1. Overview of GOST R 57580.1-2017 requirements
Sergei Borisov
Diana Leychuk
2. Presenters of the fourth edition
Sergei Borisov
Deputy Head of Information Security, Krasnodar branch office of USSC
15 years in information security
Blog: https://sborisov.blogspot.com
Diana Leychuk
Audit manager, USSC Analytical Centre, Yekaterinburg
8 years in information security
CISM
3. Plan
Overview of GOST R 57580.1-2017
Recommendations for implementing the priority measures
Discussion of difficult-to-implement measures
Roadmap for implementing the requirements
4. GOST R 57580.1-2017
The basis of an effective information protection system
A set of best practices:
✓ uniform terminology
✓ a catalogue of 408 information protection measures
✓ a framework that helps identify the objects of protection, determine the required protection level, select the protection measures and decide how to implement them
✓ a methodology (GOST R 57580.2) for assessing the selection and implementation of protection measures in the organisation and the resulting level of compliance
✓ recommendations for implementing individual measures*
5. Security contours and protection levels
Security contour
A set of information objects, within the scope of this standard, that are used to implement business processes and/or technological processes of a financial institution of a single degree of criticality (importance), and to which the financial institution applies a single information protection policy (regime), i.e. a single set of information protection requirements.
Information protection level
A defined set of information protection measures, included in the information protection system and in the system for organising and managing information protection, that are applied together within a security contour to implement an information protection policy (regime) appropriate to the criticality of the protected information of the financial institution's business processes and/or technological processes.
6. Requirements of Bank of Russia regulations
683-П (all credit institutions):
✓ implement the enhanced or standard protection level and conduct an assessment of compliance with it;
✓ ensure a compliance level of at least 3 from 01.01.2021;
✓ ensure a compliance level of at least 4 from 01.01.2023.
684-П (non-credit financial institutions):
✓ implement the enhanced or standard protection level and conduct a compliance assessment from 01.01.2021;
✓ ensure a compliance level of at least 3 from 01.01.2022;
✓ ensure a compliance level of at least 4 from 01.07.2023.
672-П (participants of the Bank of Russia payment system):
✓ implement the enhanced or standard protection level and conduct a compliance assessment from 06.04.2019;
✓ ensure a compliance level of at least 4 from 01.07.2021.
Order No. 321 of the Ministry of Communications (banks connecting to the Unified Biometric System, EBS):
✓ implement the standard protection level from 01.07.2021.
7. Regulatory acts that require a protection level in accordance with GOST R 57580.1
Every act in the table below applies the requirement to the same four classes of objects: automated systems, software, computer hardware and telecommunications equipment. The acts differ only in the activity for which those objects are used and operated:
683-П: banking operations
684-П: financial operations
382-П (new edition): money transfers
672-П: money transfers (Bank of Russia payment system)
Order No. 321 of the Ministry of Communications: identification using biometrics
8. Example of a protection measure from GOST R 57580.1-2017
Measure UZP.21 (protection levels 3 / 2 / 1: Н / О / Т)
Implement logical access rights management rules that prevent a single logical access subject from combining the following functions:
• operation and/or supervision of the operation of an access resource, including an AS, at the same time as the intended use of that resource in the financial institution's business process;
• creation and/or modernisation of an access resource, including an AS, at the same time as the intended use of that resource in the financial institution's business process;
• operation of information protection tools and systems at the same time as monitoring of their operation;
• management of logical access subject accounts at the same time as management of those subjects' logical access rights.
Legend for the level columns:
Н – the measure is not applicable at this level
О – organisational measure
Т – technical measure
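UZP.21 is a separation-of-duties constraint, and it is easiest to enforce when the IDM checks every role assignment against a list of incompatible functions instead of relying on reviewers to spot the combinations by eye. The script below is an added example written for this page, not code from the presentation or from USSC: the role names, the role-to-function mapping and the sample assignment export are constructed, and only the four forbidden function pairs come from the UZP.21 text. It reports existing violations in an exported assignment list and pre-checks a proposed grant the way an IDM approval step would.

```python
"""Added example: checking role assignments against the UZP.21 separation-of-duties rules.

Not code from the presentation or from USSC. Role names, the role-to-function
mapping and the sample assignments are constructed for this example; only the
four incompatible function pairs come from the UZP.21 text.
"""
from itertools import combinations

# Functions named in UZP.21 (the labels are this example's own shorthand).
OPERATE = "operate_resource"             # operating / supervising the resource, incl. the AS
BUILD = "create_or_modify_resource"      # creating or modernising the resource
USE = "use_resource_in_business"         # intended use within the business process
OPERATE_SZI = "operate_protection_tools"
MONITOR_SZI = "monitor_protection_tools"
MANAGE_ACCOUNTS = "manage_accounts"
MANAGE_RIGHTS = "manage_access_rights"

# The four pairs UZP.21 forbids one logical access subject from combining.
UZP21_CONFLICTS = {
    frozenset({OPERATE, USE}),
    frozenset({BUILD, USE}),
    frozenset({OPERATE_SZI, MONITOR_SZI}),
    frozenset({MANAGE_ACCOUNTS, MANAGE_RIGHTS}),
}

# Constructed role model: which UZP.21 functions each IDM role grants.
ROLE_FUNCTIONS = {
    "abs_teller": {USE},
    "abs_admin": {OPERATE},
    "abs_developer": {BUILD},
    "szi_admin": {OPERATE_SZI},
    "soc_analyst": {MONITOR_SZI},
    "idm_account_operator": {MANAGE_ACCOUNTS},
    "idm_rights_operator": {MANAGE_RIGHTS},
}


def functions_of(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by a set of roles; an unmapped role raises KeyError."""
    result = set()
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"role without a function mapping: {role}")
        result |= role_functions[role]
    return result


def find_sod_violations(assignments, role_functions=ROLE_FUNCTIONS, conflicts=UZP21_CONFLICTS):
    """Return [(subject, function_a, function_b), ...] for every forbidden combination.

    `assignments` maps subject -> iterable of role names, as an IDM export would.
    """
    violations = []
    for subject in sorted(assignments):
        held = functions_of(assignments[subject], role_functions)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((subject, a, b))
    return violations


def is_grant_allowed(current_roles, new_role, role_functions=ROLE_FUNCTIONS, conflicts=UZP21_CONFLICTS):
    """Pre-grant check for an approval workflow: True if adding new_role keeps the subject compliant."""
    trial = {"candidate": list(current_roles) + [new_role]}
    return not find_sod_violations(trial, role_functions, conflicts)


# Constructed sample export from an IDM.
SAMPLE_ASSIGNMENTS = {
    "ivanov": ["abs_teller"],
    "petrov": ["abs_admin", "abs_teller"],        # operates and uses the same AS -> violation
    "sidorov": ["szi_admin", "soc_analyst"],      # runs the SZI and monitors them -> violation
    "smirnova": ["idm_account_operator"],
    "kuznetsov": ["abs_developer"],
}

if __name__ == "__main__":
    for subject, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"UZP.21 violation: {subject} combines {a} and {b}")
```

The check works on functions rather than on role names, so a role that is later widened to grant a second function is caught without rewriting the conflict list; an unmapped role is treated as an error rather than silently passing, because a role the SoD model does not know about is exactly the one that hides a violation.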
10. Objects and access resources
Access objects: as a minimum, consider
✓ user workstations
✓ maintenance personnel workstations
✓ server hardware
✓ network equipment
✓ SAN
✓ HSM
✓ printing and copying devices
✓ devices in public places (ATMs, payment terminals)
Access resources: as a minimum, consider
✓ automated systems (AS)
✓ databases
✓ network file shares
✓ virtual machines with server components
✓ virtual machines with user workstations
✓ e-mail services
✓ web services
11. Structuring information protection measures
Each information protection process consists of a "Selection" column (its groups of measures) and four directions that are the same for every process: Planning (PZI), Implementation (RZI), Control (KZI) and Improvement (SZI).
Process: groups of measures
1. Information protection in access control: UZP, RD, FD, IU
2. Protection of computer networks: SME, VSA, ZVS, ZBS
3. Control of the integrity and security of the information infrastructure: TsZI
4. Protection against malicious code: ZVK
5. Prevention of information leaks: PUI
6. Information security incident management: MAS, RI
7. Protection of the virtualisation environment: ZSV
8. Information security in remote logical access using mobile (portable) devices: ZUD
Information protection at the life-cycle stages of automated systems and applications: ZhTs
13. Structuring information protection measures
Hierarchy: processes → sub-processes → groups of measures → measures.
Example (protection levels 3 / 2 / 1):
Group of measures: registration of information security events related to the implementation of information leakage prevention
Measure PUI.33: registration of events of erasure of information from machine storage media (MNI): О / О / О
14. Selecting protection measures from GOST R 57580.1-2017
1. Select the basic set of measures for the protection level.
2. Adapt the selected set of measures to the threat model and to the structural and functional characteristics of the objects.
3. Exclude measures that do not relate to the information technologies in use.
4. Supplement the measures with the requirements of other regulatory acts.
5. Apply the measures.
15. Protection level of a contour
The protection level of a security contour is determined from:
✓ the threat model
✓ the characteristics of the objects
✓ the degree of automation
✓ an assessment of the feasibility of implementation
✓ a risk assessment
✓ the information processed by the object
✓ the information technologies used
✓ other regulatory acts
16. Compliance levels according to GOST R 57580.2
Process assessment E: compliance level
E = 0: zero
0 < E ≤ 0.5: first
0.5 < E ≤ 0.7: second
0.7 < E ≤ 0.85: third
0.85 < E ≤ 0.9: fourth
17. Plan
Overview of GOST R 57580.1-2017
Recommendations for implementing the priority measures
Discussion of difficult-to-implement measures
Roadmap for implementing the requirements
18. Threat model
Current threat model:
✓ covers the security contours
✓ maps current threats to the protection measures of GOST R 57580.1-2017
✓ is used when selecting protection measures and when justifying the application of compensatory measures
Need for certified protection tools:
✓ identifies the threats whose neutralisation requires certified information protection tools
19. Regulation on the applicability of measures from GOST R 57580.1-2017
✓ List of security contours and the protection levels required for them
✓ Selection of measures for the listed contours, with the rationale for each choice: presence in the basic set, adaptation, exclusion, addition
✓ Identification of measures that are not technically feasible or expedient to implement, with justification of the impossibility or economic impracticability
✓ Definition of compensatory measures, with justification for applying each of them
✓ Definition of certified protection tools: a record of the measures that require certified information protection tools (where necessary to neutralise current threats)
✓ Implementation of the measures of the "Information protection planning" direction (PZI.1–PZI.4)
20. Regulation on the applicability of measures from GOST R 57580.1-2017
21. Implementation plan for the first phase of protection measures
For each information protection measure, the plan records:
✓ the security contours for which the measure is necessary
✓ the way the measure is implemented: organisational or technical, built-in or overlay protection tools, a specific tool
✓ the person responsible for implementation
✓ the implementation period
✓ the planned outcome
23. Plan
Overview of GOST R 57580.1
Recommendations for implementing the priority measures
Discussion of difficult-to-implement measures
Roadmap for implementing the requirements
24. P1. Information protection in access control
Technical measures:
⮚ 2FA
⮚ IDM and/or access request management system and/or EDMS
⮚ SSO
⮚ SIEM
⮚ video surveillance system
⮚ IT asset register and/or CMDB
Built-in features of:
⮚ AS
⮚ OS
⮚ DBMS
⮚ network equipment
⮚ file services
⮚ virtualisation systems
⮚ AD and/or LDAP
⮚ BIOS and/or UEFI
Organisational measures:
⮚ regulation on logical access management
⮚ order appointing resource owners
⮚ regulation on physical access management
⮚ register of access resources
25. P2. Protection of computer networks
Technical measures:
⮚ FW (L3 and L7)
⮚ IPS
⮚ VPN
⮚ Mail GW
⮚ Anti-DDoS
⮚ SIEM
⮚ CMDB
Built-in features of:
⮚ network equipment
⮚ e-mail systems
⮚ network management system
⮚ AS
⮚ OS
⮚ DBMS
⮚ file services
Organisational measures:
⮚ regulation on working with removable media (control of the content of information transferred between segments of a security contour on removable media)
26. P3. Control of the integrity and security of the information infrastructure
Technical measures:
⮚ vulnerability scanner (VM)
⮚ penetration testing service
⮚ software update management system
⮚ intrusion detection and/or endpoint protection
⮚ AV
⮚ SIEM
Built-in features of:
⮚ AS
⮚ OS
⮚ application software
⮚ browser
⮚ DBMS
⮚ network equipment
Organisational measures:
⮚ vulnerability management regulation
⮚ software updating
⮚ availability of reference copies of software and the ability to restore from them
⮚ list of software approved for installation
27. P4. Protection against malicious code
Technical measures:
⮚ AV or endpoint protection
⮚ NGFW
⮚ Web GW
⮚ Mail GW
⮚ SIEM
Built-in features of:
⮚ OS
⮚ browser
⮚ AD
Organisational measures:
⮚ regulation on anti-virus protection
⮚ procedure for preliminary checking of software before it is installed or modified
⮚ prohibition of uncontrolled opening of self-extracting archives and executable files received from the Internet
28. P5. Prevention of information leaks
Technical measures:
⮚ DLP
⮚ Web GW
⮚ Mail GW
⮚ endpoint protection
⮚ Failure to comply
⮚ information erasure tool
⮚ SIEM
Built-in features of:
⮚ e-mail systems
Organisational measures:
⮚ regulation on handling removable machine storage media (MNI)
⮚ prohibition of processing protected information on workstations connected to the Internet
⮚ logging of the erasure of information from MNI
29. P6. Information security incident management
Technical measures:
⮚ SIEM
⮚ VPN
⮚ Failure to comply
⮚ NTP
⮚ incident management system (IRP)
Built-in features of:
⮚ AS
⮚ OS
⮚ network management systems
⮚ service monitoring systems
Organisational measures:
⮚ regulation on information security incident management
⮚ formation of an information security incident response team with a defined list of roles
30. P7. Protection of the virtualisation environment
Technical measures:
⮚ virtualisation environment protection tool
⮚ FW (L3 and L7)
⮚ 2FA
Built-in features of:
⮚ virtualisation environments
⮚ SAN
⮚ network equipment
⮚ AD and/or LDAP
Organisational measures:
⮚ regulation on protection of the virtual infrastructure
31. P8. Information security in remote logical access from mobile devices
Technical measures:
⮚ MDM
⮚ 2FA
⮚ VPN
⮚ FW
Built-in features of:
⮚ AS
⮚ OS
⮚ DBMS
⮚ network equipment
⮚ file services
Organisational measures:
⮚ regulation on remote access to resources
32. Information protection at the life-cycle stages of automated systems
Technical measures:
⮚ all information protection tools
Built-in features of:
⮚ AS
Organisational measures:
⮚ list of protected information processed in the AS
⮚ composition and application of organisational and technical protection measures
⮚ prohibition of using protected information in development and test segments
⮚ regulation for controlling the application of protection measures
⮚ maintenance of technical protection measures for the duration of their use (technical support contracts)
⮚ vulnerability management regulation / procedure for prompt remediation of detected vulnerabilities
33. Difficult-to-implement technical measures
1. Two-factor authentication
✓ P.1 RD.4: identification and multi-factor authentication of operating personnel
✓ P.1 RD.28: registration of the personalisation, issuance (transfer) and destruction of personal technical authentication devices that implement multi-factor authentication
✓ P.1 UZP.26: registration of information security events related to the actions, and control of the actions, of operating personnel who hold rights to manage the technical measures implementing multi-factor authentication
✓ P.7 ZSV.9: control and logging of maintenance staff access to server virtualisation and storage components, with two-factor authentication
✓ P.8 ZUD.5: identification, two-factor authentication and authorisation of access subjects after the secure network connection is established, in addition to the authentication required by measures MDS.2 and MDS.4
34. Difficult-to-implement technical measures
2. Account and access rights management systems (IDM)
✓ UZP.9: control of the consistency of the actual logical access rights with the reference information on the rights granted
✓ UZP.13: control of the termination of logical access and blocking of accounts when the logical access period expires
✓ UZP.14: detection of logical access subjects that have not exercised their logical access rights for a set period of time
✓ UZP.17: ability to determine the set of logical access rights granted for a specific access resource
✓ UZP.18: ability to determine the set of logical access rights of a specific logical access subject
✓ UZP.19 and UZP.20: definition of roles, and implementation of logical access rights management rules so that one subject does not combine logical access to roles that must be kept separate
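Three of the IDM measures above (UZP.9, UZP.13 and UZP.14) are recurring comparisons over account and rights data, which is what makes them hard to sustain by hand. The script below is an added example for this page, not code from the presentation or from USSC; the record layout (login, enabled, valid_until, last_logon), the reference/actual rights dictionaries and all sample data are constructed. It runs the three checks over an IDM reference, an export read back from the resource, and account metadata, and returns the findings in a form that can be turned into revocation tickets.

```python
"""Added example: the three recurring IDM checks behind UZP.9, UZP.13 and UZP.14.

Not code from the presentation or from USSC. The record layout, the
reference/actual rights structures and the sample data are constructed
for this example.
"""
from datetime import date, timedelta


def reconcile_rights(reference, actual):
    """UZP.9: compare the rights actually present on resources with the reference granted in IDM.

    Both arguments map subject -> {resource: set(rights)}. Returns (excess, missing):
    excess  = rights found on a resource that the reference does not grant (to be revoked);
    missing = rights the reference grants that the resource does not have (to be restored).
    Each entry is a (subject, resource, right) tuple, in sorted order.
    """
    excess, missing = [], []
    for subject in sorted(set(reference) | set(actual)):
        ref_res = reference.get(subject, {})
        act_res = actual.get(subject, {})
        for resource in sorted(set(ref_res) | set(act_res)):
            granted = ref_res.get(resource, set())
            present = act_res.get(resource, set())
            excess += [(subject, resource, r) for r in sorted(present - granted)]
            missing += [(subject, resource, r) for r in sorted(granted - present)]
    return excess, missing


def expired_accounts(accounts, today):
    """UZP.13: enabled accounts whose approved access period has already ended.

    Each account is a dict with keys login, enabled (bool), valid_until (date), last_logon (date or None).
    """
    return sorted(a["login"] for a in accounts if a["enabled"] and a["valid_until"] < today)


def dormant_accounts(accounts, today, max_idle_days=90):
    """UZP.14: enabled accounts that have not exercised their access for max_idle_days.

    An account that has never logged on counts as dormant: it holds rights it has never needed.
    """
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        a["login"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def access_review(accounts, reference, actual, today, max_idle_days=90):
    """Run all three checks and return the findings as one dict, ready for a report or a ticket."""
    excess, missing = reconcile_rights(reference, actual)
    return {
        "uzp9_excess_rights": excess,
        "uzp9_missing_rights": missing,
        "uzp13_expired": expired_accounts(accounts, today),
        "uzp14_dormant": dormant_accounts(accounts, today, max_idle_days),
    }


# Constructed sample data: the IDM reference, an export read from the resource, and account metadata.
TODAY = date(2021, 3, 1)

REFERENCE_RIGHTS = {
    "ivanov": {"abs_db": {"read"}},
    "petrov": {"abs_db": {"read", "write"}},
}

ACTUAL_RIGHTS = {
    "ivanov": {"abs_db": {"read", "write"}},   # "write" was added directly on the resource
    "petrov": {"abs_db": {"read"}},            # "write" approved in IDM but never applied
    "ghost": {"abs_db": {"read"}},             # account unknown to IDM
}

ACCOUNTS = [
    {"login": "ivanov", "enabled": True, "valid_until": date(2021, 12, 31), "last_logon": date(2021, 2, 26)},
    {"login": "petrov", "enabled": True, "valid_until": date(2021, 1, 31), "last_logon": date(2021, 2, 28)},
    {"login": "contractor1", "enabled": True, "valid_until": date(2021, 6, 30), "last_logon": date(2020, 10, 1)},
    {"login": "svc_backup", "enabled": True, "valid_until": date(2021, 12, 31), "last_logon": None},
    {"login": "sidorov", "enabled": False, "valid_until": date(2020, 6, 30), "last_logon": date(2020, 6, 1)},
]

if __name__ == "__main__":
    for finding, items in access_review(ACCOUNTS, REFERENCE_RIGHTS, ACTUAL_RIGHTS, TODAY).items():
        print(finding, items)
```

The reconciliation is symmetric on purpose: excess rights are the security finding, but missing rights show that the resource is being administered outside the IDM, which is the root cause to fix. The expiry check only looks at accounts that are still enabled, because an expired account that is already blocked is UZP.13 working as intended.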
35. Difficult-to-implement technical measures
3. Internal network firewalling (L3 and L7) between:
✓ segments of security contours
✓ development and test segments
✓ segments for ATMs and payment terminals
✓ wireless network segments
✓ segments of the virtualisation system
✓ the segment for checking removable media
✓ the mobile segment
✓ other internal segments
4. Detection of malicious code in Internet traffic
36. How often individual types of protection tools take part in implementing measures (number of measures)
Firewall (FW): 35
IS event management system (SIEM): 32
Anti-malware tools (AV): 25
Virtualisation environment protection tool: 20
E-mail protection gateway (Mail GW): 19
Web traffic filtering system (Web GW): 17
Account management system (IDM): 17
Two-factor authentication system (2FA): 17
Next-generation firewall (NGFW): 15
Software update management system: 10
Failure to comply: 10
Incident management system (IRP): 8
38. Implementing organisational protection measures
Measure (protection levels 3 / 2 / 1):
RD.26: keep copies of the authentication data of operating personnel on dedicated machine storage media (MNI) or on paper: О / О / О
RD.27: protect the copies of authentication data of operating personnel against unauthorised access while they are stored on MNI or on paper: О / О / О
FD.6: appoint a physical access manager for every premises: О / О / О
FD.7: grant physical access rights at the decision of the physical access manager: О / О / О
RZI.10: ensure that technical information protection measures can be maintained throughout their service life: Н / О / О
ZhTs.8: use application software that is certified for compliance with information security requirements, or for which a vulnerability analysis has been carried out at an evaluation assurance level not lower than EAL 4 (OUD 4) in accordance with GOST R ISO/IEC 15408-3: Н / О / О
40. Implementing organisational protection measures
RI.9 (protection levels 3 / 2 / 1: Н / О / О): allocate the following main roles within the information security incident response team (GRIZI):
• head of GRIZI, whose main responsibility is the operational management of the response to information security incidents;
• GRIZI dispatcher (operator), whose main responsibility is the collection and recording of information on information security incidents;
• GRIZI analyst, whose main responsibility is the direct response to an information security incident;
• GRIZI secretary, whose main responsibilities are documenting the results of incident response and preparing analytical reports.
42. Plan
Overview of GOST R 57580.1
Recommendations for implementing the priority measures
Discussion of difficult-to-implement measures
Roadmap for implementing the requirements
43. Roadmap for the implementation of GOST R 57580.1-2017
The roadmap follows the stages Selection, Planning, Implementation, Control and Improvement.
Selection (1–2 months):
1. Threat modelling
2. Regulation on the applicability of measures from GOST R 57580.1-2017
3. IS policy
44. Roadmap for the implementation of GOST R 57580.1-2017
Planning (1–2 months):
1. Self-assessment and gap analysis
2. Plans for implementing the first phase of measures
45. Roadmap for the implementation of GOST R 57580.1-2017
Implementation (1–6 months):
Implementation of the first phase of measures
46. Roadmap for the implementation of GOST R 57580.1-2017
Control (2–3 months, completed before the 01.01.2021 deadline):
Assessment of the compliance level with the involvement of FSTEC of Russia licensees
48. About us
Experience
USSC specialists have been carrying out information security projects for more than 10 years.
Certifications
The project team consists of staff with higher professional education in speciality 090100 "Information Security" who hold the following certificates:
⮚ Certified Information Systems Auditor (CISA);
⮚ Certified Information Systems Security Professional (CISSP);
⮚ Certified Information Security Manager (CISM);
⮚ Cisco Certified Internetwork Expert (CCIE);
⮚ Certified Ethical Hacker (CEH);
⮚ Computer Hacking Forensic Investigator (CHFI);
⮚ Offensive Security Certified Professional (OSCP);
⮚ Offensive Security Certified Expert (OSCE).
49. Competencies
The Ural Centre of Security Systems (USSC) is an expert company in the secure use of information technology. Since 2007 the company has been growing steadily, building up its competencies and carrying out increasingly complex projects.
Areas of competence:
⮚ information technology
⮚ information security
⮚ engineering and technical security systems
⮚ infrastructure
⮚ security analysis service
⮚ security of industrial automation and control systems
23 Tkachey St., Ekaterinburg, 620100
Tel.: +7 (343) 379-98-34, e-mail: info@ussc.ru
50. Questions?
Thank you for your attention!
Sergei Borisov, Krasnodar branch office: sborisov@ussc.ru
Diana Leychuk, Analytical Centre: dleichuk@ussc.ru