About the Trusted Software Registry of Kazakhstan

On May 21, 2020, by the Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan No. 206/NK, the information system for electronic document management and business process automation "Documentolog" was included in the Trusted Software Registry.

We wondered how this Registry works and how it can help domestic IT products? The General Director of Documentolog, Baizhan Kanafin, explains:

1. What is the Trusted Software Registry and what is its purpose?

According to the Law of the Republic of Kazakhstan "On Informatization" dated November 24, 2015, No. 418-V ZRK, Article 1, Subparagraph 52-1) the trusted software and electronic industry products registry is a list of software and electronic industry products that meet information security requirements, created to ensure the defense of the country and state security.

2. How to get into the Trusted Software Registry?

To include software in the Registry, the developing company must have:

• An industrial certificate (a document confirming the applicant's presence in the registry of domestic producers of goods, works, and services). Issued by the NPP "Atameken".

• A certificate of compliance with information security requirements of at least level 4 trust for software in accordance with ST RK ISO/IEC 15408-3 "Information technology. Security methods and tools. Criteria for IT security evaluation. Part 3. Requirements for protection" (hereinafter - ST RK ISO/IEC 15408-3) or a report on the results of testing for compliance with information security requirements issued by the authorized body in the field of information security assurance.

3. Who is the software included in the Registry intended for?

In paragraph 2 of Article 54 of the ZRK, it is stated that owners or holders of information systems of the "electronic government" and critically important objects of information and communication infrastructure (hereinafter - KVOIKI) are obliged to take measures to ensure the information security of the infrastructure. In paragraph 3-1 of Article 54 of the ZRK "On Informatization", it is established that the acquisition of goods to meet the requirements for ensuring information security for the defense of the country and state security is carried out from the Registry.

4. What are KVOIKI and who does it include?

Article 1, Subparagraph 24) critically important objects of information and communication infrastructure are objects of information and communication infrastructure, including the information and communication infrastructure of the "electronic government", the disruption or cessation of the functioning of which leads to an emergency of social and/or technological nature or to significant negative consequences for defense, security, international relations, the economy, individual sectors of the economy, the infrastructure of the Republic of Kazakhstan, or for the livelihoods of the population residing in the relevant territory; (hereinafter - KVOIKI). According to Articles 6 and 7-1 of the ZRK "On Informatization", the approval of the list of KVOIKI falls under the competence of the Government of the Republic of Kazakhstan in the field of informatization, and the development of the list of KVOIKI falls under the competence of the authorized body in the field of information security assurance.

In short, the state has singled out from all information systems in the country the objects "KVOIKI" that have value and importance for national security, to which special attention is paid regarding security. At the same time, not all infrastructure of the owning company may relate to KVOIKI, but only certain objects. The companies themselves are the owners of KVOIKI objects. The document containing the list of KVOIKI objects is classified and cannot be publicly available. However, information about the names of the companies that own KVOIKI objects is publicly accessible.

Documentolog officially sent a request to the Committee for Information Security of the Ministry of Digital Development, Innovations and Aerospace Industry and received a list of companies that own KVOIKI objects: this includes almost all large state and private industrial and financial companies in Kazakhstan. For example, companies that are part of the group of JSC "SFB "Samruk-Kazyna", JSC "NUH "Baiterek", all our banks, and other large companies. The list can be requested from the KIB.

5. Responsibility of KVOIKI owners

Article 54 of the ZRK "On Informatization" defines the measures that must be ensured by the owners or holders of KVOIKI. They are also obliged to apply and comply with the provisions of the Unified Requirements in the field of information and communication technologies and information security assurance (hereinafter - UR). In paragraph 29-1 of the UR, approved by the Resolution of the Government of the Republic of Kazakhstan dated December 20, 2016, No. 832, it is also established that the acquisition of goods to meet the requirements for ensuring information security for the defense of the country and state security is carried out from the registry of trusted software and electronic industry products in accordance with the legislation of the Republic of Kazakhstan on public procurement.

The responsibility of the owner or holder of KVOIKI in case of non-compliance with the requirements established by law:

According to subparagraph 2) of paragraph 1 of Article 641 of the Code of Administrative Offenses, a violation of the legislation of the Republic of Kazakhstan on informatization, committed in the form of violation of the unified requirements in the field of information and communication technologies and information security assurance, entails a fine for individuals in the amount of ten, for officials, small business entities, or non-profit organizations - in the amount of fifteen, for medium-sized business entities - in the amount of thirty, for large business entities - in the amount of one hundred monthly calculation indicators.

If the actions contain signs of a criminal nature, and they are committed in relation to critically important objects of information and communication infrastructure, then according to paragraph 1 of Article 187 of the Criminal Procedure Code of the Republic of Kazakhstan, preliminary investigation may be carried out by the national security agency.

Conclusions.

Since the list of companies that own KVOIKI objects is very large, it makes sense for domestic software development companies to go through the procedures to get into the Registry.

Officials working in companies that own KVOIKI objects are obliged to comply with the requirements of the ZRK "On Informatization". Otherwise, administrative and criminal liability is provided for violations.