Below is an example (sample) of the project document "Explanatory note to the technical project for creating an automated system", based on the guidelines of RD 50-34.698-90. This document is prepared by an IT specialist at the technical design stage of an information system.
As the example information system, a project to introduce an information and analytical system, "Corporate Data Warehouse", was used.
The page below shows the contents of the explanatory note to the technical project in accordance with GOST; within each section, the content requirements and the text of a filled-in example (marked with a vertical line) are briefly given.
Sections of the explanatory note:
General provisions
Main technical solutions
Decisions on the structure of the system, subsystems, means and methods of communication for information exchange between system components
Solutions for interconnecting the automated system (AS) with related systems and ensuring its compatibility
Decisions on operating modes, diagnosing system operation
Decisions on personnel and their work modes
Information on ensuring the consumer characteristics of the system specified in the technical specifications, which determine its quality
Composition of functions, sets of tasks implemented by the system
Composition and placement of technical equipment complexes
An example of an “Explanatory Note” (P2) developed for an automated measurement and information system for commercial electricity metering (AIIS KUE) according to the document. by i. Revision dated June 20, 2018.
Created 03/25/2014 11:48:18
Attention! The technical requirements of the wholesale electricity market (WEM), whose clauses are referenced in the example documents for automated measurement and information systems for commercial electricity metering (AIIS KUE), change quite often, and they are changed not by us but by the trading system administrator (ATS). Please be understanding about this.
All the documents are battle-tested: they have passed many reviews, including examinations at the Federal State Unitary Enterprise “All-Russian Research Institute of Standardization and Certification in Mechanical Engineering” (VNIIMASH) of ROSSTANDART, so there is no doubt about them.
As a rule, the Explanatory Note is the most complex document on software, sometimes causing a lot of controversy and discussion around its content. Why does this happen?
We have already said that in software development this is one of the important stages. It should contain a description of your system that takes the selected technologies into account, as GOST 34 requires. The Explanatory Note to the Technical Project, or PZ for short, is one of the main documents of this stage. And it must be said that the Explanatory Note is most often the most complex software document, sometimes causing a lot of controversy and discussion around its content.
The explanatory note to the technical project includes sections such as:
– Introduction. This section provides the full name of the system and the topic of development, as well as a list of documents that served as the basis for the work on the project.
– Purpose and scope. It describes the goals and objectives that will be solved using the system, as well as the scope of its use.
– Specifications. This section is usually divided into subsections that describe: the statement of the task for creating the program; the mathematical apparatus used; the software operation algorithm; the structure of input and output data; the composition of hardware and software. It is also necessary to provide calculations and analysis results that justify the choice of exactly those solutions mentioned in the document.
– Expected technical and economic indicators. This section gives the economic justification for the development, taking its technical indicators into account.
– Sources used in development. The section is a list of documents, articles and publications that were referenced in the text.
The composition of the sections is determined by GOST 19.404; however, the standard allows these sections to be combined if necessary, and new ones to be added. When the GOST 34 series is used, the document should be developed in accordance with RD 50-34.698. In either case, the document must still comply with the general standards, such as GOST 19.105.
How can you create a program document at the lowest cost that is most useful for your project, which:
– on the one hand, clearly and intelligibly presents all the necessary (and sometimes tedious) information, including complex technical details;
[from clause 2.2.1 RD 50-34.698-90]
In the “General Provisions” section they provide:
[from clause 2.2.2 RD 50-34.698-90]
In the section “Description of the activity process” they reflect the composition of the procedures (), taking into account the interrelation and compatibility of processes and activities, form the organization of work in the plant
[from clause 2.2.3 RD 50-34.698-90]
In the section “Main technical solutions” they give:
The section provides illustrations of other documents that may be included in accordance with GOST 34.201
[from clause 2.2.4 of RD 50-34.698-90]
In the section “Preparatory measures for putting the system into operation” the following is given:
27.10.2016 09:57:23
This article discusses the technical project stage, which belongs to one of the stages of the life cycle of an information security system (ISS): the “design” stage, which, in accordance with the domestic standard GOST 34.601-90, immediately follows the development of the Terms of Reference for the information security system.
The life cycle of an information security system (hereinafter ISS) generally consists of the following stages:
This article discusses the stage of the technical project, which belongs to the “design” stage and, in accordance with the domestic standard GOST 34.601-90, immediately follows the development of the Terms of Reference for the information security system.
The answer to this question should be considered from two points of view: that of the owner of the information resources (for whose protection the ISS is created) and that of the immediate developer of the ISS.
For the owner of information resources, it is important to obtain a result in the form of a functioning information security system that reduces the risk of compromise of restricted-access information in the organization. The technical project in this case serves to develop the fundamental principles of the future system: it describes how the ISS will be built and will function, which measures and means will ensure information protection, and what possibilities exist for developing and improving the system. Upon completion of the technical project, the Customer receives a comprehensive set of documentation for the ISS describing all the technical nuances of the future system.
For the direct executor, the technical project stage is where the most suitable ISS architecture must be laid down and the right choice of measures and means of protecting information in the organization made. It is also important to ensure that the characteristics and properties of the system match the technical specifications or, with the participation and consent of the Customer, to justify adjusting the requirements of the technical specifications in order to increase the efficiency of the system being created.
Thus, as a result of the development of technical design documentation, the Customer will have answers to the following questions:
In the process of developing technical project documentation, the contractor will receive the following results:
The development of a technical project for an information security system is most often carried out on the basis of the relevant standards and guidance documents. For government agencies their use is mandatory; for commercial organizations it is recommended. In practice, commercial organizations also use state standards when developing technical project documentation, for the following reasons:
To develop documentation for the technical project (TP) stage of the ISS, state standards and guidance documents of the 34 series are used:
It is important to understand that according to the 34 series of standards, technical design is a stage of creating a system, and not just a set of documents. In practice, this stage is often combined with the preliminary design stage, which serves to develop several preliminary solutions and justify the most suitable one. Such a combination is allowed by the standard, but it must be taken into account that this does not negate the need to achieve the goals of the preliminary design stage.
Most often, the preliminary design stage is developed in the case when the requirements of the technical specifications for the system can be implemented in several fundamentally different ways, and also when among these methods there are no clearly preferable ones.
However, it is worth noting that the above standards are too general and mainly implement design and general structural functions. To develop the substantive part of the technical project stage documents, designers use information from the following sources:
Current regulatory legal acts (RLA) that regulate the requirements for protecting particular kinds of restricted-access information. These acts set out the requirements for information protection measures in information systems and describe the nuances of implementing these measures as well as additional strengthening measures. Among the current legal acts are the following:
Requirements for the protection of restricted-access information and the lists of protective measures vary for information systems of different security levels/classes. If the information in the organization is not protected under the federal laws of the Russian Federation (for example, official secrets), the owner of this information can still use the approaches proposed in these regulatory legal acts to build a corporate ISS.
Russian and foreign standards describing various approaches to ways of implementing the stages of the life cycle of building an ISS, including the technical design stage:
Manufacturers' operational documentation for information security tools and auxiliary equipment. These documents contain comprehensive technical information about the tools used to build information security systems, including those not directly related to the implementation of information security measures, for example servers, data storage systems, virtualization tools and others. The general set of such documents varies from manufacturer to manufacturer and depends, among other things, on the implementation of a particular tool (hardware/software). Below is the standard set of operational documentation for information security tools used to develop documents at the technical project stage:
General information about existing ISS architectures, best practices for building an ISS, guidelines for security and for integrating information security tools with each other, and information about problems in the interaction of particular information security tools. Examples of such information include the following documents:
The development of documents at the technical project stage for ISS is most often carried out by integrators of these services and is implemented mainly in accordance with the following plan:
Determining the list of documents to be developed - this information is indicated in the technical specifications for the ISS. In some cases, the document developer, in agreement with the Customer, may expand or reduce this list, if this possibility is provided for in the technical specifications;
Development of document templates for the TP stage - the structure is used in accordance with RD 50-34.698-90 and GOST 2.106 (for some documents), formatted in accordance with GOST 2.105-95;
Development of the substantive part of documents. Requirements for the system are established in the technical specifications for the ISS. In accordance with these requirements, a list of protective technical and organizational measures required for implementation in the system is determined. Protection measures can be determined from the relevant regulations (depending on the type of information being protected), corporate standards and information security policies, as well as from the current security threats identified during the development of the organization's threat model. Based on the list of protection measures, the ISS developer selects appropriate information security tools and develops the functional structure of the information security system (subsystems, components). The technical design documents then describe the practical implementation of the protection measures, based on the selected information security tools or organizational measures, in the organization's infrastructure.
Coordination of the developed documentation and the solutions presented in it with the Customer of the system.
When developing technical project documentation, most often it is not necessary to develop a complete list of documents specified in GOST 34.201-89, since this standard is outdated and some of the documents do not take into account the development trends and technologies of modern information systems. The minimum set of documents required to describe the information security system is as follows:
At the Customer’s request or in the event that the ISS is a complex multi-component system, the following documents can also be additionally developed:
It should be noted that GOST 34.201-89 allows the range of documents at the TP stage to be expanded, but in practice these documents are more than sufficient.
Technical design sheet
Designation: TP.
This document is intended to describe the list of documents developed at the technical project stage. The number of pages of each of the developed documents is also indicated.
Explanatory note to the technical project
Designation: P2.
This document is the main one for the TP stage and includes a description of the ISS architecture, technical and organizational measures, ISS functions, software and hardware systems, and other things. According to the standard, it consists of four main sections:
Functional structure diagram
Designation: C2.
This document describes the logical structure of the ISS, namely:
Structural diagram of a complex of technical means
Designation: C1.
This document includes a description of the following elements of the ISS:
Organizational chart
Designation: C0.
This document describes the organizational structure of the organization in terms of ISS management, namely:
List of purchased items
Designation: VP.
This document includes a list of all software and hardware, as well as licenses used to create an information security system. Developed in accordance with GOST 2.106.
Note. The guidance document RD 50-34.698-90 allows any document at the TP stage to be supplemented (with sections and information different from those proposed), sections to be merged, and some individual sections to be excluded. Decisions about this are made by the developer of the TP stage documents and are based on the features of the ISS being created.
Explanatory note to the technical project:
The Internet contains a huge amount of information that, to one degree or another, can help in the development of technical project documentation. Key resources are presented in the table below.
Table. ISS Technical Design Resources
Resource type | Information | Examples of resources |
---|---|---|
Internet portals of federal executive authorities | Regulations, guidelines, registers (including certified information security systems), databases (including databases of vulnerabilities and threats) | fstec.ru clsz.fsb.ru minsvyaz.ru/ru/ |
Internet portals of information security manufacturers, distributors of information security solutions | Description of information security solutions, operational documentation for information security, analytical materials and articles | securitycode.ru kaspersky.ru/ drweb.ru/ ptsecurity.ru/ infowatch.ru/ infotecs.ru/ cisco.com/c/ru_ru/index.html checkpoint.com altx-soft.ru |
Specialized information security resources | Comparison of information security solutions, review articles on information security solutions, tests of information security solutions, in-depth technical information about information security technologies | anti-malware.ru bis-expert.ru safe.cnews.ru securitylab.ru/ vulners.com/ csrc.nist.gov itsecurity.com owasp.org sans.org |
To understand the requirements for the content of documentation at the TP stage, below are examples of filling out the main documents (sections of documents).
The explanatory note is a fairly voluminous document, so here is an example of the content of the section “Main technical solutions” for one of the ISS subsystems: the security analysis subsystem.
ISS security analysis subsystem
Structure and composition of the subsystem
The security analysis subsystem (SAS, referred to below as ESD) is designed to systematically monitor the security status of the automated workstations (AWS) of personnel and of the organization's servers. The basis of the ESD is the “Test” software tool produced by Information Security LLC. The Test information security tool has an FSTEC of Russia certificate of compliance with the technical specifications (TU) for information security and with the 4th level of control over the absence of undeclared capabilities.
The ESD includes the following components:
A description of the subsystem components is presented in the table below.
Table. ESD components
Component | Description |
---|---|
Test Server Management Server | Provides management of scanning tasks, performs functions of monitoring the security status of the workstation and the organization's servers. Scanning parameters are set by the information security administrator on the Test Server management server. All collected information about scan results is stored in the Test Server server storage based on the Microsoft SQL Server 2008 database management system |
Test Console | Allows the information security administrator to connect to the Test Server, view and change its configuration, create and modify scanning tasks, view information about the progress of tasks and the results of their execution. The management console is installed on the information security administrator's workstation |
Providing functions
The ESD provides the following functions:
Solution for a complex of hardware and software tools
The list of used ESD software and hardware is given in the table below.
Table. ESD software and hardware
ESD control server
Technical means
The physical server used as an ESD management server must meet the technical requirements for the software and OS installed on it, given in the table below.
Table. OS and software requirements for the ESD control server
Software | Technical requirements: CPU | Technical requirements: RAM, MB |
---|---|---|
Microsoft Windows Server 2008 R2 | 3000 MHz, 4 cores | 8192 |
Microsoft SQL Server 2008 R2 | | |
Test Server software | | |
Software
Management server OS
Windows 2008 R2 OS is installed on the management server in the normal manner from a boot distribution.
The management server OS is managed both locally from the console and via the RDP protocol.
Management server DBMS
The Microsoft SQL Server 2008 R2 database is installed under an account with local administrator rights using the standard installation wizard from the distribution kit supplied by the product developer.
Test Server software
Test Server software is installed on the management server using the standard installation wizard.
The initial setup and subsequent management of Test Server software in normal mode is carried out using the Test Console management console installed on the IS administrator's workstation.
IS administrator's workstation
Technical means
The existing workstation of an employee of the organizational unit responsible for providing information security, running the Microsoft Windows family of operating systems, is used as a platform.
The technical means of the information security administrator's workstation must have the following hardware configuration characteristics (at least recommended):
Software
Test Console software
The information security administrator's workstation on which the Test Console software is installed must operate under one of the following OS:
In addition, for the Test Console management console software to work correctly, Microsoft .NET Framework version 3.5 SP1 or higher must be installed on the information security administrator's workstation, and the security settings of the operating system used must allow access to the Test Server.
Installation of Test Console software on the ESD administrator's workstation is carried out using the standard Test Server software installation wizard with the selected option to install the Test Console management console and other default settings.
Interaction with adjacent systems
For ESD, adjacent are:
To ensure network interaction with adjacent systems and directly between the ESD components themselves, the passage of the necessary network traffic must be organized.
To ensure the ability to receive updates to the knowledge base and Test software modules for the Test Server scanner, it is necessary to provide access to the update.com web server of the Information Security LLC company via port 443/tcp.
When scanning in PenTest mode, interaction between the Test Server scanner and the organization's workstations and servers is carried out via the IP protocol. When scanning in Audit and Compliance modes, the remote management protocols WMI, RPC, etc. are used. For hosts to be scanned, devices with firewall functions must allow connections from the Test Server to the scanned hosts via IP. Accordingly, the Test Server must be given access to the network ports of the scanned nodes over the appropriate remote control protocols.
Since the ESD uses remote control protocols for analysis when scanning in Audit and Compliance modes, the Test software scanning tools must pass authentication and authorization on the scanned node. To scan nodes in the Audit and Compliance modes, the ESD uses accounts with administrative privileges on each type of node (workstation, server, application systems, DBMS, etc.).
All registered information security events are stored in the Microsoft SQL DBMS. These events can be sent to the information security event monitoring subsystem using special connectors.
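The network flows described in this section can be checked against an exported firewall ruleset before the subsystem is put into operation. The following is an added example, not part of the explanatory note and not code from the Test product: it audits a constructed ruleset for the two flows the note requires and flags rules that widen the scanner's reach. The IP addresses, the rule format and the finding texts are assumptions; only `update.com` and 443/tcp come from the note.

```python
import ipaddress

# Assumed addressing plan (constructed, not from the explanatory note).
TEST_SERVER = ipaddress.ip_network("10.0.5.10/32")   # ESD management server
SCAN_TARGETS = ipaddress.ip_network("10.0.0.0/16")   # workstations and servers
UPDATE_HOST = "update.com"                           # update server named in the note

# Constructed ruleset in a hypothetical export format; "ip" means any IP protocol.
RULES = [
    {"id": 1, "src": "10.0.5.10/32", "dst": "update.com", "proto": "tcp", "port": "443"},
    {"id": 2, "src": "10.0.5.10/32", "dst": "10.0.0.0/16", "proto": "ip", "port": "any"},
    {"id": 3, "src": "10.0.5.0/24", "dst": "10.0.0.0/16", "proto": "ip", "port": "any"},
    {"id": 4, "src": "10.0.5.10/32", "dst": "any", "proto": "tcp", "port": "any"},
]


def to_net(value):
    """Parse CIDR text or 'any' into a network; return None for a hostname."""
    if value == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(value)
    except ValueError:
        return None


def audit(rules):
    """Compare permit rules with the two flows the note requires.

    Returns {"missing": [...], "findings": [(rule_id, text), ...]}.
    """
    required = {"update-443": False, "scan-ip": False}
    findings = []
    for rule in rules:
        src, dst = to_net(rule["src"]), to_net(rule["dst"])
        if src is None:
            findings.append((rule["id"], "source must be an address or CIDR"))
            continue
        scanner_only = src == TEST_SERVER
        to_update = (rule["dst"] == UPDATE_HOST and rule["proto"] == "tcp"
                     and rule["port"] == "443")
        to_targets = dst is not None and dst.subnet_of(SCAN_TARGETS)
        if scanner_only and to_update:
            required["update-443"] = True
        elif scanner_only and to_targets:
            # PenTest mode needs IP-level reach; Audit/Compliance ride on it.
            if rule["proto"] == "ip" and rule["port"] == "any":
                required["scan-ip"] = True
        elif scanner_only:
            findings.append((rule["id"], "Test Server egress beyond update.com 443/tcp"))
        elif (TEST_SERVER.subnet_of(src) and dst is not None
              and dst.overlaps(SCAN_TARGETS) and rule["port"] == "any"):
            # Hosts next to the scanner inherit its reach to every scanned node.
            findings.append((rule["id"], "scan-wide access not limited to the Test Server"))
    missing = [name for name, seen in required.items() if not seen]
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    report = audit(RULES)
    print("missing flows:", report["missing"])
    for rule_id, text in report["findings"]:
        print(f"rule {rule_id}: {text}")
```

Because the scanner holds administrative accounts on every node type, rules 3 and 4 in the constructed set are the ones worth correcting: they let other hosts share its reach or let it talk to arbitrary destinations.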
Operation and maintenance of ESD
Subsystem users
Operation and maintenance of ESD tools is carried out by employees of the organization with the functional role of “IS administrator”.
An information security administrator is defined as a specialist whose tasks include:
System operating modes
Normal operating mode
In normal operation, the ESD operates 24 hours a day, 7 days a week.
In normal operation, the information security administrator performs:
Emergency operation
If the ESD tools fail, the functioning of the subsystem is disrupted. Failure of the ESD tools does not affect the functioning of the organization's automated workstations and servers.
Functional diagrams can be developed for the entire information security system or for part of it, for example, a subsystem or component.
An example of a general functional diagram of an ISS is shown in the figure below.
1.6.3. Structural diagram of a complex of technical means
The block diagram of a complex of technical means can be developed both for the entire ISS and for its parts - subsystems and components. The feasibility of developing diagrams for parts of the information security system is determined by the scale of the system and the required detail.
An example block diagram of the ISS complex of technical means is presented in the figure below.