STEP LOGIC has developed a detailed methodology for categorising critical information infrastructure objects

Moscow, October 30, 2018. The specialists of the Information and Network Security Department at STEP LOGIC have developed a methodology for categorising critical information infrastructure objects in accordance with the requirements of Federal Law No. 187-FZ of July 26, 2017 “On the Security of Critical Information Infrastructure of the Russian Federation”. The document contains a detailed action plan, practical examples, a series of questions and answers, as well as templates of necessary documents that will help organisations independently determine the significance category of the CII objects and fulfil part of legal requirements. The methodology is distributed free of charge and can be downloaded by clicking this link.

The Law “On the Security of Critical Information Infrastructure of the Russian Federation” entered into force on January 1, 2018 and defined the concepts of objects and subjects of critical information infrastructure (CII) and responsibilities for ensuring the security of CII objects. The CII subjects, to which the requirements of the law apply, are state and commercial institutions operating in 13 areas that form the basis of the functioning of the state. They include the transport, communication, banking sector, the fuel and energy complex, the defence industry, the rocket and space industry, health care, science, etc. In accordance with the requirements of the law, enterprises and organisations should categorise their IP, ITS and ACS and notify the Federal Service for Technical and Export Control of the Russian Federation about the results.

“Currently, the issue of meeting the requirements of Federal Law No. 187 is particularly acute for our customers and the whole information security industry. In 2018, we have received and continue to receive hundreds of various questions regarding the implementation of the requirements of this law. At the same time, some companies and enterprises do not understand both how to categorise and whether they fall within the scope of this Federal Law. We have developed a detailed methodology for categorising CII objects to help organisations that are subjects of the CII. It includes answers to frequently asked questions and is distributed free of charge. We are not aware of any similar public documents in the market. I am sure that, having studied our document, companies' managers and specialists in information security can both get answers to current questions and solve the issue of compliance with some of the requirements of the law on their own,” says Nikolay Zabusov, Head of Information and Network Security at STEP LOGIC.

The developed categorisation methodology is based on the requirements of the laws and the experience of STEP LOGIC that was obtained in cooperation with organisations operating in areas that are subject to the requirements of the laws. The methodology contains information necessary for the independent collection of data, their analysis and making decisions on categorising CII objects. This will allow companies and enterprises to:

‒ fulfil part of the legal requirements on their own, saving the budget;

‒ consciously take responsibility for the CII objects, as required by the law;

‒ more accurately determine the budget and deadlines for the next stages, understanding the list and categories of objects to be protected;

‒ implement the requirements for categorising on time, due to the absence of the need to conclude additional contracts, surveys by third-party companies, etc.

You can download the methodology for categorising CII objects by filling in the feedback by clicking this link.