
Information security: international and Russian standards. International legal norms in the field of personal data protection. International information protection standards

This section gives general information on, and the texts of, the national standards of the Russian Federation in the field of information security (GOST R).

An up-to-date list of modern GOSTs developed in recent years and planned for development:

  • Certification system for information security tools according to information security requirements No. ROSS RU.0001.01BI00 (FSTEC of Russia).
  • State standard of the Russian Federation. Data protection. Procedure for creating automated systems in protected execution. General provisions. Moscow.
  • State standard of the Russian Federation. Computer facilities. Protection against unauthorized access to information. General technical requirements. Introduction date 1996-01-01.
  • National standard of the Russian Federation. Data protection. Basic terms and definitions (Protection of information. Basic terms and definitions). Introduction date 2008-02-01.
  • State standard of the Russian Federation. Data protection. System of standards. Basic provisions (Safety of information. System of standards. Basic principles).
  • State standard of the Russian Federation. Data protection. Testing software for computer viruses. Sample manual (Information security. Software testing for the existence of computer viruses. The sample manual).
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 1. General provisions.
  • Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels.
  • Information technology. Methods and means of ensuring security. Guidance for developing protection profiles and security targets.
  • Automatic identification. Biometric identification. Performance tests and test reports in biometrics. Part 3. Features of testing for various biometric modalities.
  • Information technology. Methods and means of ensuring security. Methodology for assessing information technology security.
  • GOST R ISO/IEC 15408-1-2008 Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 1. Introduction and general model (Information technology. Security techniques. Evaluation criteria for IT security. Part 1. Introduction and general model).
  • GOST R ISO/IEC 15408-2-2008 Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 2. Security functional requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 2. Security functional requirements).
  • GOST R ISO/IEC 15408-3-2008 Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 3. Security assurance requirements (Information technology. Security techniques. Evaluation criteria for IT security. Part 3. Security assurance requirements).
  • GOST R 53109-2008 Public communication network information security system. Information security passport of a communications organization (Information security of the public communications network providing system. Passport of the organization communications of information security). Date of entry into force 30.09.2009.
  • GOST R 53114-2008 Information security. Ensuring information security in the organization. Basic terms and definitions (Protection of information. Information security provision in organizations. Basic terms and definitions). Date of entry into force 30.09.2009.
  • GOST R 53112-2008 Information security. Complexes for measuring the parameters of spurious electromagnetic radiation and pickups. Technical requirements and test methods (Information protection. Facilities for measuring side electromagnetic radiation and pickup parameters. Technical requirements and test methods). Date of entry into force 30.09.2009.
  • GOST R 53115-2008 Information security. Testing of technical means of information processing for compliance with the requirements of protection from unauthorized access. Methods and means (Information protection. Conformance testing of technical information processing facilities to unauthorized access protection requirements. Methods and techniques). Date of entry into force 30.09.2009.
  • GOST R 53113.2-2009 Information technology. Protection of information technologies and automated systems from information security threats implemented using covert channels. Part 2. Recommendations for organizing the protection of information, information technologies and automated systems from attacks using covert channels (Information technology. Protection of information technology and automated systems against security threats posed by use of covert channels. Part 2. Recommendations on protecting information, information technology and automated systems against covert channel attacks). Date of entry into force 01.12.2009.
  • GOST R ISO/IEC TO 19791-2008 Information technology. Methods and means of ensuring security. Security assessment of automated systems (Information technology. Security techniques. Security assessment of operational systems). Date of entry into force 30.09.2009.
  • GOST R 53131-2008 Information security. Recommendations for disaster recovery services of information and telecommunications technology security functions and mechanisms. General provisions (Information protection. Guidelines for recovery services of information and communications technology security functions and mechanisms. General). Date of entry into force 30.09.2009.
  • GOST R 54581-2011 Information technology. Methods and means of ensuring security. Fundamentals of trust in IT security. Part 1. Overview and basics (Information technology. Security techniques. A framework for IT security assurance. Part 1. Overview and framework). Date of entry into force 01.07.2012.
  • GOST R ISO/IEC 27033-1-2011 Information technology. Methods and means of ensuring security. Network security. Part 1. Overview and concepts (Information technology. Security techniques. Network security. Part 1. Overview and concepts). Date of entry into force 01.01.2012.
  • GOST R ISO/IEC 27006-2008 Information technology. Methods and means of ensuring security. Requirements for bodies carrying out audit and certification of information security management systems (Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems). Date of entry into force 30.09.2009.
  • GOST R ISO/IEC 27004-2011 Information technology. Methods and means of ensuring security. Information security management. Measurements (Information technology. Security techniques. Information security management. Measurements). Date of entry into force 01.01.2012.
  • GOST R ISO/IEC 27005-2010 Information technology. Methods and means of ensuring security. Information security risk management (Information technology. Security techniques. Information security risk management). Date of entry into force 01.12.2011.
  • GOST R ISO/IEC 31010-2011 Risk management. Risk assessment methods (Risk management. Risk assessment methods). Date of entry into force 01.12.2012.
  • GOST R ISO 31000-2010 Risk management. Principles and guidelines (Risk management. Principles and guidelines). Date of entry into force 31.08.2011.
  • GOST 28147-89 Information processing systems. Cryptographic protection. Cryptographic transformation algorithm. Date of entry into force 30.06.1990.
  • GOST R ISO/IEC 27013-2014 Information technology. Methods and means of ensuring security. Guide to the joint use of ISO/IEC 27001 and ISO/IEC 20000-1. Date of entry into force 01.09.2015.
  • GOST R ISO/IEC 27033-3-2014 Network security. Part 3. Reference network scenarios. Threats, design methods and management issues. Date of entry into force 01.11.2015.
  • GOST R ISO/IEC 27037-2014 Information technology. Methods and means of ensuring security. Guidelines for the identification, collection, acquisition and preservation of evidence in digital form. Date of entry into force 01.11.2015.
  • GOST R ISO/IEC 27002-2012 Information technology. Methods and means of ensuring security. Code of norms and rules of information security management (Information technology. Security techniques. Code of practice for information security management). Date of entry into force 01.01.2014. OKS code 35.040.
  • GOST R 56939-2016 Information security. Development of secure software. General requirements (Information protection. Secure software development. General requirements). Date of entry into force 01.06.2017.
  • GOST R 51583-2014 Information security. Procedure for creating automated systems in protected execution. General provisions (Information protection. Sequence of protected operational system formation. General). Date of entry into force 01.09.2014.
  • GOST R 7.0.97-2016 System of standards for information, librarianship and publishing. Organizational and administrative documentation. Documentation requirements (System of standards on information, librarianship and publishing. Organizational and administrative documentation. Requirements for presentation of documents). Date of entry into force 01.07.2017. OKS code 01.140.20.
  • GOST R 57580.1-2017 Security of financial (banking) transactions. Protection of information of financial organizations. Basic composition of organizational and technical measures (Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures).
  • GOST R ISO 22301-2014 Business continuity management systems. General requirements (Business continuity management systems. Requirements).
  • GOST R ISO 22313-2015 Business continuity management. Implementation guide (Business continuity management systems. Guidance for implementation).
  • GOST R ISO/IEC 27031-2012 Information technology. Methods and means of ensuring security. Guidance on information and communication technology readiness for business continuity (Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity).
  • GOST R IEC 61508-1-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 1. General requirements). Introduction date 2013-08-01.
  • GOST R IEC 61508-2-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. Requirements for systems (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 2. Requirements for systems). Introduction date 2013-08-01.
  • GOST R IEC 61508-3-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 3. Software requirements (IEC 61508-3:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 3: Software requirements, IDT).
  • GOST R IEC 61508-4-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 4. Terms and definitions). Introduction date 2013-08-01.
  • GOST R IEC 61508-6-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 6. Guidelines for the application of GOST R IEC 61508-2 and GOST R IEC 61508-3 (IEC 61508-6:2010 Functional safety of electrical/electronic/programmable electronic safety-related systems. Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3, IDT).
  • GOST R IEC 61508-7-2012 Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 7. Methods and means (Functional safety of electrical, electronic, programmable electronic safety-related systems. Part 7. Techniques and measures). Introduction date 2013-08-01.
  • GOST R 53647.6-2012 Business continuity management. Requirements for a personal information management system to ensure data protection.

One of the most important problems and needs of modern society is the protection of human rights where a person is drawn into processes of information exchange, including the right to the protection of personal information in automated information processing.

I. N. Malanych, 6th year student of VSU

The institution of personal data protection today is no longer a category that can be regulated only by national law. The most important feature of modern automated information systems is the “supranationality” of many of them, their “exit” beyond the borders of states, the development of publicly accessible world information networks such as the Internet, the formation of a single information space within the framework of such international structures.

Today the Russian Federation faces the problem not only of introducing into its legal field the institution of personal data protection within automated information processes, but also of correlating it with the existing international legal standards in this area.

There are three main trends in the international legal regulation of the institution of personal data protection, related to the processes of automated information processing.

1) Declaration of the right to protection of personal data, as an integral part of fundamental human rights, in acts of a general humanitarian nature adopted within the framework of international organizations.

2) Consolidation and regulation of the right to the protection of personal information in regulatory acts of the European Union, the Council of Europe, partly the Commonwealth of Independent States and some regional international organizations. This class of norms is the most universal and directly concerns the right to the protection of personal data in the processes of automated information processing.

3) Inclusion of norms on the protection of confidential information (including personal information) in international treaties.

The first method historically appeared earlier than the others. In the modern world, information rights and freedoms are an integral part of fundamental human rights.

The 1948 Universal Declaration of Human Rights proclaims: “No one shall be subjected to arbitrary interference with his private and family life, arbitrary attacks on ... the secrecy of his correspondence” and further: “Everyone has the right to the protection of the law against such interference or such attacks.” The International Covenant on Civil and Political Rights of 1966 repeats the declaration in this part. The 1950 European Convention details this right: “Everyone has the right to freedom of expression. This right includes freedom to hold opinions and to receive and impart information and ideas without interference from public authorities and regardless of frontiers.”

These international documents establish the information rights of the individual.

Currently, a stable system of views on human information rights has been formed at the international level. In general terms, this comprises the right to receive information, the right to privacy in terms of protecting information about oneself, and the right to protect information both from the point of view of state security and from the point of view of business security, including financial activities.

The second method, the more detailed regulation of the right to the protection of personal information, is associated with the ever-increasing intensity of personal information processing in recent years using automated computer information systems. In recent decades, within the framework of a number of international organizations, a number of international documents have been adopted that develop basic information rights in connection with the intensification of cross-border information exchange and the use of modern information technologies. Such documents include the following:

In 1980 the Council of Europe developed the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which entered into force in 1985. The Convention defines the procedure for collecting and processing personal data, the principles for storing and accessing this data, and ways of physically protecting data. The Convention guarantees the observance of human rights in the collection and processing of personal data, the principles of storage of and access to these data, and methods of physical protection of data, and also prohibits the processing of data on race, political views, health and religion without appropriate legal grounds. Russia joined the European Convention in November 2001.

In the European Union, personal data protection issues are regulated by a whole range of documents. In 1979, the Resolution of the European Parliament "On the protection of individual rights in connection with the progress of informatization" was adopted. The resolution invited the Council and Commission of the European Communities to develop and adopt legal acts on the protection of personal data in connection with technological progress in the field of informatics. In 1980, the Recommendations of the Organization for Cooperation of the Member States of the European Union "On guidelines for the protection of privacy in the interstate exchange of personal data" were adopted. Currently, the issues of personal data protection are regulated in detail by the directives of the European Parliament and the Council of the European Union. These are Directives No. 95/46/EC and No. 2002/58/EC of the European Parliament and of the Council of the European Union of October 24, 1995 "On the protection of the rights of individuals with regard to the processing of personal data and on the free movement of such data", Directive No. 97/66/EC of the European Parliament and of the Council of the European Union of December 15, 1997, concerning the use of personal data and the protection of privacy in the field of telecommunications, and other documents.

The acts of the European Union are characterized by a detailed elaboration of the principles and criteria for automated data processing, the rights and obligations of subjects and holders of personal data, issues of their cross-border transfer, and liability and sanctions for causing damage. In accordance with Directive No. 95/46/EC, the European Union has established a Working Group on the protection of individuals with regard to the processing of their personal data. It has the status of an advisory body and acts as an independent structure. The working group consists of a representative of the body established by each Member State to supervise compliance on its territory with the provisions of the Directive, a representative of the body or bodies established for Community institutions and structures, and a representative of the European Commission.

Within the framework of the Organisation for Economic Co-operation and Development (OECD), the "Guidelines for the protection of privacy and international exchanges of personal data", adopted on September 23, 1980, are in force. The preamble of this document states: "…OECD member countries have found it necessary to develop Basic Provisions that could help to unify national privacy laws and, while ensuring respect for relevant human rights, at the same time would not allow blocking of international data exchanges…". These provisions apply in both the public and private sectors to personal data which, either because of the procedure for their processing or because of their nature or the context of their use, pose a risk of violating privacy and individual freedoms. The document defines the need to provide personal data with appropriate mechanisms to protect against the risks associated with their loss, destruction, alteration, disclosure or unauthorized access. Russia, unfortunately, does not participate in this organization.

On October 16, 1999, the Interparliamentary Assembly of the CIS Member States adopted the Model Law "On Personal Data".

According to the law, "personal data" is information (recorded on a material medium) about a specific person who is identified or can be identified from it. Personal data includes biographical and identification data, personal characteristics, and information about family, social status, education, profession, official and financial status, health status, and more. The law also lists the principles of legal regulation of personal data, the forms of state regulation of operations with personal data, and the rights and obligations of subjects and holders of personal data.

The second method of normative regulation of personal data protection in international legal acts, considered above, seems the most interesting for analysis. The norms of this class not only directly regulate public relations in this area, but also help bring the legislation of the member countries into line with international standards, thereby ensuring the effectiveness of these norms on their territory. Thus, the guarantee of the information rights enshrined in the Universal Declaration of Human Rights, in the sense of the "right to the protection of the law from ... interference or ... encroachments" declared in its Article 12, is also ensured.

The third way to consolidate the rules on the protection of personal data is to secure their legal protection in international treaties.

Articles on the exchange of information are included in international treaties on legal assistance, on the avoidance of double taxation, on cooperation in a certain public and cultural sphere.

According to Art. 25 of the Treaty between the Russian Federation and the United States on the avoidance of double taxation and the prevention of tax evasion with respect to taxes on income and capital, states are required to provide information constituting professional secrecy. The Treaty between the Russian Federation and the Republic of India on Mutual Legal Assistance in Criminal Matters contains Article 15 “Confidentiality”: the requested party may require confidentiality of the transferred information. The practice of concluding international treaties shows the desire of the contracting states to comply with international standards for the protection of personal data.

It seems that the most effective mechanism for regulating this institution at the international legal level is the publication of special regulatory documents within the framework of international organizations. This mechanism not only contributes to appropriate internal regulation, within these organizations, of the pressing problems of personal information protection mentioned at the beginning of the article, but also has a beneficial effect on the national legislation of the participating countries.

International Standards

  • BS 7799-1:2005 - British Standard BS 7799, part one. BS 7799 Part 1 - Code of Practice for Information Security Management describes the 127 controls needed to build an organization's information security management system (ISMS), identified on the basis of the best examples of world experience (best practices) in this area. This document serves as a practical guide to setting up an ISMS.
  • BS 7799-2:2005 - British Standard BS 7799, part two. BS 7799 Part 2 - Information Security Management - Specification for Information Security Management Systems defines the specification for an ISMS. The second part of the standard is used as the criteria in the official certification procedure for an organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799, part three. The new standard in information security risk management.
  • ISO/IEC 17799:2005 - Information technology - Security technologies - Information security management practices. International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001:2005 - Information technology - Security practices - Information security management systems - Requirements. International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Now: ISO/IEC 17799:2005. "Information Technology - Security Technology - Information Security Management Practices". Release date - 2007.
  • ISO/IEC 27005 - Now: BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006: Information security. Basic terms and definitions.
  • R 50.1.053-2005: Information technologies. Basic terms and definitions in the field of technical protection of information.
  • GOST R 51188-98: Information security. Testing software for the presence of computer viruses. Model guide.
  • GOST R 51275-2006: Information security. Informatization object. Factors affecting information. General provisions.
  • GOST R ISO/IEC 15408-1-2008: Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2008: Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 2: Security functional requirements.
  • GOST R ISO/IEC 15408-3-2008: Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 3: Security Assurance Requirements.
  • GOST R ISO/IEC 15408 - "General Criteria for Information Technology Security Assessment" - a standard that defines the tools and methodology for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, on the basis of which the consumer makes a decision about the security of products. The scope of application of the "General Criteria" is the protection of information from unauthorized access, modification or leakage, and other methods of protection implemented by hardware and software.
  • GOST R ISO/IEC 17799 - "Information technologies. Practical rules of information security management". Direct application of the international standard with the addition of ISO/IEC 17799:2005.
  • GOST R ISO/IEC 27001 - "Information technologies. Security methods. Information security management system. Requirements". Direct application of the international standard ISO/IEC 27001:2005.
  • GOST R 51898-2002: Safety aspects. Rules for inclusion in standards.

Guidance Documents

  • RD SVT. Protection against unauthorized access. Indicators of protection against unauthorized access to information - contains a description of the security indicators of information systems and the requirements for each security class.

See also

  • Undeclared Capabilities

Wikimedia Foundation. 2010.


Information security refers to a set of measures aimed at ensuring the security of information that is subjected to the processes of collection, processing, transmission and storage. Information protection, which shields information from the destructive effects of the external environment through the properties of confidentiality, signal secrecy and integrity, is based on the application of the same measures.

At the state level, information security is understood as all types of organizational, legal and technical methods for the prevention and elimination of threats to information security. The priority tasks of such activities are the identification and elimination of harmful sources, factors and situations that adversely affect valuable information. In the same vein, the state system for ensuring the protection of information is considered, as it relates to the problem of the safe development of the whole world.

At the level of activities of departmental institutions, information security is carried out through the following measures:

  • threat prevention - preventive measures taken to prevent information leakage or its destruction;
  • threat identification - systematic analysis and control of real and potential hazards;
  • detection of threats - work to identify existing threats and ongoing illegal actions;
  • localization of illegal actions - elimination of threats and specific illegal actions;
  • liquidation of consequences of threats and information crimes.

All measures taken to ensure information security are aimed at confidentiality, copyright protection and protection of information from unauthorized encroachment, disclosure and violation of integrity.

International information security standards

The best-known and most effective information security standard at the international level is ISO/IEC 17799:2000, which is a new generation of information security standard. The concept of information security is defined by ISO/IEC 17799:2000 as ensuring the confidentiality, safety and availability of information arrays. This standard is focused on solving the problem of information security of institutions and contains the following areas of activity:

  • continuity of information protection;
  • development and refinement of the conceptual apparatus (terminology) of the information security system;
  • establishment of the institution's information security policy;
  • management of corporate information assets;
  • management of the organization's business projects from the standpoint of information security;
  • physical security of information;
  • operation and maintenance of the information security requirements for corporate information resources.

The international standard known as the European Information Technology Security Evaluation Criteria (ITSEC) has gained wide recognition and strongly influenced information legislation and certification processes in many countries. A major contribution to the international system of information security was made by German specialists, who published the "Green Book" (the German IT security criteria) and treated the availability, integrity and confidentiality of information as a single problem. Translations of these standards served as the basis for many aspects of Russian information legislation.

Standardization of information security in Russia

Among the whole variety of domestic information security standards, the documents regulating the security of open systems should be singled out. These include:

  • GOST R ISO 7498-2-99;
  • GOST R ISO/IEC 9594-8-98;
  • GOST R ISO/IEC 9594-9-9.

These GOSTs (adoptions of ISO 7498-2 and of ISO/IEC 9594 parts 8 and 9) set out the security architecture of open systems, the authentication framework and directory replication.

The following standards are used, among other things, in protecting state secrets:

  • GOST R 50739-95;
  • GOST 28147-89;
  • GOST R 34.10-94;
  • GOST R 34.11-94.

Respectively, these standards cover protection of computer facilities against unauthorized access, cryptographic transformation (encryption), generation and verification of an electronic digital signature, and hashing. Note that the three cryptographic standards have since been superseded: the GOST 28147-89 cipher is carried forward (as "Magma") in GOST R 34.12-2015, GOST R 34.10-94 was replaced by GOST R 34.10-2001 and then GOST R 34.10-2012, and GOST R 34.11-94 by GOST R 34.11-2012, so new systems should be built against the current editions.

All Russian standards governing information protection are layered, so each can be applied only at the level it is intended for. For example, a comprehensive assessment of an encryption system or of the quality of an electronic signature uses the GOST of the corresponding purpose. For protecting communication channels it is customary to use the TLS protocol, and for protecting transactions the SET protocol, which builds on lower-level standards, was used (SET has since fallen out of use in favor of TLS-based payment schemes).

The system of domestic industry information security standards also includes banking standards that ensure the protection of banking data.

V.V. Tikhonenko, Head of the Union of Specialists-Experts in Quality (Kyiv, Ukraine), Ph.D., General Director of ECTC "VATT"

The article describes the main international and national safety standards. The definitions of the terms "safety", "hazard" and "risk" are considered. It is suggested that Heisenberg's uncertainty principle and Bohr's complementarity principle might be used to describe hazards.

What is "security"?

Ensuring safety is one of the most important requirements that everyone, everywhere and always must meet, since any activity is potentially dangerous. Safety is linked to risk (the two are interdependent). Consider the definitions of these concepts given in the standards.

Safety - freedom from unacceptable risk.

Hazard (danger) - a potential source of harm.

Risk - the effect of uncertainty on objectives.

Thus, safety is characterized not by the absence of risk altogether but only by the absence of unacceptable risk. The standards define tolerable risk as "the optimal balance between safety and the requirements that a product, process or service must satisfy, as well as factors such as user benefit, cost effectiveness, custom, etc." The standard most often used by enterprises in the field of occupational health and safety defines tolerable (acceptable) risk as "risk reduced to a level that the organization can tolerate, having regard to its legal obligations and its own occupational health and safety policy."

The standards prescribe the following ways to reduce risk (in order of priority):

  • inherently safe design;
  • protective devices and personal protective equipment (that is, collective and individual means of protection - ed.);
  • information for installation and use;
  • training.

Types of security standards

According to the standards, safety standards can be of the following types:

  • fundamental standards, covering basic concepts, principles and requirements relating to the main aspects of safety; they apply to a wide range of products, processes and services;
  • group standards, containing safety aspects applicable to several types, or a family of related types, of products, processes or services; they refer to the fundamental safety standards;
  • product safety standards, covering the safety aspects of a particular type or family of products, processes or services; they refer to the fundamental and group standards;
  • product standards, which contain safety aspects among others; they should refer to the fundamental and group safety standards.

The table below gives examples of international standards of each listed type. Table 1 of the cited standard, which lists the international, European and Russian regulatory documents containing requirements for the characteristics of the safety function, is also recommended reading.

The setting of safety requirements in regulations and standards should be based, as the standards say, on an analysis of the risk of harm to people, property or the environment, or a combination of these. The figure schematically shows the main risks of an enterprise together with the risk management standards that apply to them.

Dirac's delta function and Heaviside's step function might also be usable for describing and analyzing hazards and risks, since the transition from acceptable to unacceptable risk is a step change.

Security principles and means

Theoretically, the following safety principles can be distinguished:

  • managerial (adequacy, control, feedback, responsibility, planning, incentives, management, efficiency);
  • organizational (protection by time, information, redundancy, incompatibility, rationing, personnel selection, consistency, ergonomics);
  • technical (blocking, evacuation (vacuum), sealing, protection by distance, compression, strength, weak link, phlegmatization (inerting), shielding);
  • orienting (operator activity, replacement of the operator, classification, elimination of the hazard, consistency, risk reduction).

Let us dwell in more detail on the principle of classification (categorization). It consists in dividing objects into classes and categories according to features associated with hazards. Examples: sanitary protection zones (5 classes), categories of production facilities (premises) by explosion and fire hazard (A, B, C, D, E), categories and zones under the ATEX directives (3 equipment categories, 6 zones), waste hazard classes (5 classes in Russia, 4 in Ukraine), hazard classes of substances (4 classes), hazard classes for the transport of dangerous goods (9 classes), etc.

Information

According to Heinrich's calculations, for every fatal accident there are about 30 injuries with less serious consequences and about 300 other incidents that can pass almost unnoticed. At the same time, the indirect economic costs of eliminating the consequences are four times higher than the direct ones.

Reference

About 20% of all adverse events are associated with equipment failures and 80% with human error; of the latter, about 70% were due to hidden organizational weaknesses (errors were concealed and not responded to) and about 30% were attributable to the individual worker.

Figure. Company risks (example) and applicable standards

Notes:

ECO (EVS) - European Valuation Standards of TEGoVA (The European Group of Valuers' Associations);

IVS - International Valuation Standards (property valuation);

IFRS - International Financial Reporting Standards;

BASEL II - "International Convergence of Capital Measurement and Capital Standards: A Revised Framework", the accord of the Basel Committee on Banking Supervision;

BRC - British Retail Consortium Global Standards;

COBIT - Control Objectives for Information and Related Technology (a package of open documents, about 40 international and national standards and guidelines on IT governance, audit and IT security);

COSO - the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission;

FERMA - the risk management standard of the Federation of European Risk Management Associations;

GARP - Global Association of Risk Professionals;

IFS - International Featured Standards (standards for the production and sale of food products);

ISO/PAS 28000 - Specification for security management systems for the supply chain;

NIST SP 800-30 - Risk Management Guide for Information Technology Systems.

Table. Safety standards (examples)

Fundamental standards:

  • ISO 31000 Risk management - Principles and guidelines;
  • IEC/ISO 31010 Risk management - Risk assessment techniques;
  • BS 31100 Risk management - Code of practice;
  • BS 25999 Business continuity management (parts 1 and 2);
  • IEC 61160 Risk management - Formal design review;
  • BS OHSAS 18001 Occupational health and safety management systems - Requirements;
  • GS-R-1 Legal and Governmental Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety - Requirements;
  • ISO 22000:2005 Food safety management systems - Requirements for any organization in the food chain.

Group standards:

  • ISO 14121 Safety of machinery - Risk assessment;
  • ISO 12100 Safety of machinery - Basic concepts, general principles for design;
  • ISO 13849 Safety of machinery - Safety-related parts of control systems;
  • ATEX 95, Directive 94/9/EC - Equipment and protective systems intended for use in potentially explosive atmospheres;
  • ATEX 137, Directive 99/92/EC - Minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres;
  • IEC 62198 Project risk management - Application guidelines;
  • ISO 15190 Medical laboratories - Requirements for safety;
  • ISO 14971 Medical devices - Application of risk management to medical devices;
  • ISO 14798 Lifts (elevators), escalators and moving walks - Risk assessment and reduction methodology;
  • ISO 15408 Information technology - Security techniques - Evaluation criteria for IT security (the Common Criteria).

Product safety standards:

  • ISO 10218 Robots for industrial environments - Safety requirements;
  • IEC 61010-1:2001 Safety requirements for electrical equipment for measurement, control, and laboratory use - Part 1: General requirements;
  • IEC 60086-4:2000 Primary batteries - Part 4: Safety of lithium batteries;
  • IEC 61199 Single-capped fluorescent lamps - Safety specifications;
  • IEC 60335 Household and similar electrical appliances - Safety;
  • IEC 60065 Audio, video and similar electronic apparatus - Safety requirements;
  • EN 692 Mechanical presses - Safety;
  • EN 50088 Safety of electric toys.

Product standards:

  • standards of the Codex Alimentarius Commission for individual products (CODEX STAN 12-1981, CODEX STAN 13-1981, etc.);
  • ISO 3500:2005 Gas cylinders - Seamless steel CO2 cylinders for fixed fire-fighting installations on ships;
  • ISO 4706:2008 Gas cylinders - Refillable welded steel cylinders - Test pressure 60 bar and below;
  • EN 13109:2002 LPG tanks - Disposal;
  • EN 13807:2003 Transportable gas cylinders - Battery vehicles - Design, manufacture, identification and testing;
  • GOST 10003-90 Styrene - Specifications;
  • GOST 10007-80 Fluoroplast-4 - Specifications;
  • GOST 10121-76 Transformer oil of selective purification - Specifications;
  • GOST 10037-83 Autoclaves for the construction industry - Specifications.

Means of protection are divided into collective protection equipment (SKZ, from the Russian abbreviation) and personal protective equipment (PPE). SKZ and PPE are in turn divided into groups according to the nature of the hazard, design, scope of application, etc.

Basic Safety Standards

In the European Union, occupational risk assessment requirements are contained in:

  • Directive 89/391/EEC (requirements for the introduction of occupational risk assessment in EU Member States);
  • individual EU directives on safety at work (89/654/EEC, 89/655/EEC, 89/656/EEC, 90/269/EEC, 90/270/EEC, 1999/92/EC, etc.) and on the protection of workers from chemical, physical and biological risks, carcinogens and mutagens (98/24/EC, 2000/54/EC, 2002/44/EC, 2003/10/EC, 2004/40/EC, 2004/37/EC, etc.).

The EU ATEX directives also occupy a special place in the field of safety; one is addressed to manufacturers and the other to equipment users:

  • "ATEX 95 equipment" (Directive 94/9/EC) - equipment and protective systems intended for use in potentially explosive atmospheres;
  • "ATEX 137 workplace" (Directive 1999/92/EC) - minimum requirements for improving the safety and health protection of workers potentially at risk from explosive atmospheres.

Given the importance of occupational risk assessment for safety in the workplace, the European Agency for Safety and Health at Work published its Guidance on risk assessment at work in 1996 and continually adds useful examples of hazard identification for occupational risk assessment.

The requirements of the European REACH Regulation are also, in general, aimed at ensuring safety. This system is based on managing the risks associated with substances contained in chemical compounds and, in some cases, in articles.

An important place is occupied by the Occupational Safety Standards System (GOST SSBT) standards. These form a well-built system that exists in only a few countries in the world. Thus the safety of production equipment must comply with GOST 12.2.003 and that of production processes with GOST 12.3.002. Where hazardous substances are produced, stored or used, the safety requirements are determined in accordance with GOST 12.1.007. Means of protection (devices, elements) must comply with GOST 12.4.011 and, where there is a fire or explosion hazard, also with GOST 12.1.004.

Requirements for the safety of buildings/structures are determined by building codes and regulations.

Medical standards and regulations are also of great importance (GMP - Good Manufacturing Practice, GLP - Good Laboratory Practice, GDP - Good Distribution Practice, GPP - Good Pharmacy Practice, etc.).

Food safety standards are determined by the Codex Alimentarius Commission. There are also safety regulations in veterinary medicine, crop production.

The development of space flight and nuclear power and the growing complexity of aviation technology have led to system safety being singled out as an independent area of activity (for example, the IAEA published a new structure of safety standards: GS-R-1 "Legal and Governmental Infrastructure for Nuclear, Radiation, Radioactive Waste and Transport Safety"). As far back as 1969 the US Department of Defense adopted MIL-STD-882 "System Safety Program Requirements", which sets out the requirements for all industrial contractors on military programs.

Important documents are material safety data sheets (MSDS; under the GHS system the term is now simply safety data sheet, SDS). An MSDS typically contains the following sections:

  • product identification;
  • hazardous constituents;
  • potential health effects (skin contact, ingestion, exposure dose limits, irritant effect, sensitizing effect, mutually reinforcing effect in contact with other chemicals, short-term and long-term exposure, effects on reproduction, mutagenicity, carcinogenicity);
  • first aid procedures (contact with skin, eyes, ingestion, inhalation);
  • fire and explosion hazard (flammability and the conditions under which it arises, fire-fighting methods and procedures, hazardous combustion products);
  • reactivity data (chemical stability, reactive conditions, hazardous decomposition products);
  • spill and leak response (including waste disposal and degradation/toxicity to aquatic life, soil and air);
  • exposure control and personal protective equipment (engineering controls, gloves, respiratory and eye protection, safety footwear, protective clothing);
  • requirements for storage and handling of the substance (storage, handling, transportation);
  • physical characteristics of the substance;
  • environmental, regulatory and additional information.

Such sheets are prepared by the manufacturer and handed to the user/consumer. Data from the MSDS must be included in the production and labor protection instructions.

Facts

Examples of product recalls due to their danger

  • In 2009 Apple recalled iPod nano 1G players because of the risk of battery explosion (http://proit.com.ua/print/?id=20223).
  • In 2010 McDonald's recalled 12 million collectible glasses with Shrek cartoon imagery in the United States after cadmium was found in the paint used on them (www.gazeta.ru/news/lenta/... /n_1503285.shtml).
  • In 2008 thousands of infants in China were hospitalized after being poisoned by formula milk found to contain melamine. Sanlu issued a formal apology to its consumers, stating that milk suppliers had added the toxic substance to their products (http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/hi/russian/ international/newsid_7620000/7620305.stm).
  • The French agency for the safety of medical products ordered the recall of one type of silicone implant from April 1, 2010, because it had not passed the required tests (http://www.newsru.co.il/health/01apr2010/pip301.html).
  • Thule found that its roof rack kit (products manufactured between January 1, 2008 and February 28, 2009) was not strong enough because of a brittle bolt supplied with it. Internal testing by the company established that the bolt in the base did not meet the company's safety standards. Because of the high risk to consumers (failure of the bolt under load could cause the rack and its load to come off while driving), Thule decided to withdraw the product from circulation immediately (http://www2.thulegroup.com/en/Product-Recall /Introduction2/).

Conclusion

Professionals who develop safety standards need to pay more attention to harmonizing the regulations applied in different areas, for example by using the approaches embodied in Heisenberg's uncertainty principle and Bohr's complementarity principle. Human error and the elimination of organizational weaknesses must not be forgotten either. The introduction of risk management at enterprises will help raise the level of safety. In recent years risk management standards have been actively developed (ISO 31000, IEC/ISO 31010 and related documents); studying and applying them also contributes to improving the safety culture.

Of course, in the field of security, standards, regulations, norms, rules, instructions are necessary, but their implementation is no less important.

To ensure security, you need to know the answers to the questions:

1. What is the likelihood of an incident occurring?

2. What will be the negative consequences?

3. How to minimize them?

4. How to continue activities during and after an incident?

5. What are the recovery priorities and timeframes?

6. What, how, when and for whom needs to be done?

7. What preventive measures should be taken to prevent / minimize negative consequences?

References

1. GOST 12.1.007-76 (1999). SSBT. Harmful substances. Classification and general safety requirements.

2. GOST 12.1.004-91. SSBT. Fire safety. General requirements.

3. GOST 12.2.003-91. SSBT. Production equipment. General safety requirements.

4. GOST 12.3.002-75 (2000). SSBT. Production processes. General safety requirements.

5. GOST 12.4.011-89. SSBT. Means of protection for workers. General requirements and classification.

6. GOST R 51898-2002. Safety aspects. Rules for inclusion in standards.

7. GOST R 12.1.052-97. SSBT. Information on the safety of substances and materials (Safety Data Sheet). Basic provisions.

8. GOST R ISO 13849-1-2003. Safety of machinery. Safety-related parts of control systems. Part 1. General principles for design.

9. BS 31100:2008. Risk management. Code of practice.

10. BS OHSAS 18001:2007. Occupational health and safety management systems. Requirements.

11. CWA 15793:2008. Laboratory biorisk management standard.

12. ISO/IEC Guide 51:1999. Safety aspects. Guidelines for their inclusion in standards.

13. ISO/IEC Guide 73:2009. Risk management. Vocabulary. Guidelines for use in standards.

14. ISO 31000:2009. Risk management. Principles and guidelines.

15. IEC/ISO 31010:2009. Risk management. Risk assessment techniques.

16. ISO 15190:2003. Medical laboratories. Requirements for safety.

17. Reason J. Human Error. New York: Cambridge University Press, 1990. 316 p.

18. Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC.
