Act of classification of individual workers. Personal data (classification of personal data)

"Budget organizations: accounting and taxation", 2009, N 12

From January 1, 2010, personal data information systems in all organizations, including budgetary institutions, must be brought into compliance with the requirements of the Law “On Personal Data”<1>. A number of by-laws were adopted to this Law, and as a result, there are now different interpretations of the responsibilities of state and municipal institutions in relation to the information systems they have. This article analyzes the provisions of the current legislation and highlights the mandatory requirements.

<1>Federal Law of July 27, 2006 N 152-FZ.

According to Art. 1 of the Law “On Personal Data”, this Federal Law regulates relations related to the processing of personal data carried out by federal government bodies, government bodies of the constituent entities of the Russian Federation, other state bodies, local government bodies, municipal bodies not included in the system of local self-government bodies, and legal entities and individuals, using automation tools or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools.

Such attention to the issues of automation of personal data processing entails the need to comply with special legislative norms regarding the use of information technology. At the same time, it is necessary to carefully study the regulatory framework, which currently can be interpreted very ambiguously, especially in terms of presenting requirements for information systems.

The concept of "information system" in current legislation

In accordance with the Federal Law "On Information, Information Technologies and Information Protection"<2>, an information system is a set of information contained in databases and the information technologies and technical means that ensure its processing. Based on this definition, we can conclude that there are no information systems without the use of computer equipment and related software.

<2>Federal Law of July 27, 2006 N 149-FZ.

However, Art. 3 of the Law “On Personal Data” provides a broader definition of an information system: it is a collection of personal data contained in a database, together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation tools.

Let us analyze the components of this definition, whose own definitions can be found in the Federal Law “On Information, Information Technologies and Information Protection”, in other laws and in regulations of the Government of the Russian Federation.

A database is understood as a set of organized, interconnected data on machine-readable media (Temporary Regulations on State Accounting and Registration of Databases and Data Banks<3>). However, part four of the Civil Code of the Russian Federation (paragraph 2, clause 2, article 1260) gives a more detailed definition of a database: it is a set of independent materials presented in an objective form (articles, calculations, regulations, court decisions and other similar materials), systematized in such a way that these materials can be found and processed using an electronic computer.

<3>Approved by Decree of the Government of the Russian Federation of February 28, 1996 N 226.

Information technology is the processes and methods of searching, collecting, storing, processing, providing and distributing information, and the methods of implementing such processes and methods (Federal Law “On Information, Information Technologies and Information Protection”).

Technical means that allow the processing of personal data are understood as computer equipment, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound amplification and sound reproduction, conference and television equipment, means for producing and copying documents, and other technical means for processing speech, graphic, video and alphanumeric information), software (operating systems, database management systems and the like), and the information security tools used in information systems (Regulations on ensuring the security of personal data during their processing in personal data information systems<4>).

<4>Approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781.

Thus, technical means include both copiers and software, but the key concept in defining a personal data information system is that of a “database”. From this definition it follows that a database is processed using a computer (the media must be machine-readable). If processing is carried out without a computer and without a database (machine-readable media), then formally there is no information system. Likewise, without technical means allowing the processing of personal data, a database alone cannot be recognized as an information system. At the same time, information systems are not just a collection of computer equipment and programs that process information from databases: they may or may not use automation tools.

What is meant by automation tools?

There is a point of view according to which the use of automation tools means any processing on a computer or on electronic devices. If a database is stored on a computer (for example, in a spreadsheet or an accounting program) or, say, in the contact list of a cell phone, then this is already automated processing of personal data and is subject to notification to Roskomnadzor. In addition, some experts believe that processing without the use of automation tools can only be carried out on paper (in journals filled out by hand, in handwritten lists).

In accordance with Part 3 of Art. 4 of the Law “On Personal Data”, the specifics of the processing of personal data carried out without the use of automation tools may be established by federal laws and other regulatory legal acts of the Russian Federation, taking into account the provisions of this Federal Law.

Decree of the Government of the Russian Federation dated September 15, 2008 N 687 approved the Regulations on the specifics of processing personal data carried out without the use of automation tools. According to paragraph 1 of these Regulations, the processing of personal data contained in a personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, distribution and destruction are carried out, in relation to each personal data subject, with the direct participation of a person.

Let us pay special attention to the fact that, according to clause 2 of the Regulations on the specifics of processing personal data carried out without the use of automation tools, the processing of personal data cannot be recognized as carried out using automation tools solely on the basis that the data are contained in an information system or were extracted from it.

Thus, from the point of view of the definitions available in current legislation, the vast majority of information systems in state and municipal institutions (including a significant part of accounting software) can formally be considered as implemented without the use of automation tools. After all, all personal cards in these systems are edited manually in the appropriate windows. To destroy personal cards, the operator must likewise select them in a list and press a special key to delete the data. Even archiving is carried out by a special program that is launched by a person.

Various programs that reformat data (for example, from the format of an accounting program into the format of a Pension Fund program) and perform its automatic input and onward transfer without referring to each specific employee record may, however, be classified as automated data processing. At the same time, the processing of personal data (including last name, first name, patronymic, pension certificate number, etc.) is an integral part of such programs.

At the same time, if the transfer of data to other programs (including for tax accounting purposes) is not carried out completely automatically, but with the help of a person involved in the processing of personal data, then such processing also cannot be considered automated.

In this regard, the recommendations of the Federal Agency for Education, set out in Letter No. 17-110 of July 29, 2009 “On ensuring the protection of personal data,” have rather limited application in practice. In order to automate the processing of personal data in questionnaires, Rosobrazovanie recommends additionally indicating an internal identification number (personal code) of the personal data subject, assigned for the entire period of study or work. This makes it possible to anonymize databases if they contain no other personal data, and to significantly reduce the cost of protecting information.

However, to automate management activities in a state or municipal institution, at least the last names, first names and patronymics of employees, students, etc., as well as a number of other personal data (for employees, for example, information about their income for accounting and tax purposes), are required. Referring to personal codes contained in the sheets (questionnaires) while processing the rest of the data using software would look strange, to say the least, and would reduce the effectiveness of implementing modern information technologies. Moreover, depending on the form of the questionnaires used, they may be recognized as part of the information system (as an integral part of the database), which would make the additional coding meaningless (such coding is warranted when it is advisable to depersonalize data, for example, for statistical research).

Processing of personal data without the use of automation tools

So, as discussed above, despite the computerization of activities, in most cases the processing of personal data in state and municipal institutions is carried out without the use of automation tools (non-automated) and, accordingly, is regulated by the Regulations on the specifics of the processing of personal data carried out without the use of automation tools<5>.

<5>Approved by Decree of the Government of the Russian Federation of September 15, 2008 N 687.

Persons carrying out such processing (including employees of the operator organization or persons working under an agreement with the operator) must be informed about the fact of their processing of personal data without the use of automation tools, the categories of personal data processed, as well as about the features and rules for carrying out such processing established by regulatory legal acts of federal executive authorities, executive authorities of constituent entities of the Russian Federation and local acts of an educational institution.

Personal data, when processed without the use of automation tools, must be separated from other information, in particular by recording them on separate tangible media, or in special sections or fields of forms.

At the same time, it is not allowed to record personal data on one material medium if the purposes of their processing are obviously incompatible. In such a case, a separate tangible medium must be used for each category of personal data.

Therefore, processing must be carried out in such a way that, for each category of personal data:

  • storage locations have been determined and a list of persons processing the data or having access to it has been established;
  • separate storage of personal data (tangible media) processed for different purposes is ensured;
  • conditions have been met to ensure the safety of personal data and prevent unauthorized access to it.

The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures, are established by the educational institution in accordance with the requirements of regulatory legal acts on the protection of personal data.

If the purposes of processing personal data recorded on one material medium are incompatible, and the medium does not allow them to be processed separately from the other personal data recorded on it, measures must be taken to ensure separate processing, in particular:

  • if it is necessary to use or distribute certain personal data separately from others located on the same material medium, the data that is subject to distribution or use is copied in a manner that precludes simultaneous copying of data that is not subject to distribution and use, and a copy of the personal data is used (distributed);
  • if it is necessary to destroy or block part of the personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a manner that precludes simultaneous copying of personal data subject to destruction or blocking.

Destruction or depersonalization of part of the personal data, where the tangible medium permits it, can be carried out in a way that precludes further processing of this personal data while preserving the possibility of processing the other data recorded on the medium (deletion, erasure).

Clarification of personal data when processing them without the use of automation tools is carried out by updating or changing the data on the tangible medium and, where the technical features of the material carrier do not permit this, by recording on the same medium information about the changes made, or by producing a new material medium with the updated personal data.

Processing of personal data using automation tools

The Regulations on ensuring the security of personal data during their processing in personal data information systems establishes requirements for ensuring the security of personal data during their processing in personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means.

As follows from paragraph 1 of this Regulation, the term “information systems” refers only to information systems that allow the processing of personal data using automation tools, therefore, the requirements of this Regulation do not apply to information systems in which data processing is carried out without the use of automation tools.

If a state or municipal institution carries out automated processing of personal data, then the following requirements must be met.

According to the Regulations on ensuring the security of personal data during their processing in personal data information systems, the security of personal data is achieved:

  • by excluding unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, distribution of personal data;
  • by excluding other unauthorized actions.

The security of personal data during their processing in information systems is ensured using personal data protection systems, including:

  • organizational measures;
  • information security tools;
  • information technologies.

Information security tools include:

  • encryption (cryptographic) means;
  • means of preventing unauthorized access;
  • means of preventing information leakage through technical channels;
  • means of preventing software and hardware impacts on technical means of processing personal data.

To ensure the security of personal data during their processing in information systems, protection is provided for speech information and information processed by technical means, as well as information presented in the form of informative electrical signals, physical fields, and media on paper, magnetic, magneto-optical and other bases.

Requests from users of the information system to obtain personal data, as well as the facts of providing data in response to these requests, must be recorded by automated means of the information system in an electronic request log. At the same time, the content of the electronic request log must be periodically verified by the relevant officials (employees) of the operator or of the authorized person.

If violations of the procedure for providing personal data are detected, the operator or authorized person shall immediately suspend the provision of personal data to users of the information system until the causes of the violations are identified and eliminated.

Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation to ensure the protection of information. At the same time, the methods and means of protecting information in information systems are established by the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB) within the limits of their powers.

The security of personal data when processed in the information system is ensured by the operator or the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data. Persons whose access to personal data processed in the information system is necessary to perform official (labor) duties are allowed access to the relevant personal data on the basis of a list approved by the operator or authorized person. An essential condition of the contract is the obligation of the authorized person to ensure the confidentiality and security of personal data when processed in the information system.

Information security tools used in information systems undergo a conformity assessment procedure in the prescribed manner. The exchange of personal data during their processing in information systems is carried out through communication channels whose protection is ensured through the implementation of appropriate organizational measures and (or) the use of technical means.

At the same time, information systems are classified by the state bodies, municipal bodies, legal entities or individuals that organize and (or) carry out the processing of personal data and determine the purposes and content of that processing, depending on the volume of personal data they process and on the security threats to the vital interests of the individual, society and the state.

The procedure for classifying information systems is established jointly by the Federal Service for Technical and Export Control, the Federal Security Service and the Ministry of Information Technologies and Communications. This Procedure is determined by Order of the FSTEC of Russia, the FSB of Russia, the Ministry of Information and Communications of Russia dated February 13, 2008 N 55/86/20.

In addition, requirements for premises and their security are set out. According to clause 8 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, the placement of information systems and special equipment, the protection of the premises in which work with personal data is carried out, and the organization of a security regime in these premises must ensure the safety of personal data carriers and information security tools, and must exclude the possibility of uncontrolled entry into or presence in these premises by unauthorized persons.

To do this, state and municipal institutions must install additional alarms in the specified premises, and in doorways - additional locks or metal doors.

Measures to ensure the security of personal data during their processing in information systems include:

a) identification of threats to the security of personal data during their processing, formation of a threat model based on them;

b) development, based on the threat model, of a personal data protection system that ensures the neutralization of the presumed threats using the methods and means of protecting personal data provided for the corresponding class of information systems;

c) checking the readiness of information security tools for use with drawing up conclusions on the possibility of their operation;

d) installation and commissioning of information security means in accordance with operational and technical documentation;

e) training of persons using information security tools used in information systems on the rules of working with them;

f) accounting of the information protection means used, operational and technical documentation for them, personal data carriers;

g) accounting of persons authorized to work with personal data in the information system;

h) control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

i) investigation and drawing up of conclusions on facts of non-compliance with the storage conditions of personal data carriers or with the conditions of use of information security tools that may lead to a violation of the confidentiality of personal data, or other violations leading to a decrease in the level of security of personal data, and development and adoption of measures to prevent the possible dangerous consequences of such violations;

j) description of the personal data protection system.

Persons who have access to databases containing personal data sign an obligation of non-disclosure of confidential information (such an obligation may also be included in the employment contract). Only after this does the educational institution allow them to process personal data.

When processing personal data in the information system, the educational institution must ensure:

a) carrying out measures aimed at preventing unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;

b) timely detection of facts of unauthorized access to personal data;

c) preventing impacts on the technical means of automated processing of personal data as a result of which their functioning may be disrupted;

d) the possibility of immediate restoration of personal data modified or destroyed due to unauthorized access to it;

e) constant monitoring of ensuring the level of security of personal data.

To develop and implement measures to ensure the security of personal data during their processing in the information system, an operator or authorized person may appoint a structural unit or official (employee) responsible for ensuring the security of personal data.

You should also pay special attention to the fact that, according to clause 17 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, the implementation of requirements for ensuring information security in information security tools is assigned to their developers.

The adequacy of the measures taken to ensure the security of personal data during their processing in information systems is assessed in the course of state control and supervision.

Classification of personal data information systems

Classification of personal data information systems that allow the processing of such data using automation tools is carried out by the educational institution (operator) in accordance with the Procedure for classifying personal data information systems<6>, depending on the category of data being processed and its quantity.

<6>Approved by Order of the FSTEC of Russia, the FSB of Russia, the Ministry of Information and Communications of Russia dated February 13, 2008 N 55/86/20.

The following four categories of personal data are established:

  1. personal data relating to race, nationality, political views, religious and philosophical beliefs, health, intimate life;
  2. personal data that allows you to identify the subject of personal data and obtain additional information about him, with the exception of personal data belonging to the first category;
  3. personal data allowing identification of the subject of personal data;
  4. anonymized and (or) publicly available personal data.

In any university one can find on public notice boards various lists of students containing a combination of the student's full name, course and group, which allows the student to be uniquely identified. As a result, such a combination of personal data must be classified as personal data of the third category; placing this data in a publicly accessible place formally requires the student’s consent.

An employee’s personal card (form T-2) and a student’s personal file belong to the second category, since they contain personal data that allow not only identifying the personal data subject but also obtaining additional information about him.

Personal data information systems are divided into standard and special. Standard systems are those that require only the confidentiality of personal data to be ensured. All other systems are classified as special.

Special information systems should also include:

  • information systems in which personal data relating to the health status of the subjects of personal data are processed;
  • information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

Based on the above classification, any medical data, as well as personnel records containing the column “nationality” (and this includes almost all currently used questionnaires and personnel record sheets), must be classified in the first category.

Based on the results of the analysis of the source data, a standard information system is assigned one of the four classes specified in the Procedure for Classifying Personal Data Information Systems.

The class of a special information system is determined based on a model of threats to the security of personal data based on the results of the analysis of source data in accordance with the methodological documents of the FSTEC.

FSTEC has issued the following DSP (for official use only) documents, which can only be obtained by contacting this body:

  • Basic measures for the organization and technical support of the security of personal data processed in personal data information systems, dated February 15, 2008;
  • Basic model of threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008;
  • Methodology for identifying current threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008;
  • Recommendations for ensuring the security of personal data during their processing in personal data information systems, dated February 15, 2008.

These methodological documents contain numerous requirements, which are extremely difficult for most state or municipal institutions to fulfill for reasons of both organizational and financial nature.

Declaration, certification (attestation) and licensing of activities for the protection of personal data

The FSTEC methodological documents listed above establish the following procedure for assessing compliance of the degree of security of information systems with security requirements:

  • for information systems of the first and second class, compliance of the degree of security with security requirements is established through mandatory certification (attestation);
  • for information systems of the third class, compliance with security requirements is confirmed by certification (attestation) or (at the operator’s choice) by a declaration of conformity carried out by the personal data operator;
  • for information systems of the fourth class, conformity assessment is not regulated and is carried out at the discretion of the personal data operator.

A declaration of conformity is a confirmation that the characteristics of the personal data information system comply with the requirements established by law and by the governing and regulatory documents of the FSTEC and the FSB.

A declaration of conformity can be made on the basis of one’s own evidence or of evidence obtained with the participation of engaged organizations that hold the necessary licenses. A list of the certification bodies (organizations) of the information security certification system, which educational institutions and education authorities lacking the necessary specialists and licenses can contact, as well as the State Register of certified information security tools, are posted on the FSTEC website. The cost of such procedures is quite high and amounts to hundreds of thousands of rubles.

In the case of a declaration based on its own evidence, the operator independently compiles a set of documents, such as technical documentation, other documents and the results of its own research, which serve as the reasoned basis for confirming that the personal data information system complies with all the requirements for the third class.

Attestation (certification) tests are carried out by organizations that have the necessary FSTEC licenses. At the same time, certification is understood as a set of measures that make it possible to bring an information system into compliance with the information security requirements for the declared class, set out in the regulatory and methodological documents of the FSTEC.

Attestation (certification) tests contain an analysis of personal data information systems already available at the facility, as well as newly adopted decisions to ensure information security and include verification of:

  • organizational and regulatory measures to ensure information security;
  • security of information from leaks through technical channels (PEMIN);
  • security of information from unauthorized access.

Based on the results of certification tests, a decision is made to issue a certificate of compliance of the information system with the declared class of information security requirements. The certificate is issued for a period of three years.

The FSTEC methodological documents also establish additional requirements on holding licenses to conduct activities for the protection of personal data. Without the appropriate licenses, such measures are permitted only for third- and fourth-class information systems.

To carry out measures to ensure the security of personal data for special information systems, for first- and second-class systems, and for distributed (including Internet-connected) third-class systems, operators are required to obtain an FSTEC license for activities on the technical protection of confidential information.

The legality of the requirements for carrying out declaration, certification (attestation) and licensing procedures by state and municipal institutions on the basis of FSTEC methodological documents raises serious doubts.

The Regulations on the procedure for handling official information of limited distribution in federal executive authorities<7> (clause 1.2) classify as official information of limited distribution unclassified information relating to the activities of organizations whose distribution is restricted by official necessity. The establishment of licensing obligations for the activities of organizations cannot in any way be recognized as DSP information.

<7>Approved by Decree of the Government of the Russian Federation of November 3, 1994 N 1233.

Responsibilities for licensing certain types of activities, including activities for the technical protection of confidential information, are determined by the Federal Law "On Licensing of Certain Types of Activities"<8>. The procedure for licensing activities for the technical protection of confidential information carried out by legal entities and individual entrepreneurs is determined by Decree of the Government of the Russian Federation of August 15, 2006 N 504.

<8>Federal Law of 08.08.2001 N 128-FZ.

Neither the Regulations on licensing activities for the technical protection of confidential information nor the Procedure for classifying personal data information systems establish an obligation to license activities for the technical protection of confidential information depending on the class of the information system. These requirements are set out only in a DSP document: “Basic measures for the organization and technical support of the security of PD processed in ISPD”.

The regulation on ensuring the security of personal data during their processing in personal data information systems only determines that:

  • information security tools used in information systems undergo a conformity assessment procedure in the prescribed manner (clause 5); that is, it is not the operator that is subject to certification but the information security tool, and certification is obtained by the manufacturer of that tool (including information protection software);
  • the results of conformity assessments and (or) thematic studies of information security tools intended to ensure the security of personal data during their processing in information systems are evaluated in an examination carried out by the Federal Service for Technical and Export Control and the Federal Security Service within the limits of their powers.

In accordance with Part 3 of Art. 15 of the Constitution of the Russian Federation, all laws, as well as any regulations affecting the rights, freedoms and duties of man and citizen, must be officially published for public information, that is, made public. Unpublished normative legal acts are not applied and do not entail legal consequences as they have not entered into force.

State registration of normative acts of ministries and departments that affect the rights and interests of citizens or are of an interdepartmental nature was introduced from May 15, 1992 by Decree of the Government of the Russian Federation of 05/08/1992 N 305 “On state registration of departmental normative acts”.

Issues of state registration and entry into force of departmental regulatory legal acts are regulated by Decree of the President of the Russian Federation N 763 <9> and Decree of the Government of the Russian Federation N 1009 <10>.

<9>Decree of the President of the Russian Federation of May 23, 1996 N 763 “On the procedure for publication and entry into force of acts of the President of the Russian Federation, the Government of the Russian Federation and normative legal acts of federal executive authorities.”
<10>Decree of the Government of the Russian Federation of August 13, 1997 N 1009 “On approval of the Rules for the preparation of regulatory legal acts of federal executive authorities and their state registration.”

According to clause 10 of the Rules for the preparation of normative legal acts of federal executive authorities and their state registration, normative legal acts affecting the rights, freedoms and duties of man and citizen, establishing the legal status of organizations or having an interdepartmental nature are subject to state registration regardless of their period of validity, including acts containing information constituting a state secret or information of a confidential nature.

State registration of normative legal acts is carried out by the Ministry of Justice, which maintains the State Register of normative legal acts of federal executive authorities.

State registration of a normative legal act includes:

  • legal examination of the compliance of this act with the legislation of the Russian Federation, including checking for the presence of provisions in it that contribute to the creation of conditions for corruption;
  • making a decision on the need for state registration of this act;
  • assignment of registration number;
  • entry into the State Register of normative legal acts of federal executive authorities.

Regulatory legal acts affecting the rights, freedoms and duties of man and citizen, establishing the legal status of organizations or having an interdepartmental nature are subject to official publication in the prescribed manner, except for acts or their individual provisions containing information constituting a state secret or information of a confidential nature.

An act recognized by the Ministry of Justice as not requiring state registration is subject to publication in the manner determined by the federal executive body that approved the act. At the same time, the procedure for the entry into force of this act is also determined by the federal executive body that issued it.

Therefore, in the author's opinion, state and municipal institutions that carry out automated processing of personal data may, if required to obtain licences or to carry out declaration or certification (attestation), appeal such requirements in court (especially if the personal data protection tools they use have already been certified by their manufacturer).

A. Vifleemsky,
director of the Nizhny Novgorod Center for Economics of Education

Registration No. 11462

Order on approval of the Procedure for the classification of personal data information systems

In accordance with paragraph 6 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems” (Collected Legislation of the Russian Federation, 2007, No. 48, Part II, Art. 6001), we order:

Approve the attached Procedure for the classification of personal data information systems.

Director of the Federal Service for Technical and Export Control
S. Grigorov

Director of the Federal Security Service of the Russian Federation
N. Patrushev

Minister of Information Technologies and Communications of the Russian Federation
L. Reiman

The procedure for classifying personal data information systems

1. This Procedure determines the classification of personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems) <1>.

2. The classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data and also determine the purposes and content of the processing of personal data (hereinafter referred to as the operator) <2>.

3. The classification of information systems is carried out at the stage of creating information systems or during their operation (for previously put into operation and (or) modernized information systems) in order to establish methods and means of protecting information necessary to ensure the security of personal data.

4. Carrying out the classification of information systems includes the following steps:

collection and analysis of initial data on the information system;

assignment of the appropriate class to the information system and its documentation.

5. When classifying an information system, the following initial data are taken into account:

volume of personal data processed (number of personal data subjects whose personal data is processed in the information system) - X_npd;

security characteristics of personal data processed in the information system specified by the operator;

information system structure;

availability of connections of the information system to public communication networks and (or) international information exchange networks;

personal data processing mode;

mode of delimiting access rights of users of the information system;

location of technical means of the information system.

6. The following categories of personal data processed in the information system (X_pd) are defined:

7. X_npd can take the following values:

1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

2 - the information system simultaneously processes personal data from 1,000 to 100,000 personal data subjects or personal data of personal data subjects working in the economic sector of the Russian Federation, in a government body, living within a municipality;

3 - the information system simultaneously processes data of less than 1000 personal data subjects or personal data of personal data subjects within a specific organization.

8. According to the security characteristics of personal data processed in the information system specified by the operator, information systems are divided into standard and special information systems.

Typical information systems are information systems that require only ensuring the confidentiality of personal data.

Special information systems are information systems in which, regardless of the need to ensure the confidentiality of personal data, it is necessary to ensure at least one of the security characteristics of personal data other than confidentiality (security from destruction, modification, blocking, as well as other unauthorized actions).

Special information systems should include:

information systems in which personal data relating to the health status of the subjects of personal data are processed;

information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

9. According to their structure, information systems are divided into:

autonomous complexes of technical and software tools intended for processing personal data, not connected to other information systems (automated workstations);

complexes of automated workstations united into a single information system by means of communication without the use of remote access technology (local information systems);

complexes of automated workstations and (or) local information systems united into a single information system by means of communication using remote access technology (distributed information systems).

10. Based on the presence of connections to public communication networks and (or) international information exchange networks, information systems are divided into systems with connections and systems without connections.

11. According to the mode of processing personal data in the information system, information systems are divided into single-user and multi-user.

12. Based on the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and systems with delimitation of access rights.

13. Information systems, depending on the location of their technical means, are divided into systems, all technical means of which are located within the Russian Federation, and systems, the technical means of which are partially or entirely located outside the Russian Federation.

14. Based on the results of the analysis of source data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of the specified security characteristics of the personal data processed in them may lead to significant negative consequences for the subjects of personal data;

class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

15. The class of a typical information system is determined in accordance with the table.

16. Based on the results of the analysis of the initial data, the class of a special information system is determined on the basis of a model of threats to the security of personal data, in accordance with the methodological documents developed pursuant to paragraph 2 of the Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems” <3>.

17. If subsystems are identified within an information system, each of which is itself an information system, the information system as a whole is assigned the class corresponding to the highest class among its subsystems.

18. The results of the classification of information systems are documented in the corresponding act of the operator.

19. The information system class can be revised:

by decision of the operator based on his analysis and assessment of threats to the security of personal data, taking into account the characteristics and (or) changes of a specific information system;

based on the results of measures to monitor compliance with the requirements for ensuring the security of personal data during their processing in the information system.

<1> Paragraph one of clause 1 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 (Collected Legislation of the Russian Federation, 2007, N 48, part II, Art. 6001).

<2> Paragraph one of clause 6 of the Regulations.

<3> Collected Legislation of the Russian Federation, 2007, N 48, part II, Art. 6001.
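The volume thresholds of item 7 and the subsystem rule of item 17 above, turned into a runnable classifier for typical systems. This is an added example, not part of the order; the class table (item 15) and the numbering of categories (item 6, category 1 being the most sensitive and category 4 anonymised or publicly available data) are those of the 2008 order itself, which this page references but does not reproduce, and the names `Scope`, `TypicalSystem`, `classify_typical` and `classify_composite` are the example's own.

```python
"""Classification of a typical personal data information system under the
2008 Procedure quoted above (items 7, 14-17).  Added example, not the order's
own text: X_npd thresholds follow item 7; the class table and the category
numbering (1 = most sensitive ... 4 = anonymised / publicly available) are
those of the order, which this page references but does not reproduce."""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    """Territorial scope of the subjects whose data is processed (item 7).
    The enum value is the X_npd value that scope alone implies."""
    ORGANISATION = 3          # subjects within one specific organisation
    MUNICIPALITY = 2          # a municipality, sector of the economy, government body
    REGION_OR_FEDERATION = 1  # a constituent entity or the Russian Federation


def x_npd(subject_count: int, scope: Scope) -> int:
    """Volume characteristic X_npd (item 7): 1 = largest, 3 = smallest.

    Each value is reached by EITHER the count criterion OR the scope
    criterion, so the more demanding (smaller) of the two applies.  The
    boundaries follow the wording of item 7: 'more than 100,000' -> 1,
    'from 1,000 to 100,000' -> 2, 'less than 1000' -> 3, so exactly 1,000
    and exactly 100,000 both fall into value 2.
    """
    if subject_count < 0:
        raise ValueError("subject_count must be non-negative")
    if subject_count > 100_000:
        by_count = 1
    elif subject_count >= 1_000:
        by_count = 2
    else:
        by_count = 3
    return min(by_count, scope.value)


# _CLASS_TABLE[x_pd][x_npd] -> class number (1 = K1, the strictest).
# Table of item 15 of the order, reproduced from the order, not from this page.
_CLASS_TABLE = {
    1: {1: 1, 2: 1, 3: 1},
    2: {1: 1, 2: 2, 3: 3},
    3: {1: 2, 2: 3, 3: 3},
    4: {1: 4, 2: 4, 3: 4},
}


@dataclass(frozen=True)
class TypicalSystem:
    """A typical (confidentiality-only, item 8) information system."""
    name: str
    x_pd: int           # personal data category, 1 (most sensitive) .. 4
    subject_count: int  # number of personal data subjects
    scope: Scope


def classify_typical(system: TypicalSystem) -> int:
    """Class number 1..4 (K1..K4) of a typical system (items 14-15)."""
    if system.x_pd not in _CLASS_TABLE:
        raise ValueError("x_pd must be 1..4")
    return _CLASS_TABLE[system.x_pd][x_npd(system.subject_count, system.scope)]


def classify_composite(subsystems) -> int:
    """Item 17: a system whose subsystems are themselves information systems
    takes the highest class among them, i.e. the smallest class number."""
    if not subsystems:
        raise ValueError("at least one subsystem is required")
    return min(classify_typical(s) for s in subsystems)


if __name__ == "__main__":
    # Constructed sample: an institution's HR records (category 2, 350 staff)
    # and a region-wide benefits register (category 3, 200,000 subjects).
    hr = TypicalSystem("HR records", x_pd=2, subject_count=350,
                       scope=Scope.ORGANISATION)
    benefits = TypicalSystem("Benefits register", x_pd=3,
                             subject_count=200_000,
                             scope=Scope.REGION_OR_FEDERATION)
    for s in (hr, benefits):
        print(f"{s.name}: K{classify_typical(s)}")
    print(f"Combined system: K{classify_composite([hr, benefits])}")
```

Note that a special system (item 8) is deliberately outside this function: its class comes from the threat model (item 16), not from the table.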

One of the key elements of the initial stage of ensuring information security is the classification of the protected system according to information security requirements. This process is quite well described and regulated, but it has its subtleties. In the previous article we examined the concept of classification of systems and the main, most frequently encountered classification criteria, determined the set of documents on the basis of which systems are classified according to information security requirements, and clarified individual questions on the classification of information systems and accounting objects. In this article we will look at the general procedure for classifying information systems according to information security requirements using the example of an abstract state information system, as well as a number of key points that arise when carrying out the classification.

Before you begin, you need to be very clear about the following basic points:

1. By classification we will understand the division of a general set of objects into subsets - classes, grouped according to the most essential characteristics, while by class we will understand a set of objects that have certain characteristics of commonality, which, in turn, will be a characteristic - a criterion for classification.

2. Multiple classification according to information security requirements is not erroneous.

3. The choice of classification procedure is carried out based on the goals of creating the system, the composition of information to be processed and analyzed, regulatory, methodological and other documentation to which the classified system must comply.

4. The result of classification is the act of classification.

5. The classification results are not final and may be subject to revision.

6. Classification is carried out by the owner of the information.

Questions 1 to 5 were discussed in some detail in the previous article, so we will omit them and look at the others in more detail.

Let's start with a simple one: “The result of classification is the act of classification.” This is established by clause 14.2 of the order of the FSTEC of Russia dated February 13, 2013 No. 17, which sets requirements for any state information system.

One of the common mistakes when drawing up an act arises when a system is classified several times. In this case each classification must be carried out independently, without relying on the results of previous classifications (unless the classification procedure requires otherwise), and the result must be formalized in a separate classification act.

It is worth noting that there is no strict requirement for separate classification acts. All information resulting from multiple classification can be reflected in a single act. However, this often leads to unnecessary confusion and inconvenience in further work with the document. That is why we recommend drawing up a separate act for each classification.

Let's move on to point 5: “The classification results are not final and may be revised.” This follows from the logic of the process itself, because the operating conditions of the classified object, its goals, objectives and other aspects may change. The classification criteria themselves may also change or be transformed. In addition, the document establishing the classification procedure often contains provisions on revising the classification results. Thus, according to clause 14.2 of the order of the FSTEC of Russia dated February 13, 2013 No. 17, the security class of an information system is subject to revision when the scale of the information system or the significance of the information processed in it changes. The procedure for revising classification results is practically no different from the classification process itself.

Let's move on to the last statement: “Classification is carried out by the owner of the information.” First, let’s determine who the “owner of information” is. According to Art. 2 of the Federal Law of the Russian Federation dated July 27, 2006 “On information, information technologies and information protection” No. 149-FZ “the owner of information is a person who independently created information or has received, on the basis of a law or agreement, the right to permit or restrict access to information determined for any reason." The rights of the information owner are established in Article 6 of the above law:

"1. The owner of the information, unless otherwise provided by federal laws, has the right:

  • allow or restrict access to information, determine the procedure and conditions for such access;
  • use the information, including disseminating it, at its own discretion;
  • transfer information to other persons under a contract or on other grounds established by law;
  • protect its rights by lawful means in the event of unlawful receipt of the information or its unlawful use by other persons;
  • carry out other actions with information or authorize such actions.

When exercising his rights, the owner of information is obliged to:

  • respect the rights and legitimate interests of other persons;
  • take measures to protect information;
  • restrict access to information if such an obligation is established by federal laws.”

Based on the definition of the information owner and his rights, it becomes obvious that he is the one entitled to carry out classification, since classification is an integral part of forming the requirements for protecting the information contained in the information system, which in turn is part of the information security work at its initial stage. This nuance is often overlooked, which leads to erroneous documents on the basis of which further information security work is then carried out, which is a direct violation of the legislation of the Russian Federation. Some regulators spell this out in their regulatory documents, for example in paragraph 14 of the order of the FSTEC of Russia dated February 13, 2013 No. 17. It should also be understood that the owner of the information may delegate his responsibilities if this does not contradict legal or other requirements; in that case the transfer of this right, for example to a subordinate institution, must be properly documented. Separately, it should be noted that classifying an information system according to information security requirements without the legal right to do so simply makes no sense.

Now let's move on to the immediate procedure for performing classification. When carrying out classification, it is recommended to adhere to the following procedure:

1. By order of the head (authorized deputy) of the organization that is the legal owner of the information processed in the classified information system, appoint a commission to carry out the classification. The order should reflect:

  • composition of the commission indicating the full name, position and functional role of each member of the commission;
  • name of the classified system (or several systems);
  • documents in accordance with which classification should be made;
  • timing of classification.

2. Familiarize all members of the commission with the order.

3. Set the time for the commission meeting.

4. The commission, at the appointed meeting time and recording its work in minutes, shall determine:

  • the procedure for carrying out the classification in accordance with the requirements of the document on the basis of which the classification is carried out;
  • the set of classification characteristics that are significant for the classification;
  • the values of the classification characteristics for the system being classified;
  • the class of the information system.

5. Based on the minutes of the meeting of the classification commission, record the final result of the classification in the classification act.

6. In accordance with the established procedure, submit the classification act for approval to the head (authorized deputy) of the organization.

Let us consider in detail the process of holding a meeting of the classification commission. We will carry out the classification in accordance with the requirements of the following documents:

  • Order of the FSTEC of Russia dated February 13, 2013 No. 17 “On approval of requirements for the protection of information not constituting a state secret contained in state information systems”;
  • Decree of the Government of the Russian Federation dated November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”.

The classification procedure in these documents is clearly stated, as are the main classification criteria:

  • level of significance of information, determined by the degree of possible damage to the owner of the information (customer) and (or) operator from a violation of confidentiality (unlawful access, copying, provision or dissemination), integrity (unlawful destruction or modification) or availability (unlawful blocking) of the information. A state information system may have one of the following levels of significance:
    • UZ 1, if a high degree of damage is determined for at least one of the information security properties (confidentiality, integrity, availability);
    • UZ 2, if a medium degree of damage is determined for at least one property and there is no property for which a high degree of damage is determined;
    • UZ 3, if a low degree of damage is determined for all properties.
    The degree of possible damage is determined by the owner of the information and (or) the operator independently, by expert or other methods, and can be:
    • high, if a violation of one of the information security properties (confidentiality, integrity, availability) may lead to significant negative consequences in the social, political, international, economic, financial or other areas of activity, and (or) the information system and (or) the operator (owner of the information) cannot perform the functions assigned to them;
    • medium, if a violation of one of the information security properties (confidentiality, integrity, availability) may lead to moderate negative consequences in the social, political, international, economic, financial or other areas of activity, and (or) the information system and (or) the operator (owner of the information) cannot perform at least one of the functions assigned to them;
    • low, if a violation of one of the information security properties (confidentiality, integrity, availability) may lead to minor negative consequences in the social, political, international, economic, financial or other areas of activity, and (or) the information system and (or) the operator (owner of the information) can perform the functions assigned to them only with insufficient efficiency or only with the involvement of additional forces and means.
  • system scale:
    • federal, if it operates on the territory of the Russian Federation (within a federal district) and has segments in constituent entities of the Russian Federation, municipalities and (or) organizations;
    • regional, if it operates on the territory of a constituent entity of the Russian Federation and has segments in one or more municipalities and (or) subordinate and other organizations;
    • object-level, if it operates at the facilities of one federal government body, government body of a constituent entity of the Russian Federation, municipality and (or) organization and has no segments in territorial bodies, representative offices, branches, subordinate and other organizations.
  • type of relevant threats:
    • type 1 threats are relevant for an information system if threats associated with undocumented (undeclared) capabilities in the system software used in the information system are relevant for it;
    • type 2 threats are relevant for an information system if threats associated with undocumented (undeclared) capabilities in the application software used in the information system are relevant for it;
    • type 3 threats are relevant for an information system if threats not related to undocumented (undeclared) capabilities in the system and application software used in the information system are relevant for it.
  • category of personal data processed:
    • special categories of personal data;
    • biometric personal data;
    • other;
    • publicly available.
  • number of subjects whose personal data is processed:
    • more than 100,000;
    • less than 100,000.
  • affiliation of personal data subjects:
    • the operator's employees;
    • not the operator's employees.

The final value of each classification characteristic is determined by expert means, usually as a consolidated expert opinion, so let us move straight on to determining these characteristics for our abstract state information system of federal scale:

  • affiliation of personal data subjects: not the operator's employees. Here it is important to understand that if at least one subject whose personal data is processed in the system is not an employee of the operator, this value can be taken by default;
  • number of personal data subjects: for our system this number will not exceed 100,000;
  • category of personal data: for our system, other personal data. When determining this parameter it is enough to understand exactly which information belongs to which category of PD. If information of different categories is processed, the value of the characteristic is taken from the highest category, namely:
    • special categories of personal data, if information about the race, nationality, political views, religious or philosophical beliefs, health status or intimate life of the personal data subjects is processed;
    • biometric personal data, if, firstly, information related to special categories of personal data is not processed and, secondly, the system processes information characterizing the physiological and biological features of a person, on the basis of which his identity can be established and which is used by the operator to establish the identity of the personal data subject;
    • publicly available personal data, if the system processes only personal data obtained from publicly available sources of personal data created in accordance with Article 8 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;
    • other, if none of the personal data listed above is processed.
  • type of threats to the security of personal data. It is no coincidence that we left this parameter for last: it depends on the Personal Data Security Threat Model, which must indicate the relevant threats. Let these be type 3 threats for our system.

Then, in accordance with the order of the FSTEC of Russia dated February 13, 2013 No. 17, we determine the maximum damage from a violation of one of the security properties. To do so it is enough to go through the full set of functions implemented by the system: a violation of a given property will make it impossible to perform at least one of them. We consider each function, assess the consequences, find the maximum indicator and compare it with the list of UZ levels. In our example the maximum degree of damage is medium, so UZ 2 is the required level of information significance.

After determining the values of the specified classification characteristics, all that remains is to establish the security class of our system in accordance with the logic of the documents discussed above and to reflect the result of the commission's work correctly, first in the minutes and then in the classification act.
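The two classification procedures the article has just walked through, as one added example (not the article's own code): the significance level and security class of a state information system under FSTEC order No. 17, and the protection level of personal data under Decree No. 1119. The decision tables are those of the two documents (2013 editions), which the article relies on but does not reproduce; the per-property damage values for the article's abstract system are constructed so that the maximum is medium, as the article states, and the function and enum names are the example's own.

```python
"""Added example (not the article's code).  Two decision procedures:

* FSTEC order No. 17 of 13.02.2013: degree of damage per security property
  -> level of significance UZ 1..UZ 3; (UZ, scale) -> security class K1..K3.
* Government Decree No. 1119 of 01.11.2012: (threat type, PD category,
  more than 100,000 non-employee subjects?) -> protection level 1..4.

Tables are those of the documents themselves, not reproduced on this page.
"""
from enum import Enum


class Damage(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Scale(Enum):
    FEDERAL = "federal"
    REGIONAL = "regional"
    OBJECT = "object-level"


class ThreatType(Enum):
    TYPE1 = 1  # undeclared capabilities in system software are relevant
    TYPE2 = 2  # undeclared capabilities in application software are relevant
    TYPE3 = 3  # threats unrelated to undeclared capabilities


class PdCategory(Enum):
    SPECIAL = "special categories"
    BIOMETRIC = "biometric"
    OTHER = "other"
    PUBLIC = "publicly available"


def significance_level(confidentiality: Damage, integrity: Damage,
                       availability: Damage) -> int:
    """Order No. 17: UZ 1 if any property has high damage, UZ 2 if any has
    medium and none high, UZ 3 if all are low.  Returns 1, 2 or 3."""
    worst = max(confidentiality, integrity, availability, key=lambda d: d.value)
    return {Damage.HIGH: 1, Damage.MEDIUM: 2, Damage.LOW: 3}[worst]


# (UZ, scale) -> class number; the table of order No. 17 for UZ 1..UZ 3.
_GIS_CLASS = {
    (1, Scale.FEDERAL): 1, (1, Scale.REGIONAL): 1, (1, Scale.OBJECT): 1,
    (2, Scale.FEDERAL): 1, (2, Scale.REGIONAL): 2, (2, Scale.OBJECT): 2,
    (3, Scale.FEDERAL): 2, (3, Scale.REGIONAL): 3, (3, Scale.OBJECT): 3,
}


def gis_security_class(uz: int, scale: Scale) -> int:
    """Security class K1..K3 (as a number) of a state information system."""
    return _GIS_CLASS[(uz, scale)]


def pd_protection_level(threat: ThreatType, category: PdCategory,
                        subject_count: int, employees_only: bool) -> int:
    """Protection level 1 (strictest) .. 4 under Decree No. 1119, items 9-12.

    The 'large' condition is more than 100,000 subjects who are NOT the
    operator's employees; exactly 100,000 is not 'more than'.
    """
    large = subject_count > 100_000 and not employees_only
    if threat is ThreatType.TYPE1:
        return 2 if category is PdCategory.PUBLIC else 1
    if threat is ThreatType.TYPE2:
        if category is PdCategory.SPECIAL:
            return 1 if large else 2
        if category is PdCategory.BIOMETRIC:
            return 2
        return 2 if large else 3  # OTHER and PUBLIC
    # TYPE3
    if category is PdCategory.SPECIAL:
        return 2 if large else 3
    if category is PdCategory.BIOMETRIC:
        return 3
    if category is PdCategory.OTHER:
        return 3 if large else 4
    return 4  # PUBLIC


def classify_article_example() -> dict:
    """The article's abstract federal-scale system: maximum damage medium
    (constructed split: medium for confidentiality, low otherwise), 'other'
    PD of fewer than 100,000 non-employee subjects, type 3 threats."""
    uz = significance_level(Damage.MEDIUM, Damage.LOW, Damage.LOW)
    return {
        "uz": uz,
        "gis_class": gis_security_class(uz, Scale.FEDERAL),
        "pd_level": pd_protection_level(ThreatType.TYPE3, PdCategory.OTHER,
                                        50_000, employees_only=False),
    }


if __name__ == "__main__":
    r = classify_article_example()
    print(f"UZ {r['uz']}, class K{r['gis_class']}, PD protection level {r['pd_level']}")
```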

Thus, in this article we have examined the general procedure for classifying information systems according to information security requirements using the example of an abstract state information system, and considered a number of key points and pitfalls that arise when carrying out the classification. In the next article we will look at how the standard documents produced in the course of classification (the order creating the commission, the minutes of the commission meeting and the classification act) are drawn up, fill them in for our abstract system and prepare standard template forms.

Document text:

Order On approval of the procedure for classifying personal data information systems

In accordance with paragraph 6 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems "(Collected Legislation of the Russian Federation, 2007, No. 48, Part II, Art. 6001), we order:

Approve the attached Procedure for the classification of personal data information systems.

Director

Federal service

on technical

and export controls

S.I.GRIGOROV

Director

Federal Security Service

Russian Federation

N.P.PATRUSHEV

information technology and communications

Russian Federation

L.D.REIMAN

Approved

By order

FSTEC of Russia,

FSB of Russia,

Ministry of Information and Communications of Russia

ORDER

CLASSIFICATION OF INFORMATION SYSTEMS

PERSONAL DATA

1. This Procedure determines the classification of personal data information systems, which are a set of personal data contained in databases, as well as information technologies and technical means that allow the processing of such personal data using automation tools (hereinafter referred to as information systems)

2. The classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, as well as determining the purposes and content of the processing of personal data (hereinafter referred to as the operator).

3. The classification of information systems is carried out at the stage of creating information systems or during their operation (for previously put into operation and (or) modernized information systems) in order to establish methods and means of protecting information necessary to ensure the security of personal data.

4. Carrying out the classification of information systems includes the following steps:

collection and analysis of initial data on the information system;

assignment of the appropriate class to the information system and its documentation.

5. When classifying an information system, the following initial data are taken into account:

volume of personal data processed (number of personal data subjects whose personal data are processed in the information system) - X;

security characteristics of personal data processed in the information system specified by the operator;

information system structure;

availability of connections of the information system to public communication networks and (or) international information exchange networks;

personal data processing mode;

mode of delimiting access rights of users of the information system;

location of technical means of the information system.

6. The following categories of processed information are defined:

7. X can take the following values:

1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;

2 - the information system simultaneously processes personal data from 1,000 to 100,000 personal data subjects or personal data of personal data subjects working in the economic sector of the Russian Federation, in a government agency, living within a municipality;

3 - the information system simultaneously processes personal data of fewer than 1,000 personal data subjects or personal data of personal data subjects within a specific organization.

8. According to the security characteristics of personal data processed in the information system specified by the operator, information systems are divided into standard and special information systems.

Typical information systems are information systems that require only ensuring the confidentiality of personal data.

Special information systems are information systems in which, regardless of the need to ensure the confidentiality of personal data, it is necessary to ensure at least one of the security characteristics of personal data other than confidentiality (security from destruction, modification, blocking, as well as other unauthorized actions).

The following must be classified as special information systems:

information systems in which personal data relating to the health status of the subjects of personal data are processed;

information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

9. According to their structure, information systems are divided into:

autonomous (not connected to other information systems) complexes of hardware and software designed for processing personal data (automated workstations);

complexes of automated workstations integrated into a single information system by means of communication without the use of remote access technology (local information systems);

complexes of automated workstations and (or) local information systems combined into a single information system by means of communication using remote access technology (distributed information systems).

10. Based on the presence of connections to public communication networks and (or) international information exchange networks, information systems are divided into systems with connections and systems without connections.

11. According to the mode of processing personal data in the information system, information systems are divided into single-user and multi-user.

12. Based on the delimitation of user access rights, information systems are divided into systems without delimitation of access rights and systems with delimitation of access rights.

13. Information systems, depending on the location of their technical means, are divided into systems, all technical means of which are located within the Russian Federation, and systems, the technical means of which are partially or entirely located outside the Russian Federation.

14. Based on the results of the analysis of source data, a typical information system is assigned one of the following classes:

class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;

class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

15. The class of a typical information system is determined in accordance with the table.

16. Based on the results of the analysis of source data, the class of a special information system is determined on the basis of a model of threats to the security of personal data in accordance with methodological documents developed in accordance with paragraph 2 of the Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems”.

17. If subsystems are identified within an information system, each of which is an information system, the information system as a whole is assigned a class corresponding to the highest class of its subsystems.

18. The results of the classification of information systems are documented in the corresponding act of the operator.

19. The information system class can be revised:

by decision of the operator based on his analysis and assessment of threats to the security of personal data, taking into account the characteristics and (or) changes of a specific information system;

based on the results of measures to monitor compliance with the requirements for ensuring the security of personal data during their processing in the information system.
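
Paragraphs 5 to 17 of the Procedure amount to a decision rule over the initial data. The following Python module, added here as an illustration and not part of the order or of any official methodology, models paragraphs 5, 7, 8 and 17: it derives the volume indicator X from the number of subjects and the territorial criteria, decides typical versus special, and applies the highest-class rule for subsystems. The field names, the `InitialData` record and the sample systems are assumptions; the class table referred to in paragraph 15 is not reproduced on this page, so the class of each subsystem is supplied as input to the aggregation step.

```python
"""Model of paragraphs 5, 7, 8 and 17 of the Procedure (added example; field
names are assumed; the class table of paragraph 15 and the threat-model step
of paragraph 16 are not reproduced here, so the class of each subsystem is
taken as an input to the aggregation step)."""
from dataclasses import dataclass
from typing import Dict, List

K_RANK: Dict[str, int] = {"K1": 1, "K2": 2, "K3": 3, "K4": 4}  # K1 is the highest


@dataclass
class InitialData:
    """Initial data collected under paragraph 5 (field names are assumptions)."""
    name: str
    subjects: int                      # number of personal data subjects in the system
    region_wide: bool = False          # subjects across a constituent entity or the RF (X=1)
    sector_wide: bool = False          # economic sector / government agency / municipality (X=2)
    needs_integrity: bool = False      # security characteristics beyond confidentiality
    needs_availability: bool = False   # (paragraph 8)
    health_data: bool = False          # paragraph 8, first indent
    automated_decisions: bool = False  # paragraph 8, second indent
    structure: str = "autonomous"      # autonomous | local | distributed (paragraph 9)
    public_network: bool = False       # paragraph 10
    multi_user: bool = False           # paragraph 11
    access_delimitation: bool = False  # paragraph 12
    inside_rf: bool = True             # paragraph 13


def volume_code(d: InitialData) -> int:
    """Paragraph 7, read literally: X=1 for more than 100,000 subjects or region-wide
    data; X=2 for 1,000 to 100,000 subjects (inclusive) or sector-wide data;
    X=3 otherwise (fewer than 1,000 subjects within one organization)."""
    if d.subjects > 100_000 or d.region_wide:
        return 1
    if d.subjects >= 1_000 or d.sector_wide:
        return 2
    return 3


def system_kind(d: InitialData) -> str:
    """Paragraph 8: typical if only confidentiality must be ensured, special otherwise
    (health data and automated legally significant decisions are always special)."""
    if (d.needs_integrity or d.needs_availability
            or d.health_data or d.automated_decisions):
        return "special"
    return "typical"


def next_step(d: InitialData) -> str:
    """Which classification path applies once the initial data are collected."""
    if system_kind(d) == "typical":
        return "paragraph 15: look up the class in the table by X and data category"
    return "paragraph 16: build the threat model and derive the class from it"


def overall_class(subsystem_classes: List[str]) -> str:
    """Paragraph 17: a system made of subsystems gets the highest of their classes."""
    if not subsystem_classes:
        raise ValueError("at least one subsystem class is required")
    unknown = [c for c in subsystem_classes if c not in K_RANK]
    if unknown:
        raise ValueError(f"unknown class(es): {unknown}")
    return min(subsystem_classes, key=K_RANK.__getitem__)


def summarize(d: InitialData) -> Dict[str, object]:
    """Initial-data section of the act (paragraph 18), as a plain record."""
    return {
        "system": d.name,
        "X": volume_code(d),
        "kind": system_kind(d),
        "structure": d.structure,
        "public_network": d.public_network,
        "mode": "multi-user" if d.multi_user else "single-user",
        "access_delimitation": d.access_delimitation,
        "location": "inside RF" if d.inside_rf else "partly or wholly outside RF",
        "next_step": next_step(d),
    }


if __name__ == "__main__":
    # Constructed sample: an HR subsystem holding health data and a payroll subsystem.
    hr = InitialData("HR records", subjects=350, health_data=True, multi_user=True,
                     access_delimitation=True, structure="local")
    payroll = InitialData("payroll", subjects=1_000, multi_user=True,
                          access_delimitation=True, structure="local")
    for s in (hr, payroll):
        print(summarize(s))
    # Assume the table gives K3 for payroll and the threat model gives K2 for HR:
    print("whole system:", overall_class(["K3", "K2"]))
```

The boundary values follow the wording of paragraph 7 as given: 1,000 and 100,000 subjects both fall into X=2, and the territorial criteria are treated as alternatives to the counts, which is why a small system holding region-wide data still receives X=1.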

An ISPD (personal data information system) classification act is, as a rule, a confidential document and must carry a confidentiality stamp (“Confidential”, “DSP”, “Trade Secret”) and an accounting number.

To carry out the classification, a commission must be created at the enterprise. The commission must include a person responsible for the protection of personal data. The commission must be appointed by order of the head and carry out its activities on the basis of the Regulations on the classification commission. Based on the classification results, an act must be drawn up. The ISPD classification act must be approved by the chairman of the commission and signed by all members of the commission.

How to draw up an ISPD classification act

A classification act is drawn up for each identified ISPD. Based on the data collected for each ISPD, the required level of protection of personal data is determined. This is necessary in order to establish the requirements for protecting the personal data information system. The security level of personal data is determined in accordance with the Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems”.

The act states:

  • personal data processed in the system;
  • volume of personal data processed;
  • type of current threats to ISPD;
  • information system structure;
  • availability of connections to public communication networks and (or) international information exchange networks;
  • mode of processing personal data in the system;
  • differentiation of user access rights;
  • ISPD location;
  • PD security level.

The ISPD classification act may include systems that store the following data:

  • special categories of personal data - information relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data;
  • biometric personal data – information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which is used by the operator to establish the identity of the subject of personal data;
  • publicly available personal data – information obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law “On Personal Data”.

It is quite rare to find systems in which only category 3 personal data is processed. This is because real tasks require not only data identifying the subject (full name, passport details) but also additional information about the subject (for example, salary information).

The most common information systems are those in which category 2 personal data is processed. For example, employee payroll systems.

The volume of processed personal data determines the number of subjects whose personal data is processed in the system. The following gradation applies:

  • more than 100,000 personal data subjects;
  • less than 100,000 personal data subjects.

Types of threats to the security of personal data

Type of current threats for ISPD:

  • Type 1 threats are relevant to an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it;
  • Type 2 threats are relevant to an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it;
  • Type 3 threats are relevant to an information system if threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.

By type, personal data information systems described in the ISPD classification act are divided into standard and special. Typical ISPD are information systems in which it is required to ensure only the confidentiality of PD. Special ISPD are information systems in which, in addition to confidentiality, it is necessary to ensure at least one more characteristic of the security of personal data (integrity, availability).

In addition, special systems include all ISPDs that process data on the health of subjects, and ISPDs that provide for the adoption of decisions that generate legal consequences for the subject based on automated processing.

Most existing ISPDs are special. This is because, in addition to confidentiality, it is also important that personal data are always available for processing and that their integrity and reliability are preserved. For all special systems it is necessary to develop a “Private Model of Current Threats”.

Classification of personal data information systems by structure:

  • Autonomous. Consists of a single automated workstation (computer).
  • Local. Automated workstations (AWS), united in a local network.
  • Distributed. Automated workstations or local networks, interconnected using remote access technologies.

According to the mode of processing personal data, ISPDs are divided into single-user and multi-user. Single-user systems are a rarity: as a rule, at least two people work even at a single autonomous workstation (to cover vacations and illnesses).

Multi-user ISPDs are divided into:

  • Without differentiation of access rights. In such systems, all users have access to all information.
  • With differentiation of access rights. Each user has access to a strictly defined part of the information in the system.
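
A practitioner filling in such an act can cross-check it mechanically against the rules stated in this section before it goes to the commission. The following Python check is an added example, not an official form or any project's code: it takes a draft act as a dictionary and reports where the stated volume gradation, threat type, ISPD type, threat-model reference and access-rights mode contradict the rules above. The act layout, the field names and the sample payroll act are assumptions constructed for the example.

```python
"""Consistency check of a draft ISPD classification act against the rules stated
above (added example; the act layout, field names and the sample act are assumed)."""
from typing import Any, Dict, List

# Items the act must state (the list under "The act states:").
REQUIRED_FIELDS = (
    "personal_data", "subjects", "volume", "threat_type", "structure",
    "public_network", "processing_mode", "access_delimitation", "location",
    "security_level",
)
STRUCTURES = ("autonomous", "local", "distributed")


def volume_band(subjects: int) -> str:
    """Volume gradation used in the act: more than 100,000 subjects, or fewer.
    The text only gives '>100,000' and '<100,000'; this example places exactly
    100,000 in the lower band (an assumption, not something the text states)."""
    return "more than 100,000" if subjects > 100_000 else "less than 100,000"


def expected_threat_type(system_sw_ndv: bool, app_sw_ndv: bool) -> int:
    """Type 1: undeclared capabilities (NDV) in system software are relevant;
    type 2: NDV only in application software; type 3: neither."""
    if system_sw_ndv:
        return 1
    if app_sw_ndv:
        return 2
    return 3


def expected_kind(act: Dict[str, Any]) -> str:
    """Typical ISPD: only confidentiality is required.  Special ISPD: integrity or
    availability is also required, health data are processed, or decisions with
    legal consequences are taken on the basis of automated processing alone."""
    special = (act.get("needs_integrity") or act.get("needs_availability")
               or act.get("health_data") or act.get("automated_decisions"))
    return "special" if special else "typical"


def check_act(act: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the draft act is consistent."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS
                if act.get(f) in (None, "")]
    if findings:
        return findings  # the cross-checks below assume a complete act

    if act["volume"] != volume_band(act["subjects"]):
        findings.append(f"volume should read '{volume_band(act['subjects'])}' "
                        f"for {act['subjects']} subjects")

    want = expected_threat_type(act.get("system_sw_ndv", False),
                                act.get("app_sw_ndv", False))
    if act["threat_type"] != want:
        findings.append(f"threat type should be {want}, act states {act['threat_type']}")

    kind = expected_kind(act)
    if act.get("kind") != kind:
        findings.append(f"ISPD type should be '{kind}', act states {act.get('kind')!r}")
    if kind == "special" and not act.get("private_threat_model"):
        findings.append("special ISPD needs a Private Model of Current Threats")

    if act["structure"] not in STRUCTURES:
        findings.append(f"unknown structure {act['structure']!r}")
    if act["processing_mode"] not in ("single-user", "multi-user"):
        findings.append(f"unknown processing mode {act['processing_mode']!r}")
    elif (act["processing_mode"] == "multi-user"
          and act["access_delimitation"] not in ("with", "without")):
        findings.append("multi-user ISPD must state access-right delimitation: with/without")
    return findings


# Constructed draft act for a payroll system (sample values, not from the page).
DRAFT_ACT: Dict[str, Any] = {
    "personal_data": "employee name, passport details, salary",
    "subjects": 1_500,
    "volume": "less than 100,000",
    "system_sw_ndv": False,
    "app_sw_ndv": True,          # NDV in the payroll application are considered relevant
    "threat_type": 3,            # ...but the draft still claims type 3
    "needs_availability": True,  # payroll must stay available, so the ISPD is special
    "kind": "typical",           # ...but the draft calls it typical
    "structure": "local",
    "public_network": False,
    "processing_mode": "multi-user",
    "access_delimitation": "with",
    "location": "inside the Russian Federation",
    "security_level": "to be set per Decree No. 1119",  # placeholder value
}


def review_draft() -> List[str]:
    """Findings for the constructed draft act above."""
    return check_act(DRAFT_ACT)


if __name__ == "__main__":
    for line in review_draft():
        print("-", line)
```

On the sample act the check reports three findings: the threat type should be 2 because undeclared capabilities in the application software were marked relevant, the system must be special because availability is required, and a special ISPD needs a reference to its Private Model of Current Threats. Correcting those three fields yields an empty findings list.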

Based on the location of the ISPD, they are divided into: