goal of ensuring the information security of DB:
- the process approach to ensuring information security;
- the system approach to ensuring information security;
- the structuring approach to ensuring information security;
- the discretionary (selective) and mandatory (obligatory) approaches to ensuring information security.
Application of the specified approaches to ensuring the information security of DB shall provide the following results:
- confidentiality, completeness and accuracy of the data contained in DB;
- confirmation that transactions are executed precisely and documented;
- adequate audit logs of transactions and access;
- the required level of security of services for DB users;
- effective recording and analysis of detected attacks on DB, as well as their prevention.
The concept of the process approach is considered in the technical regulation "Ensuring information security by provision of electronic public services. Technical requirements". Requirements for ensuring the information security of DB within the process approach are determined in Section 5.
1) System approach to ensuring information security of databases
The system approach shall be applied to ensuring the information security of DB; it shall determine the information security requirements for:
- DB objects;
- the main types of DB risks;
- the main vulnerabilities of DB.
2) Structuring approach to ensuring information security of databases
The structuring approach shall be applied to ensuring the information security of DB; it shall determine the requirements for the following main measures and means of ensuring the information security of DB:
- identification, authentication and authorization in DB;
- management of access to DB;
- management of the database management system (DBMS) from the point of view of the lifecycle of the information resource;
- management of DB backup and recovery;
- protection of DB against viruses and malicious code;
- control of DB integrity;
- encryption of data in DB;
- audit and monitoring of DB;
- distribution of responsibility for ensuring the information security of DB;
- personnel training on ensuring the information security of DB.
3) Discretionary (selective) and mandatory (obligatory) approaches to ensuring information security of databases
To ensure the information security of DB objects (where DB objects mean both the DB as a whole and any object within the DB), two general approaches shall be applied: the discretionary (selective) approach and the mandatory (obligatory) approach.
Under the discretionary approach, each user shall have distinct rights (privileges or powers) when working with DB objects.
Under the mandatory approach, each DB object shall be assigned a classification level, and each user shall have a clearance level.
To ensure complete and reliable DB security it is necessary to remain flexible in the choice and maintenance of security measures and controls. These approaches to ensuring information security consist in the following:
- finding easily administered and managed technical solutions for the protection of DB that conform to the requirements of the specific body of public power, avoiding excessive binding to one software platform or one supplier;
- applying the most effective and reliable DB security measures while minimizing their cost, as well as the cost of controlling and managing them.
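The two approaches in Item 3) are easiest to see side by side in code. The block below is an added example written for this page; it is not part of the regulation and does not correspond to any particular DBMS. It assumes a constructed ordering of classification levels (PUBLIC < OFFICIAL < CONFIDENTIAL < SECRET), treats a user's clearance as one of those levels (the mandatory approach), keeps explicit per-object privileges for each user (the discretionary approach), and grants an access only when both approaches permit it. Every decision is recorded, which covers the audit-log requirement mentioned earlier in the regulation.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification / clearance levels (constructed for this example)."""
    PUBLIC = 0
    OFFICIAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class DbObject:
    """A DB object (table, view, or the whole DB) with a mandatory classification level."""
    name: str
    classification: Level


@dataclass
class User:
    """A DB user with a clearance level and discretionary per-object privileges."""
    name: str
    clearance: Level
    # object name -> set of actions explicitly granted (discretionary approach)
    privileges: dict = field(default_factory=dict)


class AccessController:
    """Combines the mandatory and discretionary approaches; every decision is logged."""

    def __init__(self):
        self.audit = []  # decision records: the audit-log requirement of the regulations

    def mandatory_ok(self, user, obj):
        # Mandatory approach: the user's clearance must be at least the object's
        # classification level. (Simplified: the classic no-write-down refinement
        # of Bell-LaPadula is not modelled here.)
        return user.clearance >= obj.classification

    def discretionary_ok(self, user, obj, action):
        # Discretionary approach: the action must have been granted explicitly.
        return action in user.privileges.get(obj.name, set())

    def decide(self, user, obj, action):
        mac = self.mandatory_ok(user, obj)
        dac = self.discretionary_ok(user, obj, action)
        allowed = mac and dac  # both approaches must permit the access
        self.audit.append({"user": user.name, "object": obj.name, "action": action,
                           "mandatory": mac, "discretionary": dac, "allowed": allowed})
        return allowed

    def denied(self):
        """Audit entries for refused accesses, e.g. for incident review."""
        return [entry for entry in self.audit if not entry["allowed"]]


def demo():
    """Constructed scenario (hypothetical objects and users); returns the decisions made."""
    citizens = DbObject("citizens", Level.CONFIDENTIAL)
    notices = DbObject("public_notices", Level.PUBLIC)
    analyst = User("analyst", Level.CONFIDENTIAL,
                   {"citizens": {"read"}, "public_notices": {"read", "write"}})
    clerk = User("clerk", Level.OFFICIAL,
                 {"citizens": {"read"}, "public_notices": {"read"}})
    ac = AccessController()
    results = {
        # clearance dominates and read was granted -> allowed
        "analyst_reads_citizens": ac.decide(analyst, citizens, "read"),
        # clearance dominates but no write privilege was granted -> denied
        "analyst_writes_citizens": ac.decide(analyst, citizens, "write"),
        # read privilege granted but clearance OFFICIAL is below CONFIDENTIAL -> denied
        "clerk_reads_citizens": ac.decide(clerk, citizens, "read"),
        # public object, read granted -> allowed
        "clerk_reads_notices": ac.decide(clerk, notices, "read"),
    }
    results["denied_count"] = len(ac.denied())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping the two checks separate is that each one catches a different mistake: a privilege granted too generously is stopped by the clearance check, and a clearance that is broad enough but never accompanied by an explicit grant is stopped by the privilege check. The audit record stores both partial verdicts, so a reviewer can tell which approach refused an access.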
1) Information security requirements for risk management
To ensure the information security of DB, the risk management process shall include the following consecutive stages:
- determination of the DB objects to be protected;
- determination and analysis of threats;
- assessment of vulnerabilities;
- risk assessment;
- determination of the requirements for DB protection;
- determination of DB security measures and controls;
- implementation of DB security measures and controls;
- monitoring of the DB information security system and its improvement.
2) Requirements for the stage of determining the database objects to be protected
To ensure the information security of DB, this stage shall be directed at identifying the objects contained in DB that need to be protected from undesirable impact, or in order to prevent leakage of the information held in the identified objects.
During this stage the following activities shall be carried out:
- finding, listing and determining the characteristics of the data and objects of DB;
- delimiting the scope of the DB risk analysis;
- determining the criticality of the data and objects of DB, based on the criteria of confidentiality, integrity and availability.
As a result of identifying all DB objects, they shall be categorized from the point of view of the following criteria:
- confidentiality - the categories of data shall correspond to the level of protection of the information from unauthorized disclosure, according to the requirements of the following principles of information classification:
a) by degree of secrecy, according to the Law of the Republic of Moldova No. 245-XVI of 27.11.2008 "About the state secret";
b) by category of personal data, according to the Law of the Republic of Moldova No. 17-XVI of 15.02.2007 "About personal data protection";
c) by objects of trade secret, according to the Law of the Republic of Moldova "About trade secret" No. 171-XIII of 6.07.1994;
d) by access to official information, according to the Law of the Republic of Moldova "About information access" No. 982-XIV of 11.05.2000;
e) by access to information created, processed and stored in special systems, according to the Order of the Government No. 735 of 11.06.2002;
- integrity:
a) "high" - this category shall include DB objects whose unauthorized modification can cause significant direct loss to bodies of public power and whose integrity shall be ensured by guaranteed methods according to the mandatory requirements of the current legislation;
b) "low" - this category shall include DB objects whose unauthorized modification or deletion can cause minor or consequential damage to bodies of public power or their employees;
c) "no requirements" - this category shall include DB objects to which no integrity requirements apply;
- availability:
a) "free availability" - access to DB objects shall be provided at any time, the object shall be available constantly, and the delay in receiving a result shall not exceed several seconds or minutes;
b) "high availability" - access to DB objects shall be provided without essential delays (the maximum period during which information is unavailable shall not exceed 2-4 hours);
c) "average availability" - access to DB objects can be provided with essential delays (once in several days); the delay in receiving a result shall not exceed several days and does not entail violations of the normal functioning of bodies of public power;
d) "low availability" - delays in accessing DB objects are almost unlimited; the admissible delay in receiving a result is several weeks, and this does not entail violations of the normal functioning of bodies of public power.
For each type of object, different access rights shall be established depending on the category of information access.
At the stage of determining the DB objects to be protected, the following shall be determined:
- the objects which need to be protected;
- the subjects for which these objects are necessary, and the time during which the objects are necessary;
- the degree of complexity of the DB structure;
- the principles used for assessing the value of the data stored in DB;
- legal and social responsibility for DB security;
- the security measures and controls necessary for protecting the data in DB according to its category of confidentiality, integrity and availability.
The risks that shall be identified without fail, and for which measures to reduce them shall be taken, include:
- lack of formalized responsibility of database administrators;
- the presence of organizational weaknesses and vulnerable aspects in the organization of the functioning of the components of the information infrastructure connected with DB;
- accidental disclosure or loss of DB data;
- wrong and misleading information;
- lack of established DB security standards.
3) Requirements for the stage of determining and analyzing threats
To ensure the information security of DB, a risk analysis shall be carried out, that is, the possible threats to the inspected DB shall be identified. Determining the potential threats directed at DB and their sources is the main objective of the activities of determining and analyzing threats.
Within this stage the following activities shall be carried out:
- the employees having access to vulnerable DB resources shall be determined;
- the persons responsible for changing information in DB shall be determined;
- the presence of formalized procedures for monitoring the employees having access to DB shall be verified;
- the level of documentation and implementation of procedures shall be checked;
- the presence of a training program for the personnel having access to DB resources shall be verified.
In addition, the DB security controls that have been implemented or are planned for minimizing or eliminating the probability of threats being realized shall be analyzed, such as:
- preventive and detective DB security controls:
a) preventive DB security controls - shall include access controls, encryption and authentication;
b) detective DB controls - shall include logging, intrusion detection methods and checksums;
- technical and non-technical control methods:
a) technical methods - shall include access controls, identification and authentication mechanisms, encryption methods and intrusion detection software;
b) non-technical methods - shall include security policy and plans, operational procedures and personnel.
The risks that shall be identified without fail, and for which measures to reduce them shall be taken, include:
- lack of access control to the information contained in DB;
- lack of the following DB access profiles:
a) the managed access profile - methods of organizing DB security, such as the discretionary access method and password authentication methods, shall be formalized;
b) the security levels profile - shall extend the managed access profile by adding the category of information access;
- lack of a conscientious attitude to DB security levels throughout the organization;
- absence or insufficient elaboration of DB security policy and procedures;
- ineffective implementation of the training program in the field of DB protection.
4) Requirements for the stage of assessing vulnerabilities
To determine the possible vulnerable points of DB and of the resources interacting with DB by means of which threats can be realized, an assessment of vulnerabilities shall be carried out against the available set of threats and channels of data leakage from DB.
Within this stage the following activities shall be held:
- a list of the vulnerabilities of DB and of the resources interacting with DB through which threats can be realized shall be compiled;
- vulnerabilities shall be determined for each possible threat;
- the results of analyzing the compliance of the applied DB security measures and controls with the established security requirements shall be used;
This document ceased to be valid on July 13, 2018, according to Item 1 of the Order of the Ministry of Economy and Infrastructure of the Republic of Moldova of June 21, 2018 No. 309.