Personal data protection means. Protection of personal information

Local SZI NSD (protection against unauthorized access)

SZI NSD is the abbreviation (from the Russian СЗИ от НСД) for a means of protecting information from unauthorized access. Such tools are used to prevent unauthorized actions by users who already have access to ISPD workstations. They include mechanisms such as control of booting from removable media (CD/DVD drives, flash drives), device control (so that an unauthorized flash drive cannot be plugged in to leak information) and mandatory access control (not required for ISPD). I will list only the tools I have personally worked with:
1) Secret Net. It can be supplied with or without a boot control board. It works through secpol.msc, so it may not work on Home editions (it definitely does not work on Windows XP Home; I have not tested Vista and Windows 7 yet). Quite easy to use, and it has the best device control mechanism I have ever seen. There is a network version designed for integration into a domain structure.
2) Strazh NT. The best mandatory access control mechanism. It is harder to operate (because some of the protective mechanisms cannot be disabled). There is no network version.
3) Dallas Lock. It loses on all the parameters discussed above, except that its network version can be deployed normally in a network without a domain.
As the name implies, these tools are used on local machines. Nothing to add here.

Firewalls

The purpose, I think, is clear. In addition, if one ISPD is divided into two parts by a firewall, the parts can rightfully be called two different ISPDs. Why would you want that? If you fall into class 1 precisely because of the number of personal data subjects processed, then by splitting the ISPD into two parts you reduce the number of subjects processed in each ISPD and end up with K2 instead of K1. There are currently several certified firewalls on the market:
1) ViPNet Personal Firewall. Just a personal firewall, without any special frills. Managed locally only; there is no centralized management mechanism. It requires a password to start, and if you do not enter it, it will not start.
2) ViPNet Office Firewall. The same thing, but it supports multiple network cards, which allows you to install it on a gateway and use it for ISPD segmentation.
3) SSPT-2. A software and hardware complex running on FreeBSD, but nobody will let you get at the OS itself. It works quickly and supports filtering by many parameters. It has an unpleasant feature: rules are applied as a list from top to bottom, and rules nearer the top have higher priority. This is not reflected in the documentation; it was discovered experimentally. Managed both from the local console and via the web interface.
4) APKSh "Continent". Strictly speaking, this is not a firewall but a crypto router with firewall functions. Architecturally similar to SSPT-2, but there is no control from the local console, only through a special administrator console. Moreover, during the initial setup you must specify the interface to which the administrator's computer will be connected.
In addition, Security Code has released two more products: the firewall + HIPS "Security Studio Endpoint Protection" and TrustAccess, a distributed firewall system that combines firewalling and segmentation using Kerberos authentication. Since I have not had to work with these products, I will only provide links to their descriptions:
TrustAccess
SSEP
In addition, one more product has been certified: StoneGate Firewall/VPN, a product of the Finnish company Stonesoft. It also comes with a CryptoPro encryption module attached to it, which allows it to be used as a certified VPN solution.

CIPF

These are cryptographic information protection facilities (CIPF, Russian СКЗИ). In addition to the already mentioned StoneGate Firewall/VPN, there are two more VPN solutions:
1) ViPNet Custom. A complex consisting of ViPNet Administrator (the management program), ViPNet Coordinator (a VPN server with firewall functions) and ViPNet Client (a VPN client and firewall). The management program is used only to generate keys and certificates; firewall settings can be managed only locally, so only the built-in RDP helps with administration. It also includes an internal messenger and internal mail. Its only advantage is that it is a pure software solution that can be easily integrated into an existing infrastructure.
2) APKSh "Continent". In principle, I have already spoken about it. I will only add that the latest version of the client (Continent-AP) now has firewall functions, and there is even a client for Linux. The crypto gateways themselves are managed only from the administrator console, but remotely. Another feature is that the initial setup (that is, transferring the network configuration and keys to the crypto gateway) is done locally, by feeding it a flash drive with all the necessary information. If you made a mistake when creating the configuration and have already shipped the crypto gateway to a remote site, you will not be able to connect to it remotely and fix anything; you will have to generate the configuration again and somehow deliver it to the remote site.

Basically, that is a short description of all the certified protection products I know of. I hope this information will be useful to the community.

January 19, 2009 3:59 pm

Andrey Shcherbakov
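The two points made in the post above, that a firewall splitting one ISPD yields two smaller ISPDs, and that SSPT-2 applies its rules top-down with the first match winning, come down to the same fact: the order of the rule list is part of the policy, and a broad rule placed above the isolation rules undoes the segmentation without any error message. The Python below is an added example, not code from the post or from any of the products named; it models a first-match filter over a constructed rule set (all addresses are made up) that keeps two ISPD segments apart, checks the isolation with a few probe flows, and adds the check a practitioner wants on such an engine: a list of rules that can never fire because an earlier, broader rule covers them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One filter rule. The list is scanned top-down and the first match decides."""
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation, the behaviour observed on SSPT-2: returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return default, "default"


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches inner also matches outer."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule covers them: (later, earlier) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed addressing for the illustration: two ISPD segments and one admin host.
ISPD_A = "10.1.0.0/24"
ISPD_B = "10.2.0.0/24"
ADMIN = "10.0.0.10/32"

# Intended policy: the administrator may RDP into either segment; the segments
# never talk to each other; everything else falls through to the default deny.
SEGMENTATION_RULES = [
    Rule("admin-rdp-a", "allow", ADMIN, ISPD_A, "tcp", 3389),
    Rule("admin-rdp-b", "allow", ADMIN, ISPD_B, "tcp", 3389),
    Rule("isolate-a-b", "deny", ISPD_A, ISPD_B),
    Rule("isolate-b-a", "deny", ISPD_B, ISPD_A),
]

# The same policy with a broad "temporary" allow added at the top. On a first-match
# engine it silently disables every rule below it, and the two ISPDs become one again.
MISORDERED_RULES = [Rule("temp-any", "allow", "10.0.0.0/8", "10.0.0.0/8")] + SEGMENTATION_RULES

# Constructed probe flows that must all be denied if the segments are really isolated.
ISOLATION_PROBES = [
    ("10.1.0.5", "10.2.0.5", "tcp", 445),
    ("10.2.0.7", "10.1.0.9", "tcp", 1433),
    ("10.1.0.5", "10.2.0.5", "icmp", None),
]


def segmentation_holds(rules: List[Rule]) -> bool:
    """Check the isolation probes against the rule list."""
    return all(evaluate(rules, *flow)[0] == "deny" for flow in ISOLATION_PROBES)


if __name__ == "__main__":
    print(evaluate(SEGMENTATION_RULES, "10.0.0.10", "10.1.0.5", "tcp", 3389))
    print(evaluate(MISORDERED_RULES, "10.1.0.5", "10.2.0.5", "tcp", 445))
    print("segmentation holds:", segmentation_holds(SEGMENTATION_RULES),
          segmentation_holds(MISORDERED_RULES))
    print("shadowed:", shadowed_rules(MISORDERED_RULES))
```

Run as a script it evaluates the same flow against both rule lists. On a real SSPT-2, or any other first-match filter, the shadow check belongs in the change procedure for the rule base, since the engine itself gives no warning that a rule has become dead.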

After the publication of Decree of the Government of the Russian Federation No. 781 of November 17, 2007 “On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems” and of the joint order of the Federal Service for Technical and Export Control, the FSB of the Russian Federation and the Ministry of Information Technologies and Communications of the Russian Federation No. 55/86/20 of February 13, 2008 “On approval of the procedure for classifying personal data information systems” (hereinafter “the Procedure...”), two almost Hamlet-like questions arose for the services that develop and operate information systems (IS) processing personal data:

● how to classify an IS intended for processing personal data;

● how to choose information security tools to protect personal data in these systems.

“The Procedure...” states that “the classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, as well as determine the purposes and content of the processing of personal data.” This means that the IS is classified by the owner of the personal data (PD) itself, i.e. the operator. This is a serious help for an objective choice of methods and means of protecting PD, and it creates an objective basis for a dialogue with the inspection authorities about the sufficiency of the measures the organization has taken to protect PD.

When classifying an IS intended for processing PD, the following initial data are taken into account:

● the volume of processed PD (the number of subjects whose PD is processed in the IS);

● the security characteristics of the PD processed in the IS, as specified by the IS owner;

● the structure of the IS;

● whether the IS is connected to public communication networks and (or) networks of international information exchange;

● the PD processing mode;

● the mode of delimiting the access rights of IS users;

● the location of the technical resources of the IS.

First of all, let us define what constitutes personal data. It is information of various kinds about specific individuals. Note that we are talking only about information in electronic form that is entered, stored, processed and transmitted in the IS. This information is divided into four main categories, from the most sensitive (category 1) to the least sensitive (category 4).

For example, a surname on its own is category 4 data; a surname together with an address is category 3; a surname, address, insurance and card numbers are category 2; and if an electronic medical record is added to these data, the resulting PD belongs exclusively to category 1.

Based on this classification, it can be stated that any medical data, as well as personnel records containing a “nationality” field (and that is almost all of the questionnaires and personal record sheets currently in use), must be assigned to category 1. It is also clear that fragments of PD almost always have a lower category than their totality. Even detailed information about an individual's health may be meaningless if the surname or other data that unambiguously links this information to the patient is unknown.

The volume of processed PD can take the following values:

1 - the IS simultaneously processes PD of more than 100,000 subjects, or PD of subjects within a constituent region of the Russian Federation or the Russian Federation as a whole;

2 - the IS simultaneously processes PD of 1,000 to 100,000 subjects, or PD of subjects working in a sector of the economy of the Russian Federation or in a government body, or living within a municipality;

3 - the IS simultaneously processes PD of fewer than 1,000 subjects, or PD of subjects of a particular organization.

According to the security characteristics of the PD processed in the IS, information systems are divided into standard and special. Standard IS are those that require only the confidentiality of PD to be ensured.

The “confidentiality” characteristic means that PD in electronic form can be handled (entered, stored, processed and transferred) only by the persons authorized to do so. To ensure confidentiality when transmitting PD over networks, including the Internet, data encryption must be used.

Special IS are those in which, regardless of the need to ensure the confidentiality of PD, at least one security characteristic other than confidentiality (for example, integrity or availability) must also be ensured. The “integrity” characteristic means that PD may be changed only in a regulated manner: for example, changes to an electronic medical record file may be made only by an authorized doctor, and in all other cases the information in the record must not change. When transmitted over networks, integrity is ensured by the use of an electronic digital signature.

The “availability” characteristic means that work with PD must be possible for a given volume of data and number of users within the established time limits. In other words, “availability” is another formulation of system reliability. Note also that talking about availability in open networks is almost pointless: no provider will guarantee access to data or its uninterrupted transmission.

Special IS include:

● IS in which PD concerning the health status of subjects is processed;

● IS that provide for decisions, based solely on automated processing of PD, that give rise to legal consequences for the subject or otherwise affect his rights and legitimate interests.

By structure, IS for processing PD are divided into:

● autonomous IS (not connected to other IS) intended for processing PD (automated workstations);

● complexes of automated workstations united into a single IS by means of communication without the use of remote access technology (local IS);

● complexes of automated workstations and (or) local IS united into a single IS by means of communication using remote access technology (distributed IS).

Based on the presence of connections to public communication networks and (or) networks of international information exchange, IS are divided into those that have such connections and those that do not.

Since the confidentiality of PD must be ensured in every case, the necessary elements of an IS for processing PD can be identified.

First, the IS must identify users and be able to assign each user individual access rights to PD, i.e. it must have identification, authentication and access control subsystems.

Second, it is necessary to protect PD that may leave the system. For example, the transfer of information to removable media must be controlled. In some cases it is very likely that the theft or loss of computer equipment holding PD must be taken into account; in that case, encryption of PD stored on computer media is also mandatory.

If the system has connections to open networks or involves data exchange, the use of data encryption and an electronic digital signature is mandatory, as is protection against attacks from external networks, including anti-virus protection.

For encryption and electronic signatures, keys and certificates are used: the key pairs are generated on the user's side, and the corresponding certificates are issued and registered by so-called certification authorities.

A very important point is the logging of actions with PD, which, on the one hand, makes it possible to identify those responsible for a leak and, on the other, creates psychological motivation for correct work with PD.
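The elements listed in the preceding paragraphs (identification and authentication, individual access rights to PD, and a log of actions from which those responsible for a leak can be identified) are the parts of an ISPD that are implemented in code rather than in paperwork. The Python below is an added example, not from the article; it is a small reference monitor over constructed users and records: each access is decided from the user's role and the record's category, and every decision, allowed or denied, is appended to an audit log whose entries are chained with an HMAC so that an edited or removed entry is detectable. The roles, the categories assigned to the records, the user names and the key are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy: which PD categories (1 = most sensitive, 4 = least) each role may
# read or write. Category 1 (the medical record) is writable only by a doctor, which is
# the integrity rule the article gives; registrars handle identification data only.
ROLE_RIGHTS: Dict[str, Dict[str, set]] = {
    "doctor":    {"read": {1, 2, 3, 4}, "write": {1}},
    "registrar": {"read": {3, 4},       "write": {3, 4}},
    "auditor":   {"read": {4},          "write": set()},
}


@dataclass
class Record:
    record_id: str
    category: int     # 1..4 as in the article's classification
    subject_tin: str  # constructed identifier linking the record to a subject


@dataclass
class AuditEntry:
    seq: int
    user: str
    action: str
    record_id: str
    decision: str
    mac: str          # HMAC over this entry's fields plus the previous entry's mac


class ReferenceMonitor:
    """Access decisions for PD records, each one written to an HMAC-chained audit log."""

    def __init__(self, key: bytes, users: Dict[str, str], records: Dict[str, Record]):
        self._key = key          # assumption: held by the audit subsystem, never by users
        self._users = users      # user name -> role; authentication is assumed already done
        self._records = records
        self.log: List[AuditEntry] = []

    def _mac(self, seq, user, action, record_id, decision, prev_mac) -> str:
        body = json.dumps([seq, user, action, record_id, decision, prev_mac]).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def _append(self, user: str, action: str, record_id: str, decision: str) -> None:
        seq = len(self.log)
        prev_mac = self.log[-1].mac if self.log else ""
        mac = self._mac(seq, user, action, record_id, decision, prev_mac)
        self.log.append(AuditEntry(seq, user, action, record_id, decision, mac))

    def access(self, user: str, action: str, record_id: str) -> bool:
        """Decide and log. Unknown users or records are denied but still logged."""
        role = self._users.get(user)
        rec = self._records.get(record_id)
        allowed = (role is not None and rec is not None
                   and rec.category in ROLE_RIGHTS[role].get(action, set()))
        self._append(user, action, record_id, "allow" if allowed else "deny")
        return allowed

    def verify_log(self) -> Tuple[bool, int]:
        """Recompute the chain. Returns (True, -1) if intact, else (False, first bad index)."""
        prev_mac = ""
        for i, e in enumerate(self.log):
            expected = self._mac(e.seq, e.user, e.action, e.record_id, e.decision, prev_mac)
            if e.seq != i or not hmac.compare_digest(e.mac, expected):
                return False, i
            prev_mac = e.mac
        return True, -1

    def denied_attempts(self, user: str) -> int:
        """Who kept trying to read what they may not: the leak-investigation question."""
        return sum(1 for e in self.log if e.user == user and e.decision == "deny")


def demo() -> ReferenceMonitor:
    """Constructed users, records and key, for the illustration only."""
    rm = ReferenceMonitor(
        key=b"audit-subsystem-key-assumed",
        users={"ivanova": "doctor", "petrov": "registrar", "sidorov": "auditor"},
        records={"MR-17": Record("MR-17", 1, "7701234567"),
                 "ADDR-17": Record("ADDR-17", 3, "7701234567")},
    )
    rm.access("ivanova", "write", "MR-17")   # doctor edits the medical record: allow
    rm.access("petrov", "read", "MR-17")     # registrar reads the medical record: deny
    rm.access("petrov", "write", "ADDR-17")  # registrar updates the address: allow
    rm.access("nobody", "read", "ADDR-17")   # unknown user: deny, but logged all the same
    return rm


if __name__ == "__main__":
    monitor = demo()
    for entry in monitor.log:
        print(entry.seq, entry.user, entry.action, entry.record_id, entry.decision)
    print("log intact:", monitor.verify_log())
    monitor.log[1].decision = "allow"        # someone rewrites history after the fact
    print("after editing entry 1:", monitor.verify_log())
    monitor = demo()
    monitor.log.pop()                        # the tail is dropped: the chain alone cannot see it
    print("after dropping the last entry:", monitor.verify_log())
```

The chain detects an edited or deleted entry, but not truncation of the tail: if the newest entries are dropped, what remains still verifies. In practice the latest MAC is therefore exported regularly to a separate write-once store or a second system, so that the length of the log is attested as well as its content.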

An IS for processing PD may be assigned one of the following classes:

● class 1 (K1) - IS for which a violation of the specified security characteristics of the PD processed in them can lead to significant negative consequences for the PD subjects;

● class 2 (K2) - IS for which a violation of the specified security characteristics of the PD processed in them can lead to negative consequences for the PD subjects;

● class 3 (K3) - IS for which a violation of the specified security characteristics of the PD processed in them can lead to minor negative consequences for the PD subjects;

● class 4 (K4) - IS for which a violation of the specified security characteristics of the PD processed in them does not lead to negative consequences for the PD subjects.

Table 1.

IP class depending on the volume of processed data

First, the existence of PD categories follows from the “Procedure...”. It is logical to partition the database of an IS containing PD into non-overlapping parts holding data of different categories, and to divide the IS for processing PD into contours (segments) each containing data of only one category. This is quite feasible, since individuals are uniquely identified by a passport number, a TIN or a health insurance policy number, which allows medical and other databases to be indexed unambiguously. Thus the principle to follow is that in each contour of an IS processing PD, certified products of one class are used, and the contours are isolated from each other.
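The classification procedure is spread over several paragraphs above: the category of a record follows from the fields it contains (surname, address, insurance and card numbers, medical record, nationality), the volume indicator from the number of subjects, the class K1 to K4 from the two together, and this paragraph then recommends splitting the database into contours that each hold a single category. The Python below is an added example, not from the article; it runs that procedure end to end on a constructed clinic database of 1,200 subjects. The category rule is the one from the surname/address/insurance/medical-record example, the AK/KS figures are those the article states, and since the category-by-volume table itself (Table 1) does not survive on this page, the `CLASS_TABLE` mapping is my assumption of its content and is marked as such in the code.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PdRecord:
    """One subject's data. A field that is None is simply not stored for that subject."""
    tin: str                              # unique subject identifier (passport, TIN or policy number)
    surname: Optional[str] = None
    address: Optional[str] = None
    insurance_no: Optional[str] = None
    card_no: Optional[str] = None
    medical_record: Optional[str] = None
    nationality: Optional[str] = None


def category_of(rec: PdRecord) -> int:
    """Category from the article's example: 4 for a bare surname, 3 once an address is added,
    2 with insurance or card numbers, 1 with health data (or the 'nationality' field)."""
    if rec.medical_record or rec.nationality:
        return 1
    if rec.insurance_no or rec.card_no:
        return 2
    if rec.address:
        return 3
    return 4


def volume_indicator(subject_count: int) -> int:
    """Volume from the article: 1 above 100,000 subjects, 2 for 1,000 to 100,000, 3 below 1,000.
    The territorial criteria (region, municipality, one organization) are not modelled."""
    if subject_count > 100_000:
        return 1
    if subject_count >= 1_000:
        return 2
    return 3


# ASSUMPTION: the category x volume -> class table (Table 1 of the article) does not survive
# on this page; this is my reading of it. It agrees with the text above: for category 2 data,
# cutting the subject count from volume 1 to volume 2 moves the system from K1 to K2.
CLASS_TABLE: Dict[int, Dict[int, str]] = {
    1: {1: "K1", 2: "K1", 3: "K1"},
    2: {1: "K1", 2: "K2", 3: "K3"},
    3: {1: "K2", 2: "K3", 3: "K3"},
    4: {1: "K4", 2: "K4", 3: "K4"},
}


def is_class(category: int, subject_count: int) -> str:
    return CLASS_TABLE[category][volume_indicator(subject_count)]


def required_tools(category: int) -> Dict[str, str]:
    """Minimum tool classes as the article derives them: AK2/KS2 above category 4, AK3/KS3 for
    category 1; the text states no requirement for category 4."""
    if category == 1:
        return {"szi": "AK3", "cipf": "KS3"}
    if category in (2, 3):
        return {"szi": "AK2", "cipf": "KS2"}
    return {"szi": "-", "cipf": "-"}


def whole_system_class(records: List[PdRecord]) -> Dict[str, object]:
    """Treat the whole database as one IS: its category is that of its most sensitive record."""
    category = min(category_of(r) for r in records)
    subjects = len({r.tin for r in records})
    return {"category": category, "subjects": subjects,
            "class": is_class(category, subjects), **required_tools(category)}


def split_into_contours(records: List[PdRecord]) -> Dict[int, List[PdRecord]]:
    """Cut every record into fragments and place each fragment in the contour of its own category.
    Fragments share nothing but the TIN, so one contour cannot be joined to another without it."""
    contours: Dict[int, List[PdRecord]] = defaultdict(list)
    for rec in records:
        fragments = (
            PdRecord(rec.tin, medical_record=rec.medical_record, nationality=rec.nationality),
            PdRecord(rec.tin, insurance_no=rec.insurance_no, card_no=rec.card_no),
            PdRecord(rec.tin, surname=rec.surname, address=rec.address),
        )
        for frag in fragments:
            if any(v for k, v in vars(frag).items() if k != "tin"):   # skip empty fragments
                contours[category_of(frag)].append(frag)
    return dict(contours)


def classify_contours(records: List[PdRecord]) -> Dict[int, Dict[str, object]]:
    """Class and minimum tool classes per contour, from that contour's own subject count."""
    result = {}
    for category, frags in split_into_contours(records).items():
        subjects = len({f.tin for f in frags})
        result[category] = {"subjects": subjects, "class": is_class(category, subjects),
                            **required_tools(category)}
    return result


def constructed_sample() -> List[PdRecord]:
    """Constructed clinic database: 1,200 registered subjects, 40 of them with a medical record."""
    return [PdRecord(f"77{i:08d}", surname=f"Subject{i}", address=f"Street {i % 50}",
                     insurance_no=f"INS{i:06d}",
                     medical_record=f"visit notes {i}" if i < 40 else None)
            for i in range(1200)]


if __name__ == "__main__":
    sample = constructed_sample()
    print("one IS:", whole_system_class(sample))
    for cat, info in sorted(classify_contours(sample).items()):
        print(f"contour of category {cat}:", info)
```

Run as a script it prints the class of the undivided database (K1 with AK3/KS3 for all 1,200 subjects, because 40 medical records drag the whole thing into category 1) next to the per-contour result, where only the 40 subjects with a medical record remain in a K1 contour while the identification and insurance contours come out as K3 and K2. That is the whole argument for contours: the expensive requirements follow the sensitive fragment rather than the entire database.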

It can be stated that most IS for processing PD (especially medical ones) will be special, i.e. they must ensure not only confidentiality but also integrity, and other security and reliability characteristics are mandatory for them.

For a distributed IS processing PD, even if only confidentiality must be ensured, the “Procedure...” requires protection of transmitted and stored PD. This fully agrees with the current requirements of the FSB of the Russian Federation for automated information systems intended to protect confidential information that does not constitute a state secret, namely the provision that “all confidential information transmitted via communication channels must be protected; information transmitted over communication channels must be encrypted using cryptographic information protection facilities (CIPF), or secure communication channels must be used for its transmission. Information recorded on alienable media must be protected.”

The last requirement certainly applies to isolated IS processing PD that have no channels for transmitting PD, i.e. to individual workstations processing PD.

This means that, in order to process PD, information systems must be certified to a class not lower than AK2 in the FSB classification. For example, a hardened Windows XP with the Secure Pack Rus update package corresponds to this class. The protection tools must include CIPF of a class not lower than KS2.

Based on this, for any IS processing PD of a category higher than the 4th (which certainly includes all systems processing medical PD), all requirements of class AK2 in the FSB classification must be met.

With a sufficiently large number of PD processed (volume indicator 1 or 2), a server component will clearly stand out in the IS architecture, and it will also require protection. In this case, all confidential information stored on the magnetic media of workstations and servers must be protected, which corresponds to the requirements of class AK3.

Thus, we can propose a completely justified strategy for protecting PD, which consists in filling in Table 1 as follows (see Table 2).

Table 2.

IS class depending on the volume of processed data (only three cells of the table body survive on this page, each reading “Not lower than AK3”)

Note. “-” means that there are no requirements.

Thus, to protect PD of category 1, which includes all medical data, it is necessary to use protection tools of a class not lower than AK3 and cryptographic protection tools of a class not lower than KS3.

For the practical equipping of an IS with protection tools, we can recommend products that have been specially adapted for the protection of PD and have the necessary permits (certificates and conclusions): first of all, Secure Pack Rus and the CryptoPro family of cryptographic protection tools.

Let us now estimate the cost of equipping one workstation for processing PD. Without discounts, the Secure Pack Rus package costs approximately 2,000 rubles, and the CryptoPro cryptographic tools are already included in it. Further, to protect PD stored on the computer, it is advisable to purchase one of the data protection packages CryptoPro EFS, Secure Pack Explorer or Crypto Explorer, each priced at 600 to 1,000 rubles. In total, protecting one workstation will cost approximately 3,000 rubles excluding installation and configuration, and installation and adaptation of the programs traditionally add 10-15% to the cost.

Conventionally, we can distinguish a “mystical ten steps on the path” to a secure system for processing PD.

1. Identify the elements of your IS that need protection first. Find out exactly what PD needs to be protected and where it currently resides in your system. Then check whether every employee's workstation really needs data protection. Perhaps it would be easier to allocate separate computers for working with PD that needs especially reliable protection? Remember that a computer connected to the Internet is not the best place to store PD!

2. Assess the current state of information security. How satisfactory is it? If possible, have an external security audit of your system performed. Classify your IS according to the guidelines above and compare your findings with those of the external audit.

3. Determine who is currently responsible for ensuring the protection of the IS. Is it possible to narrow the circle of persons on whom the reliability of this protection depends? At the same time, remember: security must not depend on one person! Be sure to appoint auditors; for example, the chief physician can supervise the work of the specialists who enter and move PD.

4. Be critical of technicians' demands if they insist on installing security hardware. Note also that using cryptographic tools is quite serious work. It is important to understand whether maintaining encryption tools and using a digital signature will interfere with the core business of your company. Note also that not every employee can or should encrypt data.

5. Put your clinic's security regime in order. Set a regime that provides the required level of information security, but do not go too far. For example, you cannot deprive people of the opportunity to use mobile phones, and it is inappropriate to prohibit employees from using e-mail and the Internet for personal purposes. At the same time, it is quite advisable to regulate the procedure for bringing flash media and personal laptops onto the company's premises, or to use the Secure Pack Rus function that disables USB drives not authorized by the administrator.

6. Require IT specialists to draw up a clear work plan for creating and configuring the security system. Ask them to justify the need to purchase additional security tools. Insist on guarantees that security adjustments will not affect the basic operation of the system.

7. Monitor the implementation of the plan to create a security system.

8. Listen to the opinions of doctors and employees: do the security measures interfere with their work and core activities?

9. Maintain and check the state of PD security, and strengthen the loyalty of the employees involved in security.

10. Be calm about innovations in the field of security: healthy conservatism will save you money.

A set of measures of various kinds, carried out to actively counter possible unauthorized access to PD and consisting of management measures and effective hardware and software protection, forms the basis of an effectively operating personal data protection system (SZPDn).

The goals of introducing a reliably working set of measures are:

● exact compliance with the requirements of the Federal Law “On Personal Data” and the provisions of the approved by-laws, ensuring the proper level of security for the PD used;

● development of instructions prescribing the rules to be followed when handling the PD used, in order to ensure its protection.


The development and implementation of a personal data protection system (SZPDn) is a series of technical and managerial activities aimed at ensuring comprehensive protection of the information that Federal Law No. 152-FZ of July 27, 2006 recognizes as personal data.

Operators, i.e. government agencies and commercial enterprises that perform operations with PD, are interested in processing it safely and therefore recognize the need to implement a protection system.

Taking into account the experience accumulated in projects to create an SZPDn, a number of important advantages of implementing such a system can be identified:

First, a radical reduction in both the legal and the reputational risks that arise from non-compliance with current legislation on the security of PD.

Second, a scientifically grounded construction of the protection system allows the PD of employees and clients to be processed without fear for its safety. This can become a powerful competitive advantage when working with confidential information of individuals and with information intended only for official (internal) use. A well-built protection system easily copes with the most common threats: it blocks the effects of malware and prevents the theft of client databases, which laid-off employees often practise.

Third, an effective SZPDn creates the company's image as a reliable partner that can be trusted to ensure the confidentiality of PD.

As analysts point out, frequent scandals related to leaks of confidential information force one to pay attention to the protection system when choosing a counterparty. Partnership agreements and tender conditions requiring documented compliance of the SZPDn with current regulations are becoming commonplace.

We should not forget that an effective SZPDn ensures the continuity of all business processes in the company itself and eliminates the likelihood of customer complaints, justified complaints from employees and threatening orders from regulatory and supervisory authorities.

Stages of work to bring an IS into compliance with 152-FZ

1. Inventory and full analysis of the state of the information structures involved in the processing of PD.

Such a pre-project audit provides objective information about the processes involved in the processing of PD in the company and the measures taken to protect them. Open Vision specialists check all official documentation and the regularity of the activities carried out to comply with the requirements of the legal framework on the security of the restricted access data used in the company's work.

2. Creation of a concept for the protection system used to protect PD, providing the customer with sound recommendations for optimizing PD processing and ensuring the safety of confidential information.

At this stage, qualified specialists evaluate possible options for implementing the project, determine the starting points for its implementation and establish the restrictions appropriate to the scale of the project. The main problems are identified and the rationale for the proposed solutions is produced. Clients receive a list of the software and hardware elements of the information security system being developed, with a mandatory indication of the cost of each item.

3. Clarification of the actual level of PD security

In the course of the work, the possible types of threats to the protected PD are determined with reference to the specific IS, and the expected composition of the PD and the possible number of subjects are specified. Taking into account the full volume of information received, the actual state of the PD security system is determined.

4. Development of a model of possible threats to the PD security system and creation of an attacker model

The document provided to the customer is a systematic list of possible threats to the security of PD when working with them in personal data information systems (ISPD). Threats to PD security can arise as a result of malicious or accidental actions of individuals, the activities of foreign intelligence services or organizations specializing in espionage, or specialized criminal groups preparing a breach of PD security that will affect the rights and freedoms of society, the state or citizens.

5. Development of the terms of reference for building the SZPDn

The specific technical specification for building the SZPDn of a particular information structure defines its purpose, the goals pursued, the requirements for technical and organizational support, and the plan for developing and building the SZPDn.

6. Creation of the SZPDn design

The design documentation created at this stage of SZPDn implementation provides for work that takes into account the standards for the security of restricted access data prescribed by the regulations.

7. Development of organizational and administrative documentation

The set of documents prescribing the rules for processing and protecting PD consists of dozens of organizational and administrative regulations that are necessary to bring all processes for working with and protecting PD into compliance with current legislation.

8. Supply of software and hardware information security tools

The client is supplied with the software and hardware elements for implementing the SZPDn, which have been tested and comply with the requirements of the laws of the Russian Federation on information security measures.

9. Installation and configuration of the information security tools

At this stage of SZPDn implementation, the equipment is installed and the software is installed and configured. As a result of this work, the customer receives a set of information protection tools compatible with the information structure used for working with PD.

10. Assessment of the effectiveness of the measures taken to create effective protection of PD

The effectiveness of the developed protection measures for restricted data is assessed before the SZPDn is put into operation. Control testing of a system operating in commercial structures must be carried out every 3 years.

11. Certification (attestation) of the ISPD in use for compliance with current information security requirements

ISPD certification includes a set of organizational and technical checks (certification tests) aimed at confirming compliance with information security requirements. It is intended for government organizations.

One of the rapidly developing segments of the domestic IT market is online commerce, owing to the technical simplicity of implementing such a project and the transparency of its business processes. Electronic commerce is recognized as an effective and promising type of entrepreneurship.


Information security issues for business on the Internet do not lose their relevance; on the contrary, the growing number of hacker attacks on the largest financial institutions, which invest huge sums in security systems, requires timely action. Here is how to achieve this at an acceptable level of cost.


Many, especially at the initial stage, cannot afford to take significant sums out of turnover to invest in information security systems. The business is new, its possible pitfalls are unknown, and the specifics of business on the Internet require constant change.


As a result, a security system is created, but it is developed “through acquaintances”, or the order is placed with a freelancer or, at best, with an officially registered web studio. Purchasing a ready-made solution also cannot be regarded as providing a serious level of security, since questions arise about integrating it into the existing IT infrastructure.


Or perhaps we should ask whether such systems provide the proper level of security at all. Does the entrepreneur himself have the qualifications to judge the skill level of Internet attackers? Can such work minimize the possible risks? Unfortunately, in most cases the answer is no.


Although consumers place no particularly stringent requirements on the safety of the PD they hand over to an online store when making a purchase, this cannot serve as the main criterion for choosing how the processing and storage of such confidential information is organized. The buyer generally has no way to assess how effectively the protection of his PD works. For the time being this is not a particular concern, since attractive prices, a beautifully written product description and preferential delivery achieve their goal.


Most of the buying audience does not even wonder where they are sending their PD: to an individual entrepreneur developing his own Internet business, or to the web division of a large consumer electronics retailer. Naturally, the attitude to information security in a large retail chain is stricter than that of an entrepreneur who sometimes has to deliver the goods to customers himself.


It is noteworthy that, despite the ever-growing threat of theft of confidential information, trust in online commerce keeps growing. The buyer fills in the order form with information about himself, sometimes without even wondering how the store's employees will handle it. And is all of that information really needed by the store's business processes?


This redundancy in the data requested is exactly what FZ-152 addresses: the nature and volume of the information collected do not match the processing purposes of the online store's business processes.


The technical level of modern online retail makes it possible to assume the use of CRM systems, which store data about the customer for later interaction and for offering new products. But is this necessary for the level of post-sale interaction the store actually has with the buyer?


Under FZ-152, personal data may be stored only for as long as its processing requires. Once a purchase is completed or refused, the personal data must be destroyed, because keeping it no longer corresponds to the business processes being carried out. There is little doubt that practically no one does this.


FZ-152 contains provisions that threaten the very existence of online commerce. Any inspection body may require the owner of an online store to produce the citizen's written permission to use his personal data. Nobody gives such permission in writing; at most the buyer ticks a box acknowledging the store's rules.


Since online trading involves no direct contact, apart from the buyer meeting the courier who delivers the goods, compliance with FZ-152 can be achieved only by depersonalizing consumer personal data, and that requires changes to existing business processes.

Corporate portals are rightly recognized as a convenient tool that simplifies access to the company's various information services. For a company with an extensive network of branches and offices far from head office, and a large number of business partners, the optimal communication channel is a VPN connection with an appropriate level of security. Such a high-tech solution is, however, quite expensive and not available to every company. Where there are no free funds for a secure connection, the easier route is an access point reachable from the Internet.


A distinctive feature of the corporate portal, whatever the differences in infrastructure, is that it holds both the confidential information of employees, clients and business partners of the legal entity and the company's own financial information, whose disclosure could cause damage. Effective organization of all processes for working with personal data must take into account that the purposes and methods of processing differ for each subgroup of subjects. It is this differentiated approach to handling restricted-access data that should be built into the corporate security concept.


There is no doubt that the financial position of a company creating a corporate portal allows it to hire experienced programmers or buy a ready-made, well-tested solution. It should not be forgotten, however, that code security is not the only parameter to take into account when building an effective information security system. In the end, company management should recognize information security as an integral part of the overall security system.

Over the past few years the number of users of popular RuNet social networks has grown at an unprecedented pace, passing the 50 million mark. The colossal amount of personal data accumulated in social networks requires appropriate control, which is exactly what FZ-152 demands.


Despite the first impression that information available on social networks can be considered "publicly available", every year more of that data is classified by law as confidential personal data.


Theft of social-network accounts is common both abroad and in Russia; hundreds of thousands of accounts become available to attackers. The number of attacks on social networks is not decreasing, and experts note cybercrime's constant attention to this part of the Internet.


Socially engineered fraud schemes have great potential, drawing on pharming, spam and phishing. This whole set of modern cybercrime tools can lead to theft of confidential data, helped along by people's gullibility and inexperience. Social-network administrators need to monitor constantly, identify incidents and remediate their consequences.

Internet banking is growing in popularity in the Russian banking sector, yet only a few dozen financial institutions offer a full service. This is due both to the lack of a unified integration platform and to the insufficient level of automation at many institutions.


Like ordinary web applications, Internet banking services and electronic payment systems are built on a common client-server architecture. It is recognized that the "weak link" in this interaction is the user and the devices with which he manages his own account.


Unfortunately, the consumer has no way to objectively assess all the risks that inevitably arise when managing a bank account remotely, let alone to take appropriate precautions. Banks therefore have to improve their customers' knowledge of these matters.


It is noteworthy that attackers most often target Internet banking not to steal funds directly, since financial institutions secure transactions as much as they can, but to gain access to the client's personal data. It is this data that drives bank-card fraud and other methods of financial theft. Many experts are sure that even a bare record of client accounts has a price of its own on the black market.


Statistics clearly show that in many organizations the creation and operation of the Internet banking service does not comply with industry norms and rules. Most often each financial institution developed it independently, and the existing standards were only advisory.


The entry into force of FZ-152 has created significant problems for many banks, as the regulator's control over the safety of personal data is being tightened, which requires improving existing security systems. However hard the banking association tried to delay the start of FZ-152, compliance with its provisions has become unavoidable.

After publication of Decree of the Government of the Russian Federation No. 781 "On approval of the Regulations on ensuring the security of personal data during their processing in personal data information systems" dated November 17, 2007, and of the joint order of the Federal Service for Technical and Export Control (FSTEC), the FSB of the Russian Federation and the Ministry of Information Technology and Communications of the Russian Federation No. 55/86/20 dated February 13, 2008 "On approval of the procedure for classifying personal data information systems" (hereinafter the "Procedure..."), the teams that develop and operate information systems (IS) processing personal data faced two almost Hamlet-like questions:

  • how to classify an IS that processes personal data;
  • how to choose information security tools to protect personal data in these systems.

The "Procedure..." states that "classification of information systems is carried out by state bodies, municipal bodies, legal entities and individuals who organize and (or) carry out the processing of personal data, and who also determine the purposes and content of the processing of personal data." In other words, the IS is classified by the operator (the owner of the personal data) itself. This is a serious help in choosing methods and means of protecting personal data objectively, and it creates an objective basis for dialogue with inspection bodies about whether the measures the organization has taken to protect personal data are sufficient.

When classifying an IS intended for processing personal data, the following initial data are taken into account:

  • category of personal data processed in the information system;
  • volume of PD processed (number of subjects whose personal data is processed in the IS);
  • security characteristics of the personal data processed in the information system, specified by the owner of the information system;
  • information system structure;
  • presence of IS connections to public communication networks and (or) international information exchange networks;
  • PD processing mode;
  • mode of delimiting access rights of information system users;
  • location of the information system's technical means.

First of all, let us define what constitutes personal data. This is information of various kinds about specific individuals. Note that we are talking only about information in electronic form entered, stored, processed and transmitted in the information system. This information is divided into four main categories:

  • category 1 - PD relating to race, nationality, political views, religious and philosophical beliefs, health status, intimate life;
  • category 2 - PD that allows the subject of personal data to be identified and additional information about him to be obtained, with the exception of personal data belonging to category 1;
  • category 3 - personal data that allows the subject of personal data to be identified;
  • category 4 - anonymized and (or) publicly available PD.

For example, a surname on its own is category 4 data; a surname together with an address is category 3; surname, address, insurance and card numbers are category 2; and if an electronic medical record is added to that, the resulting set of personal data belongs to category 1.

From this classification it follows that any medical data, and also personnel records containing a "nationality" field (which is almost every questionnaire and personal record form currently used by HR), must be assigned to category 1. It is equally clear that individual pieces of personal data almost always fall into a lower category than their combination: even detailed information about a person's health may be meaningless if his surname, or other data that clearly links the information to the patient, is unknown.

The volume of processed PD can take the following values:

  1 - the information system simultaneously processes personal data of more than 100,000 subjects, or personal data of subjects within a region of the Russian Federation or the Russian Federation as a whole;
  2 - the information system simultaneously processes personal data of 1,000 to 100,000 subjects, or personal data of subjects working in an economic sector of the Russian Federation, in a government body, or living within a municipality;
  3 - the information system simultaneously processes data of fewer than 1,000 subjects, or personal data of subjects of a particular organization.

By the security characteristics of the personal data processed, information systems are divided into standard and special. Standard systems are those that require only the confidentiality of personal data to be ensured.

The "confidentiality" characteristic means that only the person for whom the PD is intended can handle it (enter, store, process and transfer it) in electronic form. To ensure confidentiality when transmitting personal data over networks, including the Internet, data encryption must be used.

Special information systems are those in which, regardless of the need to ensure confidentiality, at least one security characteristic other than confidentiality (for example integrity or availability) must be ensured. The "integrity" characteristic means that personal data may be changed only in a regulated manner: for example, only an authorized doctor may change the electronic medical record file, and in all other cases the information in the record must not change. When transmitted over networks, integrity is ensured by an electronic digital signature.

The "availability" characteristic means that work with PD must be provided for a given amount of data and number of users within established time limits. In other words, "availability" is another formulation of system reliability. Note also that talking about availability on open networks is almost pointless: no provider will guarantee access to data or its uninterrupted transmission.

Special information systems include:

  • IS in which personal data relating to the health status of subjects is processed;
  • IS that take decisions, based solely on automated processing of personal data, which give rise to legal consequences for the subject or otherwise affect his rights and legitimate interests.

By structure, information systems for processing personal data are divided into:

  • autonomous systems (not connected to other IS) intended for processing personal data (automated workstations);
  • complexes of automated workstations combined into a single IS by communication means without the use of remote access technology (local information systems);
  • complexes of automated workstations and (or) local information systems combined into a single IS by communication means using remote access technology (distributed information systems).

Based on the presence of connections to public communication networks and (or) international information exchange, information systems are divided into systems that have connections and those that do not have connections.

Given that confidentiality must be ensured in every case, we can identify the elements a personal data information system must have.

First, the IS must identify users and be able to set individual user authorizations for access to personal data, i.e. it must have identification, authentication and access control mechanisms.

Second, personal data that can leave the system must be protected: for example, transfer of information to removable media must be controlled. In many cases the possibility of theft or loss of computer equipment holding personal data also has to be considered, in which case encryption of PD stored on the computer's media is mandatory as well.

If the system is connected to open networks or exchanges data with them, encryption and electronic digital signatures are mandatory, as is protection against attacks from external networks, including anti-virus protection.

Encryption and electronic signatures rely on keys and certificates: the key pair is generated on the user's side, and the public key is certified (registered) by a so-called certification authority; the private key never leaves the user.

A very important point is logging of actions on PD, which on the one hand makes it possible to identify those responsible for a leak and on the other creates a psychological incentive to work with the data correctly.
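The two requirements above, individual access authorizations (first element) and logging of every action on PD, are easy to state and easy to get wrong: a log that the same administrator can edit identifies nobody. The following is an added example, not code from the page or from any of the products it names, showing a minimal PD store with deny-by-default role rights (the clinic roles, names and events are constructed for illustration) and an append-only audit log in which each entry carries the hash of the previous one, so that a later edit or deletion is detectable. Denied attempts are logged as well, because those are the events an investigation wants.

```python
from __future__ import annotations

import hashlib
import json

# Rights per role: deny by default, so a role absent from the table can do nothing.
# Assumption: a minimal clinic model in which only a doctor may change the record.
ROLE_RIGHTS: dict[str, set[str]] = {
    "doctor": {"read", "write"},
    "registrar": {"read"},
    "administrator": set(),  # administers the IS, has no business need for the PD itself
}

GENESIS = "0" * 64  # "previous hash" of the very first log entry


class AccessDenied(PermissionError):
    pass


def _entry_hash(entry: dict) -> str:
    """SHA-256 over every field of the entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditedPdStore:
    """PD store where every access attempt is checked against role rights and
    appended to a hash-chained log: denied attempts are visible, and editing or
    removing an entry afterwards breaks the chain."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}
        self.log: list[dict] = []

    def _audit(self, user: str, action: str, subject_id: str, allowed: bool) -> None:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"seq": len(self.log), "user": user, "action": action,
                 "subject": subject_id, "allowed": allowed, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.log.append(entry)

    def _authorize(self, user: str, role: str, action: str, subject_id: str) -> None:
        allowed = action in ROLE_RIGHTS.get(role, set())
        self._audit(user, action, subject_id, allowed)  # logged whatever the outcome
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {action} {subject_id}")

    def read(self, user: str, role: str, subject_id: str) -> dict:
        self._authorize(user, role, "read", subject_id)
        return dict(self._records[subject_id])

    def write(self, user: str, role: str, subject_id: str, data: dict) -> None:
        self._authorize(user, role, "write", subject_id)
        self._records[subject_id] = dict(data)

    def verify_log(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry gives False."""
        prev = GENESIS
        for i, entry in enumerate(self.log):
            if entry["seq"] != i or entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def who_accessed(self, subject_id: str) -> list[str]:
        """Users whose access to this subject's data was actually granted, in order."""
        return [e["user"] for e in self.log if e["subject"] == subject_id and e["allowed"]]

    def denied_attempts(self) -> list[dict]:
        return [e for e in self.log if not e["allowed"]]


def try_write(store: AuditedPdStore, user: str, role: str, subject_id: str, data: dict) -> bool:
    """True if the write was permitted, False if it was denied (and logged)."""
    try:
        store.write(user, role, subject_id, data)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    store = AuditedPdStore()
    # Constructed sample events, not real data.
    store.write("dr_ivanova", "doctor", "patient-17", {"health": "diagnosis: ..."})
    print(store.read("registrar_petrov", "registrar", "patient-17"))
    print("registrar write allowed:", try_write(store, "registrar_petrov", "registrar", "patient-17", {}))
    print("log intact:", store.verify_log(), "accessed by:", store.who_accessed("patient-17"))
```

The chain only makes tampering detectable, not impossible: in a real deployment the log is written to a separate system (or signed with a key the IS administrator does not hold), which is the same separation of duties the text asks for when it says security must not depend on one person.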

The information system for processing personal data can be assigned one of the following classes:

  • class 1 (K1) - IS for which a violation of the specified security characteristics of the personal data processed in them can lead to significant negative consequences for the subjects of personal data;
  • class 2 (K2) - IS for which a violation of the specified security characteristics of the PD processed in them may lead to negative consequences for the subjects of personal data;
  • class 3 (K3) - IS for which a violation of the specified security characteristics of the personal data processed in them may lead to minor negative consequences for the subjects of personal data;
  • class 4 (K4) - IS for which a violation of the specified security characteristics of the personal data processed in them does not lead to negative consequences for the subjects of personal data.
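The classification steps above (category from the attributes present, volume indicator from the number of subjects, class from the two), together with the depersonalization that the online-store discussion earlier says is the only practical way to comply, as an added example in Python. This is not code from the page or from any regulator's document. Its assumptions: the attribute names are invented; a record is treated as identified when it holds a passport number or TIN, or a surname together with an address (surname alone is category 4, as in the worked example above); the insurance policy number counts as "additional information", again following the worked example; an unidentified record is rated category 4 even if it contains health data, following the remark that such data is meaningless without a surname; and the category-by-volume class table is my reading of Table 1 of order 55/86/20, which the page refers to but does not reproduce, so check it against the order's text before relying on it.

```python
from __future__ import annotations

import hashlib
import hmac
import math
from typing import Iterable

# Category-1 attributes (race, nationality, political views, religious and
# philosophical beliefs, health, intimate life). Attribute names are invented.
SPECIAL_FIELDS = {"race", "nationality", "political_views", "beliefs", "health", "intimate_life"}
# Attributes that identify a subject on their own (passport number, TIN).
# Assumption: the insurance policy number is "additional information", as in
# the page's worked example, not a standalone identifier.
STRONG_IDENTIFIERS = {"passport_no", "tin"}
# Surname together with address identifies a subject; surname alone does not.
WEAK_IDENTIFIER_COMBO = {"surname", "address"}


def is_identified(fields: set[str]) -> bool:
    """True if the record can be tied to a specific individual."""
    return bool(fields & STRONG_IDENTIFIERS) or WEAK_IDENTIFIER_COMBO <= fields


def pd_category(fields: Iterable[str]) -> int:
    """Category 1..4 of a record with the given attribute names."""
    fields = set(fields)
    if not is_identified(fields):
        # Assumption: cannot be linked to a person, so treated as anonymized
        # (category 4); a cautious operator may rate such residue higher.
        return 4
    if fields & SPECIAL_FIELDS:
        return 1
    additional = fields - SPECIAL_FIELDS - STRONG_IDENTIFIERS - WEAK_IDENTIFIER_COMBO
    return 2 if additional else 3


def volume_indicator(subject_count: int) -> int:
    """1: more than 100,000 subjects; 2: 1,000 to 100,000; 3: fewer than 1,000."""
    if subject_count > 100_000:
        return 1
    if subject_count >= 1_000:
        return 2
    return 3


# Class of a standard IS by (category, volume indicator). Assumption: my reading
# of Table 1 of order 55/86/20, which the page cites but does not reproduce.
CLASS_TABLE = {
    4: {1: "K4", 2: "K4", 3: "K4"},
    3: {1: "K2", 2: "K3", 3: "K3"},
    2: {1: "K1", 2: "K2", 3: "K3"},
    1: {1: "K1", 2: "K1", 3: "K1"},
}


def ispd_class(fields: Iterable[str], subject_count: int) -> str:
    return CLASS_TABLE[pd_category(fields)][volume_indicator(subject_count)]


def class_after_split(fields: Iterable[str], subject_count: int, parts: int) -> str:
    """Class of each part if the ISPD is split into `parts` equal, isolated
    contours: the category is unchanged, only the volume indicator drops."""
    return ispd_class(fields, math.ceil(subject_count / parts))


def depersonalize(record: dict[str, str], key: bytes) -> dict[str, str]:
    """Replace identifying attributes with keyed pseudonyms (HMAC-SHA256).

    The key is the "additional information" kept outside the ISPD: without it a
    pseudonym cannot be mapped back to the person. Pseudonyms stay linkable
    across records (same surname gives the same token), which is what a CRM
    needs but is weaker than deleting the field outright.
    """
    out: dict[str, str] = {}
    for name, value in record.items():
        if name in STRONG_IDENTIFIERS or name in WEAK_IDENTIFIER_COMBO:
            tag = hmac.new(key, f"{name}:{value}".encode(), hashlib.sha256).hexdigest()
            out[name + "_pseudonym"] = tag[:16]
        else:
            out[name] = value
    return out


# Constructed sample record of an online-store customer (not real data).
SAMPLE_RECORD = {
    "surname": "Ivanov",
    "address": "Moscow, Lenina 1",
    "card_no": "4111111111111111",
    "health": "allergy: penicillin",
}

if __name__ == "__main__":
    print("category:", pd_category(SAMPLE_RECORD))
    print("class at 150,000 subjects:", ispd_class(SAMPLE_RECORD, 150_000))
    print("class per half after a split:", class_after_split(SAMPLE_RECORD, 150_000, 2))
    print("category after depersonalization:", pd_category(depersonalize(SAMPLE_RECORD, b"key")))
```

Two things the table makes visible that the prose does not: splitting an ISPD lowers the class only when the class came from the volume indicator (a category-2 system of 150,000 subjects drops from K1 to K2 when halved, a category-1 system stays K1 however it is cut), and dropping the health field from the sample record lowers it from category 1 to category 2 without any other change, which is the cheapest reduction of all when the business process does not need that field.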

Table 1

Category

First, the "Procedure..." establishes the existence of categories of personal data. It is therefore logical to partition the PD database in the IS into non-overlapping parts, each holding data of a single category, and to divide the IS itself into contours, each containing data of only one category. This is quite feasible, since individuals are uniquely identified by passport number, TIN or health insurance policy number, which allows medical and other databases to be indexed unambiguously. The principle to follow is that each IS contour for processing personal data uses certified products of one class, and the contours are isolated from each other. One caveat: if the contours share such a key and the network or access rights allow them to be joined, the data is effectively recombined and the whole set has to be assessed at the category of the combination, so the isolation must be real (separate segments, separate access rights), not merely a logical split of the tables.

It can be stated that most information systems for processing personal data (especially medical ones) will be special, i.e. they must ensure not only confidentiality but also integrity and other security and reliability characteristics.

For a distributed IS processing personal data, even where only confidentiality must be ensured, the "Procedure..." makes protection of transmitted and stored personal data mandatory. This fully matches the current FSB requirements for automated information systems protecting confidential information that does not constitute a state secret, namely that "all confidential information transmitted via communication channels must be protected; information transmitted over communication channels must be encrypted using cryptographic information protection facilities (CIPF), or secure communication channels must be used for its transmission. Information recorded on removable media must be protected."

The last requirement certainly also applies to isolated personal data information systems that have no channels for transmitting personal data, i.e. to individual workstations processing personal data.

This means that information systems processing personal data must be certified to a class not lower than AK2 in the FSB classification. For example, Windows XP hardened with the Secure Pack Rus update package meets this class. The protection means must include cryptographic information protection facilities (CIPF) of class not lower than KS2.

It follows that any personal data IS processing PD of a category above the fourth (i.e. categories 1 to 3, which certainly includes every system processing medical PD) will have to meet all requirements of class AK2 in the FSB classification.

In the architecture of a personal data IS with a sufficiently large volume of processed PD (indicator 1 or 2), a server component will clearly stand out, and it too requires protection. In that case all confidential information stored on the magnetic media of workstations and servers must be protected, which corresponds to the requirements of class AK3.

Thus we can propose a well-founded strategy for protecting personal data, which consists of filling in Table 1 as follows (see Table 2).

Table 2

PD category | IS class depending on the volume of processed data

Not lower than AK3

Not lower than AK3

Not lower than AK3

Note. "-" means that there are no requirements.

Thus, to protect personal data of the first category, which includes all medical data, protection means of class not lower than AK3 and cryptographic protection means of class not lower than KS3 must be used.

To equip an IS with protection means in practice, we can recommend products specially adapted for the protection of personal data that hold the necessary permits (certificates and conclusions): first of all Secure Pack Rus and the CryptoPro family of cryptographic protection tools.

Let us now estimate the cost of equipping one workplace for processing PD. Without discounts the Secure Pack Rus package costs about 2,000 rubles, and the CryptoPro cryptographic protection tools are already included in it. To protect personal data stored on the computer it is further advisable to buy one of the data protection packages CryptoPro EFS, Secure Pack Explorer or Crypto Explorer, each priced at 600 to 1,000 rubles. In total, protecting one workplace will cost about 3,000 rubles excluding installation and configuration, and installation and adaptation traditionally add 10-15% to the cost.

Conventionally, we can distinguish a "mystical ten steps" on the path to a secure system for processing personal data.

  1. Determine which elements of your IS need to be protected first. Find out exactly what personal data needs protection and where it currently resides in your system. Then check whether every employee's workstation really needs data protection: perhaps it would be easier to set aside separate computers for working with the personal data that needs the most reliable protection. Remember that a computer connected to the Internet is not the best place to store personal data!
  2. Assess the current state of information security. How satisfactory is it? If possible, commission an external security audit of your system. Classify your IS according to the guidelines above and compare your findings with those of the external audit.
  3. Determine who is currently responsible for protecting the IS. Can the circle of people on whom the reliability of this protection depends be narrowed? At the same time, remember that security cannot depend on one person. Be sure to appoint auditors; for example, the chief physician can supervise how specialists fill in and move PD.
  4. Be critical of specialists' demands if they insist on installing security hardware. Note also that using cryptographic tools is serious work. It is important to understand whether maintaining encryption tools and using digital signatures will interfere with your company's core business. Note too that not every employee can or should encrypt data.
  5. Put your clinic's security regime in order. Set a regime that ensures the required level of information security, but do not go too far: for example, people should not be deprived of their mobile phones, and it is inappropriate to forbid employees from using e-mail and the Internet for personal purposes. At the same time it is quite advisable to regulate how flash media and personal laptops are brought onto company premises, or to use the Secure Pack Rus function that disables USB drives not authorized by the administrator.
  6. Require IT specialists to draw up a clear work plan for creating and configuring the security system. Ask them to justify any purchase of additional security equipment. Insist on guarantees that security adjustments will not affect the basic operation of the system.
  7. Monitor the implementation of the plan for creating the security system.
  8. Listen to the opinions of doctors and employees: do the security measures interfere with their work and core activities?
  9. Maintain and check the state of PD security, and also strengthen the loyalty of security staff.
  10. Be calm about innovations in the security field: healthy conservatism will save you money.

Federal Law No. 152-FZ "On Personal Data" was adopted on July 27, 2006 to protect the rights and freedoms of man and citizen in the processing of his personal data, including the right to privacy and to personal and family secrets. One of the reasons for its adoption was the numerous cases of theft of personal data databases from government and commercial organizations and their widespread sale.

What does the term “personal data” mean?

A definition of personal data (PD) existed before the law was adopted, for example in the "List of Confidential Information" approved by Decree of the President of the Russian Federation No. 188 of March 6, 1997:

Confidential information includes: information about the facts, events and circumstances of a citizen's private life that allows his identity to be established (personal data), with the exception of information subject to dissemination in the media in cases established by federal law.

The law, however, extended it. Under FZ-152, personal data is any information relating to an individual identified or identifiable on the basis of such information (the subject of personal data), including his surname, first name, patronymic, year, month, date and place of birth, address, family, social and property status, education, profession, income and other information.

Thus personal data is, first of all, passport data, information about marital status and education, TIN, the state pension insurance certificate number, medical insurance details, employment history, social and property status and income. Almost every organization holds such data.

When someone is hired, this is the data the employer's HR department collects: what the employee enters in his personal card, autobiography and the other documents filled in when the employment contract is concluded.

When a child enters a kindergarten, school, institute or other educational institution, many questionnaires and forms are likewise filled in, giving the data of both the child (for example, birth certificate details) and the parents (down to their place of work and position).

When undergoing treatment in a medical institution, a person has to give not only passport data but also information about benefits, medical insurance, previous treatment and test results. In many medical institutions the outpatient and inpatient records are duplicated in electronic form.

And all this data, according to current legislation, is subject to protection.

Where to start protection, and is it necessary at all?

Confidentiality of personal data is a mandatory requirement for the operator, or any other person with access to personal data, not to allow its dissemination without the consent of the personal data subject or another legal basis (FZ-152).

The operator is a state body, municipal body, legal entity or individual that organizes and/or carries out the processing of personal data and determines the purposes and content of that processing (FZ-152).

A personal data information system (PDIS) is an information system consisting of the personal data held in a database together with the information technologies and technical means that allow such personal data to be processed with or without automation tools (FZ-152).

Processing of personal data means actions (operations) on personal data, including collection, systematization, accumulation, storage, clarification (updating, changing), use, dissemination (including transfer), depersonalization, blocking and destruction of personal data (FZ-152).

When processing personal data, the operator must take all necessary organizational and technical measures to protect it from unauthorized or accidental access, destruction, modification, blocking, copying and dissemination, and from other unlawful actions.

What needs to be done to protect personal data?

First of all, it is necessary to determine what personal data information systems exist and what type of personal data are processed in them.

Classification of personal data information system

To understand how significant the problem of PD protection is, and to select the necessary methods and means of protecting PD, the operator needs to classify the ISPD. The classification procedure is set out in the order of FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia No. 55/86/20 of February 13, 2008.

So the operator forms a commission (by order of the head of the organization) which, after analysing the initial data, decides which class to assign to the ISPD. During classification the following are determined:

  • category of personal data processed;
  • volume of personal data processed;
  • type of information system;
  • the structure of the information system and the location of its technical means;
  • personal data processing modes;
  • modes for delimiting user access rights;
  • availability of connections to public networks and (or) international information exchange networks.

According to order No. 55/86/20, all information systems (IS) are divided into standard and special.

Standard information systems are those that require only the confidentiality of personal data to be ensured.

Special information systems are information systems in which, regardless of the need to ensure the confidentiality of personal data, it is necessary to ensure at least one of the security characteristics of personal data other than confidentiality (protection from destruction, modification, blocking, as well as other unauthorized actions).

In practice there are almost no standard information systems, since in most cases the integrity and availability of the information must be ensured in addition to its confidentiality. Special systems must also include:

  • information systems in which personal data relating to the health status of the subjects of personal data are processed;
  • information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

So, based on the results of the analysis of the initial data, the commission assigns the corresponding class to the personal data system:

    class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them can lead to significant negative consequences for the subjects of personal data;

    class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;

    class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;

    class 4 (K4) - information systems for which violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

The classification results are documented in an ISPD classification act, which states the type of ISPD (standard or special), the class assigned to it and the conditions on which the decision was based.

As already mentioned, classification is needed for the subsequent choice of methods and means of protecting the personal data processed in the ISPD, since the FSTEC and FSB documents set their own ISPD protection requirements for each class; these are discussed a little later.

Consent of the PD subject to processing

The next step is to process the data, but for that processing to be lawful, the operator must first obtain the consent of the personal data subject (this is how the law prevents the unlawful collection and use of personal data):

Article 6 of Federal Law-152:

Processing of personal data can be carried out by the operator with the consent of the subjects of personal data, except for the following cases:

1) the processing of personal data is carried out on the basis of a federal law establishing its purpose, the conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as defining the powers of the operator;

2) the processing of personal data is carried out for the purpose of fulfilling a contract, one of the parties to which is the subject of personal data;

3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory anonymization of personal data;

4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;

5) the processing of personal data is necessary for postal organizations to deliver postal items, and for telecommunication operators to settle accounts with users for communication services rendered and to consider claims from users of communication services;

6) the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activities, provided that the rights and freedoms of the subject of personal data are not violated;

7) personal data subject to publication in accordance with federal laws is processed, including personal data of persons holding government positions, positions in the state civil service, personal data of candidates for elected state or municipal positions.

So, if our case of personal data processing is provided for in Part 2 of Article 6 of Federal Law No. 152, then obtaining consent is not necessary.

Chapter 14 of the Labor Code must also be followed. For example, an employer has the right to receive and process data about an employee's private life only with the employee's written consent (Article 86, part 4 of the Labor Code).

According to Article 9 of Federal Law-152, the consent of the personal data subject to the processing of his personal data must be obtained in writing. The written consent of the personal data subject must include:

  • last name, first name, patronymic and address of the personal data subject, the number of his main identity document, and the date of issue and issuing authority of that document;
  • name (last name, first name, patronymic) and address of the operator receiving the consent of the personal data subject;
  • purpose of processing the personal data;
  • list of personal data for the processing of which the consent of the personal data subject is given;
  • list of actions with the personal data for which consent is given, and a general description of the processing methods used by the operator;
  • the period during which the consent is valid, and the procedure for its withdrawal.

Regulations regulating the procedure for processing and protecting personal data

So, the operator has received (where necessary) consent to the processing of personal data, and the personal data can be processed. But, according to the Labor Code and FZ-152, it is necessary to develop (or, if one already exists, bring into line with the Federal Law) a regulation governing the procedure for storing, processing and protecting personal data. Let's call it the Regulation on Ensuring the Security of Personal Data. It is an internal (local) document of the organization. There is no strict form for this document, but it must meet the requirements of the Labor Code and FZ-152, and therefore it should cover the points repeated in the section on organizational and administrative documentation below.

The Regulation on Ensuring the Security of Personal Data is approved by the head of the organization or a person authorized by him and put into effect by order of the head. The employer is obliged to have each employee acknowledge the Regulation by signature.

List of persons allowed to process personal data

In addition, it is necessary to draw up a list of persons allowed to process personal data, i.e. a list of those (by position) who need access to personal data to perform their official duties. First of all, these are HR (personnel department) employees, since they collect and generate data about the employee, as well as accounting employees. Heads of structural units (for example, heads of departments) may also get access to this information, and this too must be reflected in the list. However, none of them has the right to request arbitrary data, only the data needed to perform specific job functions (for example, to calculate tax benefits the accounting department does not receive all information about the employee, only the number of his dependents). Therefore, it is advisable to also record the list of information resources to which each user is allowed access.

The list of persons authorized to process personal data can be drawn up as an appendix to the Regulations on ensuring the security of personal data or a separate document, approved by the manager.

Roskomnadzor notification

Further, in accordance with Article 22 of FZ-152, before processing personal data the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects (today this is the Federal Service for Supervision of Communications, Information Technology and Mass Media, Roskomnadzor) of its intention to process PD, except in the cases provided for in Part 2 of Article 22 of Federal Law-152:

The operator has the right to process personal data without notifying the authorized body for the protection of the rights of personal data subjects:

1) relating to subjects of personal data who have an employment relationship with the operator;

2) received by the operator in connection with the conclusion of an agreement to which the subject of personal data is a party, if personal data is not distributed or provided to third parties without the consent of the subject of personal data and is used by the operator solely for the execution of the specified agreement and the conclusion of contracts with the subject of personal data;

3) relating to members (participants) of a public association or religious organization and processed by the relevant public association or religious organization operating in accordance with the legislation of the Russian Federation, to achieve the legitimate purposes provided for by their constituent documents, provided that personal data will not be disseminated without written consent of the subjects of personal data;

4) which are publicly available personal data;

5) including only the last names, first names and patronymics of the subjects of personal data;

6) necessary for the purpose of one-time entry of the subject of personal data into the territory where the operator is located, or for other similar purposes;

7) included in personal data information systems that, in accordance with federal laws, have the status of federal automated information systems, as well as in state personal data information systems created to protect state security and public order;

8) processed without the use of automation tools in accordance with federal laws or other regulatory legal acts of the Russian Federation that establish requirements for ensuring the security of personal data during their processing and for respecting the rights of personal data subjects.

The requirements for the notification are set out in Part 3 of Article 22 of FZ-152. The notification form for the processing (or intended processing) of personal data can be filled out electronically on the Roskomnadzor website: http://rsoc.ru/personal-data/p181/

Now you can begin processing personal data, while simultaneously solving the most difficult and problematic issue - ensuring the security of personal data during their processing.

Ensuring the security of personal data during their processing

Measures to protect information are labor-intensive and can lead to significant financial costs, due to the need to:

  • obtain (if necessary) an FSTEC of Russia license for activities involving the technical protection of confidential information;
  • involve an FSTEC of Russia licensee to implement measures to create an ISPDn protection system and/or to certify it according to information security requirements;
  • send the employees responsible for information security to advanced training courses on information security and/or hire information security specialists;
  • install FSTEC-certified information security tools and FSB-certified cryptographic information protection tools (CIPF), depending on the ISPDn class.

Some things you can do yourself, but in others it’s better to trust the experts. But it is necessary to protect personal data, one way or another.

Article 19, Federal Law-152:

When processing personal data, the operator is obliged to take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, distribution of personal data, as well as from other unlawful actions.

The specific requirements are set out in the following documents:

  • "Regulations on ensuring the security of personal data during their processing in personal data information systems", approved by Decree of the Government of the Russian Federation No. 781 of November 17, 2007.
  • "Regulations on the peculiarities of processing personal data carried out without the use of automation tools", approved by Decree of the Government of the Russian Federation No. 687 of September 15, 2008.
  • "Requirements for material media of biometric personal data and for technologies for storing such data outside personal data information systems", approved by Decree of the Government of the Russian Federation No. 512 of July 6, 2008.
  • Special requirements and recommendations for the technical protection of confidential information (STR-K), approved by order of the State Technical Commission of Russia No. 282 of August 30, 2002 (DSP).
  • Basic model of threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008 (extract; when considering threats of information leakage through side-channel electromagnetic emissions and pickup (PEMIN), the full DSP version of this document must be used).
  • Methodology for determining current threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008 (the "for official use" mark was removed by the FSTEC Decision of November 16, 2009).
  • Recommendations for ensuring the security of personal data during their processing in personal data information systems, dated February 15, 2008 (the "for official use" mark was removed by the FSTEC Decision of November 11, 2009).
  • Main measures for organizing and technically ensuring the security of personal data processed in personal data information systems, dated February 15, 2008 (the "for official use" mark was removed by the FSTEC Decision of November 11, 2009).
  • Methodological recommendations for ensuring the security of personal data using cryptographic tools when processing them in personal data information systems using automation tools. FSB, February 21, 2008.
  • Standard requirements for organizing and ensuring the functioning of encryption (cryptographic) means designed to protect information that does not constitute a state secret, when used to ensure the security of personal data during their processing in personal data information systems. FSB, February 21, 2008.

We will not consider in detail all the requirements that must be met to ensure the security of personal data when processed in an ISPD - there are many of them, and they strongly depend on the specific ISPD. Let us dwell on the main points that often cause difficulties for operators.

License - to get or not to get?

Legislation, as well as FSTEC documents, tell us the following:

Article 16, part 6 of Federal Law-149 "On Information, Information Technologies and Information Protection" dated July 27, 2006:

Federal laws may establish restrictions on the use of certain information security tools and the implementation of certain types of activities in the field of information security.

Article 17, part 1, clause 11 of Federal Law-128 "On licensing of certain types of activities" dated August 8, 2001:

In accordance with this Federal Law, the following types of activities are subject to licensing: activities for the technical protection of confidential information.

Decree of the Government of the Russian Federation No. 504 "On licensing activities for the technical protection of confidential information" dated August 15, 2006:

Technical protection of confidential information is understood as a set of measures and (or) services to protect it from unauthorized access, including through technical channels, as well as from special influences on such information for the purpose of its destruction, distortion or blocking access to it.

FSTEC's "Main measures", clause 3.14:

In accordance with the provisions of Federal Law No. 128 "On licensing of certain types of activities" and the requirements of Government Decree No. 504 "On licensing activities for the technical protection of confidential information", ISPDn operators carrying out measures to ensure the security of personal data (confidential information) during their processing in ISPDn of classes 1, 2 and 3 (distributed systems) must obtain, in the prescribed manner, a license to carry out activities for the technical protection of confidential information.

The head of a department of the FSTEC of Russia, Igor Grigorievich Nazarov, also answered the question about the need for a license at a round table held by the magazine "Connect! World of Communication" (http://www.connect.ru/article.asp?id=9406):

Question: Do operators processing personal data in ISPD need to obtain a license for the technical protection of confidential information?

Igor Nazarov: In accordance with FSTEC documents, a license is required for personal data operators who independently carry out such activities on class 1 and class 2 information systems and on class 3 geographically distributed systems; as a rule, these are large state information systems. At the same time, for clinics, kindergartens, pharmacies, etc., with ISPD of classes 3 and 4, obtaining such licenses is not required.

In accordance with Decree of the Government of the Russian Federation No. 781 of November 17, 2007, if the ISPD operator enters into an agreement to carry out the appropriate information (PD) protection measures with an authorized person (a licensee of the FSTEC of Russia), the operator is not required to have a license.

So, for small organizations, instead of obtaining an FSTEC license for the technical protection of confidential information (TZKI) in order to carry out the measures to ensure the security of personal data (creation of an ISPD protection system, certification), it is more cost-effective to engage an FSTEC licensee, who will carry out all the necessary work.

For large organizations (such as telecom operators, large banks, etc.) it is more profitable to obtain a license yourself and perform all the necessary work.

The procedure for granting a license to carry out activities for the technical protection of confidential information is defined by the "Regulations on licensing activities for the technical protection of confidential information" (approved by Decree of the Government of the Russian Federation No. 504 of August 15, 2006). The requirements for obtaining a license are:

a) the presence on the staff of the license applicant (licensee) of specialists with higher professional education in the field of technical information security, or with higher or secondary vocational (technical) education who have undergone retraining or advanced training in technical information security;

b) the presence of premises for the license applicant (licensee) for carrying out licensed activities that comply with technical standards and requirements for technical protection of information established by regulatory legal acts of the Russian Federation, and owned by him by right of ownership or on another legal basis;

c) the presence, on any legal basis, of production, testing and control equipment that has undergone metrological verification (calibration), marking and certification in accordance with the legislation of the Russian Federation;

d) use of automated systems for processing confidential information, and of means for protecting such information, that have passed the conformity assessment procedure (certified and (or) attested according to information security requirements) in accordance with the legislation of the Russian Federation;

e) use of computer programs and databases intended for carrying out the licensed activities on the basis of an agreement with their copyright holder;

f) the availability of regulatory legal acts and regulatory and methodological documents on technical information protection in accordance with the list established by the Federal Service for Technical and Export Control.

Stages of creating a SZPDn

According to the FSTEC document "Main measures for organizing and technically ensuring the security of personal data processed in personal data information systems", the creation of a personal data protection system (SZPDn) consists of the following stages:

1. Pre-project stage

1.1 survey of the informatization object:

  • establishing the need to process PD in the ISPD;
  • determination of the list of personal data subject to protection;
  • determining the location of the ISPD relative to the boundaries of the controlled zone;
  • determination of the configuration and topology of the ISPD as a whole and of its individual components; the physical, functional and technological connections both within the ISPD and with other systems of various levels and purposes;
  • determination of the technical means and systems used in the protected ISPD, the conditions for their location;
  • identification of system-wide, special and application software used in the protected ISPD;
  • determination of the information processing mode in the ISPD as a whole and in individual components;
  • carrying out the classification of ISPD;
  • determining the degree of personnel participation in processing (discussion, transmission, storage) of information, the nature of their interaction with each other;
  • identification and compilation of a list of vulnerabilities and threats to information security, assessment of the relevance of threats to information security;
  • development of a private threat model.

1.2 development of the terms of reference for the creation of the SZPDn, which should contain:

  • substantiation of the need to develop the SZPDn;
  • initial ISPDn data in its technical, software, information and organizational aspects;
  • the ISPDn class;
  • references to the regulatory documents that the SZPDn will be developed against and the ISPDn accepted into operation under;
  • specification of the measures and requirements for the SZPDn;
  • a list of the certified information security tools intended for use;
  • justification for developing in-house information security tools if it is impossible or impractical to use certified tools available on the market;
  • composition, content and timing of the work at the development and implementation stages of the SZPDn.

2. Stage of design and implementation of SZPDn

2.1 development of a project for the creation of SZPDn;

2.2 development of organizational and technical measures to protect information in accordance with the requirements;

2.3 purchase of certified information security tools;

2.4 development and implementation of a permit system for access of users and personnel to information processed in the ISPD;

2.5 installation and configuration of information security tools;

2.6 identification of departments and persons responsible for the operation of information security means, training of designated persons in the specifics of work to protect personal data;

2.7 development of operational documentation for ISPD and information security tools, as well as organizational and administrative documentation for information security (regulations, orders, instructions and other documents);

2.8 implementation of other measures aimed at protecting information.

3. Stage of putting into effect the SZPDn

3.1 trial operation of information security tools in combination with other hardware and software in order to test their performance as part of the ISPD;

3.2 acceptance tests of information security equipment based on the results of trial operation with the execution of an acceptance certificate;

3.3 assessment of compliance of ISPD with information security requirements - certification (declaration) according to information security requirements.

4. Maintenance and support of the information security system

Organizational and administrative documentation for the protection of personal data

Besides the technical solutions of the personal data protection system being created, the operator must ensure the development of organizational and administrative documents that regulate all issues arising in connection with ensuring the security of personal data during their processing in the ISPD and the operation of the SZPDn. There are quite a lot of such documents; the main ones are:

1. Regulations on ensuring the security of personal data - at the beginning of the article we already touched on the purpose and composition of this document. Just in case, we repeat - it should indicate:

  • goal and objectives in the field of personal data protection;
  • concept and composition of personal data;
  • in which structural units and on what media (paper, electronic) this data is accumulated and stored;
  • how personal data is collected and stored;
  • how it is processed and used;
  • who (by position) within the company has access to it;
  • principles of personal data protection, including protection from unauthorized access;
  • employees' rights regarding the protection of their personal data;
  • responsibility for the disclosure of confidential information related to the personal data of employees.

2. To organize a system of admission and registration of persons authorized to work with PD in the ISPD, - a List of persons authorized to process PD (list by position of those who need access to PD to perform official duties) and an Access Matrix (should reflect the powers of users to perform specific actions in relation to specific ISPD information resources - reading, writing, adjusting, deleting). Both documents are approved by the manager.

3. A private threat model (if there are several ISPDn, a threat model is developed for each of them), developed based on the results of the preliminary survey. FSTEC of Russia provides the Basic model of threats to the security of personal data during their processing in personal data information systems, according to which the following must be considered when creating a private model:

  • threats of information leakage through technical channels;
  • threats of unauthorized access associated with the actions of violators who have access to the ISPD and implement threats directly in the ISPD; in this case, legitimate ISPD users must also be considered potential violators;
  • threats of unauthorized access associated with the actions of violators who do not have access to the ISPD and implement threats from external public communication networks and (or) international information exchange networks.

The developed threat model is approved by the manager.

4. Based on the approved ISPD threat model, it is necessary to develop requirements to ensure the security of personal data when processed in the ISPD. Requirements, like the threat model, are an independent document that must be approved by the head of the organization.

To develop a model of threats and requirements, it is advisable for the operator to involve specialists from FSTEC licensee organizations.

5. Instructions regarding ensuring the security of personal data during their processing in the ISPD.

In addition, before carrying out all measures to protect personal data, the operator must appoint an official or (if the information system is large enough) a structural unit responsible for ensuring the security of personal data. The decision on the appointment is formalized by order of the head. The tasks, functions and powers of the official (unit) responsible for ensuring PD security are determined by internal organizational and administrative documents (job descriptions, regulations).

What is required to be certified and what is not?

There is often a misconception that all software used must be certified, and certification is expensive and time-consuming.

However, none of the documents regulating personal data protection issues states that all software must be certified. Information security tools must be certified according to the requirements of the FSTEC of Russia, but not system, application or special software that is not involved in the protection of ISPD.

Igor Nazarov: ...certification for control of the absence of undeclared capabilities concerns the security functionality, i.e. specifically the protection measures, and not all of the software used in the information system (http://www.connect.ru/article.asp?id=9406).

Today, FSTEC documents, which can be viewed on the website of the Federal Service for Technical and Export Control, tell us the following on this matter:

Only technical means and protection systems certified according to information security requirements may be used in the ISPD.

"Main measures":

Clause 4.2: ...the ISPD must be checked for the presence of undeclared capabilities in its software and hardware, and the security of its system and application software must be analyzed.

Clause 4.3: For software used to protect information in the ISPD (information security tools, including those built into system-wide and application software), an appropriate level of control over the absence of undeclared capabilities must be ensured.

Thus, there is no need to certify system and application software if it is not involved in the information security process - this can be done at the operator’s discretion.

The practice of creating personal data protection systems shows that it is necessary to use licensed software (system, application and special software) and certified information security and anti-virus protection tools (these may be information protection tools against unauthorized access (SZI NSD), anti-virus products, firewalls, intrusion detection tools and security analysis tools, of a class matching the ISPDn class). If cryptographic information protection tools (CIPF) are installed in the ISPD, they must also be certified according to the requirements of the FSB of Russia.

It should be noted that only an FSTEC licensee has the right to install certified information security tools, and only an FSB licensee has the right to install CIPF.

Certification

The final stage of creating an ISPD protection system should be certification (declaration of conformity): a set of organizational and technical measures as a result of which a special document, the Certificate of Conformity (Conclusion), confirms that the ISPD meets the requirements of standards or other regulatory and methodological documents on information security. A valid Certificate of Conformity gives the right to process information of the corresponding confidentiality level for the period established in the Certificate.

Question: Who can certify workplaces for compliance with the requirements of legislation and regulatory documents in the field of personal data?

Igor Nazarov: FSTEC licensees who have a license to operate in the technical protection of confidential information have the right to certify ISPDn for compliance with information security requirements (http://www.connect.ru/article.asp?id=9406).

Certification provides for a comprehensive check (certification tests) of the ISPDn under real operating conditions in order to assess whether the adopted set of protection measures meets the required level of personal data security.

In general, ISPD certification according to information security requirements includes the following stages:

  • analysis of the initial data on the ISPD being certified;
  • expert examination of the ISPD and analysis of the documentation developed to ensure the security of personal data, for compliance with the requirements of regulatory and methodological documents;
  • comprehensive certification tests of the ISPD under real operating conditions using special monitoring equipment and software for checking protection against unauthorized access;
  • analysis of the results of the comprehensive certification tests, and preparation and approval of the Conclusion and the Certificate of Conformity based on the certification results.

An important point: if the conditions and technology of PD processing change, the operator is obliged to notify the licensee organization that certified the ISPD. The licensee then decides whether an additional check of the effectiveness of the ISPD protection system is needed.

Responsibility and risks for failure to comply with legal requirements

If the requirements for ensuring the security of personal data are not met, the operator may face the risk of civil claims from clients or employees.

This, in turn, can affect the company's reputation, as well as lead to the forced suspension (termination) of PD processing, to the company and (or) its manager being brought to administrative or other liability, and, under certain conditions, to the suspension or revocation of licenses. In addition, under the Federal Law, persons guilty of violating its requirements bear civil, criminal, administrative, disciplinary and other liability provided for by the legislation of the Russian Federation (Article 24 of FZ-152):

Disciplinary (Labor Code of the Russian Federation, articles 81, 90, 195, 237, 391);

Administrative (Code of the Russian Federation on Administrative Offences, articles 5.27, 5.39, 13.11-13.14, 13.19, 19.4-19.7, 19.20, 20.25, 32.2);

Criminal (Criminal Code of the Russian Federation, articles 137, 140, 155, 171, 183, 272, 273, 274, 292, 293).