
Independent training of ISPDN for certification (part 1)

Currently, the protection of personal data is one of the most pressing tasks for most commercial and government organizations. Information systems must be brought into compliance with the requirements of the Federal Law “On Personal Data” no later than July 1, 2011.

I plan to write a series of articles on general methods of protecting personal data that will help your company reduce somewhat the cost of data protection firms' services, or at least understand what you are paying for. We went through all of this at our own company.

As a result of all the actions that will be described, we successfully received a certificate of compliance of our ISPDn with the requirements of the Federal Law and saved about 45,000 rubles on integrator services (12 workstations (AWP) + server).

ISPDN survey

Building the protection of a personal data information system (ISPDn) begins with a survey of the ISPDn, its classification, and the formulation of specific protection requirements.
The survey is conducted by a special commission consisting of an information security specialist*, the IS administrator and the IS operator. Accordingly, you must first issue an order appointing the commission and ordering the survey.
Rates quoted for our city right away: 200-700 rubles per hour for the pre-project survey, 10-20 thousand rubles for the set of documentation based on the survey results.

Before starting any actions, it is necessary to compile a list of the personal data stored and processed at the enterprise.
Here we have a document with a table of three columns: No.; name (file, database, table); contents of the file (surname, passport series / number, etc.).

During the examination, the following should be established:

1. Access to the organization. Who can enter and at what time. With or without a pass, whether it is recorded in the visitor log, etc. Whether employees are able to enter the organization outside working hours.

2. Controlled zone (CZ) of the organization.
The controlled zone is the territory of the facility within which the uncontrolled presence of persons without permanent or one-time access is excluded.
Thus, the boundaries of the controlled zone will be the enclosing structures of the premises belonging to the organization (walls, doors, windows, ceiling).

Perhaps your organization occupies an entire floor or some wing of the building. In that case, the hall and corridor between the offices count as a controlled zone only if there is a security guard / administrator (or the stern old lady with a mop) or a video surveillance camera there.
The controlled zone may have its own peculiarities. For example, there may be a constant flow of third parties (clients); this should also be noted.

3. Power supply of the building. It is required to indicate on whose territory the transformer substation is located and by which organization it is serviced. Everything is very simple; there is no need to find out anything about Mosgorsvet LLC (nobody is interested in that). There are only two possible answers: the substation is located inside the CZ or outside it, and accordingly it is serviced either by a unit of your own organization or by an outside organization (the name and address of that organization are not required).
It is also required to indicate by which scheme the transformer is earthed and where the earthing is located (inside the CZ or outside). Knowledge from Wikipedia is more than enough here: ru.wikipedia.org/wiki/%D0%A2N-S

4. Telephone communication. Organized through your own PBX or a shared one. Do the telephone cables leave the CZ?

5. Fire and security alarms. Where they are installed and where they are connected. If connected to a security console, indicate where that console is located. Do the cables of these systems go beyond the CZ?

6. Organization of the computer network. What technology it is built on, the scheme and structure, whether there are subnets, etc.

7. Information processing.
- Information input: performed in manual / automatic mode on all computers (workstations) using a mouse, keyboard, scanner, etc.
Manual usually means input from paper; automatic means input from flash drives, disks, etc.
- Information display: information is displayed on the monitor during input and output of information by the user and while working with the software.
- Information processing: performed on a computer using such and such software. You do not need to list all the software on the computer, only the software with which personal data is processed.
- Information storage: information remains on the computer's hard disk or is automatically transferred to the server.
- Information transfer: between users' workstations, between a computer and a scanner / printer, between workstations and the server.
- Information output: to paper / electronic media using such and such devices.

8. Components of information processing:
- Access subjects: personnel who, by virtue of their job duties, must interact with PD; processes running in the computer's application and system software.
- Access objects: information resources (for example: files, tables, arrays, documents, databases, etc.); elements of the system (flash drives, printers, software, the computer itself).

Access of subjects to objects should be demarcated or regulated in some way (passwords for accounts on the PC, flash drives issued only against signature, access rights to files).

9. Groups of access subjects: administrators (a description of who they are and what functions they perform), users (likewise), maintenance staff (likewise). In this item it is also desirable to describe separately which OS administration and information protection functions are performed by the administrator (backups, creating accounts, etc.).

10. Backup system: how often, to where, and where / by whom / how the backups are then stored.

11. Additional... Here you can specify other important points specific to your information system.

Based on the results of all this, we compiled the ISPDn Survey Act.

ru.wikipedia.org/wiki/Controlled_zone

* The presence of an information security specialist on the commission is advisory in nature and may well be replaced by the senior admin. But so as not to tempt fate, such a specialist can be any administrator who has completed a short course on information protection (ZI) and holds the corresponding certificate, or an external person with the appropriate education with whom a contract is concluded.

In the next article: the technical passport of the ISPDn, description of the process, the classification act.

Source: https://habr.com/ru/post/111409/
