Verification and compliance with the requirements of regulatory legal acts and standards of the Republic of Kazakhstan
Preparation for GTS (State Technical Service) tests
Testing of informatization objects for compliance with information security requirements
In what cases is preparation for GTS tests required?
- * for informatization objects subject to mandatory testing under Article 49 of the Law of the Republic of Kazakhstan "On Informatization" of November 24, 2015 No. 418-V.
Preparation for the GTS tests consists of:
Analysis of the state of the information security system:
- * Survey of information security processes.
- * Testing of information security functions.
- * Network infrastructure survey.
- * Source code analysis.
- * Load testing.
Collecting the findings of non-compliance with the requirements and remediating them.
Preparation and submission of the application and the required documentation for passing the tests.
Advantages of conducting an information security audit:
- * full preparation for the GTS tests;
- * compliance of the organization and its information systems with information security standards;
- * an independent assessment of the current state of information security;
- * consultation (recommendations for improving the information security of the organization and its information systems);
- * remediation of identified non-compliances.
Preparation for GTS tests:
1. Selecting the types of work to be performed during testing:
- * Load testing
- * Source code analysis
- * Network infrastructure survey
- * Survey of information security processes
- * Testing of information security functions
2. Study of the test object:
- * Terms of reference
- * List of software and hardware
- * General functional diagram and local network diagram
- * Information security policy and technical documentation (TD) on information security
3. Assessing the state of:
- * the rules governing information security management processes;
- * the organization of asset management;
- * personnel-related security measures;
- * physical protection of equipment and environmental security;
- * proper and secure operation of information processing facilities;
- * the organization of access control for information resources;
- * the processes of development, implementation and maintenance of the certification objects;
- * the organization of information security incident management;
- * business continuity management;
- * the degree of compliance with legal requirements;
- * the system of protection against unauthorized access to information in accordance with ST RK GOST R 50739-95-2006.
4. Source code analysis
Includes static and dynamic analysis of the software for weaknesses (vulnerabilities and defects) using tools designed for source code analysis. Findings are confirmed manually so that false positives are not reported as non-compliances.
5. Load testing
Assesses whether the test object meets its availability, integrity and confidentiality requirements under load and determines its actual load capacity. It is carried out with specialized software driven by automated scenarios, in an environment that replicates normal operation of the test object and in which personal data has been replaced with fictitious data before the test begins.
6. Setting up information security monitoring (SIEM system)
Deploying and configuring a security information and event management (SIEM) system to collect and correlate information security events from the test object.
7. Resolving non-compliances:
- * of the technical documentation with the requirements of regulatory legal acts (NPA) and standards;
- * of the information security (IS) processes, IS functions, network infrastructure and source code.
8. Submitting an application for the GTS tests:
- * preparation of 16 documents, including the information security policy;
- * completion of the questionnaire on the characteristics of the test object;
- * terms of reference or technical specification approved by the owner;
- * source code of the components and modules of the test object, together with libraries and files; copies of the approved technical documentation on information security of the test object;
- * a document from the owner or holder authorizing the applicant to submit the test application (if required);
- * submission of the application for the GTS tests.