When a company plans to do business in the Russian IT market, worth $18.4 billion in 2017*, certain requirements need to be met. One of them is gaining certification from the FSTEC (Federal Service for Technical and Export Control). Russian authorities require that a company’s source code be reviewed by independent testing centers and that the company complies with a set of requirements for FSTEC approval. From 1996 till date, only less than 50 Western companies have taken this step**. SER now is one of them and by this a certified member of the Russian IT sector.
Source code review
Despite some criticism, the FSTEC certification is a crucial asset for businesses operating in Russia. The source code reviews are conducted by independent testing centers in special laboratories which are controlled by the company to which the source code belongs. This ensures that no software data can be transferred or altered, and thus keeps the risk of economic espionage to a minimum. Russia is known to be very cautious in this regard, as the source code reviews were established to ensure that there are no back doors hidden in the source code which allow other nations to infiltrate Russian systems. Here, firewalls, anti-virus applications and software containing encryption are assessed before these products are allowed to be imported and sold in the country.
To gain FSTEC certification, companies need to meet several requirements. Here are some of the primary ones:
It is essential to have a proper and secure user rights management system in place to allow for the identification and authentication of users who are employed by the organization which operates the software solution. Moreover, user rights management has to cover the creation, activation, deactivation and deletion of internal and external user accounts.
A stringent access control methodology is crucial. It defines the methods, types (e.g. read-only, write, and edit rights) and rules for access and access rights management.
According to FSTEC, a separation of roles is mandatory. In most cases, roles for internal users, external users and administrators are created according to access control methodologies. The roles are assigned different types of access rights to the information system.
Access to the information system
The information system needs to have special protection in place to prevent unauthorized access from outside of the user groups.
Companies must ensure that mobile access is protected from unauthorized access and access attempts. Content and data must be secured.
The system must ensure that no unauthorized software and/or components are installed. All security measures must be logged.
Further details can be found here .
The FSTEC certification proves once again that our Doxis4 suite fulfills the highest security standards and that it complies with international standards
*According to International Data Corporation (IDC)