FSTEC launches a "cybersecurity traffic light": 90% of CII facilities are in the red zone

The Federal Service will create a rating of vulnerable objects.

The Federal Service for Technical and Export Control (FSTEC) will begin to maintain a rating of critical information infrastructure (CII) facilities in terms of information security. This rating will include companies with a low level of protection that have allowed hacks or data leaks. This was announced by Vitaly Lyutikov, Deputy Director of FSTEC, at SOC-Forum 2024.

Lyutikov stressed that the service plans to automate this process and provide managers with the ability to see their current assessment in real time. At the moment, the rating will be advisory in nature, that is, sanctions for inclusion in it are not provided.

According to Lyutikov, the rating will be compiled on the basis of a coefficient assigned to each company from the results of state control inspections or from data on computer incidents. FSTEC analyzed about 100 government agencies and CII facilities using this methodology, and it turned out that the minimum level of protection was provided in only 10% of cases. In all other cases, organizations fall short of the minimum protected state, he added.

Lyutikov added that in the absence of a minimum level of security, "it is pointless to talk about countering violators with higher capabilities, such as special services or coordinated groups." At the same time, he did not specify what this "minimum level" includes.

The FSTEC has already sent more than 170 recommendations to state authorities and CII entities to improve the security of their infrastructure. These recommendations include remediating vulnerabilities, logging information security events, backing up data, blocking foreign search bots, and neutralizing threats.

The service also plans to make the calculation of this indicator mandatory to assess the state of protection of each data operator and in the future to introduce it into the performance indicators of managers responsible for information security.

Market experts note that at present, the security of companies is checked through vulnerability assessment, which determines the number of vulnerabilities in a system and the priority of their remediation. Usually this process is overseen by the company's internal information security department, but not all organizations have such a practice in place.

The minimum security requirements for companies include having qualified staff, maintaining a security perimeter, meeting incident response deadlines, complying with regulations, and using certified software and hardware. However, according to experts, security often remains only on paper.

Experts believe that the advisory nature of the rating is aimed at forming the right approach to the cyber protection of critical information infrastructure facilities: the state is giving organizations another opportunity to raise their level of security on their own, without external pressure. Should the recommendations become mandatory, however, compliance may require audits, improvements to security systems, staff training and other measures.

In addition, even in the absence of cyber incidents, the FSTEC or the FSB can apply sanctions to organizations for non-compliance with the security requirements of CII facilities. Regulatory authorities have the right to restrict access to information resources or suspend the activities of the facility, as well as issue instructions to improve protection. Failure to comply with these requirements may result in further liability.
