Testing of electronic government informatization objects for compliance with information security requirements

The service “Testing of electronic government informatization objects for compliance with information security requirements” (hereinafter referred to as Tests) is provided by JSC “State Technical Service” (hereinafter referred to as JSC STS) on the basis of subparagraph 7) of paragraph 1 of Article 14 of the Law of the Republic of Kazakhstan “On Informatization” dated November 24, 2015 (hereinafter referred to as the Law), and is performed as a type of activity in the field of informatization assigned to the state monopoly.

The tests include work on assessing the compliance of test objects with the requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards in the field of information security in force on the territory of the Republic of Kazakhstan and are carried out in the environment of regular operation of the test object.


1. The list of objects of informatization of “electronic government” for which Tests are mandatory and are carried out by JSC STS

In accordance with paragraph 2 of Article 49 of the Law of the Republic of Kazakhstan “On Informatization” dated November 24, 2015, Tests are mandatory and are carried out for the following informatization objects:

1) service software product;
2) information and communication platform of “electronic government”;
3) Internet resource of a state body (hereinafter – SB);
4) information system of a state body;
5) information system classified as a critical object of information and communication infrastructure;
6) a non-state information system designed for the formation of state electronic information resources, the implementation of state functions and the provision of public services.

Note: Tests for compliance with information security requirements of non-state information systems classified as critical information and communication infrastructure objects (with the exception of those that are informatization objects of the “electronic government”), and of other information systems that are not informatization objects of the “electronic government”, are carried out by accredited test laboratories in accordance with the Law and the legislation of the Republic of Kazakhstan in the field of technical regulation.


2. Applicable regulatory legal acts and standards:

1. Law of the Republic of Kazakhstan “On Informatization” dated November 24, 2015 No. 418-V (http://adilet.zan.kz/rus/docs/Z1500000418);
2. Law of the Republic of Kazakhstan “On Access to Information” dated November 16, 2015 No. 401-V (http://adilet.zan.kz/eng/docs/Z1500000401);
3. Decree of the Government of the Republic of Kazakhstan “On approval of uniform requirements in the field of information and communication technologies and information security” dated December 20, 2016 No. 832 (http://adilet.zan.kz/rus/docs/P1600000832);
4. Order of the Minister of Digital Development, Defense and Aerospace Industry of the Republic of Kazakhstan dated June 3, 2019 No. 111/НҚ “On approval of the methodology and rules for testing the objects of informatization of the “electronic government” and information systems classified as critical objects of information and communication infrastructure for compliance with information security requirements” (hereinafter referred to as the Rules) (http://adilet.zan.kz/rus/docs/V1900018795).
The methodology for testing the informatization objects of “electronic government” and information systems classified as critical objects of information and communication infrastructure for compliance with information security requirements establishes the composition and content of the Tests.
The rules for testing the informatization objects of “electronic government” and information systems classified as critical objects of information and communication infrastructure for compliance with information security requirements establish the procedure for conducting Tests.

5. Order of the acting Minister for Investment and Development of the Republic of Kazakhstan dated January 28, 2016 No. 135 “On Approval of the Rules for the Classification of Informatization Objects and the Classifier of Informatization Objects” (http://adilet.zan.kz/rus/docs/V1600013349);
6. Order of the Minister of Defense and Aerospace Industry of the Republic of Kazakhstan dated March 28, 2018 No. 52/НҚ “On approval of the rules for monitoring the information security of the objects of informatization of the “electronic government” and critical objects of information and communication infrastructure” (http://adilet.zan.kz/rus/docs/V1800017019);
7. Order of the acting Minister of Information and Communications of the Republic of Kazakhstan dated March 29, 2018 No. 123 “On Approval of the Rules for the Integration of Informatization Objects of the “Electronic Government”” (http://adilet.zan.kz/rus/docs/V1800016777);
8. Standard of the Republic of Kazakhstan ISO/IEC 15408-2-2017 “Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security. Part 2. Functional security requirements”;
9. Standard of the Republic of Kazakhstan ISO/IEC 13335-5-2008 “Methods and means of ensuring security. Management of protection of information and communication technologies. Part 5. Network Security Management Guide”;
10. Standard of the Republic of Kazakhstan ISO/IEC 27001-2015 “Methods and means of ensuring security. Information security management systems”;
11. Standard of the Republic of Kazakhstan ISO/IEC 27002-2015 “Methods and means of ensuring security. Code of Practice for Information Security Management Tools”.


3. Scope of work during testing (according to paragraph 2 of the Rules, with the exception of the service software product)

Tests consist of the following works (clause 7 of the Rules):
1) Analysis of source codes includes static and dynamic analysis of the software for the presence of defects, using software tools designed for source code analysis;

2) Testing of information security functions includes checking the compliance of the security functions of servers and virtual resources (the composition and content of the functions are presented in Appendix 1 to the Methodology) with the requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards in the field of information security in force on the territory of the Republic of Kazakhstan, including with the use of software tools (if necessary);

3) Load testing includes an assessment of the availability, integrity and confidentiality of the test object and identifies the parameters of its actual load capacity. It is carried out using specialized software on the basis of automated scenarios, in the standard operating environment of the test object, in which personal data is replaced by fictitious data;

4) Survey of the network infrastructure includes verification of the compliance of the network infrastructure protection functions with the requirements of technical documentation, regulatory legal acts of the Republic of Kazakhstan and standards in the field of information security in force in the Republic of Kazakhstan, scanning for software vulnerabilities, and examination of the applicant’s network infrastructure, including with the use of software tools if necessary (the composition and content of the functions are presented in Appendix 2 to the Methodology);

5) Survey of information security processes includes checking the compliance of information security processes (the composition and content of the functions are presented in Appendix 3 to the Methodology) with the requirements of regulatory legal acts and standards in the field of information security, scanning servers, virtual resources and network equipment with software tools for the presence of known vulnerabilities, and forming recommendations for their elimination (if necessary).

According to the test results for each type of work, a protocol is formed.


4. The testing of the service software product includes:

1) analysis of source codes;
2) testing of information security functions;
3) load test (clause 9 of the Rules).


5. The testing of the information and communication platform “electronic government” includes:

1) analysis of source codes;
2) testing of information security functions;
3) survey of network infrastructure;
4) examination of information security processes.


6. Cost of the service

The price for the service “Testing the informatization objects of the “electronic government” for compliance with information security requirements” is set by the order of the Chairman of the National Security Committee of the Republic of Kazakhstan dated October 23, 2018 No. ensuring information security” and is:

1) Source code analysis – 9,654 tenge per 1 MB;
2) Information security functions inspection – 840,255 tenge per 1 inspection object (system/subsystem);
3) Load testing – 528,371 tenge per 1 variant of the method (protocol) of connecting users and the method (protocol) of integration interaction;
4) Network infrastructure inspection – 924,405 tenge per 1 telecommunications network (subnet);
5) Examination of information security processes – 845,855 tenge per 1 inspection object (system/subsystem).

In order to receive a price offer (calculation of the cost) for the Testing service, the applicant sends an official request to JSC STS with an attached questionnaire on the characteristics of the test object, approved by the proprietor or owner of the test object, in accordance with paragraph 29 of the Rules.

If, when submitting an application for the Testing, the applicant needs to receive a price offer (calculation of the cost) of the Testing service, the applicant must send an official request about this to STS JSC.


7. Inspection Procedure


List of documents attached to the application submitted in step 1

For testing, the applicant submits, with a cover letter, an application for testing (hereinafter referred to as the application) on paper to JSC “State Technical Service” in the form set out in Appendix 1 to the Rules, together with the following documents (clause 15 of the Rules):

1) a copy of the power of attorney for a person authorized to sign contracts or a document on the appointment of the head of a legal entity (for legal entities);

2) a questionnaire on the characteristics of the test object in accordance with Appendix 2 to the Rules, approved by the proprietor or owner of the test object, on paper;

3) the terms of reference or technical specification for the informatization object, or the design assignment for an information and communication service (for a service software product), approved by the proprietor or owner, on a CD;

4) the source codes of the components and modules of the test object with the libraries and files necessary for successful compilation, on a CD (if necessary);

5) copies of the approved list of technical documentation on the information security of the test object, in accordance with Appendix 3 to the Rules in electronic form on a CD (if necessary);

6) a document by which the proprietor (owner) authorizes the applicant to apply for testing (if necessary).


8. The procedure for obtaining an act based on the results of tests for compliance with information security requirements

An act on the results of testing for compliance with information security requirements in the form set out in Appendix 4 to the Rules (hereinafter referred to as the test certificate) is issued by the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (hereinafter referred to as the service provider, authorized body).

To obtain a test certificate, the applicant (hereinafter referred to as the service recipient, applicant) sends to the service provider, in paper form or through the e-government web portal (hereinafter referred to as the portal), an application in the form set out in Appendix 7 to the Rules, with the full set of protocols specified in paragraphs 7-11 of the Rules and with a questionnaire on the characteristics of the test object in accordance with Appendix 2 to the Rules, approved by the proprietor or owner of the test object.

At the same time, the validity period of the protocol for a separate type of test for inclusion in the test report does not exceed one year from the date of issue of the protocol.

If the results of all test reports are positive, the application is considered within ten working days from the date of its registration. On the basis of the full set of test reports specified in clauses 7-11 of the Rules, the service provider, within seven working days, examines the test reports and checks the questionnaire on the characteristics of the test object submitted to the service provider for discrepancies with the questionnaires on the characteristics of the test object attached to the test reports, and then takes one of the following decisions:

1) on the issuance of a test certificate;

2) on refusal to issue a test certificate.

If a positive decision is made to issue a test certificate:

In the event of a decision to refuse to issue a test certificate:

when submitting an application in paper form, the service provider sends a reasoned response to the service recipient about the refusal to issue a test certificate in paper form;

when submitting an application through the portal, the service provider sends the service recipient a reasoned response to the refusal to issue a test certificate to the “personal account” in the form of an electronic document signed by an electronic digital signature (hereinafter – EDS) of an authorized person of the service provider.


9. In the absence of the source code of the test object or the impossibility of conducting other type(s) of tests

In the absence of the source code of the test object, or where it is impossible to conduct another type (or types) of tests, the decision on whether analysis of the source code or the other type(s) of tests of the test object may be omitted, at the request of the applicant, is taken by the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan.


10. In case of integration

In case of integration (current or planned) of the test object with another informatization object, tests are carried out with the inclusion in the test object of the components that provide the integration (integration module, integration subsystem, integration bus or other) (clause 14 of the Rules).


Contacts for consultations

For testing questions, please contact the contact persons of STS JSC by phone 1400, +7 (7172) 559999 (int. numbers: 319, 398, 420), e-mail synaq@sts.kz.

Frequently asked questions

Should a non-governmental information system undergo inspections for compliance with information security requirements?

A non-governmental information system is subject to mandatory inspections for compliance with information security requirements in cases where it:

1) it is intended for the formation of state electronic resources, the implementation of state functions and public services;

2) classified as critically important objects of information and communication infrastructure.

Who conducts the inspection of non-state information systems?

Inspection of a non-governmental information system intended for the formation of state electronic resources, the implementation of state functions and public services is carried out by JSC “STS”.

Inspections of other non-governmental information systems, including information systems classified as critical objects of information and communication infrastructure but not being informatization objects of the “electronic government”, are carried out by inspection laboratories accredited in accordance with the Law of the Republic of Kazakhstan “On Technical Regulation”.

How do I get a price offer for an inspection?

According to paragraph 29 of the Rules for the Inspection of a service software product, an “electronic government” information and communication platform, an internet resource of a state body and an information system for compliance with information security requirements, approved by the Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan dated 03.06.2019 No.111/нқ (hereinafter – Inspection Rules), for the cost calculation the applicant sends to JSC “STS” a questionnaire on the characteristics of the inspection object, approved by the proprietor or owner of the inspection object.

The cost of the inspection is calculated taking into account the tariffs approved by the Order of the Chairman of the National Security Committee of the Republic of Kazakhstan dated October 23, 2018 No.86/қе and the characteristics of the inspection object specified in the questionnaire.

What is the procedure for transferring the source codes of the inspection object?

The source codes of the components and modules of the inspection object with the libraries and files necessary for successful compilation are sent to JSC “STS” on a CD-ROM with the act of receiving and transmitting the source codes in accordance with Annex 5 to the Inspection Rules.

What documents do I need to submit for inspection?

To conduct an inspection, the applicant submits, with a cover letter, an application for inspection (hereinafter – application) on paper to JSC “State Technical Service” in the form set out in Annex 1 to the Rules, together with the following documents (paragraph 15 of the Rules):

1) a copy of a power of attorney for a person authorized to sign contracts or a document on the appointment of the head of a legal entity (for legal entities);

2) a questionnaire on the characteristics of the inspection object according to Annex 2 to the Rules, approved by the proprietor or owner of the inspection object, on paper;

3) the terms of reference or technical specification for the informatization object, or the design assignment for an information and communication service (for a service software product), approved by the proprietor or owner, on a CD-ROM;

4) source codes of components and modules of the inspection object with libraries and files necessary for successful compilation on a CD (if necessary);

5) copies of the approved list of technical documentation on the information security of the inspection facility, according to Annex 3 to the Rules in electronic form on a CD (if necessary);

6) a document by which the proprietor (owner) authorizes the applicant to submit an application for inspection (if necessary).

Which objects of informatization are subject to mandatory inspections?

According to paragraph 4 of the Inspection Regulations, the inspection objects subject to mandatory inspection for compliance with information security requirements include:

1) service software product;

2) information and communication platform of “electronic government”;

3) web sites of state bodies;

4) information system of state bodies;

5) information system classified as a critically important object of information and communication infrastructure;

6) non-governmental information system intended for the formation of state electronic information resources, the implementation of state functions and the provision of public services.

Are there any restrictions on the deadline for submitting an application for testing?

Restrictions on the deadline for submitting applications are defined in paragraph 16 of the Inspection Regulations for applicants who make purchases through the public procurement web portal. In this case, the application for inspection is accepted no later than November 1 of the current year. At the same time, if the applicant purchases through the public procurement web portal and has not sent a public procurement contract to the State Technical Service via the public procurement web portal by November 15, the application is canceled and returned to the applicant.

What is the procedure and terms for concluding an inspection contract?

The procedure and terms for concluding the contract are defined in paragraphs 17-19 of the Inspection Regulations.

JSC “STS” within three business days from the date of receipt of the application must verify the completeness of the documents sent with the application for inspection according to the list defined in paragraph 15 of the Inspection Regulations.

If the application or the attached documents do not meet the requirements, the application is returned to the applicant with an indication of the reasons for the return. If the package of documents is complete, JSC “STS” sends to the applicant within three business days:

1) draft technical specification to the test contract, if the applicant makes purchases through the public procurement web portal. The applicant, within three business days from the date of receipt of the draft technical specification, places on the public procurement web portal a draft public procurement contract using a single source method by directly concluding a public procurement contract;

2) two copies of the test contract, if the applicant makes purchases without using the public procurement web portal. The applicant, within five business days from the date of receipt of two copies of the above agreement, signs them and returns one copy of the agreement to JSC “STS”.

Duration of the Inspections.

According to paragraph 21 of the Inspections Regulations, the inspection period is agreed with the applicant and depends on the scope of work on the inspections and the classification characteristics of the inspection object.

If it is impossible to agree on the timing of the inspection, the application is returned to the applicant without addressing, indicating the possibility of contacting the authorized body to determine the timing of the inspections.

What time is allotted for the elimination of inconsistencies and what is the deadline for repeated inspections?

According to paragraph 37 of the Inspection Regulations, the applicant is given twenty business days from the date of receipt of the inspection reports on the work carried out to eliminate the identified comments. After their elimination, the applicant must send to JSC “STS” a request for repeated inspections with a comparative table showing the results of correcting the identified inconsistencies.
JSC “STS”, on a gratuitous basis and within fifteen business days from the date of receipt of the notification from the applicant, conducts repeated inspections for these types of work and prepares the relevant documents.

How and by whom is the IS class calculated?

Classification of informatization objects is carried out in accordance with the Regulations on Classification of Informatization Objects approved by the Order of the Minister for Investment and Development of the Republic of Kazakhstan dated 28.01.2016 No. 135 (hereinafter referred to as the Classification Regulations).
According to paragraph 4 of the Classification Regulations, when classifying informatization objects of state bodies, the service integrator of “electronic government” provides them with consulting and practical assistance.
Paragraph 10 of the Classification Regulations establishes that the classification of non-state informatization objects is carried out by their proprietors (owners).

What works are included in the IS inspections?

According to paragraph 7 of the Inspection Regulations, the inspections of the inspection object include the following types of work:
1) Source code analysis;
2) Information security functions inspection;
3) Load testing;
4) Network infrastructure inspection;
5) Examination of information security processes.

What is the validity period of the inspection certificate?

According to paragraph 47 of the Inspection Regulations, the validity period of an inspection certificate with a positive result is limited to the period of industrial operation of the inspection object, with the exception of the information and communication platform “electronic government”, or until the start of modernization of the inspection object.

The inspection certificate of the electronic government information and communication platform is issued with a validity period of one year.

In what cases does it become necessary to undergo repeated IS inspections?

In accordance with paragraph 48 of the Regulations, in case of changes in the operating conditions or functionality of the informatization object, the proprietor or owner of the informatization object, after completion of the work that led to the changes, sends a notification to the service provider (authorized body) with a description of all the changes made and an updated questionnaire on the characteristics of the inspection object approved by the proprietor or owner of the inspection object.

Who decides on the need for repeated inspections?

ISC MDDIAI RK within no more than five business days decides whether or not to revoke the inspection certificate.

Which document determines the cost of inspection?

The cost of the inspections is established by the order of the Chairman of the National Security Committee of the Republic of Kazakhstan dated October 23, 2018 No. 86/қе “On approval of prices for services sold by a state monopoly entity in the fields of informatization and information security” and is:

1) Source code analysis – 9,654 tenge per 1 MB;
2) Information security functions inspection – 840,255 tenge per one test object (fixed cost);
3) Load testing – 528,371 tenge per one variant of the method (protocol) of connecting users and one variant of the method (protocol) of integration interaction;
4) Network infrastructure inspection – 924,405 tenge per one telecommunications subnet;
5) Examination of information security processes – 845,855 tenge per one test object (system/subsystem).

Who can apply for the inspections?

According to subparagraph 9) of paragraph 2 of the Inspection Regulations, the applicant for inspections may be the proprietor or owner of the inspection object, as well as an individual or legal entity authorized by the proprietor or owner of the inspection object, who has submitted an application for inspection of the informatization object for compliance with information security requirements.

Who issues the Inspection certificate?

According to paragraph 40 of the Inspection Regulations, an act on the results is issued by the authorized body in the field of information security – ISC MDDIAI RK.

Are there any restrictions on the validity of inspection reports?

The validity period of a protocol is set out in paragraph 42 of the Inspection Regulations: for a separate type of inspection to be included in the inspection certificate, it does not exceed one year from the date of issue of the protocol.

Which actions should the applicant take to obtain the inspection certificate?

To obtain an inspection certificate, the applicant sends to the service provider, in paper form or through the “electronic government” web portal, an application in the form according to Appendix 7 to the Regulations, with the full set of protocols defined in paragraphs 7-11 of the Regulations and with a questionnaire on the characteristics of the inspection object according to Appendix 2 to the Regulations, approved by the proprietor or owner of the inspection object.

Which actions can the applicant take in case of disagreement with the inspection results?

In case of negative results of one or more inspection reports, the application is considered within fifteen business days from the date of its registration.

To resolve the differences that have arisen, the Information Security Committee of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan invites representatives of the applicant and the supplier (suppliers) for discussion and, in their presence, makes a final decision on the issuance of an inspection certificate.