
Personal data protection - implementation experience

As everyone interested in FZ-152 “On Personal Data” remembers, it was adopted back in 2006. Its entry into force was postponed for a long time, but at some point it had to take effect, and on July 1, 2011 it did.
For us (a state office; our database held about 20,000 people at the time) the problem arose in 2008.
At first it was not much of a problem, but then, as in the fairy tale: “The further, the worse.”

The first stage is the initial organizational measures.

- On every form of the Statement type, a line in small print appeared (so that the form kept its former size): “I agree to the necessary use of my personal data, including in information systems”.
- An addendum covering minor children was added to the Statements for children's allowances.
- Separate statements were also collected giving consent to the provision and transfer of data from other institutions (Pension Fund, NPF, etc.).
A lot of paper and very little technology.
The second stage is the development of proper documentation.
The year 2009 was approaching and it was known that the Law would be postponed again. There was no funding and nobody was in a hurry, so documentation could be developed. The parent office provided samples of the following documents:

  • Order on the appointment of officials responsible for the protection of restricted-access information not containing state secrets;
  • Order defining the controlled area in which the nodes of the automated system processing restricted-access information not containing state secrets are located;
  • Order prohibiting the processing of restricted-access information on uncertified informatization objects;
  • Instructions for the use of information security tools on computer equipment;
  • Instructions for installing new software and modifying the software used on an automated system processing restricted-access information;
  • Instruction on the organization of anti-virus protection on an automated system processing restricted-access information;
  • Instructions for the information security administrator of an automated system processing restricted-access information;
  • Instructions for making changes to the lists of users and granting them access to the resources of the automated system processing restricted-access information;
  • Instruction on the organization of password protection of an automated system;
  • Instruction on organizing data backup of an automated system processing restricted-access information;
  • Instruction for the user of the automated system;
  • Matrix of access to the protected resources of the automated system;
  • Technical passport of the automated system;
  • Log of admission to work in the automated system processing restricted-access information;
  • Journal of registration and issuance of computer storage media intended for storing restricted-access information not containing state secrets;
  • Register of information security tools;
  • Application form for adding users to the automated system;
  • Form of the Act of technical work on the informatization objects of the NPP;
  • List of confidential information;
  • List of protected information resources;
  • Description of the technological process of information processing in the dedicated local area network;
  • Switching scheme of the dedicated local computer network;
  • List of persons allowed to work independently in the automated system.


The third stage is the purchase of technical information protection tools.
More precisely, the head office bought them and we just collected them. The result was:
- Dallas on the workstations;
- a ViPNet coordinator for secure access over an IP-MPLS channel to the superior office;
- jammers;
- certification of Windows Server was completed (this is discussed here).

The fourth stage is mental and physical work.
A protected automated system must also be protected physically. Relocating the department that works with personal data to another floor worked out very well: the department occupied an enclosed area, and one of its offices was chosen as the server room. As a result, two cables (main and backup) run from that floor to the router. The computers were formatted and a clean, updated Windows, office suite, antivirus and the work application were installed. In October 2009 the guys from Peter (St. Petersburg) came. They installed Dallas and the jammers, set up a snooper, took all the measurements and corrected the documentation.

The fifth stage is completion.
At the end of October 2009, an internal commission for the protection of personal data convened. Responsible persons were appointed who had a week to prepare the documents and carry out the personal data protection work (the same items listed under the second stage). Within the week the responsible people did everything, and the commission gladly accepted the protected system into operation. Soon a certificate valid for three years was received, and that was that.

Of course, in reality that is not the end of it.
For example, a protected system is certified as a single hardware and software complex, so not even the mouse may be changed. But once a year you can call in the assessor to verify compliance with all the protection indicators, and the assessor has the right to amend the existing documents. So changing the mouse is feasible after all.
Then there is the modern idea of electronic interagency cooperation. The idea is good; it is just not covered by the earlier concept of personal data protection. So when we implement it, we will go through certification again.

Thanks for attention.

Source: https://habr.com/ru/post/124380/