Structure of the personal data information system. Personal data (classification of personal data)

Personal data information systems (ISPD) are used by many enterprises and organizations in their work. Let's look at what they are and what those who work with ISPD need to take into account.

What is ISPD?

Put simply, an ISPD is used to store and process personal data. It consists of the following components:

  • The set of personal data itself, stored in the system's database.
  • Technical means used to work with this data.
  • Tools for automating the accounting and processing of information stored in the ISPD (not present in every system).

ISPD is serious

When using such systems, it is important to protect personal data from unauthorized access, loss and other emergency situations. This is even prescribed at the legislative level. To determine the recommended measures for limiting access to information and protecting it, an ISPD audit is carried out (more details can be found, for example, from the specialists of the Rentacloud company: http://rentacloud.su/services/zashchita-personalnykh-dannykh/audit/). Based on its results, a report is drawn up containing the following information:

  • Category of personal data that is stored and processed in the surveyed system.
  • Their class and type (more on this below).
  • Parameters and structure of the system under study.
  • Volumes of PD (number of records, etc.) stored and processed in the ISPD.
  • Information about the location of the system.
  • Information about the possibility of accessing the database via public networks (LAN, Internet, etc.).

The audit is carried out in strict accordance with a joint document prepared by the Ministry of Communications, FSTEC and FSB. It is very voluminous and requires thorough study. For this reason, the audit of the system and the preparation of the recommendations on which the protection of the ISPD will be based must be entrusted to specialists. You can use their services, for example, by contacting the company “Rentacloud” (http://rentacloud.su).

Types, classes of ISPD, and what else you need to know about such systems

Personal data information systems (ISPD) are divided into 4 classes and 2 types. The division into classes is based on the category of the personal data processed and its volume.

Classes

The table will help you figure this out:

Explanations for the table.

Category 4 includes anonymized personal data, from which it is impossible to identify a specific subject (example: statistical data). Category 3 includes PD on the basis of which only identification of a person is possible (such systems are quite rare). Category 2 includes data on the basis of which it is possible to identify a person and obtain certain additional information about him (example: payroll systems in organizations and enterprises). Category 1 includes data containing information about nationality, health status and other social information, and information of a different nature (for example, databases of health care institutions).

As for the classes indicated in the table, an ISPD is assigned to them on the basis of the possible damage to subjects if security conditions are violated:

  • Class 4. Any negative consequences for the subject are excluded.
  • Class 3. Minor negative consequences may occur.
  • Class 2. Negative consequences may occur.
  • Class 1. Very serious negative consequences are possible.

Types of ISPD

The first type includes systems where the ISPD protection functions are limited to achieving the required level of confidentiality. If, in addition to confidentiality, there is a need to ensure at least one additional security indicator (authenticity, availability, data integrity, etc.), we are talking about the second type.

It is worth noting that most of the systems used today are classified as the second type.

It can be seen that developing ISPD, classifying them and providing reliable, effective protection are very complex and multifaceted processes. To avoid mistakes, it is advisable to entrust this to specialists. To do this, you can contact, for example, the Rentacloud company, which occupies one of the leading positions in this market.

An ISPD classification act, as a rule, is a confidential document and must have a confidentiality stamp (“Confidential”, “DSP”, “Trade Secret”) and an account number.

To carry out the classification, a commission must be created at the enterprise. The commission must include a person responsible for the protection of personal data. The commission must be appointed by order of the head and carry out its activities on the basis of the Regulations on the classification commission. Based on the classification results, an act must be drawn up. The ISPD classification act must be approved by the chairman of the commission and signed by all members of the commission.

How to draw up an ISPD classification act

A classification act is drawn up for each identified ISPD. Based on the data received from each ISPD, the required level of protection of personal data is determined. This is necessary in order to establish the requirements for protecting the personal data information system. The level of security of personal data is determined in accordance with the Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in personal data information systems.”

The act states:

  • personal data processed in the system;
  • volume of personal data processed;
  • type of current threats to ISPD;
  • information system structure;
  • availability of connections to public communication networks and (or) international information exchange networks;
  • mode of processing personal data in the system;
  • differentiation of user access rights;
  • ISPDn location;
  • PD security level.

The ISPD classification act may include systems that store the following data:

  • special categories of personal data - information relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life of the subjects of personal data;
  • biometric personal data – information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which is used by the operator to establish the identity of the subject of personal data;
  • publicly available personal data – information obtained only from publicly available sources of personal data created in accordance with Article 8 of the Federal Law “On Personal Data”.

It is quite rare to find systems in which category 3 personal data is processed. This is due to the fact that for real tasks, not only data identifying the subject (full name, passport data) is needed, but also additional information about him (for example, salary information).

The most common information systems are those in which category 2 personal data is processed. For example, employee payroll systems.

The volume of processed personal data determines the number of subjects whose personal data is processed in the system. The following gradation applies:

  • more than 100,000 personal data subjects;
  • less than 100,000 personal data subjects.

Types of threats to the security of personal data

Type of current threats for ISPD:

  • Type 1 threats are relevant to an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the system software used in the information system are relevant to it;
  • Type 2 threats are relevant to an information system if, among other things, threats associated with the presence of undocumented (undeclared) capabilities in the application software used in the information system are relevant to it;
  • Type 3 threats are relevant to an information system if threats that are not related to the presence of undocumented (undeclared) capabilities in the system and application software used in the information system are relevant to it.

By type, personal data information systems described in the ISPD classification act are divided into standard and special. Typical ISPD are information systems in which it is required to ensure only the confidentiality of PD. Special ISPD are information systems in which, in addition to confidentiality, it is necessary to ensure at least one more characteristic of the security of personal data (integrity, availability).

In addition, special systems include all ISPDs that process data on the health of subjects, and ISPDs that provide for the adoption of decisions that generate legal consequences for the subject based on automated processing.

Most existing ISPDs are special. This is because, in addition to confidentiality, it is also important to ensure that personal data is always available for processing, as well as its integrity and reliability. For all special systems it is necessary to develop a "Private model of current threats."

Classification of personal data information systems by structure:

  • Autonomous. A single automated workplace (computer).
  • Local. Automated workstations (AWS) united in a local network.
  • Distributed. Automated workstations or local networks interconnected using remote access technology.

According to the mode of processing personal data in the ISPD system, they are divided into single-user and multi-user. Single-user systems are a rarity. As a rule, at least two people work even at one autonomous workplace (in case of vacations and illnesses).

Multi-user ISPDs are divided into:

  • Without differentiation of access rights. In such systems, all users have access to all information.
  • With differentiation of access rights. Each user has access to a strictly defined part of the information in the system.

Based on the location of the ISPD, they are divided into:

conscript November 9, 2010 at 12:31 pm

Personal data (ISPD Classification)

A lot has been written about the classification of personal data information systems: entire articles, websites and forums are devoted to this burning topic. Let's start with the fact that, in accordance with the order of FSTEC\FSB\MITiS No. 55\86\20, there are typical and special ISPDn. Typical ISPDs are those in which it is necessary to ensure only the confidentiality of personal data, and special ones are those in which it is necessary to ensure at least one security characteristic of personal data other than confidentiality (integrity, authenticity, accessibility, etc.).
The order involves the classification of ISPD based on an assessment of the possible damage to the PD subjects whose data is processed in it: the higher the possible damage, the higher the class and, accordingly, the higher the requirements for technical protection. Paragraph 14 of the Order speaks of 4 classes:
- absence of negative consequences (class 4)
- minor negative consequences (class 3)
- negative consequences (class 2)
- significant negative consequences (class 1).
The assignment of one or another ISPD class, according to the same paragraph, is carried out based on the results of the analysis of the source data.
The classification of standard ISPDs has already been discussed here, so let’s move straight to the special ones.

How to classify a special ISPD?
If your ISPD contains personal data related to race, nationality, political views, religious and philosophical beliefs, health status or intimate life, then everything is simple: your system class is K1. And it doesn’t matter whether there are 10 records or 100,000. Next, you either protect the system according to K1 in accordance with the requirements of FSTEC Order No. 58, or downgrade the class, for example, by depersonalizing such data.
Now let’s imagine a certain ISPD that we need to classify. Let it be a large enterprise that provides services to its Clients.
Initial data of our system:
1. Volume of personal data - more than 100,000.
2. Category of personal data - 2 (i.e. personal data that allows you to identify the subject of personal data and obtain additional information about him).
3. Information system structure - distributed;
4. Connection of the information system to public communication networks and (or) international information exchange networks - yes;
5. Personal data processing mode - multi-user;
6. Mode of differentiating access rights of information system users - with differentiation of access rights;
7. Location of the technical equipment of the information system - within the Russian Federation.

But we cannot classify such a system according to the table from Order No. 55\86\20, because “based on the results of the analysis of the initial data, a typical information system is assigned one of the following classes.” Don’t get upset: we read the order further and see the following point:
16. Based on the results of the analysis of source data, the class of a special information system is determined on the basis of a model of threats to the security of personal data in accordance with methodological documents developed in accordance with paragraph 2 of the Decree of the Government of the Russian Federation of November 17, 2007 N 781 “On approval of the Regulations on ensuring the security of personal data when processed in personal data information systems”.
Therefore, having analyzed the source data and the composition of the processed PD, and having determined the structure of the ISPD and its technological processes, we can come to the reasoned conclusion that a breach of the confidentiality of information may lead to negative consequences (for example, disseminating information about an employee’s disability). The implementation of all other threats will lead to minor negative consequences, because sufficient technical protection measures have been taken (or will be taken in the future during the creation of the ISPD protection system) to neutralize them. Having reflected this information in the threat model, we can easily classify a special ISPD with the specified characteristics as K2.

One of the priority activities that needs to be carried out when creating an information system for processing personal data (ISPD) is the classification of ISPD.

This is necessary in order to determine the class of the system and the corresponding requirements imposed by FSTEC and the FSB when processing personal data (PD). In this article I will describe the general procedure for classifying ISPD.

In accordance with the Order of FSTEC/FSB/Ministry of Communications dated 02/13/2008 No. 55/86/20 on the “Procedure for Classification of Personal Data Information System”, which can be downloaded here, the required classification includes the following steps:

  • Collection and analysis of initial data on the information system;
  • Assignment of the appropriate class to the information system and its documentation.

When classifying an information system, it is necessary to answer the following questions:

  1. Which category does the personal data processed in the information system belong to (XPD)?
  2. What is the volume of personal data processed, i.e. the number of personal data subjects whose personal data is processed in the information system (Xnpd)?
  3. What are the specified security characteristics of personal data processed in the information system?
  4. What is the structure of the information system?
  5. Is there a connection of the information system to public communication networks and/or Internet networks?
  6. What is the regime for processing personal data?
  7. What is the mode for delimiting access rights of users of the information system?
  8. Where are the technical means of the information system located?

Background and supporting information

The following categories of personal data processed in the information system (XPD) are defined:

  1. category 1 - personal data relating to race, nationality, political views, religious and philosophical beliefs, health status, intimate life;
  2. category 2 - personal data that allows you to identify the subject of personal data and obtain additional information about him, with the exception of personal data related to category 1;
  3. category 3 - personal data allowing identification of the subject of personal data;
  4. category 4 - anonymized and (or) publicly available personal data.

Xnpd can take the following values:

  • 1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects or personal data of personal data subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole;
  • 2 - the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of personal data subjects working in a sector of the economy of the Russian Federation or in a government body, or residing within a municipality;
  • 3 - the information system simultaneously processes data of less than 1000 personal data subjects or personal data of personal data subjects within a specific organization.

Personal data security characteristics

For ISPD, the security characteristics of personal data are determined, which are divided into basic and additional:

BASIC:

  • confidentiality
  • integrity
  • availability

ADDITIONAL:

  • non-repudiation
  • accounting (controllability)
  • authenticity (reliability)
  • adequacy

By structure, information systems are divided into:

  • autonomous (not connected to other information systems) complexes of hardware and software designed for processing personal data (automated workstations);
  • a complex of automated workstations combined into a single information system by means of communication without the use of remote access technology (local information systems);
  • a complex of automated workstations and (or) local information systems, combined into a single information system by means of communication using remote access technology (distributed information systems).

Processing mode

When organizing ISPD, the following processing modes are determined:

  • single-user;
  • multi-user.

Access rights control mode

In ISPD, the access control system implies:

  • without differentiation of access rights;
  • with differentiation of access rights.

Information systems are divided into typical and special.
Typical information systems are systems that require only the confidentiality of personal data to be ensured.

Special information systems are systems that, in addition to confidentiality, require at least one other security characteristic of personal data to be ensured, as well as:

  • Information systems in which personal data relating to the health status of the subjects of personal data are processed;
  • Information systems in which, based solely on automated processing of personal data, decisions are made that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

Information system classification

According to FSTEC/FSB/Ministry of Communications Order No. 55/86/20, ISPDn can take one of four classes defined in this order:

  1. class 1 (K1) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to significant negative consequences for the subjects of personal data;
  2. class 2 (K2) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to negative consequences for the subjects of personal data;
  3. class 3 (K3) - information systems for which a violation of the specified security characteristics of personal data processed in them may lead to minor negative consequences for the subjects of personal data;
  4. class 4 (K4) - information systems for which a violation of the specified security characteristics of personal data processed in them does not lead to negative consequences for the subjects of personal data.

"Budget organizations: accounting and taxation", 2009, N 12

From January 1, 2010, personal data information systems in all organizations, including budgetary institutions, must be brought into compliance with the requirements of the Law “On Personal Data”<1>. A number of by-laws were adopted to this Law, and as a result, there are now different interpretations of the responsibilities of state and municipal institutions in relation to the information systems they have. This article analyzes the provisions of the current legislation and highlights the mandatory requirements.

<1> Federal Law of July 27, 2006 N 152-FZ.

According to Art. 1 of the Law “On Personal Data”, this Federal Law regulates relations related to the processing of personal data carried out by federal government bodies, government bodies of constituent entities of the Russian Federation, other government agencies, local government bodies, municipal bodies not included in the system of local self-government bodies, legal entities and individuals, using automation tools or without the use of such tools, if the processing of personal data without the use of such tools corresponds to the nature of the actions (operations) performed with personal data using automation tools.

Such attention to the automation of personal data processing entails the need to comply with special legal norms regarding the use of information technologies. At the same time, it is necessary to carefully study the regulatory framework, which currently can be interpreted very ambiguously, especially in terms of the requirements it places on information systems.

The concept of "information system" in current legislation

In accordance with the Federal Law "On Information, Information Technologies and Information Protection"<2>, an information system is a set of information contained in databases together with the information technologies and technical means that ensure its processing. Based on this definition, we can conclude that there are no information systems without the use of computer equipment and corresponding software.

<2>Federal Law of July 27, 2006 N 149-FZ.

However, Art. 3 of the Law “On Personal Data” provides a broader definition of an information system: it is a collection of personal data contained in a database, as well as the information technologies and technical means that allow the processing of such personal data with or without the use of automation tools.

Let us analyze the components of this definition, the definitions of which can be found in the Federal Law “On Information, Information Technologies and Information Protection”, other laws and in regulations of the Government of the Russian Federation.

A database is understood as a set of organized interconnected data on machine-readable media (Temporary Regulations on State Accounting and Registration of Databases and Data Banks<3>). However, part four of the Civil Code of the Russian Federation (paragraph 2, paragraph 2, article 1260) gives a more detailed definition of a database: it is a set of independent materials presented in an objective form (articles, calculations, regulations, court decisions and other similar materials), systematized in such a way that these materials can be found and processed using an electronic computer.

<3>Approved by Decree of the Government of the Russian Federation of February 28, 1996 N 226.

Information technology - processes and methods of searching for, collecting, storing, processing, providing and distributing information, and ways of implementing such processes and methods (Federal Law “On Information, Information Technologies and Information Protection”).

Technical means that allow the processing of personal data are understood as computer equipment, information and computing complexes and networks, means and systems for transmitting, receiving and processing personal data (means and systems for sound recording, sound amplification, sound reproduction, meeting rooms and television devices, means of producing and replicating documents, and other technical means of processing speech, graphic, video and alphanumeric information), software (OS, database management systems and the like), and information security tools used in information systems (Regulations on ensuring the security of personal data during their processing in personal data information systems<4>).

<4>Approved by Decree of the Government of the Russian Federation of November 17, 2007 N 781.

Thus, the technical means include both copiers and software, but the key concept in defining a personal data information system is the concept of “database”. From this definition it follows that the database is processed using a computer (the media must be machine readable). If processing is carried out without the use of a computer and a database (machine-readable media), then formally there is no information system. In addition, without technical means that allow the processing of personal data, the database also cannot be recognized as an information system. In addition, information systems are not just a collection of computer equipment and certain programs that process information from databases; they may or may not use automation tools.

What is meant by automation tools?

There is a point of view according to which the use of automation means any computer processing or processing with electronic devices. If the database is stored on a computer (for example, in a spreadsheet or accounting program) or, for example, in the address book of a cell phone, then this is already automated processing of personal data and is subject to notification to Roskomnadzor. In addition, some experts believe that processing without the use of automation tools can only be carried out on paper (in journals filled out by hand, in handwritten lists).

In accordance with Part 3 of Art. 4 of the Law “On Personal Data”, the specifics of processing personal data carried out without the use of automation tools may be established by federal laws and other regulatory legal acts of the Russian Federation, taking into account the provisions of this Federal Law.

Decree of the Government of the Russian Federation dated September 15, 2008 N 687 approved the Regulations on the specifics of processing personal data carried out without the use of automation tools. According to paragraph 1 of the said Regulations, the processing of personal data contained in the personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, clarification, distribution and destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of a person.

Let us pay special attention to the fact that, according to clause 2 of the Regulations on the specifics of processing personal data carried out without the use of automation tools, the processing of personal data cannot be recognized as carried out using automation tools only on the basis that the data is contained in the information system or was extracted from it.

Thus, it can be stated that from the point of view of the definitions available in current legislation, the vast majority of information systems in state and municipal institutions can formally be considered as implemented without the use of automation tools (including a significant part of accounting software). After all, all personal cards in these systems are edited manually in the appropriate windows. To destroy personal cards, the operator must also select them in the list and press a special key to delete the data. Even archiving is carried out by a special program that is launched by a person.

By contrast, various programs that reformat data (for example, from the format of the accounting program into the format of a Pension Fund program) and perform its automatic input and onward transfer without referring to each specific employee record may be classified as automated data processing. At the same time, the processing of personal data (including last name, first name, patronymic, pension certificate number, etc.) is an integral part of such programs.

At the same time, if the transfer of data to other programs (including for tax accounting purposes) is not carried out completely automatically, but with the help of a person involved in the processing of personal data, then such processing also cannot be considered automated.

In this regard, the recommendations of the Federal Agency for Education, set out in Letter No. 17-110 of July 29, 2009 “On ensuring the protection of personal data,” have a rather limited application in practice. In order to automate the processing of personal data in questionnaires, Rosobrazovanie recommends additionally indicating the internal identification number (personal code) of the subject of personal data, assigned for the entire period of study or work. This allows you to anonymize databases if they do not contain other personal data, and significantly reduce the cost of protecting information.

However, to automate management activities in a state or municipal institution, at least the last names, first names and patronymics of employees, students, etc., as well as a number of other personal data (for employees, for example, information about their income for accounting and tax purposes) are required. Referring to personal codes contained in the forms (questionnaires) while processing the rest of the data with software would look strange at the least, and would reduce the effectiveness of introducing modern information technologies. Moreover, depending on the form of the questionnaires used, they can be recognized as part of the information system (as an integral part of the database), which would make additional coding completely meaningless (such coding is required if it is advisable to anonymize data, for example, for statistical research).

Processing of personal data without the use of automation tools

So, as discussed above, despite the computerization of activities, in most cases the processing of personal data in state and municipal institutions is carried out without the use of automation tools (non-automated) and, accordingly, is regulated by the Regulations on the specifics of the processing of personal data carried out without the use of automation tools<5>.

<5>Approved by Decree of the Government of the Russian Federation of September 15, 2008 N 687.

Persons carrying out such processing (including employees of the operator organization or persons working under an agreement with the operator) must be informed about the fact of their processing of personal data without the use of automation tools, the categories of personal data processed, as well as about the features and rules for carrying out such processing established by regulatory legal acts of federal executive authorities, executive authorities of constituent entities of the Russian Federation and local acts of an educational institution.

Personal data, when processed without the use of automation tools, must be separated from other information, in particular by recording it on separate tangible media, in special sections or in the fields of forms.

At the same time, it is not allowed to record personal data on one tangible medium if the purposes of its processing are obviously incompatible. In this case, a separate tangible medium must be used for each category of personal data.

Therefore, processing must be carried out in such a way that, for each category of personal data:

  • storage locations have been determined and a list of persons processing data or having access to it has been established;
  • Separate storage of personal data (tangible media) is ensured, the processing of which is carried out for various purposes;
  • conditions have been met to ensure the safety of personal data and prevent unauthorized access to it.

The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of these measures, are established by the educational institution in accordance with the requirements of regulatory legal acts on the protection of personal data.

If the purposes of processing personal data recorded on one material medium are incompatible and the medium does not allow them to be processed separately from other personal data recorded on it, measures must be taken to ensure separate processing, in particular:

  • if it is necessary to use or distribute certain personal data separately from others located on the same material medium, the data that is subject to distribution or use is copied in a manner that precludes simultaneous copying of data that is not subject to distribution and use, and a copy of the personal data is used (distributed);
  • if it is necessary to destroy or block part of the personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a manner that precludes simultaneous copying of personal data subject to destruction or blocking.

Destruction or depersonalization of part of the personal data, if the tangible medium permits it, can be carried out in a way that precludes further processing of this personal data while maintaining the possibility of processing other data recorded on the medium (deletion, erasure).

Clarification of personal data processed without the use of automation tools is carried out by updating or changing the data on the tangible medium; if the technical features of the medium do not allow this, it is carried out by recording information about the changes on the same medium or by producing a new medium with the updated personal data.

Processing of personal data using automation tools

The Regulations on ensuring the security of personal data during their processing in personal data information systems establish requirements for ensuring the security of personal data processed in such systems, which are a set of personal data contained in databases together with the information technologies and technical means used to process them.

As follows from paragraph 1 of this Regulation, the term “information systems” refers only to information systems that allow the processing of personal data using automation tools, therefore, the requirements of this Regulation do not apply to information systems in which data processing is carried out without the use of automation tools.

If a state or municipal institution carries out automated processing of personal data, then the following requirements must be met.

According to the Regulations on ensuring the security of personal data during their processing in personal data information systems, the security of personal data is achieved:

  • by excluding unauthorized, including accidental, access to personal data, which may result in the destruction, modification, blocking, copying, distribution of personal data;
  • by excluding other unauthorized actions.

The security of personal data during their processing in information systems is ensured using personal data protection systems, including:

  • organizational measures;
  • information security tools;
  • information technologies.

Information security tools include:

  • encryption (cryptographic) means;
  • means of preventing unauthorized access;
  • means of preventing information leakage through technical channels;
  • means of preventing software and hardware impacts on technical means of processing personal data.

To ensure the security of personal data during their processing in information systems, protection is provided for speech information and for information processed by technical means, as well as for information presented in the form of informative electrical signals, physical fields, and media on paper, magnetic, magneto-optical and other bases.

Requests from users of the information system to obtain personal data, as well as the facts of providing data on these requests, must be recorded by automated means of the information system in the electronic log of requests. The contents of the electronic log of requests must be periodically verified by the relevant officials (employees) of the operator or authorized person.

If violations of the procedure for providing personal data are detected, the operator or authorized person shall immediately suspend the provision of personal data to users of the information system until the causes of the violations are identified and eliminated.
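The logging, periodic verification and suspension requirements above can be sketched as follows. This is an added example, not code from the Regulations or from the article; the class and field names, the user identifiers and the "report_export" component are hypothetical, and the approved list is modeled as a mapping from user to the personal data categories that user may receive.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    user: str
    subject_id: str   # whose personal data was requested
    category: int     # personal data category, 1..4
    provided: bool    # True if the data was actually handed over
    source: str       # component that served the request (hypothetical field)


class RequestLog:
    """Electronic log of requests plus the periodic check performed on it."""

    def __init__(self, approved):
        # approved: user -> categories allowed by the operator-approved list
        self.approved = {user: set(cats) for user, cats in approved.items()}
        self.entries = []
        self.suspended = False
        self._reviewed = 0  # index of the first entry not yet verified

    def _allowed(self, user, category):
        return category in self.approved.get(user, set())

    def record(self, entry):
        """Append an entry written by any component of the information system."""
        self.entries.append(entry)

    def request(self, user, subject_id, category, source="gateway"):
        """Checked path: log the request and whether the data was provided."""
        provided = self._allowed(user, category) and not self.suspended
        self.record(LogEntry(datetime.now(timezone.utc), user, subject_id,
                             category, provided, source))
        return provided

    def verify(self):
        """Periodic review: find data provided outside the approved list.

        Any violation suspends further provision until resume() is called.
        """
        fresh = self.entries[self._reviewed:]
        self._reviewed = len(self.entries)
        violations = [e for e in fresh
                      if e.provided and not self._allowed(e.user, e.category)]
        if violations:
            self.suspended = True
        return violations

    def resume(self, causes_eliminated):
        """Lift the suspension only once the causes have been eliminated."""
        if causes_eliminated:
            self.suspended = False
        return not self.suspended


def demo():
    # Constructed sample data: two users and their approved categories.
    log = RequestLog({"hr_ivanova": {2, 3}, "dean_petrov": {3}})
    served = log.request("hr_ivanova", "emp-001", 2)    # on the list
    refused = log.request("dean_petrov", "emp-001", 2)  # category not approved
    # Constructed entry from a component that bypassed the approved-list check.
    log.record(LogEntry(datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc),
                        "dean_petrov", "stu-117", 1, True, "report_export"))
    violations = log.verify()                           # review finds it
    during = log.request("hr_ivanova", "emp-002", 2)    # suspended: refused
    log.resume(causes_eliminated=True)
    after = log.request("hr_ivanova", "emp-002", 2)     # provision restored
    return served, refused, violations, during, after, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

Refused requests and requests made during the suspension are still written to the log, so the next review sees them as well.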

Hardware and software must meet the requirements established in accordance with the legislation of the Russian Federation to ensure the protection of information. The methods and techniques for protecting information in information systems are established by the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB) within the limits of their powers.

The security of personal data when processed in the information system is ensured by the operator or the person to whom, on the basis of an agreement, the operator entrusts the processing of personal data. Persons whose access to personal data processed in the information system is necessary to perform official (labor) duties are allowed access to the relevant personal data on the basis of a list approved by the operator or authorized person. An essential condition of the contract is the obligation of the authorized person to ensure the confidentiality and security of personal data when processed in the information system.

Information security tools used in information systems undergo a conformity assessment procedure in the prescribed manner. The exchange of personal data during their processing in information systems is carried out through communication channels, the protection of which is ensured through the implementation of appropriate organizational measures and (or) through the use of technical means.

At the same time, information systems are classified by the state bodies, municipal bodies, legal entities or individuals that organize and (or) carry out the processing of personal data and determine the purposes and content of that processing, depending on the volume of personal data they process and the security threats to the vital interests of individuals, society and the state.

The procedure for classifying information systems is established jointly by the Federal Service for Technical and Export Control, the Federal Security Service and the Ministry of Information Technologies and Communications. This Procedure is set out in the Order of the FSTEC of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia dated February 13, 2008 N 55/86/20.

In addition, requirements for premises and their security are laid down. According to clause 8 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, the placement of information systems, the special equipment and security of the premises in which work with personal data is carried out, and the organization of a security regime in these premises must ensure the safety of personal data carriers and information security tools and must also exclude the possibility of uncontrolled entry into or stay in these premises by outsiders.

To do this, state and municipal institutions must install additional alarms in the specified premises, and in doorways - additional locks or metal doors.

Measures to ensure the security of personal data during their processing in information systems include:

a) identification of threats to the security of personal data during their processing, formation of a threat model based on them;

b) development, based on the threat model, of a personal data protection system that ensures the neutralization of anticipated threats using the methods and techniques for protecting personal data provided for the corresponding class of information systems;

c) checking the readiness of information security tools for use with drawing up conclusions on the possibility of their operation;

d) installation and commissioning of information security means in accordance with operational and technical documentation;

e) training of persons using information security tools used in information systems on the rules of working with them;

f) accounting of the information protection means used, operational and technical documentation for them, personal data carriers;

g) accounting of persons authorized to work with personal data in the information system;

h) control over compliance with the conditions for the use of information security tools provided for in the operational and technical documentation;

i) investigation and drawing up conclusions on facts of non-compliance with the storage conditions of personal data carriers, the use of information security measures that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of security of personal data, development and adoption of measures to prevent possible dangerous consequences of such violations;

j) description of the personal data protection system.

Persons who have access to databases containing personal data sign a non-disclosure obligation for confidential information (such an obligation may also be included in the employment contract). Only after this does the educational institution allow them to process personal data.

When processing personal data in the information system, the educational institution must ensure:

a) carrying out measures aimed at preventing unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;

b) timely detection of facts of unauthorized access to personal data;

c) preventing influence on technical means of automated processing of personal data, as a result of which their functioning may be disrupted;

d) the possibility of immediate restoration of personal data modified or destroyed due to unauthorized access to it;

e) constant monitoring of ensuring the level of security of personal data.

To develop and implement measures to ensure the security of personal data during their processing in the information system, an operator or authorized person may appoint a structural unit or official (employee) responsible for ensuring the security of personal data.

You should also pay special attention to the fact that, according to clause 17 of the Regulations on ensuring the security of personal data during their processing in personal data information systems, the implementation of requirements for ensuring information security in information security tools is assigned to their developers.

The adequacy of the measures taken to ensure the security of personal data during their processing in information systems is assessed during state control and supervision.

Classification of personal data information systems

Classification of personal data information systems that allow this data to be processed using automation tools is carried out by the educational institution acting as operator, in accordance with the Procedure for classifying personal data information systems<6>, depending on the category of data being processed and its quantity.

<6> Approved by Order of the FSTEC of Russia, the FSB of Russia, the Ministry of Information and Communications of Russia dated February 13, 2008 N 55/86/20.

The following four categories of personal data are established:

  1. personal data relating to race, nationality, political views, religious and philosophical beliefs, health, intimate life;
  2. personal data that allows you to identify the subject of personal data and obtain additional information about him, with the exception of personal data belonging to the first category;
  3. personal data allowing identification of the subject of personal data;
  4. anonymized and (or) publicly available personal data.

In any university, public notice boards display various lists of students that combine the student's full name, course and group, which makes it possible to uniquely identify the student. Such a combination must therefore be classified as personal data of the third category; placing this data in a publicly accessible place formally requires the student's consent.

An employee's personal card (form T-2) and a student's personal file belong to the second category, since they contain personal data that make it possible not only to identify the subject of personal data but also to obtain additional information about him.

Personal data information systems are divided into typical and special. Typical systems are those that only require the confidentiality of personal data to be ensured. All other systems are classified as special.

Special information systems should also include:

  • information systems in which personal data relating to the health status of the subjects of personal data are processed;
  • information systems that provide for the adoption, based solely on automated processing of personal data, of decisions that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests.

Based on the above classification, it can be stated that any medical data, as well as personnel records containing the column "nationality" (and this covers almost all questionnaires and personnel record sheets currently in use), must be classified in the first category.

Based on the results of the analysis of available data, a typical information system is assigned one of the four classes specified in the Procedure for Classifying Personal Data Information Systems.

The class of a special information system is determined based on a model of threats to the security of personal data based on the results of the analysis of source data in accordance with the methodological documents of the FSTEC.

FSTEC has issued the following documents marked "for official use" (DSP), which can only be obtained by contacting this body:

  • Basic measures for the organization and technical support of the security of personal data processed in personal data information systems, dated February 15, 2008;
  • Basic model of threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008;
  • Methodology for identifying current threats to the security of personal data during their processing in personal data information systems, dated February 15, 2008;
  • Recommendations for ensuring the security of personal data during their processing in personal data information systems, dated February 15, 2008.

These methodological documents contain numerous requirements, which are extremely difficult for most state or municipal institutions to fulfill for reasons of both organizational and financial nature.

Declaration, certification (attestation) and licensing of activities for the protection of personal data

The FSTEC methodological documents listed above establish the following procedure for assessing compliance of the degree of security of information systems with security requirements:

  • for information systems of the first and second class, compliance of the degree of security with security requirements is established through mandatory certification (attestation);
  • for information systems of the third class, compliance with security requirements is confirmed by certification (attestation) or (at the operator's choice) by a declaration of conformity made by the personal data operator;
  • for information systems of the fourth class, conformity assessment is not regulated and is carried out at the discretion of the personal data operator.

A declaration of conformity is a confirmation that the characteristics of the personal data information system comply with the requirements established by law and by the governing and regulatory documents of the FSTEC and the FSB.

A declaration of conformity can be based on the operator's own evidence or on evidence obtained with the participation of outside organizations that hold the necessary licenses. The list of certification bodies (organizations) of the information security certification system for information security requirements, which educational institutions and educational authorities lacking the necessary specialists and licenses can contact, as well as the State Register of certified information security tools, are posted on the FSTEC website. The cost of such procedures is quite high and amounts to hundreds of thousands of rubles.

In the case of a declaration based on its own evidence, the operator independently compiles a set of documents, such as technical documentation, other documents and the results of its own research, which serve as a reasoned basis for confirming that the personal data information system complies with all the requirements set for the third class.

Attestation (certification) tests are carried out by organizations that have the necessary FSTEC licenses. At the same time, certification is understood as a set of measures that make it possible to bring an information system into compliance with the information security requirements for the declared class, set out in the regulatory and methodological documents of the FSTEC.

Attestation (certification) tests comprise an analysis of the personal data information systems already in place at the facility, as well as of newly adopted solutions for ensuring information security, and include verification of:

  • organizational and regulatory measures to ensure information security;
  • security of information from leaks through technical channels (PEMIN);
  • security of information from unauthorized access.

Based on the results of certification tests, a decision is made to issue a certificate of compliance of the information system with the declared class of information security requirements. The certificate is issued for a period of three years.

The methodological documents of FSTEC also establish additional requirements on holding licenses to carry out activities for the protection of personal data. Without the appropriate licenses, such activities are only possible for third- and fourth-class information systems.

To carry out measures to ensure the security of personal data for special information systems, first- and second-class systems and distributed (including those connected to the Internet) third-class systems, operators are required to obtain an FSTEC license for activities in the technical protection of confidential information.

The legality of the requirements for carrying out declaration, certification (attestation) and licensing procedures by state and municipal institutions on the basis of FSTEC methodological documents raises serious doubts.

The Regulations on the procedure for handling official information of limited distribution in federal executive authorities<7> (clause 1.2) classify as official information of limited distribution unclassified information relating to the activities of organizations, restrictions on the distribution of which are dictated by official needs. The establishment of obligations to license the activities of organizations cannot in any way be recognized as DSP information.

<7> Approved by Decree of the Government of the Russian Federation of November 3, 1994 N 1233.

Obligations to license certain types of activities, including activities for the technical protection of confidential information, are determined by the Federal Law "On Licensing of Certain Types of Activities"<8>. The procedure for licensing activities for the technical protection of confidential information carried out by legal entities and individual entrepreneurs is determined by Decree of the Government of the Russian Federation of August 15, 2006 N 504.

<8> Federal Law of 08.08.2001 N 128-FZ.

Neither the Regulations on licensing activities for the technical protection of confidential information nor the Procedure for classifying personal data information systems establish obligations to license activities for the technical protection of confidential information depending on the class of the information system. These requirements are established in a DSP document, the Basic measures for the organization and technical support of the security of PD processed in the ISPD.

The regulation on ensuring the security of personal data during their processing in personal data information systems only determines that:

  • information security tools used in information systems undergo a conformity assessment procedure in the prescribed manner (clause 5); that is, it is not the operator that is subject to certification but the information security tool, and the certification is carried out by the manufacturer of this tool (including a computer program for information protection);
  • the results of conformity assessments and (or) case studies of information security tools designed to ensure the security of personal data during their processing in information systems are assessed during an examination carried out by the Federal Service for Technical and Export Control and the Federal Security Service within the limits of their powers.

In accordance with Part 3 of Art. 15 of the Constitution of the Russian Federation, all laws, as well as any regulations affecting the rights, freedoms and duties of man and citizen, must be officially published for public information, that is, made public. Unpublished normative legal acts are not applied and do not entail legal consequences as they have not entered into force.

Since May 15, 1992, by Decree of the Government of the Russian Federation dated May 8, 1992 N 305 "On State Registration of Departmental Normative Acts", state registration of normative acts of ministries and departments affecting the rights and interests of citizens and of an interdepartmental nature was introduced.

Issues of state registration and entry into force of departmental regulatory legal acts are regulated by Decree of the President of the Russian Federation N 763<9> and Decree of the Government of the Russian Federation N 1009<10>.

<9> Decree of the President of the Russian Federation of May 23, 1996 N 763 “On the procedure for publication and entry into force of acts of the President of the Russian Federation, the Government of the Russian Federation and normative legal acts of federal executive authorities.”
<10> Decree of the Government of the Russian Federation of August 13, 1997 N 1009 “On approval of the Rules for the preparation of regulatory legal acts of federal executive authorities and their state registration.”

According to clause 10 of the Rules for the preparation of normative legal acts of federal executive authorities and their state registration, normative legal acts affecting the rights, freedoms and responsibilities of an individual and a citizen, establishing the legal status of organizations, or having an interdepartmental nature are subject to state registration regardless of the period of their validity, including acts containing information constituting a state secret or information of a confidential nature.

State registration of normative legal acts is carried out by the Ministry of Justice, which maintains the State Register of normative legal acts of federal executive authorities.

State registration of a normative legal act includes:

  • legal examination of the compliance of this act with the legislation of the Russian Federation, including checking for the presence of provisions in it that contribute to the creation of conditions for corruption;
  • making a decision on the need for state registration of this act;
  • assignment of registration number;
  • entry into the State Register of normative legal acts of federal executive authorities.

Regulatory legal acts affecting the rights, freedoms and responsibilities of man and citizen, establishing the legal status of organizations or having an interdepartmental nature are subject to official publication in the prescribed manner, except for acts or their individual provisions containing information constituting a state secret or information of a confidential nature.

An act recognized by the Ministry of Justice as not requiring state registration is subject to publication in the manner determined by the federal executive body that approved the act. At the same time, the procedure for the entry into force of this act is also determined by the federal executive body that issued it.

Therefore, according to the author, state and municipal institutions that carry out automated processing of personal data can, when faced with demands to obtain licenses or to undergo declaration or certification (attestation), appeal such demands in court (especially if the personal data protection tools used have already been certified by their manufacturer).

A. Bethlehemsky

Director, Nizhny Novgorod Center for the Economics of Education